feat(docs): Add troubleshooting guide for k3s, Traefik, cert-manager, and monitoring

- Created troubleshooting.md with common issues and resolutions for k3s, Traefik, and cert-manager.
- Added detailed sections for node readiness, certificate errors, and worker node issues.
- Included troubleshooting steps for Grafana and Prometheus in the monitoring section.

feat(docs): Document cert-manager installation and usage

- Added cert-manager.md detailing automatic TLS certificate issuance and renewal.
- Explained the architecture, installation process, and usage of ClusterIssuers.
- Included examples for using certificates in IngressRoutes and checking certificate status.

feat(docs): Introduce k3s documentation

- Created k3s.md outlining the lightweight Kubernetes distribution.
- Explained architecture, prerequisites, installation flags, and firewall rules.
- Documented the installation workflow for master and worker nodes.

feat(docs): Add monitoring and observability documentation

- Created monitoring.md detailing the observability stack components and architecture.
- Documented deployment steps for kube-prometheus-stack, Loki, and Promtail.
- Included Grafana access instructions and available dashboards.

feat(docs): Document Traefik ingress controller setup

- Added traefik.md explaining Traefik's role as the ingress controller.
- Documented Helm installation, entry points, and TLS hardening.
- Included instructions for creating the Traefik dashboard and deploying services.

fix(makefiles): Update paths for k3s-lab

- Changed references from k3s-homelab to k3s-lab in makefiles for consistency.
- Updated paths in k3s installation, kubeconfig fetching, and stack deployment scripts.

Author: KevinDeBenedetti

.env.example

@@ -8,7 +8,7 @@ MASTER_IP=1.2.3.4           # Public IP of the master (control-plane) VPS
 WORKER_IP=5.6.7.8           # Public IP of the worker VPS
 
 # --- SSH ---
-SSH_USER=kevin               # SSH user AFTER bootstrap (regular user, not root)
+SSH_USER=debian              # SSH user AFTER bootstrap (regular user, not root)
 SSH_KEY=~/.ssh/id_ed25519   # Path to your private key
 INITIAL_USER=root            # User for the first connection (before bootstrap)
 

.github/workflows/ci-cd.yml

@@ -1,5 +1,5 @@
 # =============================================================================
-# CI — k3s-homelab lint, tests & security
+# CI — k3s-lab lint, tests & security
 #
 # Runs on every push and PR to main.
 # Does NOT require a real cluster — all checks are static/offline.

Makefile

@@ -6,18 +6,18 @@ SHELL         := /bin/bash
 export
 
 # Defaults (overridable via .env or environment)
-SSH_USER            ?= kevin
+SSH_USER            ?= debian
 SSH_PORT            ?= 22
 SSH_KEY             ?= $(HOME)/.ssh/id_ed25519
 SSH_KEY             := $(subst ~,$(HOME),$(SSH_KEY))
 INITIAL_USER        ?= root
 MASTER_IP           ?=
 WORKER_IP           ?=
-KUBECONFIG_CONTEXT  ?= k3s-homelab
+KUBECONFIG_CONTEXT  ?= k3s-lab
 K3S_VERSION         ?= v1.32.2+k3s1
 
 # Root of this repo (works whether used standalone or as a submodule)
-K3S_HOMELAB := $(abspath $(dir $(MAKEFILE_LIST)))
+K3S_LAB := $(abspath $(dir $(MAKEFILE_LIST)))
 
 # Terminal colors
 GREEN  := \033[0;32m

README.md

@@ -1,106 +1,59 @@
-# k3s-homelab
+# k3s-lab
 
-> Reusable k3s cluster setup — scripts, Kubernetes manifests, and Makefile targets for a production-ready lightweight Kubernetes cluster on VPS nodes.
+> Production-ready k3s cluster on VPS — automated setup with Traefik, cert-manager, Prometheus, Grafana, Loki, and Promtail.
+
+[![CI / CD](https://github.com/KevinDeBenedetti/k3s-lab/actions/workflows/ci-cd.yml/badge.svg)](https://github.com/KevinDeBenedetti/k3s-lab/actions/workflows/ci-cd.yml)
 
 ## Stack
 
 | Tool | Role |
-|------|------|
+|---|---|
 | [k3s](https://k3s.io) | Lightweight Kubernetes distribution |
-| [Traefik](https://traefik.io) | Ingress controller + HTTPS reverse proxy |
+| [Traefik](https://traefik.io) | Ingress controller + HTTPS |
 | [cert-manager](https://cert-manager.io) | Automatic TLS via Let's Encrypt |
+| [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts) | Prometheus + Grafana + Alertmanager |
 | [Loki](https://grafana.com/oss/loki/) | Centralized log storage |
-| [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) | Kubernetes log collector |
-| [kube-prometheus-stack](https://github.com/prometheus-community/helm-charts) | Prometheus + Grafana monitoring |
-
-## Repository Layout
-
-```
-.
-├── .env.example             # Environment variables template — copy to .env
-├── k3s/
-│   ├── install-master.sh    # Bootstrap the control-plane node
-│   ├── install-worker.sh    # Join a worker node to the cluster
-│   └── uninstall.sh         # Remove k3s from a node
-├── kubernetes/
-│   ├── namespaces/          # apps, ingress, cert-manager, monitoring
-│   ├── ingress/             # Traefik Helm values + secured dashboard
-│   ├── cert-manager/        # Let's Encrypt ClusterIssuers
-│   ├── monitoring/          # Prometheus, Grafana, Loki, Promtail
-│   └── apps/                # Example app deployment + ingress
-├── lib/
-│   ├── load-env.sh          # .env loader (no-overwrite semantics)
-│   ├── log.sh               # Coloured logging helpers
-│   └── ssh-opts.sh          # SSH_OPTS array builder
-├── makefiles/               # Modular Makefile targets
-│   ├── 10-help.mk           # Auto-generated help
-│   ├── 30-k3s.mk            # k3s install / uninstall
-│   ├── 40-kubeconfig.mk     # Fetch & merge kubeconfig
-│   ├── 50-deploy.mk         # Deploy base + monitoring stack
-│   ├── 60-status.mk         # Cluster status helpers
-│   └── 70-ssh.mk            # SSH shortcuts
-└── scripts/
-    ├── deploy-stack.sh      # Deploy Traefik + cert-manager (local machine)
-    ├── deploy-monitoring.sh # Deploy Prometheus + Grafana + Loki + Promtail
-    └── get-kubeconfig.sh    # Fetch & merge kubeconfig from master
-```
+| [Promtail](https://grafana.com/docs/loki/latest/send-data/promtail/) | Log collector |
 
-## Quick Start
+## Quick start
 
 ```bash
-# 1. Copy and fill in your values
-cp .env.example .env
-
-# 2. Install k3s on the master node
-make k3s-master
-
-# 3. Fetch kubeconfig
-make kubeconfig
-
-# 4. Deploy the base stack (Traefik + cert-manager)
-make deploy
-
-# 5. Deploy monitoring (Prometheus + Grafana + Loki)
-make deploy-monitoring
+cp .env.example .env        # Fill in your values
+make k3s-master             # Bootstrap control plane (~5 min)
+make k3s-worker             # Join worker node (~3 min)
+make kubeconfig             # Fetch kubeconfig
+make deploy-dashboard-secret
+make deploy                 # Traefik + cert-manager (~3 min)
+make deploy-grafana-secret
+make deploy-monitoring      # Prometheus + Grafana + Loki (~10 min)
 ```
 
-## Available Targets
+## Documentation
 
-```
-make help
-```
+📖 **[kevindebenedetti.github.io/k3s-lab](https://kevindebenedetti.github.io/k3s-lab)**
 
-## Usage as a Git Submodule
+| | |
+|---|---|
+| [Getting started](https://kevindebenedetti.github.io/k3s-lab/getting-started) | Prerequisites, step-by-step deploy |
+| [Configuration](https://kevindebenedetti.github.io/k3s-lab/configuration) | All `.env` variables |
+| [k3s](https://kevindebenedetti.github.io/k3s-lab/stack/k3s) | Install flags, sysctl, firewall |
+| [Traefik](https://kevindebenedetti.github.io/k3s-lab/stack/traefik) | Ingress, TLS, dashboard |
+| [cert-manager](https://kevindebenedetti.github.io/k3s-lab/stack/cert-manager) | Let's Encrypt, HTTP-01 |
+| [Monitoring](https://kevindebenedetti.github.io/k3s-lab/stack/monitoring) | Prometheus, Grafana, Loki |
+| [Make targets](https://kevindebenedetti.github.io/k3s-lab/operations/make-targets) | Full `make` reference |
+| [Troubleshooting](https://kevindebenedetti.github.io/k3s-lab/operations/troubleshooting) | Common issues |
 
-This repo is designed to be embedded in a private infra repo:
+## Submodule usage
 
 ```bash
-git submodule add git@github.com:KevinDeBenedetti/k3s-homelab.git k3s-homelab
+git submodule add https://github.com/KevinDeBenedetti/k3s-lab.git k3s-lab
 ```
 
-In the parent `Makefile`:
-
 ```makefile
-K3S_HOMELAB := $(ROOT_DIR)/k3s-homelab
-include $(K3S_HOMELAB)/makefiles/30-k3s.mk
-include $(K3S_HOMELAB)/makefiles/40-kubeconfig.mk
-include $(K3S_HOMELAB)/makefiles/50-deploy.mk
-include $(K3S_HOMELAB)/makefiles/60-status.mk
-include $(K3S_HOMELAB)/makefiles/70-ssh.mk
+K3S_LAB := $(ROOT_DIR)/k3s-lab
+include $(K3S_LAB)/makefiles/30-k3s.mk
+include $(K3S_LAB)/makefiles/40-kubeconfig.mk
+include $(K3S_LAB)/makefiles/50-deploy.mk
+include $(K3S_LAB)/makefiles/60-status.mk
+include $(K3S_LAB)/makefiles/70-ssh.mk
 ```
-
-## Environment Variables
-
-See [.env.example](.env.example) for the full list. Key variables:
-
-| Variable | Description |
-|----------|-------------|
-| `MASTER_IP` | Public IP of the master VPS |
-| `WORKER_IP` | Public IP of the worker VPS |
-| `SSH_USER` | SSH user (default: `kevin`) |
-| `SSH_KEY` | Path to SSH private key |
-| `K3S_VERSION` | Pinned k3s version |
-| `DOMAIN` | Primary domain (e.g. `example.com`) |
-| `EMAIL` | Let's Encrypt registration email |
-| `GRAFANA_DOMAIN` | Grafana dashboard domain |
-| `KUBECONFIG_CONTEXT` | kubectl context name |

docs/.vitepressrc.json

@@ -1,7 +1,7 @@
 {
-  "title": "k3s-homelab",
-  "description": "Reusable GitHub automation scripts, stack makefile fragments, Docker templates, and a Rust CLI for developer workflows.",
-  "icon": "🛠️",
+  "title": "k3s-lab",
+  "description": "Production-ready k3s cluster on VPS — automated setup with Traefik, cert-manager, Prometheus, Grafana, Loki, and Promtail.",
+  "icon": "☸️",
   "order": 5,
-  "repo": "KevinDeBenedetti/k3s-homelab"
+  "repo": "KevinDeBenedetti/k3s-lab"
 }

docs/configuration.md

@@ -0,0 +1,125 @@
+# Configuration Reference
+
+All configuration is managed through a `.env` file at the repository root. Copy the template and fill in your values:
+
+```bash
+cp .env.example .env
+```
+
+> ⚠️ **Never commit `.env` to git.** It is listed in `.gitignore`. The `.env.example` file (with placeholder values) is committed instead.
+
+---
+
+## All variables
+
+### VPS nodes
+
+| Variable | Example | Required | Description |
+|---|---|---|---|
+| `MASTER_IP` | `1.2.3.4` | ✅ | Public IP of the control-plane VPS |
+| `WORKER_IP` | `5.6.7.8` | ✅ | Public IP of the worker VPS |
+
+### SSH
+
+| Variable | Default | Required | Description |
+|---|---|---|---|
+| `SSH_USER` | `ubuntu` | ✅ | SSH user after bootstrap (regular user, not root) |
+| `SSH_KEY` | `~/.ssh/id_ed25519` | ✅ | Path to your SSH private key |
+| `INITIAL_USER` | `root` | — | User for the very first connection (before bootstrap creates `SSH_USER`) |
+| `SSH_PORT` | `22` | — | SSH port (Makefile default, not in `.env.example`) |
+
+> `INITIAL_USER` is only used for the first `make k3s-master` run. After the VPS is bootstrapped with your regular user, `SSH_USER` takes over.
+
+### k3s
+
+| Variable | Example | Required | Description |
+|---|---|---|---|
+| `K3S_VERSION` | `v1.32.2+k3s1` | ✅ | Pinned k3s version — must match on master and worker |
+| `K3S_NODE_TOKEN` | *(auto-filled)* | ✅ | Shared secret for worker join — auto-saved by `make k3s-master` |
+
+> `K3S_NODE_TOKEN` is automatically written to `.env` after `make k3s-master` completes. You do not need to generate it manually.
+
+### Helm chart versions
+
+| Variable | Default | Description |
+|---|---|---|
+| `TRAEFIK_CHART_VERSION` | `34.4.0` | Traefik Helm chart version |
+| `CERT_MANAGER_VERSION` | `v1.17.1` | cert-manager Helm chart version |
+| `KUBE_PROMETHEUS_VERSION` | `82.10.3` | kube-prometheus-stack chart version |
+| `LOKI_VERSION` | `6.35.1` | Loki Helm chart version |
+| `PROMTAIL_VERSION` | `6.17.1` | Promtail Helm chart version |
+
+Helm chart versions are pinned and managed by [Renovate](https://docs.renovatebot.com/) via the shared preset in `renovate.json`.
+
+### Application
+
+| Variable | Example | Required | Description |
+|---|---|---|---|
+| `DOMAIN` | `example.com` | ✅ | Primary domain (used for app subdomains) |
+| `EMAIL` | `admin@example.com` | ✅ | Email for Let's Encrypt ACME registration |
+
+### Traefik dashboard
+
+| Variable | Example | Required | Description |
+|---|---|---|---|
+| `DASHBOARD_DOMAIN` | `dashboard.example.com` | ✅ | Subdomain for the Traefik admin dashboard |
+| `DASHBOARD_PASSWORD` | *(htpasswd hash)* | ✅ | BasicAuth password — set via `make deploy-dashboard-secret` |
+
+> `DASHBOARD_PASSWORD` is the **plain text** password. `make deploy-dashboard-secret` hashes it with `htpasswd -nb admin <password>` before storing it in the Kubernetes Secret.
+
+### Grafana
+
+| Variable | Example | Required | Description |
+|---|---|---|---|
+| `GRAFANA_DOMAIN` | `grafana.example.com` | ✅ | Subdomain for Grafana |
+| `GRAFANA_PASSWORD` | *(your password)* | ✅ | Grafana admin password |
+
+### Kubeconfig
+
+| Variable | Default | Required | Description |
+|---|---|---|---|
+| `KUBECONFIG_CONTEXT` | `k3s-lab` | ✅ | kubectl context name created by `make kubeconfig` |
+
+---
+
+## Variable precedence
+
+Variables are loaded with **no-overwrite semantics**: a value already set in the shell environment takes precedence over the `.env` file.
+
+This allows Makefile targets to override `.env` at call time:
+
+```bash
+make deploy DOMAIN=staging.example.com
+```
+
+---
+
+## Minimal `.env` for a first deploy
+
+```bash
+# Nodes
+MASTER_IP=1.2.3.4
+WORKER_IP=5.6.7.8
+
+# SSH
+SSH_USER=ubuntu
+SSH_KEY=~/.ssh/id_ed25519
+
+# k3s
+K3S_VERSION=v1.32.2+k3s1
+
+# Application
+DOMAIN=example.com
+EMAIL=you@example.com
+
+# Traefik dashboard
+DASHBOARD_DOMAIN=dashboard.example.com
+DASHBOARD_PASSWORD=changeme
+
+# Grafana
+GRAFANA_DOMAIN=grafana.example.com
+GRAFANA_PASSWORD=changeme
+
+# Kubeconfig
+KUBECONFIG_CONTEXT=k3s-lab
+```