File Map
This is a reference of important files on the cluster nodes, what they do, and when you would need to touch them.
System configuration (all nodes)
/etc/hostname
The node's hostname. Should be nst-n1, nst-n2, etc.
cat /etc/hostname
You set this during OS installation or with hostnamectl set-hostname.
/etc/hosts
Local hostname resolution. Should contain entries for all cluster nodes:
192.168.136.145 nst-n1
192.168.136.146 nst-n2
192.168.136.147 nst-n3
192.168.136.148 nst-n4
192.168.136.149 nst-n5
/etc/netplan/
Network configuration. Each node has a YAML file here defining its static IP, gateway, and DNS.
When to edit: Adding a new node, changing a node's IP, fixing network issues.
After editing: Run sudo netplan apply. Be careful when doing this over SSH: a mistake in the file can drop your connection.
/etc/ssh/sshd_config
SSH server configuration. Controls who can SSH in, which authentication methods are allowed, and security settings.
/etc/sudoers and /etc/sudoers.d/
Controls which users can run commands as root. The cluster admin user has NOPASSWD sudo access.
Never edit /etc/sudoers directly. Use sudo visudo or drop files in /etc/sudoers.d/.
Cloudflare Tunnel (nst-n1 only)
/etc/cloudflared/config.yml
The tunnel routing configuration. Defines which hostnames map to which local services.
When to edit: Adding a new non-HTTP service, changing SSH endpoints, adding special origin settings.
After editing: sudo systemctl restart cloudflared
/etc/cloudflared/<UUID>.json
Tunnel credentials. Generated when the tunnel was created. Contains the tunnel ID and secret.
Do not share or commit this file.
/etc/cloudflared/cert.pem
Cloudflare origin certificate. Used for cloudflared tunnel route dns commands.
Do not share or commit this file.
K3s (control plane — nst-n1)
/etc/rancher/k3s/k3s.yaml
The kubeconfig file generated by K3s. Contains the API server address and admin credentials.
When to use: Copy to ~/.kube/config for kubectl access. Change the server: field from 127.0.0.1 to 192.168.136.145 if accessing from another machine.
/var/lib/rancher/k3s/server/node-token
The join token for adding worker nodes. Workers use this to authenticate with the control plane.
sudo cat /var/lib/rancher/k3s/server/node-token
/var/lib/rancher/k3s/server/manifests/
Auto-deploy directory. K3s watches this directory and applies any YAML or Helm chart it finds. This is how Traefik gets installed automatically.
When to use: Drop a manifest here if you want K3s to auto-apply it on every restart.
K3s (workers — nst-n2 through nst-n5)
/etc/systemd/system/k3s-agent.service.env
Environment variables for the K3s agent, including the server URL and join token.
When to edit: If the control plane IP changes or the token needs updating.
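The files above that hold credentials (the tunnel credentials JSON and cert.pem, k3s.yaml, node-token, and k3s-agent.service.env) can be checked for loose permissions with a short script. This is an added example, not part of the original reference: the function name audit_secret_perms, its ROOT prefix argument and the --run switch are hypothetical, and it assumes these files should be accessible to their owner only.

```shell
#!/bin/sh
# Added example (not from the original page): report files from this file map
# that hold credentials and are accessible to group or other.
# Assumption: every file below should be owner-only (e.g. mode 600).

# audit_secret_perms [ROOT]
#   ROOT is an optional prefix so the check can run against a copy or a test
#   tree; leave it empty on a real node (run as root so the files are visible).
#   Prints "LOOSE <perms> <path>" per finding; returns 1 if anything was found.
audit_secret_perms() {
    root=${1:-}
    found=0
    # Paths are the ones listed on this page; <UUID>.json is matched by glob.
    for f in \
        "$root"/etc/cloudflared/*.json \
        "$root"/etc/cloudflared/cert.pem \
        "$root"/etc/rancher/k3s/k3s.yaml \
        "$root"/var/lib/rancher/k3s/server/node-token \
        "$root"/etc/systemd/system/k3s-agent.service.env
    do
        [ -f "$f" ] || continue          # not every file exists on every node
        perms=$(ls -ldL "$f" | cut -c1-10)
        case $perms in
            ????------) ;;               # no group/other permission bits set
            *) printf 'LOOSE %s %s\n' "$perms" "$f"; found=1 ;;
        esac
    done
    return "$found"
}

# Audit the live filesystem only when asked to, e.g. sudo sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_secret_perms ""
fi
```

A non-zero exit status from the --run form means at least one file needs its mode tightened; the same function can be pointed at a backup or repository checkout by passing its path as ROOT.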
User configuration (nst-n1)
~/.kube/config
kubectl configuration. Points to the K3s API server.
kubectl config view --minify | grep server
# Should show: https://192.168.136.145:6443
~/bin/allnodes
Helper script for running commands across all nodes. Add ~/bin to your PATH in ~/.zshrc.local:
export PATH="$HOME/bin:$PATH"
Systemd services
/etc/systemd/system/k3s.service (nst-n1)
K3s server service definition. Starts the control plane on boot.
/etc/systemd/system/k3s-agent.service (workers)
K3s agent service definition. Joins the worker to the cluster on boot.
/etc/systemd/system/cloudflared.service (nst-n1)
Cloudflare Tunnel daemon. Starts the tunnel on boot.
Managing systemd services
# Check status
sudo systemctl status <service-name>
# Start/stop/restart
sudo systemctl start <service-name>
sudo systemctl stop <service-name>
sudo systemctl restart <service-name>
# Enable/disable on boot
sudo systemctl enable <service-name>
sudo systemctl disable <service-name>
# View logs
sudo journalctl -u <service-name> -f