Public GitOps repository for showing how I run my services on k3s
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Renovate Bot 3fad90d9ba Update dependency renovate/renovate to v32.104.0 20 hours ago
_apps install linkding 2 months ago
_test only warn for some policies 2 years ago
acmedns disable registration 8 months ago
argocd Update dependency to v2.3.3 3 months ago
cert-manager Merge pull request 'Update dependency to v1.7.1' (#784) from renovate/ into master 3 months ago
docspell Merge pull request 'Update dependency to v0.35.0' (#831) from renovate/ into master 2 months ago
drone Update dependency to v2.11.1 4 months ago
familydb allways pull image 1 year ago
graphs Update dependency grafana/grafana to v8.5.2 2 months ago
headscale install headscale 2 months ago
healthcheck correct ns for hc 10 months ago
influxdb upgrade influxdb2 8 months ago
ioteer traccar env var 9 months ago
ipapi fix ingresses 7 months ago
k8up install k8up crds 7 months ago
kube-cleanup-operator Update Docker tag to v0.8.2 12 months ago
kube-system new config for externalTrafficPolicy 6 months ago
linkding install linkding 2 months ago
mealie Update Docker tag to v0.5.6 5 months ago
miniflux Merge pull request 'Update dependency to v2.0.36' (#772) from renovate/ into master 4 months ago
mosquitto bridge pycom ruuvi topic from ttn 5 months ago
mqttwarn drop rssi from measurement 5 months ago
owntracks use camper device 2 months ago
pylokid install pylokid 2 years ago
renovate Update dependency renovate/renovate to v32.104.0 20 hours ago
sealed-secrets Update Docker tag to v0.17.3 5 months ago
stakater-reloader Update dependency stakater/reloader to v0.0.117 2 weeks ago
system-upgrade-controller Update dependency rancher/system-upgrade-controller to v0.9.1 3 months ago
tobru-ch Update dependency ghost to v5.2.3 3 weeks ago
traccar Update dependency to v5 1 month ago
.drone.yml use kubernetes for drone build 10 months ago rshared info 10 months ago
renovate.json statping is gone 10 months ago

GitOps for tbrnt k3s hosting

Build Status

Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps
  • Another private repo contains stuff in a more approachable format, f.e. for dealing with updating sealed-secrets: gitops-tbrnt-private
  • _tests contains some Open Policy Agent rego files which are used in the Drone CI pipeline to validate configuration.


Argo CD



sudo -E kubefwd svc -n argocd and then https://argocd-server/


kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/


  • argocd login argocd-server
  • argocd app list
  • argocd app sync <name>

Kubeseal (Sealed Secrets)

See README of apps. Basically:

kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml

Bootstrap GitOps

After installing k3s, do:

# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f
kubectl get pods -n argocd -l -o name | cut -d'/' -f 2
argocd login argocd-server

# Restore Sealed Secrets secret key
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml

# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml

# Let Argo CD do it's job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l


  • Restore PVCs via K8up

k3s on Alpine

Installing: Alpine

Basically follow the Alpine wiki.

Then install prerequisites and some essential packages:

apk add \
  vim \
  iptables \
  wireguard-virt \
  bash \

Needs community repo enabled in /etc/apk/repositories.

Tweak Sysctl in /etc/sysctl.conf:

fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288

Add rshared mount option to root filesystem for node-exporter to work correctly.

Installing: k3s

Via k3sup:

k3sup install \
  --ip= \
  --user=root \
  --local-path=~/.kube/config_knurrli2 \
  --sudo=false \
  --k3s-extra-args='--tls-san --cluster-cidr --flannel-backend wireguard'

Helpful infos


  • Volumes: /var/lib/rancher/k3s/storage/
  • Config: /etc/rancher/k3s/
  • Manifests: /var/lib/rancher/k3s/server/manifests/


Configure Wireguard


auto wg0
iface wg0 inet static
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add dev wg0
    post-down ip link delete dev wg0