Homelabbing #1: SSO for Proxmox
At the start of my career, I got to intern at a DevOps team, which, among other things, had a project managing a few pretty big Kubernetes clusters. At that point, my experience with Kubernetes was equal to zero, so to get familiar with it, I decided I’d do a hands-on side project. After all, there’s no better way to understand a technology than setting it up from scratch.
I went home on Friday and set out on the ambitious goal of setting up a self-hosted GitLab server on a Proxmox homelab. I actually got pretty far. I had 3 VMs with MicroK8s installed and a half-functioning Ceph cluster. I even had the GitLab Helm chart deployed, but come Sunday, storage classes had defeated me. I didn't stay on the Kubernetes project very long.
Now that I've spent a while around cloud architecture and filled in the knowledge gaps, I think it's time to relaunch the project!
Agenda for today: Secure Remote Access
On the first iteration of the project, I made a brilliant decision worthy of an end user: I set up port forwarding on my router pointed at the Proxmox admin dashboard.
I considered two options for connecting to the admin dashboard. The first was a VPN server. The second was Cloudflare Tunnel. My router even provides a VPN experience out of the box, but I've been looking for an excuse to use cloudflared for ages now, and for my one-person homelab, RBAC was an obvious non-negotiable.
Since I last touched this homelab, Proxmox 9.1 came out, which allows you to create LXC containers from OCI images. We will want to try those out later. The recommended major upgrade path is a wipe of the OS itself while keeping the data, but because we have nothing important from our last experiment, we will just start fresh.
The first order of business is installing and configuring the cloudflared client. To do this, I first need to connect to my admin dashboard over its local IP and bypass a big scary warning about self-signed certs. Thankfully, Cloudflare provides commands we can copy/paste directly into the Proxmox web shell, and it even installs the tunnel as a systemd service so it survives restarts!
Before I expose the dashboard to the internet again, I decide to go back and create a Cloudflare Access self-hosted app for the pve.mydomain.com hostname and authorize only my email.
Right now I only have one node, which makes this much easier, but the entire point of this is that I want to simulate some failover scenarios, which means I will have to set up a load balancer with a tunnel per node. As usual, Cloudflare foresaw this use case. They offer a load balancer that can connect to an arbitrary number of cloudflared tunnels, so you can install one on each node. Turns out I can even use origin certs with the tunnels!
We create the published application route, specify the origin server name to make sure our origin certificate is served, and voilà! We are live and secure.
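As an added illustration (not from the original post), here is the locally-managed cloudflared config.yml equivalent of the route set up above, with the usual self-signed-cert shortcut shown commented out next to the origin-certificate version; the tunnel UUID, file paths and hostname are placeholders.

```yaml
# /etc/cloudflared/config.yml (added example; locally-managed equivalent of the
# dashboard-installed tunnel from the post). UUID, paths and hostname are placeholders.
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: /etc/cloudflared/00000000-0000-0000-0000-000000000000.json

ingress:
  # The shortcut that silences the self-signed-cert warning: cloudflared stops
  # verifying the origin it is forwarding to on the LAN side.
  #   - hostname: pve.mydomain.com
  #     service: https://localhost:8006
  #     originRequest:
  #       noTLSVerify: true

  # Preferred: pveproxy serves the Cloudflare origin certificate (installed as
  # /etc/pve/local/pveproxy-ssl.pem and pveproxy-ssl.key, then
  # `systemctl restart pveproxy`). cloudflared sends the public hostname as SNI
  # so that certificate is the one selected, and validates it against the
  # Cloudflare Origin CA root saved at the path below (assumed path).
  - hostname: pve.mydomain.com
    service: https://localhost:8006
    originRequest:
      originServerName: pve.mydomain.com
      caPool: /etc/cloudflared/cloudflare-origin-ca.pem
  # Anything else arriving on this tunnel is refused.
  - service: http_status:404
```

With one tunnel per node, each node carries the same file with its own tunnel UUID and credentials, and the Cloudflare load balancer fronts the set; the Access policy on pve.mydomain.com still gates every request before it reaches any of them.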
Up next is Kubernetes. See you soon :)