About: The Outpost

The Outpost is an independent blog site running in a rural data center lab environment.

It is hosted using a Hybrid Rural Cloud approach. Compute is managed by a Proxmox VE server cluster hosting Kubernetes, OPNsense and WireGuard, with traffic routing inbound over Starlink using Route53-defined DNS names terminating at an ElasticIP.

From the ElasticIP, acting as the public ingress endpoint, traffic is then forwarded through NGINX Stream TLS Forwarding via a WireGuard peer VPN, which tunnels from an AWS VPC to the local private OPNsense network, thus circumventing Starlink CGNAT to provide an inbound route.

Once in the private lab network, traffic is forwarded once again via NGINX Stream TLS Forwarding to an NGINX Ingress Controller endpoint running on a Kubernetes cluster and advertised on a lab network IP address via MetalLB. TLS terminates there with certificates issued through ACME by cert-manager using the Route53 issuer, all hosted behind Starlink CGNAT using the Starlink default network setup.

Simple.

Kubernetes Clusters are deployed using Cluster Builder, now updated to support Proxmox VE deployments.

The cluster-builder Kubernetes clusters use MetalLB for load balancing, NGINX Ingress, and Longhorn.io storage over NVMe for stateful workloads. The cert-manager package handles all TLS provisioning through ACME using Route53 challenges.

The WireGuard gateway in AWS, which also acts as an NGINX Stream Forwarding proxy, runs as a t3.micro and, together with the ElasticIP, costs less than $10 a month.
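A sketch of the stream forwarding on the AWS gateway, added here as an example and not the site's actual configuration. It assumes SNI-based passthrough with `ssl_preread`, so the gateway holds no certificate or key and TLS still terminates at the ingress controller in the lab; the hostname, tunnel address and log path are constructed placeholders.

```nginx
# Added example for the AWS gateway; goes at the top level of nginx.conf,
# outside any http {} block.
# Constructed values: blog.example.org, 10.10.0.2 (lab-side NGINX stream
# forwarder reached over the WireGuard tunnel), the log path.
stream {
    # One line per connection, with the requested SNI name and the upstream
    # chosen, so unexpected names arriving at the ElasticIP are visible.
    log_format sni '$remote_addr [$time_local] sni="$ssl_preread_server_name" '
                   'upstream=$upstream_addr status=$status '
                   'in=$bytes_received out=$bytes_sent t=$session_time';
    access_log /var/log/nginx/stream-sni.log sni;

    # Allowlist of names forwarded into the lab. Anything else, including a
    # ClientHello without SNI, goes to a local port where nothing listens
    # (assumed closed), so the connection is dropped at the gateway and
    # never enters the tunnel.
    map $ssl_preread_server_name $lab_upstream {
        blog.example.org  10.10.0.2:443;
        default           127.0.0.1:9;
    }

    server {
        listen 443;
        ssl_preread on;              # parse the ClientHello only; no decryption
        proxy_pass $lab_upstream;    # raw TCP relay of the TLS stream
        proxy_connect_timeout 5s;    # fail fast if the tunnel is down
    }
}
```

With this layout the public-facing instance only relays ciphertext, so a compromise of the gateway does not expose the certificate keys issued by cert-manager inside the cluster.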

A cost-effective Kubernetes lab, because Cloud Provider Kubernetes isn't.

The approach should work for any CGNAT-restricted network.