Homelab Cookbook

The Homelab Cookbook

My playbook for running real services out of my house — sites, a database, logs, CI/CD.

This isn't a "spin up Kubernetes in 5 minutes" post. It's the actual operational playbook: what to install, what order to do it in, what breaks, and how to put it back together at 11pm when you'd rather be asleep. Every recipe ends with a "When it breaks" section, because everything eventually does.

Who this is for

You've got a spare machine, a domain you're not really using, and the itch to stop paying for things you could host yourself. You're comfortable in a terminal — you need the specific decisions and gotchas the official docs leave out. The example domain throughout is otterpond.dev; swap in your own.

What we're building

A single-node Kubernetes cluster on a Mac Mini, reachable from the public internet without exposing your home IP, with private-only admin surfaces, automated TLS, off-site backups, and logs you can actually search.

Bill of materials
| Thing | Role | Notes |
|---|---|---|
| Mac Mini (Apple Silicon) | The cluster host | Any always-on machine works; these recipes assume macOS |
| UPS / battery backup | Rides out power blips | A brownout shouldn't take down your database |
| Firewall appliance | Router, dual-WAN failover, VLANs | These recipes use a Firewalla; concepts port to anything |
| Primary ISP (fiber) | Day-to-day connectivity | |
| Backup ISP (5G) | Failover when fiber drops | CGNAT is fine — the network-topology recipe explains why |
| Cloudflare account | DNS, Tunnels, R2 storage | Free tier covers all of this |
| Tailscale account | Private network for admin + CI | Free tier is generous |
| GitHub account | Source, Actions CI/CD, container registry | |
| 1Password account | Secret vault, synced into the cluster | Any vault with a CLI works |

Software, all via Homebrew: colima · k3d · kubectl · helm · k9s · cloudflared · tailscale · 1password-cli · awscli · postgresql · gh

The recipes

Ten recipes, in build order.

A working collection, not a finished set — it grows as the homelab does. They build on each other roughly in order, but each one stands alone.

1. Twelve-Factor on a Homelab Budget
   Which of the twelve factors hold, bend, or get ignored when you are the entire ops team for a single-node homelab.
   Tags: Twelve-Factor · Architecture · Philosophy

2. Provisioning the Cluster Host
   Turning a bare Mac Mini into a Kubernetes cluster host with Homebrew, Colima, and k3d — one that survives reboots and power blips.
   Tags: Kubernetes · Colima · k3d

3. TLS Certificates with Let's Encrypt
   Automatic, auto-renewing HTTPS with cert-manager and Cloudflare DNS-01, including real certificates for VPN-only internal sites.
   Tags: TLS · cert-manager · Let's Encrypt

4. Homelab Network Topology
   Dual-WAN failover, VLAN segmentation, and battery backup — and why an outbound Cloudflare Tunnel makes ISP failover invisible.
   Tags: Networking · VLANs · Dual-WAN

5. Public Ingress with Cloudflare Tunnels
   Serving public sites from home with no port forwarding and no exposed IP, plus how to add a new site to the tunnel.
   Tags: Cloudflare · Tunnels · Ingress

6. Private Access with Tailscale
   A private mesh network for SSH and admin UIs, with a Tailscale OAuth client set up the right way for ephemeral CI.
   Tags: Tailscale · VPN · WireGuard

7. CI/CD with GitHub Actions
   Push-to-deploy into a private cluster — runner options, ephemeral Tailscale, and a staging environment that runs on real data.
   Tags: CI/CD · GitHub Actions · Kubernetes

8. 1Password as a Secret Vault
   One source of truth for secrets, synced into Kubernetes on demand — and why you never put a secret on the command line.
   Tags: Secrets · 1Password · Kubernetes

9. PostgreSQL and Backups
   Running PostgreSQL for a homelab, with hourly off-site backups, tiered retention, and a restore you have actually tested.
   Tags: PostgreSQL · Backups · Cloudflare R2

10. Log Aggregation with OpenObserve
    Searchable logs from every pod with Fluent Bit and OpenObserve — 30-day retention, SQL queries, and the k3d volume gotcha.
    Tags: Logging · OpenObserve · Fluent Bit

A note on scope

This is a homelab, not a datacenter. Single node, single region, single person on call (you). The recipes lean on managed edges — Cloudflare for the front door, GitHub for CI, 1Password for secrets — because the alternative is running more infrastructure to support your infrastructure, and that road has no end. The twelve-factor recipe is the argument for where to draw that line.