Homelabbing #1: SSO for Proxmox

At the start of my career, I got to intern on a DevOps team which, among other things, had a project managing a few pretty big Kubernetes clusters. At that point my experience with Kubernetes was exactly zero, so to get familiar with it I decided I'd do a hands-on side project. After all, there's no better way to understand a technology than setting it up from scratch.

I went home on Friday and set out on the ambitious goal of setting up a self-hosted GitLab server on a Proxmox homelab. I actually got pretty far: I had 3 VMs with microk8s installed and a half-functioning Ceph cluster. I even had the GitLab Helm chart deployed, but come Sunday, storage classes had defeated me. I didn't stay on the Kubernetes project very long.

Now, having spent a while around cloud architecture and filled in the knowledge gaps, I think it's time to relaunch the project!

Agenda for today: Secure Remote Access

On the first iteration of the project, I made a brilliant decision worthy of an end user: I set up port forwarding on my router pointing straight at the Proxmox admin dashboard.

I considered two options for connecting to the admin panel. The first was a VPN server. The second was Cloudflare Tunnel. My router even provides a VPN out of the box, but I've been looking for an excuse to use cloudflared for ages now, and for my one-person homelab, RBAC was an obvious non-negotiable.

Since I last touched this homelab, Proxmox 9.1 came out, which allows you to create LXC containers from OCI images. We will want to try those out later. The recommended major upgrade path is a wipe of the OS itself while keeping the data, but because we have nothing important left from our last experiment, we will just start fresh.

First order of business is installing and configuring the cloudflared client. To do this I first need to connect to my admin panel over its local IP and bypass a big scary warning about self-signed certs. Thankfully Cloudflare provides commands we can copy-paste directly into the web shell; it even wraps the tunnel in a systemd service to ensure it survives restarts!

Before I expose the dashboard to the internet (again), I go back and create a Cloudflare Access self-hosted app for the pve.mydomain.com hostname, with a policy that authorizes only my email.

Right now I only have one node, which makes this much easier, but the entire point of this is that I want to simulate some failover scenarios, which means I will have to set up a load balancer with a tunnel per node. As usual, Cloudflare foresaw this use case. Turns out I can even use origin certs with the tunnels!

We create the published application route, specify the origin server name to make sure our origin certificate is verified, and voilà! We are live, and secure.
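For reference, here is what the route described above looks like as a locally managed cloudflared configuration, covering the tunnel service install, the per-node tunnel and the origin-certificate check from the previous paragraphs. This is an added example, not the post's own setup or Cloudflare's documentation: the tunnel UUID and file paths are placeholders, the Proxmox web UI is assumed to listen on its default port 8006, and the node is assumed to serve a Cloudflare Origin CA certificate issued for pve.mydomain.com.

```yaml
# /etc/cloudflared/config.yml on a Proxmox node (added example, not from the original post).
# Placeholders: <TUNNEL-UUID> is the id printed by `cloudflared tunnel create`; paths are assumptions.
tunnel: <TUNNEL-UUID>
credentials-file: /etc/cloudflared/<TUNNEL-UUID>.json

ingress:
  # Only the published hostname is routed to the Proxmox UI. Cloudflare Access enforces the
  # email policy at the edge, so unauthenticated requests never reach this node.
  - hostname: pve.mydomain.com
    service: https://localhost:8006          # Proxmox web UI, default port (assumption)
    originRequest:
      # Verify the origin's TLS certificate against the published name rather than
      # "localhost", so the Origin CA cert issued for pve.mydomain.com actually validates.
      originServerName: pve.mydomain.com
      # Keep certificate verification on; disabling it would hide a swapped origin.
      noTLSVerify: false
      # caPool is only needed when the origin cert is NOT issued by Cloudflare's Origin CA,
      # e.g. a private CA of your own (path is a placeholder).
      # caPool: /etc/cloudflared/private-ca.pem

  # Catch-all: anything that does not match a hostname above gets a 404.
  # cloudflared requires this as the last ingress rule.
  - service: http_status:404
```

Each node in a multi-node cluster gets its own copy of this file with its own tunnel UUID and credentials, and the Cloudflare load balancer pool then points at the tunnels rather than at public IPs. On Proxmox the custom UI certificate and key are installed as /etc/pve/local/pveproxy-ssl.pem and /etc/pve/local/pveproxy-ssl.key so that pveproxy serves the Origin CA cert that originServerName is checked against. `cloudflared tunnel ingress validate` checks the rules above before you run `cloudflared tunnel --config /etc/cloudflared/config.yml run` or install the service.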

Up next is Kubernetes. See you soon :)