Here is my Nomad cluster, spread around Oracle Cloud and my basement.

Actually, “basement” is not really the case as of today, since we are still converting it into fitness+movie room, so my remote-working office (in the attict) is the actual “basement” in this story, temporarily

Nodes I use:

• cloud4 is a big arm64 that Oracle gives for free

• cloud5 is a small free amd64 that Oracle gives for free

• ixion and pluto are RPi 4s

• oberon is a RPi 5

• io is a VM on my Proxmox (explained later).

What are the steps I made so far in the migration process?

Introduce an empty k8s cluster

This has been done. I got myself a Ryzen 7 mini PC last year, configured ProxMox on it and segmented its 64GB/16 vCPUs into:

1. one more Linux VM for Nomad since I was short on the resources already (that’s the io from the screenshot)

2. one “control” k3s node (using Proxmox support for LXC);

3. one “worker” k3s node where work will be scheduled (LXC).

Basic infra setup

Some steps I did so far, after configuring k3s nodes on my Proxmox using a tutorial I found, follow. In not really realistic order, but close to reality enough that it makes sense…

I installed the latest Helm as of today. It's pretty important part of the modern k8s experience and it just makes sense to have if from the start.

I installed then the cert-manager using Helm as well. Very cool, but took couple of hairs out until I made it work. It made me rethink the entire damn migration since so many sources talked about different aspects/approaches/ingresses. But, I persevered and it… just works now. Certificates are provided via Cloudflare which was there already, so I can easily access the server.

Then I installed an ArgoCD with nginx ingress since my understanding is that it basically became super-popular for GitOps. I think there's also Flux, but we're using ArgoCD on my work, so I thought “no, Milan, you will not again choose another non-mainstream approach just for the sake of a principal”.

In hindsight, I should’ve used Helm for setting up ArgoCD. I just used their default install scripts. I will migrate later, I guess

Gitea remains my personal self-hosted git VCS, also for this new use case for ArgoCD - so that's where Argo will find its CRDs. It's still deployed in my homelab, just using Ansible as one of those core things, that for some specific reason I couldn't configure in Nomad job (I forgot why, it’s like that for years in my homelab, which translates in centuries in normal people).

I then added the latest HashiCorp Vault as well using Helm. I am still not happy about this since I simplified helm values probably too much and at this time it still can’t provide secrets inllfor other pods, but that’s just because I needed to learn Vault for a project at work (I needed a service ip and running with exposed API on ingress, and that's it).

Interesting tidbit: I used Cursor for the first time in my life for Vault Helm setup 🎉.

I added tailscale operator so that I can access the cluster out of home as well. This is a cool thing since I can access it even from my Androind smartphone using e.g. kubenav app. This is where I was saying to myself actually

I added Grafana Alloy so that it can push all the logs into my existing Grafana Loki (self-hosted in my main Nomad cluster). I used Promtail already in my (deprecating) cluster for system stuff and Vector for nomad logs, but apparently Alloy is the new future-safe thing in Grafana stack so I went with it.

Finally, I thought what to do with my Grafana and my InfluxDB. I thought for a long time about these… the decision I made is: migrate Grafana just as any other app into k8s gradually, but don’t go with InfluxDB. I have already Prometheus so I will go with that for my k8s metrics monitoring. I just exposed it on the internal ingress and registered it in the existing Grafana as a data source.

Setup PoC with a small service

I wasn't sure what to migrate. Simple thing? At some point, nothing is simple, even stateless services appear in my ingress Caddyfile via Consul Templates and get registered into Cloudflare DNS for Tailscale IPs and local dnsmasque for LAN IP overrides.

I decided to go with n8n service since it is just complex enough to holistically check many things:

• logs must appear in my Grafana Loki;

• certificate needs to be issued;

• external DNS and Caddy should forward webhooks into n8n;

• internal DNS should expose the Web UI;

• deployment should work automatically using ArgoCD;

• bugs like this one should be fixed by renaming the service from n8n;

• NFS on my ancient Synology should be used for the persistent volume;

I still have a small but important optimization: instead of using NFS as a backup destination (to which I push the locally mounted files once per day), I should “just trust the cluster” and let it use NFS always.

Future plan

The master plan is to drain the ixion node of all Nomad jobs and introduce it into the cluster as a new k3s node. Basically, let it disappear from Consul and from Nomad node listings.

To do that, I will have to migrate complex work into another node (there’s still space for that extra work, luckily) and migrate simple work into k8s just as I did with n8n service. Finally, I will then be able to introduce ixion as a new worker k3s node into the Kubernetes cluster.

Then, one by one, all the rest. I think this will be done gradually during 2025 when I find time, but the idea is to go into 2026 without consul/nomad. That’s the plan at least…

TL;DR
The article discusses connectivity issues between Docker Compose and services exposed via Tailscale after the OS package updates. After troubleshooting, the issue was identified as Docker Compose not running container in bridged mode. The solution involved modifying the docker-compose.yml file and using the docker compose command.

I had a very old Caddy service setup using docker-compose that was "just working" for years, and after the weekly GH Actions Ansible-driven update of all apps (including docker / docker-compose / tailscale) I've noticed all sorts of alerts popping up since Caddy couldn't access services exposed via Tailscale on other nodes.

Apparently couple of things changed:

1. Tailscale was updated

2. Docker was updated

3. Docker Compose was updated

Now, the first reaction was to restart docker on all nodes, but that helped fix other services (probably some kind of breaking change), but no amount of restarting didn't help to recover the Caddy.

It was a very simple docker compose setup, just this:

version: '3'

services:
  caddy:
    image: milanaleksic/caddy-cloudflare:2.7.6
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data/caddy-config:/config
      - ./data/caddy-data:/data
      - ./config:/etc/caddy

And Caddy was reporting bunch of (for each attempt to access URLs which were proxied into somewhere internally within the Tailscale network):

... dial tcp 100.85.131.92:22487: i/o timeout ...

What made this issue extremely interesting is that I had to try various things until I have figured out what is going on:

From this node a normal curl 100.85.131.92:22487 just worked.

When I start a simple docker container it also just worked.

Even when I manually start the docker image from above: milanaleksic/caddy-cloudflare:2.7.6 also curl just worked!

I thought I was going crazy but then I had to get the big guns and run diff analysis of the outputs of docker inspect container1 and docker inspect container2 commands (where the 2 containers were the one that I started manually vs the one compose started). And the problem exposed it self: the docker-compose didn't run network in bridged mode. That was the difference between manually started container and the one started by docker-compose.

Solution

What I ended up doing was changing the docker-compose.yml to:

- version: '3'
- 
services:
  caddy:
    image: milanaleksic/caddy-cloudflare:2.7.6
+     networks:
+       - caddy
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./data/caddy-config:/config
      - ./data/caddy-data:/data
      - ./config:/etc/caddy
+ 
+ networks:
+   caddy:
+     driver: bridge

To make this new docker-compose.yml file work I had to actually stop using docker-compose to run it since it was deprecated for a while now and just ran the docker compose command (the former was still written in Python, and the feature was migrated into Go CLI docker command).

💣, it just works now!

Well, it took me forever to figure it out, but apparently during the winter months I have problems with my nose not because I became super-sensitive as I age, but simply because humidity at my home office is not as good as it is was in the "real" office.

I, therefore, bought a simple smart diffuser by a company "Gologi" which looks cool I guess and fits well into my office. So, basically, how do I turn it on/off? No fancy scheduling required, mind you, just a small on/off switch on my stream deck (I don't want to use their smartphone app).

TL;DR

You need to:

1. rewire this IoT device into Tuya cloud via Tuya smart app to get the remote access capability

2. connect Home Assistant with Tuya smart app (not via the Tuya cloud API, that's enterprise-level pricing)

3. add Home Assistant control buttons to Stream Deck

4. profit!

Step by step

Tuya smart app

Gologi has a smart app already that can control the humidifer, but if you use that one you can't actually do anything in regards to the cloud-driven control.

You need to install another smartphone app: Tuya Smart App. Then, you need to go through the "add the device" flow to be able to get control over it from the Tuya app.

Interestingly, even after I have uninstalled the Gologi app I got the same interface on my smartphone to handle the Gologi humidifier from within Tuya 💣 . This brings me to the conclusion that Gologi is just one of the brands that built their IoT integration on the Tuya cloud and that's why it was so easy to add it into the Tuya app.

Now, do you see the "Stop diffuser" and "Start diffuser" buttons on the top? Those are there since I have added Tuya "Scenes" that trigger On/Off buttons of the diffuser. These will become important momentarily, since they will allow the actions from the Home Assistant even though HA doesn't support this type of Tuya devices, so you better add them:

1. Open Tuya App

2. Go to "Scene"

3. Add a "Tap-to-run" action

4. Choose "Control Single Device" -> Smart diffuser -> "Switch" -> "ON"

5. Do the same thing for "OFF" switch

Home Assistant integration

You don't necessarily have to use HA, but it's the thing I have found is so ubiquitous these days that you might be probably missing a lot if you don't have it in your home network and still want to play around with IoT devices. YMMV if you are using some other hub.

Within Home Assistant you just need to add Tuya integration. That's it.

Important: If your HA is older than 2024.0 please upgrade, since earlier versions demanded more complex setup using Tuya Cloud and developer accounts; newer version integrates on a higher level without any need to go into the cloud - it just uses the Tuya Smart app QR code scanner to integrate, easy-peasy!Scene

Scene after adding the Tuya integration shows "2 entities" which are the 2 scenes we've added in the Tuya smart app!

Stream Deck setup

Stream Deck is amazing since, even though it was meant for the streamers (obviously) it's an extremely hack-friendly device and can execute anything you can think of. In this case I want to have a panel setup like shown on the screenshot below, one for ON and one for OFF button.

Some important parts:

1. you need to install official HA plugin for the stream deck

2. you need to provide a "long-lived access token" from HA and expose (if you haven't already) the home assistant websocket URL

3. both Keypad Appearance and the Keypad Action need to be selected and configured, otherwise button will do nothing

Note: in my case the HA is behind Tailscale, but since Stream Deck talks to the server software within your connected computer, and then that software talks to the HA, you do not need to expose HA to Stream Deck via a public API, you can just use internal IP

And the "Short press" Keypad action is configured like this:

Conclusion

This was kind of a multi-day exercise to figure out what works and what doesn't work. There are, like with any integration, many moving pieces, expecting no breaking API changes on Tuya Cloud (cloud service... I hope it remains stable), smartphone app, HA plugin, HA itself... but that's just normal day in IT I guess.

It's amazing how little thing like Stream Deck button helps removing context-switching tasks out of your daily life. I'm very happy with my Stream Deck and are continuously thinking "what else can I use it for" and definitely would recommend it for your homelab / office setup since it is very extensible tool that is super useful.

What I have noticed, though (actually, for a while already, just didn't bother to investigate) is the following mystery:

1. One node receives a lot of work to do (think: request for multi-platform Docker build via Gitea Actions)

2. Docker containers got restarted on that node amass

3. Nomad restarts all the jobs and everything "just works" again

Now, because of point 3) I never really had an incentive to find and fix the problem since Nomad just stabilizes the system rather quickly (1 min for example). This problem was occurring and reoccurring for months, but I didn't care much (pets vs cattle and all that).

What eventually turned me around is the fact that this problem occurred during my introduction of a new CI/CD platform (I am replacing Drone CI with Gitea Actions), and debugging long builds that also fail because Docker containers running those builds die is not the most optimal use case of my free time.

Now, my assumption was that the node would just work with the basic Linux (Debian) setup without any system tinkering (Ansible sets up the ssh server, my user account with a bunch of dotfiles, etc, but that's all just normal customization everyone does). That was a standard, but a lousy assumption.

Down the rabbit hole, we go...

Is it OOM?

I've noticed in my dmesg output [1] that some Docker processes were taken down by the OOM manager and immediately added swap to the system.

It's not that hard to add a swap file to a Debian system, for example, Digital Ocean has nice and very readable articles that handle basic administration tasks for standard Linux packages, so they have an article for the swap as well.

Now, it is said that in the cloud age one shouldn't really depend on swap and the machine workload should just be stable enough to work out of RAM (because of various reasons), but we are talking about a small 16GB laptop [2] so it makes sense for me to still resort to the swap for those peak moments.

This helped a bit and I had the docker work much more stable. Containers still disappeared, though, so it definitely wasn't the root cause, it was just a reason for the failures to happen (even) more often.

Is it the Docker service?

Now, the next suspect was Docker Daemon itself.

I've noticed this strange message appearing over and over again in the logs:

Your kernel does not support memory swappiness capabilities or the cgroup is not mounted. Memory swappiness discarded

But this is a standard Debian Linux, why wouldn't that cgroup be enabled/mounted? Weird. But, diving into the Net we find indeed that Docker says this is a normal thing, they even have part of the docs only for this specific message.

Needless to say, their attempt didn't work unfortunately for the current stable Debian (11). I had to research further and found this great thread for microk8s that exposed a change in Debian and later in the thread the way how to work around it until cgroups v2 are supported finally my hero who had the same exact problem and the solution presented itself to finally get read of the message in the logs:

# set in /etc/default/grub
GRUB_CMDLINE_LINUX="cgroup_enable=memory cgroup_memory=1 systemd.unified_cgroup_hierarchy=0"

Then just do an update-grub and restart the laptop [3]. Of course, this removed the predominant error message, but (you guessed probably), the containers continue to die under large pressure.

Is it Nomad?

But then, I figured out something (at that time, completely obvious): the containers that were restarted were all Nomad jobs. So, no other container running in that Docker container was ever restarted. 🤦

I refocused now on the Nomad setup: what could have gone wrong there?

Nomad has very complex machinery behind the job scheduling simplicity and they have great documentation.

What I have missed so far is the fact that although no containers failed, there were effectively killed by the scheduler. If the Nomad agent on that node doesn't communicate with the server using a heartbeat mechanism.

Another research and another great Github issue thread and here we go: Nomad team lead simply says that there is a way to go around this problem:

Just curious is there any way to increase heartbeat manually?

There are a few heartbeat related settings on the server: https://www.nomadproject.io/docs/agent/configuration/server.html#heartbeat_grace

So, the solution on my network setup is that I had to increase the heartbeat to something longer than the default (default value of 10s for the heartbeat_grace in the server block of the server Nomad configuration was replaced with extremely large 120s, but I'm all down with tiny hammers at this point).

Increasing the grace setting is probably the most straightforward way to give clients more time to recover in the cases when CPU is under a very heavy load. In this case, I also assume that the heartbeat going over Tailscale VPN and the server being a rather old and weak Intel chip also doesn't help.

Many Gitea Actions later with very heavy CPU & memory workloads, and Nomad still didn't decide to shut any node down.

So, so far, so good: no more restarts noticed. Let's hope it stays stable! I definitely don't want to see this problem again & hope will not see it occurring ever again.

1. Or was it journalctl -xn? Not sure - this was a long time ago at this point. But, definitely, there were oom strings in the logs and I had that problem

2. I know, I should replace it with an Intel NUC. I am just waiting for the damn thing to fail... it's working well enough for 6 years already and I don't like replacing stuff that just works

3. Or, in my case, use my Telegram bot that runs laptop-booter to go through Intel AMT for a power cycle and then Dropbear SSH port to run cryptroot-unlock for my full-disk-encryption setup (but you know, that's just me)

Let's say, for the sake of this short note, that you have:

• Cloudflare DNS which you use to expose your service to the world (or to your internal tailscale/VPN/home network)
• Caddy is your reverse proxy of choice
• Nomad is your deployment system of choice

Well, now, here is how I synchronize DNS records on Cloudflare based on the service discovery in Nomad / Consul using some shortcuts and a very small Python script...

Result of this process is that if I have a service with name "chronograf" my DNS record chronograf.mycooldomain.com gets updated.

How

First, the nomad job definition:

job "internal-proxy" {
  datacenters = ["DC1"]
  type        = "service"

  constraint {
    attribute = "${attr.unique.hostname}"
    value     = "pluto"
  }

  group "main" {
    ephemeral_disk {
      migrate = true
      size    = 150
      sticky  = true
    }

    task "caddy" {
        # define the Caddy task. not relevant for this short note, 
        #perhaps a nice topic for another one
    }

    task "syncer" {
      driver = "docker"

      config {
        image   = "python:3.10.4-slim-bullseye"
        volumes = [
          "local/:/etc/dns-sync"
        ]
        command = "python3"
        args    = ["/etc/dns-sync/syncer.py"]
      }

      env {
        ZONE_ID_FILE      = "/etc/dns-sync/cf_zone_id"
        CF_API_TOKEN_FILE = "/etc/dns-sync/cf_api_key"
        DNS_MAPPING_FILE  = "/etc/dns-sync/records.txt"
      }

      template {
        data        = <<EOF
[[ fileContents "syncer.py" ]]
EOF
        destination = "local/syncer.py"
      }

      template {
        data          = "{{ key \"cloudFlare/zoneId\" }}"
        destination   = "local/cf_zone_id"
        change_mode   = "signal"
        change_signal = "SIGUSR1"
      }

      template {
        data          = "{{ key \"cloudFlare/cfApi\" }}"
        destination   = "local/cf_api_key"
        change_mode   = "signal"
        change_signal = "SIGUSR1"
      }

      template {
        data          = <<EOF
{{range $tag, $services := services | byTag}}{{ if eq $tag "expose-internal" }}{{range $services}}{{ .Name }}.{{ key "cloudFlare/domain" }}|{{ with node "pluto" }}{{ .Node.Address }}{{ end }}
{{end}}{{end}}{{end}}
EOF
        destination   = "local/records.txt"
        change_mode   = "signal"
        change_signal = "SIGUSR1"
      }

      resources {
        cpu    = 100
        memory = 100
      }
    }
  }
}

Some assumptions I took in the job above:

• I am using Consul as key/value store and utilizing it to get the services I am interested in and I am using Consul Templating to get this going
• I only want to expose services that are tagged with expose-internal
• operationally, I "know" that this will be deployed only on a node with name pluto,
• my personal Cloudflare API token and the zone ID which I plan on syncing are stored in Consul K/V storage
• also, my domain under which I am exposing services is also in Consul K/V storage
• I construct files which are updated automatically by Consul when/if K/V settings change OR if a new service mapping becomes available

Now, the script that does the syncing Nomad -> Cloudflare using pure Python 3.

import argparse
import json
import logging
import os
import signal
import sys
import urllib.parse
import urllib.request
from typing import Dict, List, Optional


def read_secret_multi(secret_name_file: str) -> List[str]:
    with open(read_env_or_fail(secret_name_file), 'r') as env_file_file:
        return [x.strip() for x in env_file_file.readlines()]


def read_secret(secret_name_file: str) -> str:
    with open(read_env_or_fail(secret_name_file), 'r') as env_file_file:
        return env_file_file.readline()


def read_env_or_fail(secret_name_file):
    env_file = os.getenv(secret_name_file, None)
    if env_file is None:
        logging.error(f"Environment variable {secret_name_file} was not present, giving up")
        sys.exit(1)
    return env_file


class Syncer:
    def __init__(self, zone_id: str, cf_api_token: str, dns_records: List[str]):
        self.zone_id = zone_id
        self.cf_api_token = cf_api_token
        self.mappings = {x.split('|')[0]: x.split('|')[1] for x in dns_records if x}

    def cf_api(self, path: str, method: Optional[str] = 'GET', data: Optional[Dict] = None):
        req = urllib.request.Request(
            url=f'https://api.cloudflare.com/client/v4/{path}',
            headers={
                "Authorization": f"Bearer {self.cf_api_token}",
                "Content-Type": "application/json",
            },
            data=json.dumps(data).encode('utf-8') if data else None,
            method=method,
        )
        with urllib.request.urlopen(req) as f:
            return json.loads(f.read().decode('utf-8'))

    def sync(self):
        logging.info("Syncing records...")
        records = self.cf_api(f'zones/{self.zone_id}/dns_records')['result']
        cf_records = {rec['name']: rec for rec in records}
        for our_mapping, target in self.mappings.items():
            cf_mapping: Dict = cf_records.get(our_mapping, None)
            if cf_mapping:
                if cf_mapping['content'] == target and cf_mapping['type'] == 'A':
                    logging.info(f"Identical mapping on CF for: {our_mapping}, ignoring")
                else:
                    logging.info(f"Updating existing mapping on CF for: {our_mapping} -> {target}")
                    self.cf_api(path=f"zones/{self.zone_id}/dns_records/{cf_mapping['id']}", method='PATCH',
                                data=self.make_cf_record_dto(our_mapping, target))
            else:
                logging.info(f"Adding new mapping on CF for: {our_mapping} -> {target}")
                self.cf_api(path=f'zones/{self.zone_id}/dns_records', method='POST',
                            data=self.make_cf_record_dto(our_mapping, target))

    @staticmethod
    def make_cf_record_dto(our_mapping, target):
        return {
            "type": "A",
            "name": our_mapping,
            "content": target,
            "proxied": False
        }


def run():
    Syncer(
        zone_id=read_secret("ZONE_ID_FILE"),
        cf_api_token=read_secret("CF_API_TOKEN_FILE"),
        dns_records=read_secret_multi("DNS_MAPPING_FILE"),
    ).sync()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(prog='syncer.py', description="Automation script for Cloudflare record syncing")
    parser.add_argument('--debug', default=False, required=False, action='store_true', dest="debug",
                        help='debug flag')
    args = parser.parse_args()
    if args.debug:
        logging.getLogger().setLevel(logging.DEBUG)
    else:
        logging.getLogger().setLevel(logging.INFO)

    # initial run
    run()
    # subsequent run
    signal.signal(signal.SIGUSR1, lambda sig, frame: run())
    # exit gracefully
    signal.signal(signal.SIGINT, lambda sig, frame: sys.exit(0))
    signal.signal(signal.SIGTERM, lambda sig, frame: sys.exit(0))
    while True:
        logging.info('Waiting for signals...')
        signal.pause()

Nomad

Nomad is a well-known workload orchestrator. I have decided to automate my homelab cluster using it. I will through this blog post try to walk you through some discoveries I made on the way during the previous couple of months.

Features that drove me to Nomad:

• Conciseness,
• Evolvable setup (constraints, static ports are there for simple setups for example),
• I already had knowledge of kubernetes and wanted to try something else
• I had experience with Terraform and Consul so I was sure Nomad is probably a good choice to at least try it out.

I wanted to share with you how I configured couple of different services, just so you can get a feeling of the freedom that Nomad gives.

For experienced DevOps people some of the choices will be painful because of the shortcuts taken - but that is exactly the point: what I will try to prove is that Nomad is a perfect match for an ad-hoc homelab and that it allows you to evolve it into the more and more serious setup as your knowledge of the principals of workload orchestration in Nomad grows.

I chose a path of explaining the principles by showing some code examples from my own homelab and following the path of the most trivial examples towards the more complicated ones, expanding the coverage of possibilities as we go. So, I tried to make a story out of it instead of just showing you the end result :) But, if you want to visualize the end result - here it is, as of 16/03/2022 the topology of the deployed homelab:

.

So, without any further ado let's start...

Example: a cron bash script

It can't be any simpler than this: you have some bash script that you want to be executed from time to time. In my case, I have some background processes I need to kill (workaround, until I fix the go app that creates those zombie processes, ... somewhere in this decade I guess).

Nomad has a concept of a sysbatch that is basically a glorified cron executor. In combination with a raw_exec driver which is meant to run the lowest possible native OS code (no chroot, fast startup, surely some kind of protection but still the least recommended approach from all the drivers).

When moving things from conf management tools (like Chef/Ansible) into Nomad that's probably a very nice thing to have. Later on, you'd probably want to lower the number of jobs defined in this way and go more into a fully managed approach (which we will shortly touch), though. Still, the freedom of just defining it like this and then, later on, evolving it into the proper approach is the reason why I chose Nomad over k8s.

job "batler_cleanup_periodic" {
  datacenters = ["KOEK1"]
  type        = "sysbatch"

  periodic {
    cron             = "25 21 * * * *"
    prohibit_overlap = true
    time_zone        = "UTC"
  }

  constraint {
    attribute = "${attr.unique.hostname}"
    value     = "pluto"
  }

  group "main" {
    task "script" {
      driver = "raw_exec"

      config {
        command  = "/usr/bin/bash"
        args     = ["-c", "pkill -u batler_remoteexec || true"]
      }

      resources {
        cpu    = 500
        memory = 128
      }
    }
  }
}

You might have also noticed the "constraint" stanza, where I fix the location of the script into the place I have it currently defined in Chef. This way I was able to evolve node by node from the old solution into the new one. Therefore the migration process was:

1. move all the stuff that can't be put into Nomad into Ansible (including the Nomad itself);
2. for all other things that can be moved to Nomad, move them into the simplest possible abstraction in Nomad (lowest possible hanging fruit being raw_exec task type);
3. remove chef-client, Ruby, git repo for chef-zero execution etc etc;
4. move to another node, repeat 1-3;
5. look how to improve migrated jobs into "better" / more professional implementations, learning as you go.

Example: excalidraw

Excalidraw is a very nice drawing tool I like using from time to time. It's open source and even has a free online version of it. I thought it was awesome and just decided on deploying it myself in the homelab! It's just a simple completely stateless service with a docker container, it can't be easier than that.

Here it is:

job "excalidraw" {

  # ... superfluous things, already presented previously, commented out

  group "main" {
    network {
      port "http" {
        static       = 2734
        to           = 80
        host_network = "tailscale"
      }
    }

    task "excalidraw" {
      driver = "docker"

      config {
        # SHA of what was latest on 04/11/2022
        image   = "excalidraw/excalidraw:sha-4bfc5bb"
        ports = [
          "http"
        ]
      }

      service {
        name = "excalidraw"
        port = "http"

        check {
          type     = "tcp"
          port     = "http"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }
  }
}

What you can see here is the following step: how to deploy an online service in Nomad. Since it was deployed as a docker-compose service managed by systemD previously, it was only natural to use the docker driver and put it on the same machine.

You will notice that the stanza network hardcodes the port occupied by the service on the tailscale network, defined inside the Nomad configuration on that node as:

client {
  host_network "tailscale" {
    cidr = "100.65.51.119/32"
    reserved_ports = "22"
  }
  // other non-relevant configuration options
}

This makes sure that the port will be exposed only on the Tailscale network. Obviously, the Tailscale agent is installed and fully operational at this point, but I used Ansible to set up that part before I even tried running any Nomad job on the machine.

The service is registered on Consul via the service stanza and is nicely exposed in the consul listing

Consul and Nomad work together to make sure that the service is always online via Consul checks and if anything goes bad (like OOM in docker because of over-provisioning which may or may have not happened) the services will just be restarted as nothing happened. This example just does a raw TCP connection test, but you should try to go an extra mile to add a full HTTP verification path that the application exposes (if possible, only locally) and which, behind the curtains, makes sure the application is running in a stable fashion.

Example: Resilio

Next example represents my Resilio File Sync job installation. Now, this one has its share of new concepts I had to understand and apply:

job "resilio" {

  # ... superfluous things, already presented previously, commented out

  group "main" {
    ephemeral_disk {
      migrate = true
      size    = 150
      sticky  = true
    }

    volume "btsync" {
      type      = "host"
      read_only = false
      source    = "btsync"
    }

    task "download" {
      driver = "raw_exec"

      lifecycle {
        hook = "prestart"
        sidecar = false
      }

      artifact {
        source = "https://download-cdn.resilio.com/[[ consulKey "resilio/version" ]]/Debian/resilio-sync_[[ consulKey "resilio/version" ]]-1_arm64.deb"
      }

      config {
        command  = "/usr/bin/bash"
        args     = ["-c", "7z x -y local/resilio-sync_[[ consulKey "resilio/version" ]]-1_arm64.deb && tar xvf data.tar ./usr/bin/rslsync && rm data.tar && mv usr/bin/rslsync ../alloc/data/"]
      }
    }

    task "main" {
      driver = "raw_exec"

      config {
        command  = "../alloc/data/rslsync"
        args     = ["--nodaemon", "--config", "local/config.json"]
      }

      template {
        data = <<EOF
[[ fileContents "config.json.tpl" ]]
        EOF
        destination = "local/config.json"
      }
    }
  }
}

Job uses ephemeral_disk stanza to try (best-effort, so don't count on it 100% of the time) to maintain filesystem state across job re-deployments. I have learned indeed not to depend on it, but to use my NFS share from my NAS for anything

Little digression, albeit an important one, now: I hope you have a NAS? I mean, what kind of homelab cluster do you think you have if you haven't bought (or, in case you are an adventurous type, self-built a RaspberryPi-based system, soldered to your wall, or whatever else rocks your boat) a network-attached storage device, aka NAS? I bought my ancient Synology DS413j many years ago and am just from time to time extending/buying new disks. Of course, it's ancient, which means I have a chroot Debian Wheezy (that's version 7) folks, 2016 got the last update), but it does its job still well enough that it doesn't deserve any kind of upgrade. Probably my best buy ever because it enables so many uses cases of the homelab...

Further, you can see how I leverage here volume stanza to mount a host directory (backed by Ansible-driven NFS share) defined like this inside the Nomad config file:

client {
  host_volume "btsync" {
    path      = "/mnt/btsync"
    read_only = false
  }
}

This basically allows the Nomad job to access files stored remotely on a shared NAS drive.

Off-topic, but perhaps relevant to complete the picture, if you'd like to know how this mount is set up in my Ansible part of the setup, it's basically a dumb-down variant of an open-source ansible role from the OpenStack project.

Now, since this job doesn't use Docker (yet), I chose to utilize an init container sidecar pattern in the form of "Nomad prestart task" that just fetches a binary for this system architecture from the official web site and store it in alloc/data (backed by ephemeral disk). Then, the real service starts the service and keeps it online.

Astute reader might ask why I am not doing a check if the identical file wasn't already downloaded, but I think I will just move to Docker later anyway.

Finally, you might have noticed weird constructs in the job file: [[ consulKey ... ]]. What are those now? Well, I am using levant tool which is a layer around the nomad CLI. I have found this tool very useful since it, at least:

• allows for CI/CD setup (you externalize parts you want to be pushed from CI/CD, like image version for a docker image),
• allows templating parts of job definition that would otherwise have to be hardcoded or embedded, (like file contents - in case of files that span hundreds of lines you really want them out of the job file).

Config file for Resilio sync

Just to complete the picture here, here is the attached config.json.tpl file to see how I have configured one of my Resilio sync target directories:

{
    "device_name": "{{ env "attr.unique.hostname" }}",
    "use_gui": false,
    "log_size": 30,
    "listening_port": {{ env "NOMAD_PORT_http" }},
    "shared_folders": [
      {
        "dir": "{{ key "resilio/syncs/haumea/dir" }}",
        "overwrite_changes": false,
        "search_lan": true,
        "secret": "{{ key "resilio/syncs/haumea/secret" }}",
        "use_dht": false,
        "use_relay_server": true,
        "use_sync_trash": true,
        "use_tracker": true
      }
    ],
    "storage_path": "../alloc/data"
}

I could've chosen the path of just embedding the template in the Nomad job, but my preference is to always lower the noise in the Nomad job if I can help it, and, therefore, levant provides a nice fileContents template function.

In that file there will be no special surprises, but you can see how you I combined both:

• environmental settings (dynamically changed by Nomad when (re)deploying) using env template variables; and
• consul-driven keys, like the location and secret needed for the Resilio to handshake through its system with all the other clients about the state of my files - my phone, laptop etc.

By the way, using Consul keys lets me easily issue a redeployment of this Nomad job just by changing the key in consul KV store. Although, in this case, it makes no sense since both directory and secrets are there for the reasons of "externalization from the template", not because of security purposes.

Example: ThoughtTrain

So far, the nomad job files were based on well-known off-the-shelf software packages. ThoughTrain is my own OSS Go app hosted on Github which is totally unknown to broader audience but in short it's my own variant of "Read it Later".

Deployment is done using levant from within the code repository of that project. This is, thus, different from the previously mentioned jobs since they are part of the homelab repo. But, if you are maintaining the source code of a project it simply makes sense to keep the infra part inside that same repository.

This time I will not share code of a nomad job since it's open source & inside that project, I just wanted to share the mechanics of deployment, built on previous concepts.

The CI platform is Github Actions workflow, build is driven by make so it might not be the easiest to follow, but effectively it all boils down to a simple concept: when I push a tag to GH this command is executed.

export VERSION=<TAG> && ./levant deploy \
    -log-level=WARN \
    -consul-address=<consul location> 
    .github/workflows/thoughttrain.nomad

I use the log level WARN so the secrets read from Consul are not put in the output.

I put the "consul location" as a secret into my Consul server.

Of course, this can only work if GH Actions connects temporarily to my homelab network as a temporary node using ephemeral tailscale nodes in combination with the Tailscale GH Actions action.

Example: internal-proxy

Finally, the crown jewel for a homelab is a single centralized place where all your services get exposed using domain names. I have chosen Caddy since it's so easy to setup and has very rich ecosystem of support of various flows:

• I prefer using Let's Encrypt (even for the internal homelab services) and Caddy just supports it out of the box!
• Cloudflare is also supported, albeit with a need to build custom ARM docker image (details shortly)
• all my markdown notes are just exposed as a readable web site.

I am actually so happy with what Caddy does for me after 7-8 years of using nginx that I even plan on writing a mini-blog post in the future to go through my favorite features of Caddy

Here is my Caddyfile template I use in the inverse-proxy nomad job, shortened a bit to remove redundancy and non-critical parts:

*.milanaleksic.net {
  encode gzip
  tls milanaleksic@gmail.com {
    dns cloudflare {{ key "cloudFlare/cfApiMilanaleksicNet" }}
  }

  @chronograf host chronograf.milanaleksic.net
  reverse_proxy @chronograf {{range service "chronograf"}} {{.Address}}:{{.Port}} {{end}}
}

Why do I need Cloudflare integration? Well, Let's Encrypt uses DNS verification process to verify I am a domain owner, therefore there is a need for a short handshake between Let's Encrypt servers and my own DNS records, and Caddy does it all by itself. Just this fact removed a need for a cron job, python script and more complex setup to handle certificate renewal process in nginx I had to do while in Chef.

Additionally, please observe how I refer to the location of Chronograf service: I do not reserve the port statically in chronograf.nomad:

job "chronograf" {
  // ...
  group "main" {
      port "http" {
        to           = 8888
        host_network = "tailscale"
      }
    // ...
    task "chronograf" {
      // ...
      service {
        name = "chronograf"
        port = "http"

        check {
          type     = "tcp"
          port     = "http"
          interval = "10s"
          timeout  = "2s"
        }
      }
    }
  }
}

and I just let Consul and Nomad negotiate which port should be taken. Each time chronograf gets (re)deployed this port is chosen a new and reverse-proxy gets restarted. Easy-peasy, nothing for me to do there, just like in k8s.

Here is the job specification for inverse-proxy:

job "internal-proxy" {

    task "caddy" {
      driver = "docker"

      config {
        image   = "milanaleksic/caddy-cloudflare:2.4.6"
        volumes = [
          "../alloc/data/caddy-config:/config",
          "../alloc/data/caddy-data:/data",
          "local/Caddyfile:/etc/caddy/Caddyfile"
        ]
        ports   = ["http", "https"]
      }

      env {
        ACME_AGREE = "true"
      }

      template {
        data = <<EOF
[[ fileContents "Caddyfile.tpl" ]]
        EOF
        destination = "local/Caddyfile"
      }

      service {
        name = "internal-proxy-http"
        port = "http"

        check {
          type         = "tcp"
          port         = "80"
          interval     = "10s"
          timeout      = "2s"
          address_mode = "driver"
        }
      }

      service {
        name = "internal-proxy-https"
        port = "https"

        check {
          type         = "tcp"
          port         = "443"
          interval     = "10s"
          timeout      = "2s"
          address_mode = "driver"
        }
      }
    }
  }
}

Now, this job spec is interesting because of couple of reasons.

Building ARM Docker images

This is a custom (public) Docker image built for aarch64 architecture on my Mac Book Pro.

by the way, you get to use aarch64 architecture not only on modern cloud ARM servers, but also if you install 64bit ARM OS on a Raspberry Pi 4, for example.

To build and push this I have utilized the Docker Desktop for Mac "buildx" feature. My build script for this image is basically this:

#!/usr/bin/env bash

# latest on 10/02/2022
export CADDY_VERSION=2.4.6
# This depends on Docker for Desktop (Mac), because that one supports multi-arch output
# Create that builder with "docker buildx create --name multiarch"
# Alternative: use DOCKER_HOST to point to a remote arm / x64 node
docker buildx use multiarch
docker buildx build \
  --platform linux/amd64,linux/arm64 \
  --build-arg CADDY_VERSION=${CADDY_VERSION} \
  -t milanaleksic/caddy-cloudflare:${CADDY_VERSION} \
  --push .

and my Dockerfile is:

ARG CADDY_VERSION=0.0.0

FROM caddy:builder AS builder

RUN caddy-builder \
    github.com/caddy-dns/cloudflare

FROM caddy:${CADDY_VERSION}

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

I was previously very spectical about using Docker containers on a Raspberry Pi. But, these new 4s don't mind. Things just work, even backed by cheap SD card. Very nice. I plan on changing all my binary and script jobs with ARM / x64 Docker images in the future.

But, as I have said many times above - the nice thing with Nomad is that it allows you to start with low-hanging fruits and build slowely more professional setup.

Conclusion

We have reached the ending of what I thought was reasonable enough to follow. I have actually cut quite a few points on the road, but hopefully this blog post was enough to get you interested. I got brand new interest in my homelab after doing this migration. I don't dred any more logging in into the nodes just to discover my Chef scripts got again broken after OS upgrade.

All in all, I think this migration was a very good exercise in complexity with a lot of things I have learned on the way. Would definitely recommend for devops enthusiasts as an alternative to fully-managed k8s cluster.

Actually, even fully acknowledging the likes of k3s allowing a single binary/SQlite setup, I still prefer Nomad path just because of simplicity and clarity of the job specification format instead of YAMLs. But that's just a personal preference, there is nothing stopping you in doing this entire exercise using SaltStack+k8s if you prefer it. But, just don't forget about there being perhaps a simpler approach that has all the benefits.

Bad sides of Nomad

There are plenty. Nothing comes without bad sides, there is no perfection.

I, for once, really disliked the fact that I can't expose job's task port statically on IP 0.0.0.0 (this exposes the port on all IPs). It's impossible, try it (if you find a way, please reach out!). It is a must for cloud deployments when you can't know the public IP of your node. Nomad just defaults to a first network interface it encounters (or specific ones if you set it up like that). There are some issues and discussions but no definitive answer yet. You just have to use consul gateway ingress, which I didn't have a time to explore (yet). Currently, I just start another out-of-Nomad Caddy reverse proxy using Ansible that then pokes into services deployed inside Nomad (sad 🐼).

Personally, I would prefer also that levant gets merged into nomad binary. It just seems that there is no need to externalize that functionality, just like kustomize got merged into kubectl as a subcommand kubectl kustomize. I know HashiCorp guys know what they're doing and am aware of a concept of splitting of concerns, but as an end-user I'd just prefer that I don't need 2 binaries.

Further work ideas

Where will I go further from these examples? Well, I see at least these avenues of improvement:

1. utilize Vault instead of Consul for secrets
   • this is more for learning purposes than it is for security reasons since we are still talking just about a homelab
2. expose metrics from nomad jobs into grafana
   • still not sure what's the best way here, I did notice at least one attempt using Prometheus either directly or via Telegraf intermediary in front of InfluxDB which I already have in the cluster...
3. expose Nomad jobs' logs into loki
   • currently I only push ansible apps and system logs into Loki
4. try out all the interesting services now when workload management is in place: Redis, PlantUML, Grist, PiHole, private Docker repository...
   • this is now way less work than before since, while building all the above examples and some more I haven't mentioned, I gathered enough know-how to add more quickly new things
5. try out Consul Connect service mesh

This article will be split into 2:

1. one about the motivation for the migration away from Chef and how I did it using Ansible;
2. another one about Nomad, hopefully soon.

What?

I have a small cluster of computers which I have been maintaining over the last 10 years. I've learned an amazing amount of Linux operations thanks to those first Raspberry Pi's but most of all the biggest learning asset I acquired was understanding of the pain of making stuff work manually.

Back then I decided to use Chef as my Config Management (I remember I considered Puppet as well). Don't get me wrong, Ruby is still alive and well (I wouldn't say it's exactly thriving but there are for sure millions of Ruby programmers) - but my engineering career path took me more into direction Java as the main language (with short but interesting excursions into Go and Rust) and Python for everything else.

So, the writings on the wall were there for a long time:

• my Chef cookbooks had to be vendored and manually maintained,
• weird Ruby concoctions had to be used more and more often because I hated maintaining the chef-repo,
• it got harder and harder to match the target Chef version with the available system Ruby version (rvm helped there with unnatural life extension),
• I simply didn't have time to maintain my personal deployment framework BADUC.

It stood for "Bastion/Drone/Usher/Consul" where distributes consul locks were used with node agents and ingress token-driven service triggered deployment. BTW, don't do this. Don't waste time doing something like that, unless you have an abundant amount of free time. It was a major mistake on my side, albeit a nice learning experience. I deleted it all with a laugh on my face - I spent many hours on maintaining it, knowing it will be thrown at some moment in time anyway. Just use off-the-shelf platforms like Nomad or K8s.

I waited for a long time, but finally, I did it: the last remnants of Chef code and setup have been removed and the cluster has moved to Ansible foundation. It took me around 2 months (a couple of hours per week, as much as family life can provide, I guess).

Cluster is hybrid in every sense (unusual for companies but quite a normal thing for home labs):

• part is in the cloud and part on my premises (basement and office);
• there are ARM servers (arm5, aarch64, arm7) and there are the "normal" x64 machines
• some software is set up using Ansible, but mostly I try to target Nomad for new services
• some services are deployed from Github Actions and some from within the network using self-hosted Drone.

The path

Here is my attempt in explaining what I figured out to be the path:

• figure out reasonable Linux OS distribution
• define foundational aspects and deploy them using Ansible
• everything else should work as Nomad job(s).

Linux distribution

There is not a lot of thinking here - if you wish to mix arm servers with x64... you just have to go with Debian (or its derivatives, like Ubuntu).

I know you can set up Ansible to work with any distribution, but for a home lab... it just makes no sense to do it: just expect apt, systemd, and the friends are all there.

This also drastically relaxed Ansible role expectations: my roles are mostly trivial because of this decision.

Foundations

I considered the following things as the most inner ring (or the castle foundations if you like metaphors) of the setup:

• ability to access the SSH port via the default user provided by the distribution using Ansible
• run Ansible roles
• seal the system (no public SSH ever again).

Your cloud provider or your ISP might provide you with direct public IP access which is nice. But it makes no sense for a home lab anymore in 2022 with Cloudflare tunnel, Twingate, Tailscale, etc.

My cloud nodes are currently in the Oracle cloud because of their generous "always free" offering. But, that's just me being a cheap ass.

Standard roles

How to prepare a node for the seal? What are the needed steps to make it happen? For me, the minimum list of the things that must be present on any node in the home lab cluster are:

• add the new system user for Ansible,
• checkout dotfiles from internal Git (this step might fail so it's important to allow for it in case the git server itself is part of the cluster)
• add some "default" packages, (from ncdu to tcpdump, everyone has their favorites here I guess);
• change some system files, like motd messages just to mark the territory and point out which node you are connected to after SSH login or sshd config to block password login and all the other system configurations;
• start Tailscale agent and join my tailnet using auto-join feature;
• add promtail to push logs (Loki will be used as the centralized logging service);
• use collectd for metric publishing (InfluxDB will be used for the metrics);
• start Consul agent;
• start Nomad agent.

The actions listed above must be done on all the servers as Ansible roles and only if they are applied can a server be declared as the "homelab cluster member node".

Monitoring

You might ask yourself why would I consider monitoring foundational.

Well, for me as a backend engineer, observability is a paramount concern when building systems. You don't guess what the system is doing, you observe it.

Logging seems like a first thing to look at, for sure, but I find metrics way more interesting for a home lab. You get to see the usage and problems first-hand, like for example situations where a node is over-committed and some swap is needed or when network partitioning shows itself, and so on.

I was focused on lightweight processes and figured out that the smallest footprint comes from Go-driven apps, so I prefer the Grafana stack (Tempo, Loki, Grafana itself), with InfluxDB for metric storage using a 30 days retention period. I'm quite happy and would suggest this stack to everyone.

These Go services are deployed using Nomad, but the agents themselves are for me foundational layer since they should be available and running even when collector services are down. But of course, if you want to throw money at the problem you can avoid collectd/promtail and the monitoring collector services by using their managed offering or just go for Datadog - that's an amazing monitoring suite.

Collectd is something I chose simply because it can be installed on any machine, even my old arm5 Debian. And InfluxDB has support out of the box without any need for additional converters or transformers. Easy on those Raspberry Pi or low-cost cloud node CPUs.

Tailscale

The magic here is Tailscale - after the nodes join the tailnet all of them can talk to each other, regardless of their physical location of NAT or whatever you in front of them.

Nothing comes into the nodes unless it's via the Tailscale network.

If nodes talk to each other, it's via Tailscale.

If there are ingress, publicly open ports, they are quite limited and only on specially marked and isolated nodes. But SSH or other administration ports are never left open for the public.

Thank you Tailscale for such an amazing product!

From the HackerNews geeks I've learned about "Headscale" that is an OSS implementation of the Tailscale server (the only thing which is closed-source in Tailscale setup). I will surely check it out at some point but for now... Tailscale has generous enough free offering that is more than enough for me. For now 😀

Consul/Nomad

I guess you might as why not K8s, right? Well, I know K8s enough, have been using it with one of my previous employers, and am OK with it. But, I wanted something simple for my home lab. Nomad was just a clear winner because of its simplicity, a no-brainer. But, more about how I use it in the next post.

Introducing Nomad demands a Consul cluster up and running, with the agents deployed across the servers.

I knew Consul for a long period and I consider it a nice building block for distributed computing:

• consistent quorum-driven Key/Value storage;
• service discovery;
• Connect service mesh (still not using it, yet).

Non-foundational Ansible services

Some services simply could not be migrated efficiently to Nomad jobs and then they were pushed into a "foundational" setup.

I could choose to force them into Nomad, but I decided to cut my losses here - instead of targeting purity, I decided to have something running and come back later to rethink the approach if the services themselves and/or Nomad further evolve to allow me to fix the problems that blocked me from declaring these workloads as Nomad jobs.

Gitea

This is a popular small-scale self-hosted Git server.

There were too many things that ended up being weird when I tried to put it into a Nomad job:

• creators blocking the idea of the job turning as a root user (even leaving messages in the source code for the smart asses) which is such a pain if you have to use exec / raw_exec Nomad drivers
• git hooks auto-created by gitea hardcode the physical location of the binary (there is an admin action to update the location, but that was just a bit ridiculous and the last drop in the glass full of problems so I just gave up)

PostgreSQL

I prefer running the system packaged version for that platform, although in theory, I should be able to just run a Docker container. PostgreSQL is a database that is suitable for wide number of use cases, from Raspberry Pis to huge RAM-rich sharded cloud clusters.

Public ingress reverse proxy

This will be replaced by an official nomad/Consul gateway envoy proxy at some moment, but for now, I simply had to timebox things in the cluster to non-Connect setup.

I chose Caddy proxy instead of Nginx with which I have more operational experience since it handled HTTPS certificate maintenance without any scripts by me.

To be continued...

In the next installment: some Nomad remarks and personal experiences, including both the good and the bad parts!