Files
2026-05-24 21:15:08 -05:00
..
2026-05-24 18:35:52 -05:00
2026-05-24 21:15:08 -05:00
2026-05-24 17:04:49 -05:00
2026-05-24 17:04:49 -05:00
2026-05-24 17:04:49 -05:00
2026-05-24 17:04:49 -05:00
2026-05-24 17:04:49 -05:00
2026-05-24 17:04:49 -05:00
2026-05-24 17:04:49 -05:00

the-hub

Glance dashboard for mk-labs, deployed on fastpass (Talos/Kubernetes).
Managed by ArgoCD. All config is code. No manual kubectl required after initial bootstrap.


Repo layout

cluster/
  argocd/
    the-hub-application.yaml   # ArgoCD Application — drop this in with your platform apps
  applications/
    the-hub/
      namespace.yaml
      rbac.yaml                # ServiceAccount + ClusterRole (read-only K8s access)
      externalsecret.yaml      # ESO ExternalSecret — pulls tokens from 1Password
      deployment.yaml
      service.yaml
      ingress.yaml
      configmap.yaml           # glance.yml lives here — this is where you edit the dashboard

URL

https://the-hub.local.mk-labs.cloud

TLS via cert-manager + Cloudflare DNS-01 (letsencrypt-prod ClusterIssuer).


Secrets (1Password → ESO)

Create a 1Password vault item named the-hub with these fields:

Field Value
proxmox_token user@pam!token-name=<uuid>
pbs_token PBSAPIToken=user@pam!token-name=<uuid>
grafana_token Grafana service account token (read-only)
gitea_token Gitea personal access token (read-only)

ESO syncs these into the the-hub-secrets Kubernetes Secret. The Deployment mounts them as environment variables, which glance.yml references via ${VAR_NAME} syntax.


Proxmox API token setup

Create a read-only API token in Proxmox:

  1. Datacenter → Permissions → API Tokens → Add
  2. User: any read-only user (or root@pam for lab use)
  3. Token ID: glance
  4. Uncheck "Privilege Separation" only if you want full access
  5. Assign role PVEAuditor to the token at the / path

Token format in 1Password: user@pam!glance=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx


SSO (Authentik forward-auth)

SSO annotations are present but commented out in ingress.yaml. Uncomment when guest-relations Authentik SSO is configured for fastpass ingress.


Editing the dashboard

The entire dashboard lives in configmap.yaml under the glance.yml key.

  1. Edit cluster/applications/the-hub/configmap.yaml
  2. Commit + push
  3. ArgoCD syncs automatically (or argocd app sync the-hub)
  4. Glance hot-reloads the config — no pod restart needed for content changes (pod restarts only needed when env var secrets change)

Pages

Page Purpose
Overview Service health monitors + bookmarks + Gitea repo activity
Infrastructure Proxmox node stats, PBS status, Grafana iframe
Updates Homelab YouTuber RSS, K8s/Argo release tracking, tech news