One physical server running a full Kubernetes cluster — secrets management, storage, TLS, SSO, photo backup, cloud storage, monitoring, and more. Every piece is a Helm chart or Kustomize overlay, versioned in Git, deployed by ArgoCD, and automatically recovered after a reboot.
01 Key facts
| Property | Value |
|---|---|
| Distribution | k3s v1.36.1+k3s1 — Traefik disabled, ingress-nginx installed instead |
| Node OS | Ubuntu 26.04 LTS — single control-plane node |
| GitOps | ArgoCD app-of-apps — root points at k8s/apps/ in this repo |
| Secrets | HashiCorp Vault (KV v2) → ESO → app namespaces |
| Storage | Longhorn (single replica) — NAS NFS backup target |
| TLS | One wildcard cert *.in.alybadawy.com via cert-manager + Let's Encrypt DNS-01 |
| Ingress | ingress-nginx — default-ssl-certificate at controller level, no per-Ingress TLS |
| Post-reboot recovery | Fully automatic — Vault unseals, ESO reconnects, apps recover (~6 min) |
02 Platform components
The platform layer — everything that supports the application stack. Each links to its reference page.
*.in.alybadawy.com hostnames.
03 Deployment order — sync waves
ArgoCD deploys apps in wave order. The platform layer must be healthy before applications can start, because apps depend on Vault secrets and Longhorn PVCs.
The vault-auto-unseal CronJob handles unsealing automatically — no manual steps after a reboot.
| Wave | Apps | Why first |
|---|---|---|
| -1 | vault | Secrets backend — everything else depends on it |
| 0 (default) | longhorn, cert-manager, ingress-nginx, external-secrets | Platform layer — storage, TLS, ingress, secret sync |
| 1+ | db, monitor, auth, cloud, immich, whoami, aly | Application layer — depend on platform being healthy |
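A small lint that checks the wave ordering described above, added here as an example and not part of this repo: it reads the JSON that `kubectl get applications -n argocd -o json` returns, takes the `argocd.argoproj.io/sync-wave` annotation (default 0 when absent), and reports any Application that would sync before vault or before the platform layer has finished. The app names are those from the table; the input below is a constructed sample, with immich deliberately left in wave 0 to show a violation.

```python
"""Lint ArgoCD Application sync waves against the documented order:
vault first, then the platform layer, then application-layer apps."""
import json

WAVE_ANNOTATION = "argocd.argoproj.io/sync-wave"  # ArgoCD treats a missing annotation as wave 0
PLATFORM = {"longhorn", "cert-manager", "ingress-nginx", "external-secrets"}
SECRETS_BACKEND = "vault"

def wave_of(app: dict) -> int:
    """Return the sync wave of one Application object (0 when the annotation is absent)."""
    raw = app["metadata"].get("annotations", {}).get(WAVE_ANNOTATION, "0")
    try:
        return int(raw)
    except ValueError:
        raise ValueError(f"{app['metadata']['name']}: non-integer sync-wave {raw!r}")

def check_wave_order(app_list: dict) -> list[str]:
    """Return human-readable violations of the documented deployment order (empty list = OK)."""
    waves = {a["metadata"]["name"]: wave_of(a) for a in app_list["items"]}
    vault_wave = waves.get(SECRETS_BACKEND)
    if vault_wave is None:
        return ["vault Application is missing"]
    platform_waves = [w for n, w in waves.items() if n in PLATFORM]
    problems = []
    for name, w in waves.items():
        if name == SECRETS_BACKEND:
            continue
        # Everything, platform included, must come after the secrets backend.
        if w <= vault_wave:
            problems.append(f"{name} (wave {w}) does not deploy after vault (wave {vault_wave})")
        # Application-layer apps must come after the last platform wave.
        if name not in PLATFORM and platform_waves and w <= max(platform_waves):
            problems.append(f"{name} (wave {w}) deploys before the platform layer finishes (wave {max(platform_waves)})")
    return problems

def _app(name: str, wave=None) -> dict:
    """Build a minimal Application object in the shape kubectl emits (constructed sample data)."""
    meta = {"name": name, "namespace": "argocd"}
    if wave is not None:
        meta["annotations"] = {WAVE_ANNOTATION: str(wave)}
    return {"apiVersion": "argoproj.io/v1alpha1", "kind": "Application", "metadata": meta}

# Constructed sample: the documented layout, except immich wrongly left in wave 0.
SAMPLE = json.dumps({"items": [_app("vault", -1), _app("longhorn"), _app("cert-manager"),
    _app("ingress-nginx"), _app("external-secrets"), _app("db", 1), _app("immich", 0)]})

if __name__ == "__main__":
    for line in check_wave_order(json.loads(SAMPLE)) or ["sync-wave order OK"]:
        print(line)
```

In CI the same function can be fed the output of `kubectl get applications -n argocd -o json` so a new app without the annotation is caught before it races the platform layer.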
04 Namespace layout
Namespaces are created by ArgoCD (CreateNamespace=true in sync options) and group related services together.
| Namespace | Contents |
|---|---|
| argocd | ArgoCD server, repo-server, application-controller, dex, redis |
| security | Vault StatefulSet, vault-auto-unseal CronJob, ESO operator, eso-recovery CronJob |
| networking | ingress-nginx controller, cert-manager controller, ClusterIssuer, wildcard Certificate + Secret |
| longhorn-system | Longhorn manager, driver, UI frontend, CSI components |
| monitor | Prometheus, Grafana, Alertmanager |
| db | PostgreSQL, pgAdmin, Redis |
| auth | Authentik server + worker |
| cloud | Nextcloud |
| immich | Immich server + ML worker |