feat(beefcake): set up k3s ingress for ad-hoc cluster apps #515

Open

lytedev wants to merge 3 commits from hearth-k8s into main

pull from: hearth-k8s

merge into: lytedev:main

lytedev:main

lytedev:push-rpwpxukqzqqn

lytedev:zulip

lytedev:push-qrvuuqmxtznv

lytedev:push-smxxyqowrpts

lytedev:push-wlyvykxxoyzl

lytedev:voxtype-per-host-model

lytedev:cleanup

lytedev:push-kanidm-opt-in

lytedev:push-voxtype-flake-fix

lytedev:push-uvqqknxvqlvy

lytedev:push-qrqsxkmlrevert

lytedev:align-daniel-uid

lytedev:fix-kanidm-uid-attr-map

lytedev:fix-hibernate

lytedev:nix-on-droid

lytedev:agent-runners

lytedev:self-hosted-dns

lytedev:fix-runner-tmpfs-revert

lytedev:github-mirror

lytedev:beefcake-email

lytedev:beefcake-immich

lytedev:firefox-nightly-devedition

lytedev:fix-bun-baseline

lytedev:fix-user-env-manifest-perms

lytedev:cleanup-home-manager

lytedev:stale-symlink-cleanup

lytedev:flab-stuff

lytedev:printer-sftp

lytedev:dragon-vr-monado

lytedev:clever-vr-game-clamshell-mode-detection

lytedev:wireguard-mesh

Conversation 0 Commits 3 Files changed 3 +55 -1

lytedev commented 2026-05-01 10:04:21 -05:00

Owner

Copy link

Enable bundled traefik on beefcake, add *.k.lyte.dev wildcard DNS record, and a Caddy wildcard virtualHost (DNS-01 via rfc2136 plugin, reuses beefcake-h TSIG key) reverse-proxying to traefik on 127.0.0.1:80. New ad-hoc cluster apps need zero repo changes after this. Existing host-Caddy apps (hearth, etc.) untouched -- their specific virtualHost blocks match before the wildcard.

Note: caddy.withPlugins uses lib.fakeHash; first build will fail and print the real hash to paste in.

Enable bundled traefik on beefcake, add *.k.lyte.dev wildcard DNS record, and a Caddy wildcard virtualHost (DNS-01 via rfc2136 plugin, reuses beefcake-h TSIG key) reverse-proxying to traefik on 127.0.0.1:80. New ad-hoc cluster apps need zero repo changes after this. Existing host-Caddy apps (hearth, etc.) untouched -- their specific virtualHost blocks match before the wildcard. Note: caddy.withPlugins uses lib.fakeHash; first build will fail and print the real hash to paste in.

lytedev added 1 commit 2026-05-01 10:04:21 -05:00

feat(beefcake): set up k3s ingress for ad-hoc cluster apps ... baaa4407c6

Enable k3s's bundled traefik, add a wildcard *.k.lyte.dev DNS record,
and a Caddy front-door wildcard virtualHost that DNS-01-issues a wildcard
cert (rfc2136 plugin, reuses the beefcake-h TSIG key) and reverse-proxies
everything to traefik on 127.0.0.1:80.

After this, deploying a new ad-hoc app to the cluster needs zero changes
in this repo: pick a hostname under *.k.lyte.dev, write k8s manifests
in the app's own repo, sideload the image, kubectl apply.

Existing host-Caddy apps (hearth, etc.) are untouched and continue to
work via their specific virtualHost blocks, which match before the
wildcard.

lytedev added 1 commit 2026-05-01 11:28:02 -05:00

fix(beefcake/caddy): pin rfc2136 plugin v1.0.0 with real hash ... be57efcd6b

v1.1.0 doesn't exist upstream; CI build was failing on the lib.fakeHash
placeholder. Pin to the latest released tag and substitute the real
sha256 surfaced by a local nix build.

lytedev force-pushed hearth-k8s from be57efcd6b to 26c27610cc 2026-05-01 11:43:07 -05:00 Compare

lytedev added 1 commit 2026-05-01 15:08:35 -05:00

refactor(beefcake/caddy): pull TSIG creds from lyte.dns-updater config ... 00d959cc34

Avoid hardcoding the pebble IP and TSIG key name in caddy.nix; read them
from the same options that configure dynamic DNS on this host so they
can't drift.

lytedev force-pushed hearth-k8s from 00d959cc34 to 3592bb29f7 2026-05-02 12:05:27 -05:00 Compare

All checks were successful

Hide all checks

/ check-format (push) Successful in 6s

Required

Details

/ build (push) Successful in 5m45s

Required

Details

This pull request can be merged automatically.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin hearth-k8s:hearth-k8s

git switch hearth-k8s

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something is wrong

  

enhancement

New feature

  

question

Awaiting information

  

scary

Potentially problematic change

  

upstream

Awaiting upstream changes

No labels

bug

enhancement

question

scary

upstream

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lytedev/nix!515

No description provided.