OpenTofu |https://example.com/tags/opentofu/OpenTofuHugoBlox Kit (https://hugoblox.com)en-usThu, 14 May 2026 00:00:00 +0000https://example.com/media/icon_hu_da05098ef60dc2e7.pngOpenTofuhttps://example.com/tags/opentofu/Stage I: Architecting a Bare-Metal KVM & K3s Foundationhttps://example.com/blog/stage-1-compute-foundation/Thu, 14 May 2026 00:00:00 +0000https://example.com/blog/stage-1-compute-foundation/<p>Building Kubernetes in the cloud is easy—cloud providers abstract all the hard networking and compute layers away from you. To truly understand Cloud Native architecture, I decided to build a zero-trust environment from the ground up.</p> <p>This post covers <strong>Stage I</strong> of my 10-Phase Engineering Roadmap: establishing the virtualized compute layer, deploying a zero-trust mesh VPN, bootstrapping the K3s cluster, and configuring edge routing.</p> <h2 id="table-of-contents">Table of Contents</h2> <ol> <li> </li> <li> </li> <li> </li> <li> </li> <li> </li> </ol> <h2 id="base-compute">1. The Base Compute Environment &amp; Zero-Trust Access</h2> <p>To simulate a true enterprise environment, I am running a bare-metal <strong>Kali Linux</strong> host. However, I am not running the cluster directly on the host OS. Instead, I am using <strong>KVM (Kernel-based Virtual Machine)</strong> to spin up an isolated Ubuntu server guest.</p> <p>Furthermore, to enforce zero-trust from day one, SSH port 22 is completely blocked from the public internet. Access to the Ubuntu KVM is handled exclusively via <strong>Tailscale</strong>, creating an encrypted wireguard mesh tunnel that allows me to SSH into the root environment securely from anywhere.</p> <p>To confirm the virtualized compute layer was running smoothly, here is the output verifying the KVM guest status on the Kali host:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" ><img src="virsh-output.png" alt="KVM Guest Status" loading="lazy" data-zoomable /></div> </div></figure> </p> <h2 id="opentofu">2. Declarative Infrastructure with OpenTofu</h2> <p>To eliminate manual configuration drift right from the start, I used <strong>OpenTofu</strong> with the <code>libvirt</code> provider to manage the underlying state of the Ubuntu virtual machine.</p> <p>Here is a snippet of how I structured the infrastructure provisioning:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-hcl" data-lang="hcl"><span class="line"><span class="cl"><span class="k">terraform</span> { </span></span><span class="line"><span class="cl"> <span class="k">required_providers</span> { </span></span><span class="line"><span class="cl"><span class="n"> libvirt</span> <span class="o">=</span> { </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;dmacvicar/libvirt&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> version</span> <span class="o">=</span> <span class="s2">&#34;0.7.6&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">provider</span> <span class="s2">&#34;libvirt&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> uri</span> <span class="o">=</span> <span class="s2">&#34;qemu:///system&#34;</span> </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># Download the official Ubuntu Cloud Image </span></span></span><span class="line"><span class="cl"><span class="c1"># 1. The Base Image (Downloads and stores the raw Ubuntu image) </span></span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;libvirt_volume&#34; &#34;ubuntu_base&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;ubuntu-base.qcow2&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> pool</span> <span class="o">=</span> <span class="s2">&#34;default&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> source</span> <span class="o">=</span> <span class="s2">&#34;${path.module}/noble-server-cloudimg-amd64.img&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> format</span> <span class="o">=</span> <span class="s2">&#34;qcow2&#34;</span> </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># 2. The Actual VM Drive (Clones the base and stretches it to 30GB) </span></span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;libvirt_volume&#34; &#34;ubuntu_image&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;ubuntu-24.04.qcow2&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> pool</span> <span class="o">=</span> <span class="s2">&#34;default&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> base_volume_id</span> <span class="o">=</span> <span class="k">libvirt_volume</span><span class="p">.</span><span class="k">ubuntu_base</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"><span class="n"> size</span> <span class="o">=</span> <span class="m">32212254720</span><span class="c1"> # 30GB - SSD </span></span></span><span class="line"><span class="cl"><span class="n"> format</span> <span class="o">=</span> <span class="s2">&#34;qcow2&#34;</span> </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># Inject the cloud-init file (which now contains Tailscale) </span></span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;libvirt_cloudinit_disk&#34; &#34;commoninit&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;commoninit.iso&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> user_data</span> <span class="o">=</span> <span class="k">file</span><span class="p">(</span><span class="s2">&#34;${path.module}/cloud_init.cfg&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n"> pool</span> <span class="o">=</span> <span class="s2">&#34;default&#34;</span> </span></span><span class="line"><span class="cl">}<span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"> </span></span></span><span class="line"><span class="cl"><span class="c1"># Define the Virtual Machine </span></span></span><span class="line"><span class="cl"><span class="k">resource</span> <span class="s2">&#34;libvirt_domain&#34; &#34;k3s_node&#34;</span> { </span></span><span class="line"><span class="cl"><span class="n"> name</span> <span class="o">=</span> <span class="s2">&#34;k3s-server&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> memory</span> <span class="o">=</span> <span class="s2">&#34;6144&#34;</span><span class="c1"> # 6GB RAM </span></span></span><span class="line"><span class="cl"><span class="n"> vcpu</span> <span class="o">=</span> <span class="m">2</span><span class="c1"> # 2 CPU Cores </span></span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n"> cloudinit</span> <span class="o">=</span> <span class="k">libvirt_cloudinit_disk</span><span class="p">.</span><span class="k">commoninit</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">network_interface</span> { </span></span><span class="line"><span class="cl"><span class="n"> network_name</span> <span class="o">=</span> <span class="s2">&#34;default&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> wait_for_lease</span> <span class="o">=</span> <span class="kt">true</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">disk</span> { </span></span><span class="line"><span class="cl"><span class="n"> volume_id</span> <span class="o">=</span> <span class="k">libvirt_volume</span><span class="p">.</span><span class="k">ubuntu_image</span><span class="p">.</span><span class="k">id</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"> <span class="k">console</span> { </span></span><span class="line"><span class="cl"><span class="n"> type</span> <span class="o">=</span> <span class="s2">&#34;pty&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> target_port</span> <span class="o">=</span> <span class="s2">&#34;0&#34;</span> </span></span><span class="line"><span class="cl"><span class="n"> target_type</span> <span class="o">=</span> <span class="s2">&#34;serial&#34;</span> </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></div><p><strong>The Challenge:</strong> The most frustrating part of this setup was dealing with libvirt socket permissions. By default, the OpenTofu provider running on the Kali host was getting <code>permission denied</code> when trying to connect to the <code>qemu:///system</code> socket. I had to properly configure the <code>libvirt</code> group policies and Polkit rules on the host to allow the declarative pipeline to automatically provision the VM without requiring interactive root prompts.</p> <h2 id="k3s-setup">3. Bootstrapping Bare-Metal K3s</h2> <p>For container orchestration, I chose <strong>K3s</strong>. It is lightweight enough to run highly efficiently on the Ubuntu guest, but fully conformant for enterprise-grade deployments.</p> <p>To install and bootstrap the cluster securely, I explicitly passed arguments to bind to my Tailscale interface and disabled the default local storage path to maintain strict control:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -sfL <span class="o">[</span>https://get.k3s.io<span class="o">](</span>https://get.k3s.io<span class="o">)</span> <span class="p">|</span> <span class="nv">INSTALL_K3S_EXEC</span><span class="o">=</span><span class="s2">&#34;--node-ip &lt;TAILSCALE_IP_ADDRESS&gt; --bind-address &lt;TAILSCALE_IP_ADDRESS&gt; --tls-san &lt;TAILSCALE_IP_ADDRESS&gt;&#34;</span> sh - </span></span></code></pre></div><p>Once the script executed, the node successfully registered itself using the secure Tailscale interface, as shown in the cluster node status:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="K3s Node Status showing Tailscale IP" srcset="https://example.com/blog/stage-1-compute-foundation/k3s-proof_hu_c98d0581d4185be8.webp 320w, https://example.com/blog/stage-1-compute-foundation/k3s-proof_hu_c3cfcf5f42b053dc.webp 480w, https://example.com/blog/stage-1-compute-foundation/k3s-proof_hu_4c79557933bcff55.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-1-compute-foundation/k3s-proof_hu_c98d0581d4185be8.webp" width="760" height="166" loading="lazy" data-zoomable /></div> </div></figure> </p> <h2 id="traefik-ingress">4. Edge Routing &amp; Traefik Challenges</h2> <p>Networking on local KVM Kubernetes is drastically different than the cloud. You don&rsquo;t have AWS or GCP to automatically provision an Elastic Load Balancer (ELB) for you.</p> <p>I utilized <strong>Traefik</strong> as the primary Ingress Controller, deploying it via Helm to manage routing for my internal services.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">n8n-ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">whatsapp-bot </span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingressClassName</span><span class="p">:</span><span class="w"> </span><span class="l">traefik</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">host</span><span class="p">:</span><span class="w"> </span><span class="l">&lt;Magic-DNS-FROM-TAILSCALE&gt; </span><span class="w"> </span><span class="c"># MagicDNS name</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">http</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">paths</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">path</span><span class="p">:</span><span class="w"> </span><span class="l">/</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pathType</span><span class="p">:</span><span class="w"> </span><span class="l">Prefix</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">backend</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">service</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">n8n-service </span><span class="w"> </span><span class="c"># n8n service</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">number</span><span class="p">:</span><span class="w"> </span><span class="m">5678</span><span class="w"> </span><span class="c"># 5678 default n8n port</span><span class="w"> </span></span></span></code></pre></div><p><strong>The Fix:</strong> Originally, exposing services from an isolated KVM guest required complex iptables rules, sysctl IP forwarding, and dealing with port 80/443 conflicts on the Kali host. To completely bypass this networking headache, I utilized Tailscale MagicDNS. By binding K3s and Traefik directly to the Tailscale interface inside the VM, I created a secure overlay network. Now, Traefik routes traffic seamlessly via MagicDNS, completely bypassing the Kali host&rsquo;s physical network bridge and eliminating the need for complex port-forwarding.</p> <p>With the local DNS override in place and Traefik configured, I could securely access the internal dashboard. Here is the active HTTP routing rule proving the configuration works:</p> <p> <figure > <div class="flex justify-center "> <div class="w-full" > <img alt="Traefik Dashboard HTTP Routers" srcset="https://example.com/blog/stage-1-compute-foundation/traefik-ui_hu_3cd9aa6f9e1fbb34.webp 320w, https://example.com/blog/stage-1-compute-foundation/traefik-ui_hu_72133731afa3471f.webp 480w, https://example.com/blog/stage-1-compute-foundation/traefik-ui_hu_70a345757f62f245.webp 760w" sizes="(max-width: 480px) 100vw, (max-width: 768px) 90vw, (max-width: 1024px) 80vw, 760px" src="https://example.com/blog/stage-1-compute-foundation/traefik-ui_hu_3cd9aa6f9e1fbb34.webp" width="760" height="265" loading="lazy" data-zoomable /></div> </div></figure> </p> <h2 id="outcomes">5. Stage I Outcomes</h2> <p>By the end of Phase 4, the foundation was set:</p> <ul> <li><strong>Infrastructure is codified:</strong> The Ubuntu VM environment can be reliably rebuilt using OpenTofu.</li> <li><strong>Orchestration is live:</strong> K3s is running natively and efficiently.</li> <li><strong>Access is secured:</strong> The host and guest are protected behind a Tailscale zero-trust perimeter.</li> </ul> <p>With the base compute and networking established, the cluster was ready for application workloads.</p> <p><strong>Next up:</strong> In , I dive into how I layered <strong>GitHub Actions</strong> and <strong>ArgoCD</strong> on top of this foundation to enforce GitOps compliance, and how I secured the cluster credentials using <strong>HashiCorp Vault</strong>.</p>