Public GitOps repository for showing how I run my services on k3s

GitOps for tbrnt k3s hosting

Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps
  • Another private repo, gitops-tbrnt-private, contains the same material in a more approachable format, e.g. for dealing with updating sealed-secrets
  • _tests contains some Open Policy Agent rego files that are used in the Drone CI pipeline to validate the configuration.
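As an added illustration of the kind of check the Drone CI policies perform (not the repository's own rego files, which are not reproduced here), the same idea re-expressed in Python: deny any plain Secret committed to this public repo, and only warn on an unpinned image tag. Manifests are passed in as already-parsed dicts so no YAML library is needed; the sample manifests and the "unpinned tag" rule are assumptions of this example.

```python
def check_manifest(doc: dict) -> tuple[list[str], list[str]]:
    """Return (deny, warn) messages for one parsed Kubernetes manifest document."""
    deny: list[str] = []
    warn: list[str] = []
    kind = doc.get("kind")
    meta = doc.get("metadata", {})
    name = f"{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
    # Deny: the repo is public, so only SealedSecrets (kubeseal output) may be committed.
    if kind == "Secret":
        deny.append(f"{name}: plain Secret committed; seal it with kubeseal first")
    # Warn only: Renovate pins image tags, a floating tag makes updates unreviewable.
    if kind in ("Deployment", "StatefulSet", "DaemonSet"):
        spec = doc.get("spec", {}).get("template", {}).get("spec", {})
        for c in spec.get("containers", []):
            image = c.get("image", "")
            last = image.rsplit("/", 1)[-1]          # strip registry/repository path
            tag = last.split(":", 1)[1] if ":" in last else ""
            if tag in ("", "latest"):
                warn.append(f"{name}: container {c.get('name')} uses unpinned image {image!r}")
    return deny, warn


def evaluate(docs: list[dict]) -> tuple[list[str], list[str]]:
    """Aggregate over all documents; a non-empty deny list should fail the CI job."""
    all_deny: list[str] = []
    all_warn: list[str] = []
    for doc in docs:
        d, w = check_manifest(doc)
        all_deny.extend(d)
        all_warn.extend(w)
    return all_deny, all_warn


# Constructed sample manifests (not taken from the repository).
SAMPLE_DOCS = [
    {"kind": "SealedSecret", "metadata": {"name": "db", "namespace": "docspell"}},
    {"kind": "Secret", "metadata": {"name": "db", "namespace": "docspell"},
     "data": {"password": "cGxhaW50ZXh0"}},
    {"kind": "Deployment", "metadata": {"name": "ghost", "namespace": "tobru-ch"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "ghost", "image": "ghost:3.42.0"},
         {"name": "sidecar", "image": "registry.example/sidecar:latest"}]}}}},
]

if __name__ == "__main__":
    deny, warn = evaluate(SAMPLE_DOCS)
    print("\n".join(["DENY " + m for m in deny] + ["WARN " + m for m in warn]))
    raise SystemExit(1 if deny else 0)
```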


Argo CD



Access the UI with kubefwd:

sudo -E kubefwd svc -n argocd and then https://argocd-server/

or with kubectl port-forward:

kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/

Common CLI commands:

  • argocd login argocd-server
  • argocd app list
  • argocd app sync <name>

Kubeseal (Sealed Secrets)

See README of apps. Basically:

kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml

Bootstrap GitOps

After installing k3s, do:

# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f
kubectl get pods -n argocd -l -o name | cut -d'/' -f 2
argocd login argocd-server

# Restore Sealed Secrets secret key
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml

# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml

# Let Argo CD do its job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l


  • Restore PVCs via K8up

k3s on Alpine

Installing: Alpine

Basically follow the Alpine wiki.

Then install prerequisites and some essential packages:

apk add \
  vim \
  iptables \
  wireguard-virt \
  bash

Needs the community repo enabled in /etc/apk/repositories.

Tweak sysctl settings in /etc/sysctl.conf:

fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288

Installing: k3s

Via k3sup:

k3sup install \
  --ip= \
  --user=root \
  --local-path=~/.kube/config_knurrli2 \
  --sudo=false \
  --k3s-extra-args='--tls-san --cluster-cidr --flannel-backend wireguard'

Helpful info

  • Volumes: /var/lib/rancher/k3s/storage/
  • Config: /etc/rancher/k3s/
  • Manifests: /var/lib/rancher/k3s/server/manifests/


Configure WireGuard

In /etc/network/interfaces (ifupdown format, as used on Alpine):

auto wg0
iface wg0 inet static
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add dev wg0
    post-down ip link delete dev wg0