I’m starting a project to make my home hosted services exposure to the internet a little easier to keep secure.
I have various web services such as Immich, Jellyfin, and a few others that either have high storage needs (which would be expensive in the cloud) or handle more private data. Many of these are exposed to the internet. This network has a domain assigned, and each service is assigned a subdomain. These run in a k0s Kubernetes cluster, on a separate VLAN from my home devices, on a couple of NUCs and a Raspberry Pi, and use Traefik as the reverse proxy and Keycloak for OIDC.
I also have a few VPSs running things that need faster responses or don't store as much data. These have a separate domain.
Right now I have an OPNsense router that is the target of all the home domain's traffic (via dynamic DNS) and forwards it to Traefik on the Kubernetes cluster.
I'd like to instead close off the home network a bit more so I don't have to devote so much to security and can just drop a lot of the malicious connections coming in regularly. I also have the problem that my ISP still only offers 6rd for IPv6, which is basically useless. So I was considering several tunneling technologies that would have the exit node on a VPS. But I also need to be able to access the services while at home without the traffic exiting the network.
I've narrowed it down to headscale/tailscale and Pangolin. I really like that Pangolin uses Traefik because I'm already familiar with it and it's already in use in both my domains.
So I'm going to start working on setting up Pangolin to see how it goes, but I haven't seen many examples, and I haven't seen any that use Kubernetes on the internal network side. Sure, I could set up a separate Docker instance to host the services, but I really like that Kubernetes is able to load balance so that one of my NUCs is almost always in low-power mode during off hours when no maintenance tasks are running. So I don't want to put other non-Kubernetes services on there, nor do I want to set up a totally separate server if it's not necessary.
I haven't dug in too deep yet, so I was hoping to see if anyone else has any experience setting up Pangolin with Kubernetes on the internal network side?
I recently installed Pangolin on Hetzner and spun up a StatefulSet in my k3s cluster for the Newt container. It works beautifully. With it you can proxy Pangolin to the cluster address of your service very easily.
For example: sonarr.media.svc.cluster.local:8989. The format is deploymentName.namespace.svc.cluster.local.
Internally I still use Traefik for my services and just left all the CNAMEs in Pi-hole pointed to Traefik, but if you are external, your DNS would look at what's public on my domain and route through Pangolin.
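As an added example (not the reply author's manifest, nor anything from the Pangolin project), here is a minimal StatefulSet running the Newt container inside the cluster, with the site credentials supplied from a Kubernetes Secret rather than inline in the pod spec. The image name `fosrl/newt` and the `PANGOLIN_ENDPOINT`, `NEWT_ID` and `NEWT_SECRET` variable names are assumptions taken from Newt's Docker usage, and the endpoint and credential values are placeholders.

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: newt-credentials
  namespace: pangolin
type: Opaque
stringData:
  # Placeholders: both values are issued by the Pangolin dashboard when the site is created.
  NEWT_ID: "<newt-id-from-pangolin>"
  NEWT_SECRET: "<newt-secret-from-pangolin>"
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: newt
  namespace: pangolin
spec:
  serviceName: newt
  replicas: 1
  selector:
    matchLabels:
      app: newt
  template:
    metadata:
      labels:
        app: newt
    spec:
      # Newt only dials out to the VPS; it needs no Kubernetes API access.
      automountServiceAccountToken: false
      containers:
        - name: newt
          image: fosrl/newt:latest   # assumed image name; pin a specific tag in practice
          env:
            - name: PANGOLIN_ENDPOINT   # assumed variable name
              value: "https://pangolin.example.com"   # placeholder: your VPS endpoint
          envFrom:
            - secretRef:
                name: newt-credentials   # injects NEWT_ID and NEWT_SECRET
          securityContext:
            # Newt's tunnel runs in userspace, so no NET_ADMIN or privileged mode is assumed.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          resources:
            requests: {cpu: 50m, memory: 64Mi}
            limits: {memory: 128Mi}
```

In the Pangolin dashboard the resource target is then the in-cluster Service name, e.g. `sonarr.media.svc.cluster.local:8989` as in the reply above, so no Ingress or NodePort has to be exposed for traffic arriving through the tunnel.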