Edge cluster
The edge cluster is the homelab's public-facing Kubernetes cluster. Single-node, single-purpose: terminate inbound traffic from the internet, then forward it to the production cluster over the NetBird mesh using PROXY-protocol-v2 to preserve the real client IP.
Stack
```text
┌──────────────────────────────────┐
│  Public-facing apps + sidecars   │  ← docs/apps (the small set)
└──────────────┬───────────────────┘
               │
┌──────────────▼───────────────────┐
│  Platform controllers            │
│  Cilium · Envoy · CNPG · cert-mgr│
└──────────────┬───────────────────┘
               │
┌──────────────▼───────────────────┐
│  Talos Linux on a single VM      │  ← docs/foundation/talos
└──────────────┬───────────────────┘
               │
┌──────────────▼───────────────────┐
│  Hetzner Cloud (cx33, nbg1)      │  ← docs/foundation/hetzner
│  VPC + floating IP               │
└──────────────────────────────────┘
```
Layers at a glance
| Layer | What | Doc |
|---|---|---|
| Compute | 1× cx33 Hetzner instance (control-plane-1), nbg1 | foundation/hetzner |
| Cluster OS | Talos Linux, single-node config | foundation/talos |
| GitOps | Flux pulling from the same Gitea repo, separate clusters/edge/ path | foundation/flux |
| Network | Cilium (CNI + kube-proxy replacement) | platform/cilium |
| Ingress | Envoy Gateway terminating TLS; forwards to production via PROXY-protocol-v2 | platform/envoy-gateway · topics/envoy-gateway-proxy-protocol-v2 |
| Certs | cert-manager + ACME via cert-manager-webhook-all-inkl | platform/cert-manager |
| Database | CNPG (small, only for sidecar app state) | platform/cloudnative-pg |
| Inter-site | NetBird edge peer routes back to production over WireGuard | fabric/netbird |
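The ingress and inter-site rows above are the two ends of one wire: Envoy on the edge prepends a PROXY protocol v2 header to each TCP connection it forwards over the NetBird mesh, and the production side reads that header to recover the real client address. The part that matters for security is that a PROXY header is plain, unauthenticated bytes: the production listener must honour it only when the TCP peer is the edge routing peer, otherwise anything that can reach the listener can claim an arbitrary client IP and defeat allowlists, rate limits and audit logs. The following is an added example (not code from this homelab's repo or from Envoy) that builds and parses the v2 header and applies that trust check. The edge's mesh address (100.64.0.5) and all client addresses are constructed for the example; the page does not list NetBird addresses.

```python
"""PROXY protocol v2: wire format plus the trusted-peer check.

Added example, not project code. Addresses are constructed; the edge
routing peer's NetBird address is an assumption.
"""
import ipaddress
import struct

# 12-byte v2 signature from the HAProxy PROXY protocol specification.
PPV2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"

# Assumed NetBird mesh address of control-plane-1 (the edge routing peer).
# Only connections arriving from here may carry a PROXY header.
TRUSTED_EDGE_PEERS = {ipaddress.ip_address("100.64.0.5")}


def build_ppv2_header(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Build a v2 PROXY header for a TCP connection (IPv4 or IPv6).

    This is what the edge Envoy sends ahead of the first client byte.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("src/dst address family mismatch")
    fam_proto = 0x11 if src.version == 4 else 0x21  # AF_INET/AF_INET6 + STREAM
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    ver_cmd = 0x21  # high nibble: version 2, low nibble: PROXY command
    return PPV2_SIG + struct.pack("!BBH", ver_cmd, fam_proto, len(addrs)) + addrs


def parse_ppv2_header(data: bytes):
    """Parse a v2 header. Returns (info dict, or None for LOCAL, remaining payload).

    Raises ValueError on malformed input. The caller must have buffered
    16 bytes + the declared length; short reads are treated as truncation.
    """
    if len(data) < 16 or data[:12] != PPV2_SIG:
        raise ValueError("no PROXY v2 signature")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY version")
    if len(data) < 16 + length:
        raise ValueError("truncated PROXY header")
    body, rest = data[16:16 + length], data[16 + length:]
    cmd = ver_cmd & 0x0F
    if cmd == 0x0:  # LOCAL: the proxy speaks for itself (health checks), no client address
        return None, rest
    if cmd != 0x1:
        raise ValueError("unknown PROXY command")
    family = fam_proto >> 4
    if family == 0x1:
        alen = 4
    elif family == 0x2:
        alen = 16
    else:
        raise ValueError("unsupported address family")
    need = 2 * alen + 4
    if len(body) < need:
        raise ValueError("address block too short")
    src = ipaddress.ip_address(body[:alen])
    dst = ipaddress.ip_address(body[alen:2 * alen])
    src_port, dst_port = struct.unpack("!HH", body[2 * alen:need])
    # body[need:] would hold TLVs (e.g. PP2_TYPE_ALPN); not needed here.
    return {"src": str(src), "dst": str(dst), "src_port": src_port, "dst_port": dst_port}, rest


def client_address(peer_ip: str, data: bytes, trusted=TRUSTED_EDGE_PEERS):
    """Return (client ip, payload) for a new connection on the production side.

    peer_ip is the TCP peer the kernel reports (the edge's mesh address when
    the connection came through the edge). A PROXY header is only honoured
    from a trusted peer; from anyone else it is a spoofing attempt.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        if data[:12] == PPV2_SIG:
            raise PermissionError(f"PROXY header from untrusted peer {peer_ip}")
        return str(peer), data  # direct connection: the peer is the client
    info, rest = parse_ppv2_header(data)  # trusted edge must always send one
    if info is None:
        return str(peer), rest  # LOCAL command: no client behind the proxy
    return info["src"], rest
```

The same rule is what the production-side listener config has to express: enable PROXY protocol only on the listener that the edge peer reaches over the mesh, never on one that is also reachable directly.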
Cluster machine
| Role | Name | Spec | Network |
|---|---|---|---|
| Control + worker | control-plane-1 | cx33, Talos image | Public IP + floating IP (edge-1); private 172.30.0.11/24 |
A single node is intentional — the edge cluster's blast radius is its own. If it dies, the production cluster carries on; only public traffic is interrupted.
Networking summary
| Plane | What |
|---|---|
| VPC | edge (172.30.0.0/16), subnet k8s (172.30.0.0/24 in eu-central) |
| Public IP | Floating IP edge-1 — survives instance replacement |
| Inter-site | NetBird edge network — control-plane-1 acts as routing peer |
| Cross-network | edge_sidecar_envoy ↔ production public subnet for upstream |
Cloud firewalls are label-selected: talos-control, talos-internal, allow-http, allow-ssh. See Hetzner for ports.
What runs here
- Public ingress — the Envoy Gateway that the world hits.
- TLS termination + ACME — cert-manager + the all-inkl webhook (DNS-01).
- Sidecar apps that need an internet entry point but keep their back-end state in production (Gatus, Homepage in their public-edge variants).
Apps with persistent state never live here — that's production's job.
Lifecycle commands
```bash
# Render & apply Talos config (uses talos/edge/)
talhelper -f talos/edge/talconfig.yaml genconfig
talhelper -f talos/edge/talconfig.yaml gencommand apply | sh

# Reconcile Flux
flux reconcile kustomization flux-system --kubeconfig ~/.kube/edge

# Provision / drift-check the underlying Hetzner resources
cd tofu/environment/edge && tofu plan
```
Recovery
If the cx33 instance is lost:
- `tofu apply` re-creates the instance with the same name + label set; the label-selected cloud firewalls reattach automatically.
- `talhelper gencommand apply` pushes the Talos config; the new node bootstraps.
- Re-attach the floating IP if it didn't follow the new instance.
- Flux reconciles everything else from Git.
End-to-end recovery is on the order of minutes; there's nothing stateful on the box that can't be regenerated.
See also
- Foundation → Hetzner — provider details
- Foundation → Talos — OS configuration workflow
- Topics → Real client IPs across the chain — the PPv2 wiring this cluster anchors
- Cluster — talos — the bigger sister cluster