Pim Widdershoven

IT / Solution Architect | Engineer at Heart | Cloud, Platform, Security, DevOps

Recent

Bootstrapping trust in a Kubernetes cluster: cert-manager, an internal CA, and kubelet TLS

·15 mins
A cluster with networking and storage still serves most of its TLS endpoints with self-signed certificates. This post wires up the trust layer: cert-manager with a bootstrapped internal CA, trust-manager to distribute the bundle to every namespace, Let’s Encrypt over Gateway API for the public edge, and a CSR approver so the kubelet finally gets a serving cert that something can verify.

Storage on Talos Linux with Linstor and DRBD

·15 mins
Linstor with DRBD is the simplest path to replicated block storage on a homelab cluster. This post covers partitioning Talos disks, getting Piraeus running on an immutable OS, configuring StorageClasses with sensible DRBD quorum defaults, and wiring up snapshots through external-snapshotter.

Networking on Talos Linux with Cilium

·11 mins
Cilium replaces Flannel and kube-proxy on Talos. You get identity-based policies, kernel-level enforcement, packet-level observability through Hubble, the Gateway API for HTTP routing, and L2 announcement so you can expose Services on a bare-metal home network.

Why I Run Talos Linux: A Minimal OS Built for Kubernetes

·14 mins
Talos Linux is a Kubernetes-only OS — minimal core, system extensions for the rest, and an API for everything. This post covers why I picked it, how I bootstrap a 3-node cluster with PXE, and the configuration files you need to follow along.

Unlocking Trust: Why Hardware Security Keys Matter More Than Ever

·9 mins
Passwords are losing their footing as the primary authentication mechanism. This post explores how cryptographic proof, hardware security keys, passkeys, digital signatures, and attestation are shifting the foundation of digital trust — and what that means for your accounts, your architecture, and Zero Trust.