Hybrid Edge Kubernetes Cluster
A production-grade K3s cluster spanning a local Proxmox hypervisor and an AWS EC2 edge node, connected over a zero-trust Tailscale mesh with no open inbound ports.

The Problem
Self-hosting is appealing — free compute, full control, no recurring cloud bills. But serving public traffic from a home network traditionally means exposing your IP, opening firewall ports, and accepting the security risks that come with it. Dynamic IPs, ISP-level NAT, and residential network limitations add further complexity. This project sidesteps all of these constraints with a hybrid architecture that keeps every inbound port closed on both nodes while still serving production traffic to the internet.
Hybrid Architecture
The cluster spans two nodes with distinct roles. The home node is a Proxmox VM (4 vCPU, 8GB RAM) running the K3s server and all application workloads — this is where the actual compute happens, for free. The cloud node is a lightweight AWS EC2 instance that serves purely as a public edge — it runs Traefik as the L7 ingress controller, pinned via Kubernetes node selectors, and forwards all traffic to the home node over an encrypted tunnel. The result: public-facing services with home-server economics.
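The node pinning described above, as an added example rather than the project's own manifests. K3s installs Traefik from a bundled Helm chart, so the way to pin it is a HelmChartConfig in kube-system that overrides that chart's values; application workloads carry the opposite selector. The label key `node-role.example/tier` with values `edge` and `compute` is an assumption (it would be applied at join time with K3s's `--node-label`), as are the Wakapi namespace, hostname and image tag.

```yaml
# Assumed node labels (applied with k3s --node-label when each node joins):
#   home node (Proxmox VM):  node-role.example/tier=compute
#   cloud node (EC2):        node-role.example/tier=edge
---
# K3s deploys Traefik from its bundled Helm chart; a HelmChartConfig with the
# same name in kube-system overrides that chart's values without replacing it.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    # Schedule the ingress controller on the cloud edge node only.
    nodeSelector:
      node-role.example/tier: edge
    # No node accepts inbound connections, so a LoadBalancer Service is
    # pointless (K3s's ServiceLB would otherwise bind 80/443 on the node).
    # The Cloudflare Tunnel connector reaches Traefik in-cluster instead.
    service:
      type: ClusterIP
---
# An application workload pinned to the home node. The image is the one
# published by the Wakapi project; pin a specific tag in real use.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wakapi
  namespace: wakapi
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wakapi
  template:
    metadata:
      labels:
        app: wakapi
    spec:
      nodeSelector:
        node-role.example/tier: compute
      containers:
        - name: wakapi
          image: ghcr.io/muety/wakapi:latest
          ports:
            - containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
  name: wakapi
  namespace: wakapi
spec:
  selector:
    app: wakapi
  ports:
    - port: 3000
      targetPort: 3000
---
# Traefik (edge node) routes the host to the Service; the pod it resolves to
# lives on the home node, so this hop crosses the mesh.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wakapi
  namespace: wakapi
spec:
  ingressClassName: traefik
  rules:
    - host: wakapi.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wakapi
                port:
                  number: 3000
```

After applying, `kubectl get pods -A -o wide` should show the `traefik-*` pod in kube-system scheduled on the EC2 node and `wakapi-*` on the Proxmox VM; if Traefik stays Pending, the edge node is missing the label.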


Architecture — hybrid cluster spanning Proxmox (home) and AWS EC2 (edge) over Tailscale mesh
Zero-Trust Networking
All inter-node communication flows through a Tailscale mesh VPN: each node holds its own WireGuard key, so every node-to-node connection is mutually authenticated and encrypted, and the nodes only ever address each other by their tailnet (100.64.0.0/10) addresses. Neither node has any open inbound ports. Public traffic enters exclusively through a Cloudflare Tunnel: the cloudflared connector dials out to Cloudflare, and Cloudflare's edge handles DDoS protection, WAF, and TLS termination before a request is relayed back down that outbound connection to Traefik. Flannel is configured to build its VXLAN overlay on the Tailscale interface, so cross-node pod-to-pod traffic is encapsulated inside the WireGuard tunnel and is encrypted without any pod-level configuration. The one cost is MTU: the VXLAN header rides inside the WireGuard packet, so Flannel derives a smaller pod MTU from the tailscale0 interface, which is the first thing to check if large responses stall between nodes.
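The mesh-backed cluster and tunnel ingress described above, as an added example and not the project's own configuration. The Tailscale addresses 100.64.0.1 (home) and 100.64.0.2 (edge), the hostnames, and the cloudflared file paths are assumptions; `tailscale0` is Tailscale's default interface name on Linux, and the K3s options shown are read from `/etc/rancher/k3s/config.yaml`.

```yaml
# /etc/rancher/k3s/config.yaml on the home node (K3s server).
# 100.64.0.1 is an assumed Tailscale address (Tailscale allocates from
# 100.64.0.0/10); bind everything to it so nothing listens on the LAN address.
node-ip: 100.64.0.1
advertise-address: 100.64.0.1
# Put the tailnet address in the API server certificate so the agent can
# verify it when joining over the mesh.
tls-san:
  - 100.64.0.1
# Flannel builds its VXLAN overlay on this interface, so every cross-node
# pod packet is encapsulated inside the WireGuard tunnel.
flannel-iface: tailscale0
node-label:
  - node-role.example/tier=compute
---
# /etc/rancher/k3s/config.yaml on the EC2 edge node (K3s agent).
# The join token comes from /var/lib/rancher/k3s/server/node-token on the
# server; keep this file mode 0600.
server: https://100.64.0.1:6443
token: <node-token from the server>
node-ip: 100.64.0.2
flannel-iface: tailscale0
node-label:
  - node-role.example/tier=edge
---
# cloudflared configuration on the edge node (assumed path
# /etc/cloudflared/config.yml). cloudflared only dials out to Cloudflare;
# nothing here listens for inbound connections.
tunnel: <tunnel UUID from `cloudflared tunnel create`>
credentials-file: /etc/cloudflared/<tunnel UUID>.json
ingress:
  # Traefik's ClusterIP is reachable from the edge node because the node is
  # a cluster member; this DNS name resolves when cloudflared runs as a pod
  # pinned to the edge node (use the ClusterIP itself from a host service).
  - hostname: example.com
    service: http://traefik.kube-system.svc.cluster.local:80
  - hostname: wakapi.example.com
    service: http://traefik.kube-system.svc.cluster.local:80
  # A catch-all rule is mandatory; unmatched hosts get a 404 at the tunnel.
  - service: http_status:404
```

Once both nodes are up, `kubectl get nodes -o wide` should list INTERNAL-IP as the 100.64.x addresses, and `ip -d link show flannel.1` on either node should show the VXLAN device bound to `tailscale0`; if it is bound to the LAN or EC2 ENI instead, the `flannel-iface` setting did not take effect.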
Infrastructure as Code
The infrastructure layer is fully codified. Terraform provisions both the Proxmox VM and the AWS EC2 instance with its VPC, security groups, and SSH key pairs. Ansible handles OS hardening across both nodes — configuring UFW with default-deny policies, disabling password-based SSH, enabling unattended security upgrades, and locking down SSH access to Tailscale IPs only after the mesh is established.
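The hardening steps above as an Ansible play, added here as an example and not the project's own playbook. The inventory group `cluster`, the operator address 203.0.113.10 used during bootstrap, and the Debian/Ubuntu service name `ssh` are assumptions; the `ufw` module comes from the `community.general` collection. The play also opens the three ports K3s needs between nodes, but only on the Tailscale interface, which a default-deny policy would otherwise silently block.

```yaml
# Ansible play: default-deny UFW, SSH from the tailnet only, unattended
# security upgrades. Assumes Debian/Ubuntu targets and that Tailscale is
# already up on every host (this play is meant to run after the mesh phase).
- name: Harden a cluster node
  hosts: cluster
  become: true
  tasks:
    - name: Refuse password and root SSH logins
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: /usr/sbin/sshd -t -f %s
      loop:
        - { key: PasswordAuthentication, value: "no" }
        - { key: KbdInteractiveAuthentication, value: "no" }
        - { key: PermitRootLogin, value: "no" }
      notify: Restart sshd

    - name: Install unattended security upgrades
      ansible.builtin.apt:
        name: unattended-upgrades
        state: present
        update_cache: true

    - name: Default-deny inbound, allow outbound
      community.general.ufw:
        direction: "{{ item.direction }}"
        policy: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    # Everything K3s needs between nodes rides the mesh, so it is allowed on
    # tailscale0 only: 6443/tcp API server, 8472/udp Flannel VXLAN,
    # 10250/tcp kubelet.
    - name: Allow K3s traffic on the Tailscale interface only
      community.general.ufw:
        rule: allow
        direction: in
        interface: tailscale0
        proto: "{{ item.proto }}"
        port: "{{ item.port }}"
      loop:
        - { proto: tcp, port: "6443" }
        - { proto: udp, port: "8472" }
        - { proto: tcp, port: "10250" }

    - name: Allow SSH from the tailnet only
      community.general.ufw:
        rule: allow
        direction: in
        interface: tailscale0
        proto: tcp
        port: "22"

    # The bootstrap phase allowed SSH from the operator's address (assumed
    # 203.0.113.10) so Ansible could reach the node before Tailscale existed;
    # remove that rule now that the mesh-only rule is in place.
    - name: Drop the bootstrap SSH rule
      community.general.ufw:
        rule: allow
        proto: tcp
        port: "22"
        from_ip: 203.0.113.10
        delete: true

    - name: Enable the firewall
      community.general.ufw:
        state: enabled

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Run this play with `ansible_host` set to each node's Tailscale address rather than its bootstrap address: the established session survives the rule deletion either way (UFW accepts ESTABLISHED traffic), but any later task or re-run would be locked out if it still targeted the public or LAN IP.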
The entire setup is orchestrated by a single idempotent script that executes six sequential phases: Terraform provisioning, Ansible hardening, Tailscale mesh establishment, K3s cluster creation, ingress configuration, and application deployment via ArgoCD. Each phase can be resumed independently, and the script includes health checks to verify the state of each layer before proceeding.
GitOps & Application Delivery
ArgoCD manages application deployments using a GitOps workflow: a change pushed to the repository is picked up by ArgoCD's periodic poll or a webhook and synchronized across the cluster without anyone touching kubectl. The platform currently hosts this portfolio site, a time-tracking service (Wakapi), and several backend applications. Every deployment is declarative, version-controlled, and continuously reconciled against the desired state defined in Git, so manual drift on the cluster is reverted rather than accumulated.
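An ArgoCD Application that implements the automated, reconciling delivery described above, added as an example rather than the project's own manifest. The repository URL, path and Application name are assumptions; the sync-policy fields are ArgoCD's own.

```yaml
# ArgoCD Application for one service. Assumed repo and path; the manifests
# under apps/wakapi would be the Deployment, Service and Ingress for the app.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: wakapi
  namespace: argocd
  finalizers:
    # Deleting the Application also removes the resources it created,
    # instead of orphaning them in the cluster.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://github.com/example/cluster-apps.git
    targetRevision: main
    path: apps/wakapi
  destination:
    server: https://kubernetes.default.svc
    namespace: wakapi
  syncPolicy:
    automated:
      # prune: a resource removed from Git is deleted from the cluster.
      prune: true
      # selfHeal: an out-of-band kubectl edit is reverted to the Git state,
      # which is what makes "reconciled against Git" hold continuously.
      selfHeal: true
    syncOptions:
      - CreateNamespace=true
    retry:
      limit: 3
      backoff:
        duration: 10s
        factor: 2
        maxDuration: 2m
```

Without a webhook from the Git host, ArgoCD notices a push on its next poll (three minutes by default), so "push triggers sync" is true to within that interval; `argocd app get wakapi` shows whether the app is Synced and Healthy after a change lands.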
The cluster has maintained 99.9% uptime since deployment and currently serves this portfolio site to production traffic. The infrastructure is designed to scale — as new projects and services come online, they deploy through the same GitOps pipeline with zero manual intervention.
Technical Highlights
- Zero open inbound ports — all public ingress flows through Cloudflare Tunnel
- Zero-trust networking via Tailscale mesh with encrypted pod-to-pod traffic across nodes
- Full infrastructure-as-code with Terraform (Proxmox + AWS) and Ansible (OS hardening)
- Single idempotent script orchestrates all six provisioning phases with resume support
- Node labeling separates concerns: compute-heavy workloads stay local, edge routing runs in the cloud
- GitOps application delivery with ArgoCD for automated, declarative deployments
- UFW default-deny firewalls with SSH locked to Tailscale IPs after bootstrap