K3s cluster running on mini-PCs

K3s Cluster Setup on Refurbished Mini-PCs

Three mini-PCs sit on a shelf in my house. Together they run my GitLab, my monitoring stack, home automation, file sync, password manager, and a pile of other things I refuse to hand to someone else’s computer. The whole setup cost less than a single month of the equivalent managed Kubernetes bill, and I understand every layer of it because I built it myself. You can have the same thing. No cloud account, no rack, no five-figure budget. You need three second-hand machines and an afternoon where nobody bothers you. This is the cluster I keep coming back to when I talk about sovereign infrastructure, and here is exactly how it goes together. ...

April 24, 2026 · 11 min read · Tom Meurs
Longhorn vs Rook-Ceph storage comparison

Longhorn vs Rook-Ceph: Kubernetes Storage Compared

The first time you run a stateful workload on a self-hosted cluster, you hit a wall. No cloud provider storage class to lean on. Just your nodes, their disks, and a Postgres pod that refuses to schedule because nothing can give it a PersistentVolume. So you start reading, and within an hour you’ve narrowed it down to two names that keep coming up: Longhorn and Rook-Ceph. I’ve run both in production. So let me get my bias out of the way before anything else: I default to Longhorn on small clusters, and I’ll explain exactly why later. Keep that in mind as you read, because it colours how I weigh things. Both are CNCF projects, both give you replicated block storage that survives a node dying, and both are good software. They just disagree about how much complexity you should be signing up for. ...

April 20, 2026 · 11 min read · Tom Meurs
Isometric illustration of a central key with three identity branches shielded by a quantum barrier

Quantum-safe GPG identity with multiple aliases

A cryptographic signature is one of the few things online that still means exactly what it says. If the key is yours and the signature verifies, the content came from you. Full stop. No vendor handed you this identity, no CA can pull it, no platform can suspend it. It exists because you generated the key, and it stays yours for exactly as long as you hold the private half. Most of what we casually call “online identity” is borrowed: a handle someone can ban, a checkmark someone can strip, an email address a domain owner can take back the day they feel like it. A GPG signature lives outside all of that. The key that signed this paragraph is either yours or it belongs to someone else, and nobody gets a vote. ...

April 18, 2026 · 14 min read · Tom Meurs
Effective alerting strategy visualization

Alerting That Works: From Alert Fatigue to Actionable Notifications

For a while my alerting worked fine. A handful of rules, pages were rare, and when one came in it meant something. Then the cluster grew, I bolted on the Prometheus Operator defaults, and “fine” quietly turned into noise. The tipping point was a 3 AM page. My phone buzzed, I groggily checked it: “High CPU usage on node-worker-3.” I looked at the graph, saw it had been sitting at 75% for ten minutes, and went back to sleep. Next night, same alert. A week later I’d stopped checking at all. ...

April 16, 2026 · 11 min read · Tom Meurs
cert-manager automatic TLS certificate flow

cert-manager: Automatic TLS Certificates in Kubernetes

For a long time my certificates renewed the way most people’s do: a calendar reminder, a manual certbot run, and a quiet hope that I’d remember before the thing actually expired. It worked. It worked right up until the morning a service threw cert errors at me and I had no idea why, because the renewal cron had been silently failing for weeks. That’s the part nobody tells you about manual TLS. The failure doesn’t announce itself. The cert just expires, usually at the worst possible moment, and you find out because a browser is yelling at someone. Renewal knowledge ends up living in one person’s head. Teams skip HTTPS on internal services because wiring it up by hand is annoying enough to put off. ...

April 12, 2026 · 11 min read · Tom Meurs