Goals + Recap
- Had some time yesterday and realised I must have gotten out of Letsencrypt jail by now. So I decided to tackle my certificate situation. Figured out how to generate a cert and renew it, and put them into my Ansible tasks.
- Low hanging yet extremely important to me, my contacts and calendar moved from the old VM to the new cluster on Saturday
- Today
- Look at The Big Plan!, to see if anything needs adding or changing
- Figure out how to get the newly minted certificates into the cluster (Settled on traefik generating certs independently in-cluster)
- ~~Move Sendy (Email list)~~ not today
- Move IRC (theLounge), if there is time
2025-12-15 09:10
- Update the Big Plan to make the why more explicit for near-future Jason, when he decides to tear his hair out, or tries to overengineer things
- 2025-12-15 09:43: Break
2025-12-15 10:25
- Back
- While I was on the break, I was thinking about the certs, and whether I’m missing something. I need the certs on the node. At least for now. Ok. Now the question becomes, how do I convert it into a sealed secret and push it into the cluster itself? Do it on the VM? That’ll mean putting kubeseal on the VM. Do it at home on my main machine? What happens when I am not there and the machine is off? Do it on a third machine? How do I now integrate that bugger into my flow? Hmmm. Thinking a bit more …
- 2025-12-15 10:33: Should a runner on my code forge do it? I’ll need to save the sealed-secret there then? Do I have something against having a copy of my repo on the VM? That happens with Ansible Pull anyway? Oh, but that is a different repo.
- 2025-12-15 10:46: Taking the simplest (and most secure) route for now and doing it all locally. The only (only but BIG) con I see to this approach is if my main machine is off for a few days or I am travelling and that period coincides with a cert expiry.
- Hmmmm. So should Traefik take over cert generation and renewal stuff for the cluster then? I was trying to avoid multiple requests to Letsencrypt as much as possible, but then this seems to be the cleanest approach, then.
- 2025-12-15 10:52: Ok. I seem to enjoy making more work for myself. Let’s knuckle down and figure this out then. How would Traefik get certs?
- 2025-12-15 12:05: Got my porkbun creds as a sealed secret into the cluster
- 2025-12-15 12:44: Been reading Traefik docs. Lunch break.
2025-12-15 14:02
- Back
- 2025-12-15 15:07: Tea break. The traefik documentation is driving me nuts!
- 2025-12-15 15:30: Back at it
- 2025-12-15 17:05: Alright! Done! Took a lot of searching, looking at examples, asking ChatGPT and fixing typos. But it got done. I had the sense this time to try it all out with Letsencrypt staging first! :)
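The shape of the Traefik static configuration that the entries above describe (in-cluster ACME with a DNS challenge against Porkbun, tried against the Let's Encrypt staging CA before production), as an added example that is not the post's own config. The email, storage paths and resolver names are assumptions; the two `PORKBUN_*` environment variable names are the ones Traefik's Porkbun DNS provider reads, and they are assumed to be injected into the pod from the Kubernetes Secret that the sealed secret decrypts to, so no API credential ever sits in this file or in git.

```yaml
# traefik.yml (static configuration), assumed to be mounted into the Traefik pod.
# Porkbun credentials come from the pod environment (secretKeyRef on the
# Secret produced by the sealed secret), NOT from this file:
#   PORKBUN_API_KEY, PORKBUN_SECRET_API_KEY
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  # Use this resolver first: staging issues untrusted certs but does not
  # count against the production rate limits while typos get fixed.
  le-staging:
    acme:
      email: admin@example.invalid            # placeholder
      storage: /data/acme-staging.json        # must be on persistent storage
      caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      dnsChallenge:
        provider: porkbun
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
  # Switch routers to this resolver only once staging issues cleanly.
  # Default caServer is Let's Encrypt production.
  le-prod:
    acme:
      email: admin@example.invalid            # placeholder
      storage: /data/acme.json                # persisted so renewals reuse the account/certs
      dnsChallenge:
        provider: porkbun
        resolvers:
          - "1.1.1.1:53"
          - "9.9.9.9:53"
```

A router picks a resolver by name (for a Kubernetes Ingress, the annotation `traefik.ingress.kubernetes.io/router.tls.certresolver: le-staging`), so moving from staging to production is a one-word change per route rather than a rewrite. Keep the `storage` file on a PersistentVolume: losing it forces a fresh request for every certificate, which is exactly the Letsencrypt-jail scenario the post is trying to avoid.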
2025-12-15 17:30
- Cleaned stuff up as much as I could. Love Flux CD and containers now!
- 2025-12-15 17:36: Starting with theLounge now. Hopefully this should not be hard (fingers crossed!). This is just setting up a new instance, with no data coming over.
- 2025-12-15 17:45: Am getting pretty good at translating docker-compose files into Kubernetes manifests 😂
- 2025-12-15 18:23: Well, not that good. Still miss plenty of stuff.
- 2025-12-15 19:12: Done. I forgot to make a note of what channels I was in, before I retired the old ZNC/TheLounge setup. But never mind. The important ones I have rejoined.
- Tomorrow: Move Sendy (Also only pick up one task a day now onwards.)
Feedback on this post?
Mail me at feedback at this domain.