Public GitOps repository for showing how I run my services on k3s
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Renovate Bot 5156ee3b28 Update ghost Docker tag to v4.10.1 2 days ago
_apps install familydb 3 months ago
_test only warn for some policies 1 year ago
argocd Update Docker tag to v2.0.4 1 month ago
cert-manager upgrade cert manager 11 months ago
docspell Update Docker tag to v13.3 2 months ago
drone Update Docker tag to v1.10.1 7 months ago
familydb allways pull image 3 months ago
graphs Merge pull request 'Update busybox Docker tag to v1.33.1' (#454) from renovate/docker-busybox-1.x into master 3 days ago
influxdb Update influxdb Docker tag to v1.8.6 2 months ago
ioteer update credentials for rising sensor 1 year ago
ipapi use default echoip template 3 months ago
jitsi fix jitsi 3 months ago
k8up Update Docker tag to v1.1.0 2 months ago
kube-cleanup-operator Update Docker tag to v0.8.2 2 weeks ago
kube-system Update Docker tag to v0.9.2 6 months ago
monitoring major monitoring upgrade 3 months ago
mosquitto upgrade mosquitto 3 months ago
owntracks Update Docker tag to v2.9.0 3 months ago
pylokid install pylokid 1 year ago
renovate Update renovate/renovate Docker tag to v19.239 1 year ago
sealed-secrets enable status on sealed secrets 3 months ago
stakater-reloader Update stakater/reloader Docker tag to v0.0.97 2 weeks ago
system-upgrade-controller Update rancher/system-upgrade-controller Docker tag to v0.7.1 3 weeks ago
tobru-ch Update ghost Docker tag to v4.10.1 2 days ago
traccar Update Docker tag to v4.13 2 months ago
.drone.yml colorful output ftw 1 year ago update README with rego hint 1 year ago
renovate.json auto update statping 1 year ago

GitOps for tbrnt k3s hosting

Build Status

Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps
  • Another private repo contains stuff in a more approachable format, f.e. for dealing with updating sealed-secrets: gitops-tbrnt-private
  • _tests contains some Open Policy Agent rego files which are used in the Drone CI pipeline to validate configuration.


Argo CD



sudo -E kubefwd svc -n argocd and then https://argocd-server/


kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/


  • argocd login argocd-server
  • argocd app list
  • argocd app sync <name>

Kubeseal (Sealed Secrets)

See README of apps. Basically:

kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml

Bootstrap GitOps

After installing k3s, do:

# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f
kubectl get pods -n argocd -l -o name | cut -d'/' -f 2
argocd login argocd-server

# Restore Sealed Secrets secret key
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml

# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml

# Let Argo CD do it's job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l


  • Restore PVCs via K8up

k3s on Alpine

Installing: Alpine

Basically follow the Alpine wiki.

Then install prerequisites and some essential packages:

apk add \
  vim \
  iptables \
  wireguard-virt \
  bash \

Needs community repo enabled in /etc/apk/repositories.

Tweak Sysctl in /etc/sysctl.conf:

fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288

Installing: k3s

Via k3sup:

k3sup install \
  --ip= \
  --user=root \
  --local-path=~/.kube/config_knurrli2 \
  --sudo=false \
  --k3s-extra-args='--tls-san --cluster-cidr --flannel-backend wireguard'

Helpful infos


  • Volumes: /var/lib/rancher/k3s/storage/
  • Config: /etc/rancher/k3s/
  • Manifests: /var/lib/rancher/k3s/server/manifests/


Configure Wireguard


auto wg0
iface wg0 inet static
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add dev wg0
    post-down ip link delete dev wg0