Kubernetes Cluster on Hetzner Bare Metal Servers

If you want to run your own Kubernetes cluster, you have plenty of possibilities: you can set up a single-node cluster using minikube locally or on a remote machine. You can also set up a multi-node cluster on VPS instances or with managed cloud providers such as AWS or GCE. Alternatively, you can use your own hardware, e.g. Raspberry Pis or bare metal servers. However, without the functionality provided by a managed cloud provider, it is difficult to take full advantage of the high availability capabilities of Kubernetes. We have tried – and present here the instructions for a highly available Kubernetes cluster on Hetzner bare metal servers.


GitLab on a DiskStation

Sometimes, regardless of the possibilities offered by “the cloud”, you want to host important services yourself. For me as a software and DevOps engineer, this applies to my source code. For this reason, I host my GitLab instance myself. Since the GitLab package for DSM provided by Synology is outdated, I will explain here how to install the latest version of GitLab on a DiskStation using Docker.


2nd IEEE International Conference on Blockchain – Paper on…

Yesterday I attended the 2nd IEEE International Conference on Blockchain in Atlanta, Georgia. Besides many interesting and exciting talks, I also presented my first paper there:

Matthias Lohr, Jonathan Hund, Jan Jürjens, Steffen Staab: Ensuring Genuineness for Selectively Disclosed Confidential Data using Distributed Ledgers: Applications to Rail Wayside Monitoring. In: 2nd IEEE International Conference on Blockchain, pp. 477-482, IEEE, 2019, ISBN: 978-1-7281-4693-5.

I would also like to say thanks for the interesting conversations I had at the conference.


Ansible Role for tinc VPN

When setting up Kubernetes clusters, it makes sense for the individual Kubernetes nodes to live in the same private network. If Kubernetes is set up on bare metal machines from providers such as Hetzner, it may not be possible to set up such a common network natively. This is where tinc comes in: it makes it very easy to set up a virtual network across all participating nodes. To keep the configuration of tinc in step with that of Kubernetes (I use Kubespray for my Kubernetes setup), I developed an Ansible Role for tinc VPN and made it available on GitHub. The role provides:


  • Installing and setting up tinc VPN service
  • In-place private key generation (private keys are never copied)
  • Support for additional nodes where host machines are not covered by the playbook
  • Support for custom routes for the VPN interface
  • Support for joining existing bridge interfaces on the host machine
  • Custom scripting for up/down hook scripts


For setup instructions or a tutorial on how to use my Ansible Role for tinc VPN, please check the README. It always contains the up-to-date instructions for using this role and will be updated when new features are added.


FritzBox LAN 2 LAN VPN with StrongSwan

There are a lot of instructions available on how to connect your FritzBox to a server via VPN. But since it took me a long time to find a working tutorial myself, here is another post describing how to set up a FritzBox LAN 2 LAN VPN with StrongSwan (based on the site


Websockets for Synology DSM

It has happened to me several times now that an application I run on my DS 1817+ has problems with Websockets. This is because I use the reverse proxy built into DSM, which does not forward Websocket upgrades by default. For this reason, here is a little tutorial on how to enable Websockets for the Synology DSM reverse proxy.

Enable Websockets in DSM Reverse Proxy

Actually, it is extremely easy to enable Websockets for the Synology DSM reverse proxy:

  1. Open Control Panel > Application Portal
  2. Change to the Reverse Proxy tab
  3. Select the proxy rule for which you want to enable Websockets and click on Edit
  4. Change to the Custom Headers tab
  5. Add the following two entries to the list:
    • Name: “Upgrade”, Value: “$http_upgrade”
    • Name: “Connection”, Value: “$connection_upgrade”

Repeat these steps for every rule for which you want to enable Websockets.

In my local setup, I need this for GitLab Mattermost (running within a Docker container) and the DSM Virtual Machine Manager console.