· 11 min read · infrastructure
SealedSecrets: Storing Secrets in Git Without the Risk
How SealedSecrets lets you commit encrypted secrets to Git safely, why the real risk is losing the controller's private key, and how to back it up.
sealed-secrets, kubernetes, gitops, secrets-management, argocd, security
· 12 min read · kubernetes
MetalLB on Bare Metal: LoadBalancer Without a Cloud Provider
Your bare-metal LoadBalancer Service is stuck Pending. Here's how MetalLB hands out real LAN IPs, why L2 mode works, and the traps that cost me hours.
metallb, kubernetes, bare-metal, networking, load-balancer, layer-2
· 12 min read · infrastructure
CloudNativePG: Running PostgreSQL in Kubernetes Without the Pain
Running PostgreSQL on Kubernetes with CloudNativePG: the Kyverno policy traps, SSL gotchas, read/write splitting, and the 16.4 segfault to avoid.
kubernetes, postgresql, cloudnativepg, databases, kyverno, infrastructure
· 11 min read · kubernetes
Network Policies with Calico: Default Deny and Namespace Isolation
Rolling out default-deny NetworkPolicies and namespace isolation with Calico without breaking DNS, ingress, or admission webhooks.
calico, network-policies, kubernetes, security, namespace-isolation, networking
· 7 min read · ai-agents
Agent Glass-Break Patterns: Controlled Escalation for Production
How to implement controlled escalation for AI agents using safeBins and network-level constraints to prevent production catastrophes.
ai-agents, security, mcp-servers, kubernetes, orchestration
· 7 min read · kubernetes
Velero + MinIO: Kubernetes Backup Strategy for Bare Metal
Moving beyond cloud S3 to a bare-metal backup strategy using Velero, MinIO, and Longhorn. Lessons on CSI snapshots and ETCD persistence.
kubernetes, velero, minio, bare-metal, backup, longhorn
· 6 min read · tools
Grafana Dashboards: Information Density vs Readability
Stop cramming every metric into one screen. A practical look at balancing information density and performance in Grafana dashboards.
grafana, prometheus, monitoring, kubernetes, observability, dashboards
· 7 min read · kubernetes
Kubernetes RBAC: Building Least-Privilege Service Accounts
Moving beyond cluster-admin for everything. A practical approach to scoping ServiceAccount permissions for production workloads and AI agents.
kubernetes, rbac, security, service-accounts, least-privilege
· 6 min read · kubernetes
Longhorn Volume Health: The Gap Between 'Healthy' and Actually Working
Stop trusting the Longhorn UI blindly. Learn to monitor replication, fix stale mounts, and manage snapshot bloat in production K8s storage.
kubernetes, longhorn, storage, bare-metal, monitoring, pvc
· 8 min read · ai-agents
Privacy-Routed LLM Inference: Keeping Sensitive Data Out of the Cloud
How to build a routing layer for AI agents that ensures sensitive data stays on local hardware while leveraging cloud LLMs for non-private tasks.
ai-agents, local-llm, privacy, ollama, kubernetes, security
· 9 min read · kubernetes
Kyverno Admission Controllers: Policy-as-Code That Actually Works
Moving beyond the happy path of Kubernetes policy enforcement. Real-world Kyverno pitfalls, mutation loops, and the gap between docs and production.
kubernetes, kyverno, policy-as-code, security, gitops, admission-controllers
· 2 min read · infrastructure
AdGuard Home: Network-Wide DNS Filtering with Failover
Setting up AdGuard Home for network-wide DNS filtering with a robust failover strategy to prevent total internet outages.
dns, adguard-home, infrastructure, kubernetes, networking, failover
· 2 min read · infrastructure
Stop Merging Broken YAML: Kubernetes Manifest Validation in CI
Don't let invalid manifests break your GitOps pipeline. Learn how to use kubeconform and Kyverno exclusions to catch errors before they hit production.
kubernetes, gitops, ci-cd, infrastructure, kubeconform, kyverno
· 7 min read · kubernetes
cert-manager + Cloudflare DNS-01: Automated TLS for Everything
Automating TLS with cert-manager and Cloudflare DNS-01 in Kubernetes
cert-manager, cloudflare, kubernetes, tls, dns01, homelab, infrastructure
· 2 min read · kubernetes
SealedSecrets Key Backup: Don't Lose Your Encryption Keys
How to back up and recover SealedSecrets encryption keys in Kubernetes
kubernetes, sealed-secrets, encryption, key-management, gitops, argocd, security
· 3 min read · ai-agents
Ollama on Kubernetes: Recreate Strategy and Single-GPU Deadlock
Deploying Ollama on Kubernetes can lead to GPU deadlocks. Here's how to avoid them.
ollama, kubernetes, gpu-deadlock, recreate-strategy, nvidia-runtime, pvc-sizing
· 4 min read · infrastructure
Wildcard DNS + ndots:5: The TLS Nightmare and How to Fix It
Kubernetes default DNS settings can cause TLS certificate mismatches when using wildcard DNS. Here is how to debug and fix it.
kubernetes, dns, tls, networking, infrastructure
· 5 min read · ai-agents
Self-Improving AI Infrastructure: How Your Homelab Wiki Updates Itself
How to automate your homelab wiki with self-improving AI infrastructure
ai-agents, self-improving-systems, homelab, automation, infrastructure, kubernetes, longhorn
· 6 min read · ai-agents
The 6-Layer Memory Architecture I Run for Claude Code
Open-sourcing the memory system behind my Claude Code setup: CLAUDE.md, path-scoped rules, wiki, vector search, cognitive memory. With the mistakes.
ai-agents, claude-code, memory, rag, llm-wiki, mcp, homelab, kubernetes
· 6 min read · ai-agents
Building Karpathy's LLM Wiki: A Production Homelab Implementation
Implementing Karpathy's LLM Wiki in a homelab with real-world lessons and gotchas
ai-agents, llm-wiki, homelab, kubernetes, proxmox, infrastructure
· 3 min read · homelab
AMD iGPU Stealing Your RAM: UMA Frame Buffer on Headless Servers
AMD iGPU steals RAM on headless servers; here's how to fix it.
headless-servers, amd-igpu, ram-leak, uma-frame-buffer, proxmox, homelab, kubernetes
· 5 min read · ai-agents
Agent Credential Management: Two-Tier Service Accounts for Secure AI Agent Workflows
Managing agent credentials with two-tier service accounts: a secure approach for AI agent orchestration
ai-agents, credential-management, security, service-accounts, multi-agent-systems, kubernetes
· 3 min read · kubernetes
Pod Disruption Budgets: Why kubectl drain Gets Stuck on Longhorn
Pod Disruption Budgets can block kubectl drain on Longhorn. Here's how to avoid it.
kubernetes, longhorn, pod-disruption-budgets, node-drain, storage
· 1 min read · kubernetes
Helm fullnameOverride: Naming Sanity in ArgoCD
Avoid naming chaos in ArgoCD by using Helm fullnameOverride effectively
helm, argocd, kubernetes, naming, charts
· 3 min read · ai-agents
NVIDIA Container Toolkit: Why the Default Runtime Matters
Fixing default runtime misconfigurations in NVIDIA Container Toolkit for GPU workloads
nvidia-runtime, containerd, kubernetes, ai-agents, gpu-container
· 3 min read · homelab
AMD Ryzen C-State Freezes: How `processor.max_cstate=1` Saved My Proxmox Node
Ryzen freezes in Proxmox? Learn how to disable deep C-states and stop random system lockups.
proxmox, ryzen, homelab, c-state, kubernetes
· 7 min read · homelab
GPU Passthrough on Proxmox: A Field Guide to the Gotchas That Bit Me
The documentation won't warn you about D3cold bricking, PCIe bus renumbering, or why the NVIDIA device plugin silently fails. This is that guide.
proxmox, gpu-passthrough, homelab, nvidia, kubernetes, pci-passthrough
· 7 min read · kubernetes
GitOps for Homelabs: How ArgoCD App-of-Apps Scales Your Cluster
How the ArgoCD app-of-apps pattern brings real GitOps discipline to homelab Kubernetes — repo structure, examples, and what I'd do differently.
gitops, argocd, kubernetes, homelab, continuous-delivery
· 9 min read · homelab
Building a Production Homelab: Multi-Node Proxmox Cluster with Kubernetes
How I built a multi-node Proxmox cluster running Kubernetes with GPU passthrough, GitOps, and dozens of services — and what broke along the way.
proxmox, kubernetes, homelab, gitops, gpu-passthrough, longhorn, argocd