
My home service stack running Fedora IoT. These podman services support my home infrastructure, including DNS and Kubernetes clusters.


home-service

My home service stack running on a Beelink EQ12 with Fedora IoT. Applications are run as podman containers and managed by systemd to support my home infrastructure.

Core components

  • direnv: Update environment per working directory.
  • podman: A tool for managing OCI containers and pods with native systemd integration.
  • renovate: Universal dependency automation tool.
  • sops: Manage secrets which are committed to Git, using Age for encryption.
  • task: A task runner / simpler Make alternative written in Go.

Setup

System configuration

  1. Install required system deps and reboot

    sudo rpm-ostree install --idempotent --assumeyes git go-task
    sudo systemctl reboot
  2. Make a new SSH key, add it to GitHub and clone your repo

    export GITHUB_USER="coolguy1771"
    # Pull the public keys registered on your GitHub account; note that ">" replaces any existing authorized_keys
    curl https://github.com/$GITHUB_USER.keys > ~/.ssh/authorized_keys
    sudo install -d -o $(logname) -g $(logname) -m 755 /var/opt/home-service
    git clone git@github.com:$GITHUB_USER/home-service.git /var/opt/home-service/.
  3. Install additional system deps and reboot

    cd /var/opt/home-service
    go-task deps
    sudo systemctl reboot
  4. Create an Age public/private key pair for use with sops

    age-keygen -o /var/opt/home-service/age.key

Network configuration

Note

I am using ipvlan to expose most containers on their own IP addresses on the same network as this device; the available addresses are mentioned in the --ip-range flag below. Beware of IP addressing and interface names.

  1. Create the podman containernet network

    # The gateway must be an address inside --subnet, and --ip-range must lie within it too
    sudo podman network create \
        --driver=ipvlan \
        --ipam-driver=host-local \
        --subnet=10.10.10.0/24 \
        --gateway=10.10.10.1 \
        --interface-name=bond0 \
        --ip-range=10.10.10.201-10.10.10.254 \
        containernet
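As an added example (not code from the home-service repo), here is a bash helper that checks the --subnet, --gateway and --ip-range values against each other before running podman network create: podman refuses a gateway outside the subnet, and a gateway inside the container range would collide with a container address. The function names and arguments are my own; the sample values are the ones from this README.

```bash
#!/usr/bin/env bash
# Added example, not part of the home-service repo: validate the addresses
# for `podman network create` before creating the ipvlan network.

# ip2int <a.b.c.d>: print the IPv4 address as an unsigned integer.
ip2int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet <ip> <net/bits>: exit 0 when <ip> lies inside the CIDR block.
in_subnet() {
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# check_net <subnet> <gateway> <start>-<end>: print the first inconsistency
# and exit 1, or exit 0 silently when the three values fit together.
check_net() {
  local subnet=$1 gw=$2 start=${3%-*} end=${3#*-}
  local g s e
  g=$(ip2int "$gw"); s=$(ip2int "$start"); e=$(ip2int "$end")
  in_subnet "$gw" "$subnet"    || { echo "gateway $gw not in $subnet"; return 1; }
  in_subnet "$start" "$subnet" || { echo "range start $start not in $subnet"; return 1; }
  in_subnet "$end" "$subnet"   || { echo "range end $end not in $subnet"; return 1; }
  [ "$s" -le "$e" ] || { echo "range start $start is after end $end"; return 1; }
  if [ "$g" -ge "$s" ] && [ "$g" -le "$e" ]; then
    echo "gateway $gw falls inside the container range $3"; return 1
  fi
}

# create_containernet <subnet> <gateway> <start>-<end> <parent iface>:
# run the checks, then create the network with the same flags as the README.
create_containernet() {
  check_net "$1" "$2" "$3" || return 1
  sudo podman network create --driver=ipvlan --ipam-driver=host-local \
    --subnet="$1" --gateway="$2" --ip-range="$3" --interface-name="$4" \
    containernet
}
```

Call it as `create_containernet 10.10.10.0/24 10.10.10.1 10.10.10.201-10.10.10.254 bond0`; a mistyped gateway such as 100.10.10.1 is reported before podman is invoked.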

Container configuration

Tip

To encrypt files with sops replace the public key in the .sops.yaml file with your Age public key. The format should look similar to the one already present.

View the apps directory for documentation on configuring an app container used here, or set up your own by reviewing the structure of this repository.

The included Taskfile provides helper commands to start, stop and restart containers, and more. Run the command below to view all available tasks.

go-task --list

Optional configuration

Fish shell

Tip

🐟 fish is awesome, you should try fish!

chsh -s /usr/bin/fish
# IMPORTANT: Log out and log back in
go-task dotfiles

Enable Chrony as an NTP server

Tip

⌚ You can also update /etc/chrony.conf with custom NTP servers.

sudo sed -i 's/^#allow .*/allow all/g' /etc/chrony.conf
sudo systemctl restart chronyd

Tune SELinux

sudo sed -i 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/selinux/config
sudo systemctl reboot

Disable firewalld

sudo systemctl disable --now firewalld.service

Network topology

| Name      | Subnet          | DHCP range | ARP reserved |
| --------- | --------------- | ---------- | ------------ |
| LAN       | 192.168.1.0/24  | 150-254    | 120-149      |
| MGMT      | 192.168.10.0/24 | 150-254    | -            |
| LAB       | 192.168.42.0/24 | 150-254    | 120-149      |
| GUEST     | 192.168.50.0/24 | 150-254    | -            |
| IOT       | 192.168.70.0/24 | 150-254    | -            |
| WIREGUARD | 192.168.80.0/28 | -          | -            |

Related Projects