hetzner arch k8s

setup for hetzner archlinux boxes to run k8s


hetzner arch k8s

setup for hetzner archlinux boxes to run k8s


So Hetzner sells a bunch of computing stuff. I went for their dedicated servers.

note: slightly cheaper for compute+storage compared to buying committed use on GCP. free networking is +++.

Goals: setup kubernetes so I have a mini cloud to play with.

Arch Linux


Hetzner has the option to install "minimal" Arch Linux as the OS, imo, not minimal enough.

Step 1: clean out unneeded packages and install a few necessary ones

note: neovim vs vim is just preference, zsh is also preference, binutils and fakeroot are needed for installing stuff from AUR, rsync might already be installed, sudo because I don't want to be root all the time, fail2ban is not strictly necessary but helps keep logs clean.

1pacman -Rns btrfs-progs gptfdisk haveged xfsprogs wget vim net-tools cronie
2pacman -Syu sudo zsh git fail2ban neovim binutils fakeroot kubectl rsync docker
4systemctl enable --now fail2ban
5systemctl enable --now docker

Step 2: ensure needed forwarding conf:

1echo br_netfilter | sudo tee /etc/modules-load.d/br_netfilter.conf
2cat << EOF | sudo tee /etc/sysctl.d/30-ipforward.conf

Step 3: manually edit some files

 1# edit /etc/hostname
 3# edit /etc/hosts
 5# edit /etc/fstab
 6#   disable swap
 8# edit /etc/ssh/sshd_config
 9#   PermitRootLogin no
10#   PasswordAuthentication no
11#   PrintLastLog no

Step 5: create user and add to sudo group

note: the defaults are apparently different than usual like no create home?

note: docker group is root-equivalent

1echo '%sudo ALL=(ALL) ALL' > sudoers.d/sudo
2groupadd sudo
3useradd -G sudo,docker -s /bin/zsh -m arccy
4passwd arccy

from own machine copy ssh keys for login

1ssh-copy-id -i ~/.ssh/id_ecdsa_sk hetz
2ssh-copy-id -i ~/.ssh/id_ed25519_sk hetz
3ssh-copy-id -i ~/.ssh/id_ed25519 hetz

Step 6: reboot for some of the changes to take effect

1systemctl reboot

actions will be run a user, so login

Step 7: copy configs for familiarity

1git clone https://github.com/seankhliao/config .config
2ln -s .config/zsh/zshenv .zshenv
3mkdir -p /home/arccy/data/xdg

Step 8: optional create and add ssh keys for github, else disable url rewrites in gitconfig

1ssh-keygen -t ed25519
2# add key to github

Step 9: install stuff from AUR

note: not strictly necessary, maybe better to install out of band? without this, no need for yay either

1curl -LO https://github.com/Jguer/yay/releases/download/v10.0.4/yay_10.0.4_x86_64.tar.gz
2tar xf yay_10.0.4_x86_64.tar.gz
3cd yay_10.0.4_x86_64
4chmod +x yay
5./yay -Syu yay-bin kind-bin
7rm -rf yay* .bash* .viminfo

Step 10: create config and cluster

This uses kind to run a cluster, originally the plan was a kubeadm installed cluster + cilium + istio but it wasn't working out too well (dunno why, it worked last time).

Disadvantage is hostPorts need to be mapped ahead of time.

note: alternate port mapping strategy would map into the NodePortrange so services can be targeted and hostPort+DaemonSet unnecessary.

 1kind: Cluster
 2apiVersion: kind.x-k8s.io/v1alpha4
 4  apiServerAddress:
 6  - role: control-plane
 7    extraPortMappings:
 8      # http3
 9      - containerPort: 443
10        hostPort: 443
11        protocol: udp
13        # tls, https
14      - containerPort: 443
15        hostPort: 443
16        protocol: tcp
18        # http
19      - containerPort: 80
20        hostPort: 80
21        protocol: tcp
23        # ipfs swarm
24      - containerPort: 4001
25        hostPort: 4001
26        protocol: udp
27      - containerPort: 4001
28        hostPort: 4001
29        protocol: tcp
31        # wireguard
32      - containerPort: 51820
33        hostPort: 51820
34        protocol: udp