decisions
debian 13 for both edge and lab
use the same os family on the edge vps and lab machine to reduce operational variance.
haproxy tcp passthrough
edge vps is only a tcp router. no tls material lives on the vps.
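an added sketch of what that tcp-only edge looks like (not config from this setup): haproxy in tcp mode peeks at the sni in the ClientHello to decide whether to forward, never terminates tls, and drops anything that is not a tls hello for a k3x.dev hostname. the lab address 10.0.0.2 and caddy listening on 443 on the lab node are assumptions.

```haproxy
global
    log stdout format raw local0

defaults
    log     global
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend tls_passthrough
    bind *:443
    # buffer the start of the stream (up to 5s) so the ClientHello can be read;
    # haproxy only parses the hello, it holds no keys and decrypts nothing
    tcp-request inspect-delay 5s
    acl is_tls_hello  req.ssl_hello_type 1
    acl is_k3x_host   req.ssl_sni -m end .k3x.dev
    acl is_k3x_apex   req.ssl_sni -i k3x.dev
    # drop non-tls traffic and hostnames outside the wildcard at the edge,
    # so only k3x.dev hellos ever reach the lab; caddy still decides per hostname
    tcp-request content reject unless is_tls_hello
    tcp-request content reject unless is_k3x_host || is_k3x_apex
    default_backend lab_k3s

backend lab_k3s
    # assumed: private address of the lab machine (e.g. over a tunnel), caddy on 443
    server lab 10.0.0.2:443 check
```

because the stream is passed through untouched, caddy sees the vps as the client ip unless the proxy protocol is enabled on both sides.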
wildcard public dns at the edge
use one Cloudflare wildcard record, *.k3x.dev, pointing at the edge vps public ipv4. new app hostnames do not require new Cloudflare records; Caddy decides whether a hostname is actually served. exact records can still override the wildcard, and the apex k3x.dev needs its own record if used.
cert-manager dns-01
only public port 443 is required at the edge. there is no http-01 challenge path and no dependency on a public port 80.
caddy inside k3s
prefer caddy over traefik. bundled traefik is disabled during k3s install.
local storage first
for one node, use k3s local-path provisioner by default. openebs local pv is documented as a future option if we want more structured local disks across multiple nodes. neither option gives replication; longhorn/rook become relevant only when we add nodes and want replicated storage.
flux + kustomize, no helm by default
avoid helm charts unless the cost of raw manifests becomes clearly worse. flux can apply kustomizations directly.
sops + age
secrets belong in git only when encrypted. age identity management is part of the backup plan.