Implementation Selection

Purpose

Move from architectural roles to concrete implementation choices by evaluating how different options compose into functional platform stacks.

1) Role Implementation Matrix

The following matrix summarizes the primary implementation options for each architectural role. For detailed trade-offs and integration notes, refer to the individual role documents.

| Role | Implementation Options | Primary Best-Fit Stacks |
| --- | --- | --- |
| Edge & Boundary | Traefik, NGINX Ingress, Caddy | K3s, K8s, Nomad |
| Identity & Access | Authentik, Keycloak, Authelia | All Stacks |
| Connectivity & Naming | CoreDNS, ExternalDNS, Pi-hole, Consul | K8s, Nomad |
| Storage & Persistence | Longhorn, Rook-Ceph, ZFS, NFS | K3s, K8s, Nomad |
| Compute & Orchestration | K3s, K8s (Talos), Nomad | - |
| Operations | Prom/Grafana/Loki, GitOps, Velero, Restic | All Stacks |

2) Stack Assemblies

Instead of starting with pre-baked bundles, we derive platform “stacks” as compatible sets of implementations that naturally compose together.

The Pragmatic Homelab (K3s-based)

Focuses on ease of use and low overhead while maintaining Kubernetes compatibility.

  • Orchestrator: K3s
  • Ingress: Traefik (Forward-auth)
  • LB (L4): Klipper (bundled) or MetalLB
  • Identity: Authentik
  • Storage: Longhorn
  • Backups: Velero + Restic
  • Observability: Prometheus + Grafana + Loki

The Appliance Cluster (Talos/K8s-based)

Focuses on HA, security, and immutability.

  • Orchestrator: Kubernetes on Talos
  • Ingress: NGINX Ingress (OAuth2-proxy)
  • LB (L4): Kube-vip (Layer 2)
  • Identity: Authentik or Keycloak
  • Storage: Rook-Ceph
  • Backups: Velero (CSI Snapshots)
  • Observability: Prometheus + Grafana + Loki

The Flexible Scheduler (Nomad-based)

Focuses on simplicity and host-integrated storage.

  • Orchestrator: Nomad
  • Ingress: Traefik or Caddy
  • Discovery/LB: Consul + Fabio/Traefik
  • Identity: Authentik (Forward-auth)
  • Storage: ZFS (Host volumes + Replication)
  • Backups: Restic
  • Observability: Prometheus + Grafana + Loki

3) Selection Criteria & Validation

We evaluate these stacks against our Non-Functional Requirements and Policies.

Hard Gates

These are non-negotiable policy checks.

  • No Inbound NAT: Must support exposure via tunnels or a relay (see Exposure Policy).
  • Identity-First: All exposure points must enforce IdP-backed auth (see Identity Policy).
  • Cluster Reachability: Load balancing (L4/L7) must be addressed at Day 1; “floating” workloads require a stable entry point to be usable.
  • Durability: Must meet RPO 1h / RTO 4h for critical data (see Backup Policy).

Acceptance Tests

  1. Internal DNS: internal.service.risu.tech resolves internally and is unreachable from WAN.
  2. VPN access: VPN client resolves internal names and can access internal ingress.
  3. Public isolation: public ingress serves only public services, never internal.
  4. Identity flow: auth proxy + IdP flow works end-to-end for internal and public routes.
  5. Stateful proof: dummy stateful service gets storage, replica, backup job signal, and a restore test plan.
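As an added example that is not part of this document, the first, third and fourth acceptance tests above as a small Python harness: the network probes use only the standard library, the IdP hostname is an assumed placeholder, and the verdict functions are kept pure so they can be checked against constructed probe results before being pointed at a real ingress.

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

IDP_HOST = "idp.example.invalid"  # assumed placeholder for the IdP hostname

@dataclass
class Probe:
    status: int          # HTTP status; 0 means connection refused or timed out
    location: str = ""   # Location header when the response was a redirect

def resolve(name):
    """Resolve with this vantage point's resolver; [] if the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []

def http_probe(url, host_header=None, timeout=5):
    """Unauthenticated GET that does not follow redirects, so the IdP bounce is visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib surface 3xx as HTTPError instead of following it
    req = urllib.request.Request(url, headers={"Host": host_header} if host_header else {})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as resp:
            return Probe(resp.status, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:
        return Probe(err.code, err.headers.get("Location", ""))
    except (urllib.error.URLError, OSError):
        return Probe(0)

def internal_dns_ok(lan_answer, wan_answer):
    """Test 1: the name resolves from inside and yields nothing from the WAN."""
    return bool(lan_answer) and not wan_answer

def identity_enforced(probe, idp_host=IDP_HOST):
    """Test 4 / Identity-First gate: anonymous request is denied or bounced to the IdP."""
    if probe.status in (401, 403):
        return True
    if probe.status in (301, 302, 303, 307):
        return urlparse(probe.location).hostname == idp_host
    return False

def public_isolation_ok(probes):
    """Test 3: public ingress answers internal Host names with 404 or no connection."""
    return all(p.status in (0, 404) for p in probes.values())
```

Run resolve("internal.service.risu.tech") once from the LAN or VPN and once from a WAN host and feed both answers to internal_dns_ok; for test 3, point http_probe at the public ingress address with each internal hostname as host_header and pass the results to public_isolation_ok.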