Build Your Own
kldload is a re-packer. It gives you the base — a bootable ISO with ZFS on root, WireGuard, eBPF observability, and your choice of nine distributions — and you build what you need on top. Not a pre-baked appliance. Not a black-box image. A starting point that respects your judgment about what your infrastructure should look like.
The re-packer philosophy. Traditional infrastructure tools give you a finished product and hope it fits. kldload gives you tested components — ZFS pools, WireGuard tunnels, eBPF probes, container runtimes, KVM hypervisors — and a simple mechanism to compose them into whatever you need. An edge server for a remote warehouse. A CI runner that resets itself between jobs. A classroom lab that snapshots student environments. A disaster recovery target that pulls replicas from across the continent.
Every build starts the same way: pick a profile, pick a distro, set environment variables, and run the installer. What you layer on top is entirely up to you. The pages in this section give you the blueprints, the answer files, and the postinstall scripts to get there fast.
This hub page is your map to the entire Build Your Own section. Start with the Getting Started guides if you are new, jump to an Infrastructure or Services recipe if you know what you want, or use the Quick Start Paths and Architecture Decision Tree further down to find the right approach for your situation.
15 recipes and counting
From edge servers to classroom labs, from Firecracker serverless to PostgreSQL on ZFS — each recipe includes a complete answer file, a postinstall script, and operational notes. Copy, modify, deploy.
8 distributions, 4 profiles
CentOS, Debian, Ubuntu, Fedora, RHEL, Rocky, Arch, and Alpine. Desktop, server, kvm, and core profiles. Mix and match any distro with any profile to build exactly what you need.
Offline or online
Install in air-gapped environments using embedded darksites, or install over the network for rolling-release distributions. No internet dependency for production deployments.
How Build Your Own Works
Every kldload build follows the same three-step loop: configure, install, customize. You express your intent through environment variables and answer files. The installer reads those variables, partitions your disk, lays down ZFS, bootstraps the target distro, and hands off to your postinstall scripts. The entire process is deterministic — the same inputs always produce the same system.
1. Configure
Set environment variables or fill out the web UI. Choose a profile (desktop, server, core, kvm), a target distro (CentOS, Debian, Ubuntu, Fedora, RHEL, Rocky, Arch, Alpine), disk layout, hostname, network, and optional features like WireGuard, encryption, and eBPF. Every option has a sane default — you only set what you want to change.
2. Install
Run kldload-install-target (or click "Install" in the web UI). The installer partitions the disk, creates a ZFS pool with your chosen topology, bootstraps the target distribution using its native package manager (dnf, debootstrap, or pacstrap), installs the kernel, configures the bootloader, and sets up networking. No custom formats, no proprietary layers — a standard Linux system with ZFS on root.
3. Customize
Postinstall scripts run after the base OS is ready. They install application packages, configure services, apply hardening, and set up monitoring. You write these scripts — or use the ones from the recipes in this section. When the postinstaller finishes, the system reboots into your custom appliance.
The beauty of this loop is that it is repeatable. Check your answer file and postinstall script into git. Run the same build on bare metal, in a VM, or through Packer. Deploy ten identical edge servers or a hundred CI runners. Every build is auditable, diffable, and version-controlled.
Getting Started
New to Build Your Own? Start here. These five guides take you from zero to a fully customized system — understanding the concepts, writing your first answer file, integrating with infrastructure-as-code tooling, writing postinstall scripts, and knowing every variable at your disposal.
Overview
The complete picture of how Build Your Own works — answer files, profiles, the build-deploy cycle, and how kldload's installer dispatches to different distro bootstrappers. Explains the relationship between profiles, editions, and environment variables. Start here if you want to understand the system before touching it.
Zero to Hero
A complete walkthrough from nothing to a running appliance. Download the ISO, boot it on hardware or a VM, fill out the web UI (or write an answer file by hand), run the installer, and reboot into your custom system. Covers both the interactive web UI path and the fully automated CLI path. By the end you will have a working ZFS-on-root system with your chosen distro installed and configured.
IaC Quickstart
Infrastructure as Code with kldload — version-controlled answer files, Packer templates for golden images, Terraform modules for VM provisioning, and Ansible playbooks for post-deploy configuration. Shows how to integrate kldload into existing CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) and how to manage fleets of identical machines from a single git repository.
Postinstallers
Post-install scripts are where your custom build diverges from the base. This guide covers the postinstaller API — what environment variables are available, how to access the target filesystem, how to install packages, configure services, and handle errors. Includes a library of reusable snippets for common tasks: hardening, monitoring agents, Docker setup, WireGuard configuration, and user provisioning.
Environment Reference
Complete reference for every environment variable accepted by kldload-install-target. Organized by category — disk and partitioning, ZFS pool topology, network configuration, distro selection, profile options, WireGuard, eBPF, encryption, export formats, and postinstall hooks. Each variable lists its type, default value, valid options, and an example. This is the page you keep open while writing answer files.
Infrastructure Recipes
Production-tested blueprints for common infrastructure roles. Each recipe includes a complete answer file, a postinstall script, a bill of materials (hardware or VM specs), and operational notes. These are not toy examples — they are the configurations we run and the configurations our users deploy in production.
Edge Server
Compact, autonomous edge deployment for remote sites — branch offices, retail stores, warehouses, cell towers, and field operations. WireGuard uplink to headquarters for management and log shipping. Local ZFS storage with encrypted datasets for sensitive data. Designed to operate unattended for months — automated snapshots, self-healing ZFS scrubs, and watchdog timers bring the system back if anything goes wrong. Minimal attack surface with nftables firewall and SELinux enforcing.
CI Runner
Self-hosted CI runner with ZFS-backed build caches, Docker or Podman executor, and instant rollback between jobs. Every CI job starts from a pristine ZFS snapshot — no leftover state from previous builds, no cache pollution, no "works on my machine" failures. Build artifacts land on ZFS datasets with compression enabled, cutting storage costs for large binary outputs. Integrates with GitHub Actions, GitLab CI, and Jenkins via standard runner protocols.
Dev Workstation
Developer workstation with GNOME desktop, ZFS home directories with per-project datasets, Docker and Podman for container development, and a full toolchain (compilers, debuggers, language runtimes). ZFS snapshots before every major operation — snapshot before a risky git rebase, roll back if it goes wrong. Includes GPU passthrough configuration for CUDA/ML workloads and a local KVM environment for testing deployments before pushing to production.
Security Appliance
Hardened security appliance for intrusion detection, log aggregation, forensic analysis, and incident response. ZFS encryption for evidence storage with chain-of-custody snapshots that cannot be silently modified. Includes Suricata IDS, OSSEC HIDS, Wazuh agent, and log collectors for syslog, journald, and auditd. nftables firewall with strict default-deny policy. SELinux in enforcing mode. Tamper-evident logging with append-only ZFS datasets.
Classroom Lab
Multi-seat classroom lab with per-student ZFS datasets, snapshot-based resets between classes, and centralized management. Each student gets an isolated environment that can be rolled back to a clean state in seconds. Instructors can snapshot the entire lab before an exercise and restore it after. Supports both physical multi-seat setups (multiple keyboards/mice/monitors on one machine) and VDI-style thin client deployments with KVM backends.
Disaster Recovery
Disaster recovery target with ZFS receive for incremental replication, automated failover testing, and cross-site data protection. Receives ZFS send streams from production systems over WireGuard, maintaining consistent point-in-time copies. Automated weekly failover drills boot the replicated datasets in KVM to verify they are bootable and services start correctly. Generates DR compliance reports with RPO/RTO measurements for auditors.
Services Recipes
Purpose-built service stacks that take advantage of ZFS features most traditional deployments ignore. Instant snapshots for consistent database backups. Clones for zero-cost staging environments. Compression that halves your storage bill. These recipes show how to deploy common services the kldload way.
Serverless / Firecracker
Firecracker microVMs on ZFS — sub-second cold starts via ZFS clone, snapshot-based boot images, and per-function network isolation with eBPF. Each function invocation boots a fresh microVM from a ZFS snapshot, runs the workload, and destroys itself. No container escape surface, no shared kernel namespaces, full VM isolation at near-container speed. Includes an API gateway that routes requests to microVMs and collects metrics via eBPF tracepoints.
Grafana / Monitoring
Complete observability stack — Grafana for dashboards, Prometheus for metrics, Loki for logs, and Alertmanager for notifications. All data lands on ZFS datasets with tuned recordsizes (128K for Prometheus TSDB, 1M for Loki chunks) and LZ4 compression. Automated snapshots before Prometheus compaction cycles protect against data corruption. Pre-configured dashboards for ZFS pool health, WireGuard tunnel status, eBPF probe metrics, and system essentials.
Databases on ZFS
PostgreSQL, MySQL/MariaDB, and Redis on ZFS with workload-tuned dataset properties. PostgreSQL gets 8K recordsize matching its page size, logbias=throughput, and a dedicated SLOG for synchronous writes. MySQL gets similar treatment with InnoDB-specific tuning. Redis gets a tmpfs-backed dataset for volatile caches and a persistent dataset for AOF logs. Point-in-time recovery via ZFS snapshots — consistent, instant, and free. Includes replication setup for primary/replica topologies.
Containers on ZFS
Docker and Podman with ZFS as the storage driver — every container layer is a ZFS dataset, every volume is a ZFS filesystem. Image pulls deduplicate at the block level. Container snapshots are instant and free. Volume backups use ZFS send/receive instead of slow tar exports. Includes Compose stacks for common self-hosted services (Gitea, Nextcloud, Keycloak, Traefik) with ZFS-optimized volume mounts and automated snapshot schedules via Sanoid.
Quick Start Paths
Not sure where to begin? Find your goal below and follow the recommended path. Each path lists the pages to read in order, the profile and distro to choose, and the key environment variables to set.
"I want to replace my NAS with something better"
You want ZFS storage with snapshots, replication, and NFS/SMB shares. Start with Zero to Hero to build your first system, then follow the NAS Server appliance recipe. Use the server profile with CentOS or Rocky for long-term stability.
"I want a development workstation with ZFS snapshots"
You want a daily driver with GNOME, Docker, and the safety net of ZFS snapshots on your home directory. Start with Zero to Hero, then read Dev Workstation. Use the desktop profile with Fedora or Ubuntu for the latest packages.
"I want to automate infrastructure deployments with Packer"
You want golden images that deploy identically across clouds and hypervisors. Start with Overview to understand answer files, then IaC Quickstart for Packer/Terraform integration, and Environment Reference for the export-format variables. Use the server profile with your org's preferred distro.
"I want self-hosted CI with clean environments per build"
You want CI runners that reset to a pristine state between jobs using ZFS snapshots. Read Zero to Hero first, then CI Runner for the recipe. Use the server profile with Ubuntu (most CI tooling targets Ubuntu). Pair with Postinstallers to install your CI agent and toolchain.
"I want a monitoring stack with Grafana and Prometheus"
You want dashboards, metrics, and alerts with ZFS-protected storage underneath. Start with Zero to Hero, then Grafana / Monitoring. Use the server profile. For the observability deep-dive, continue to the Observability tutorials.
"I want a KVM hypervisor with ZFS-backed VMs"
You want to run virtual machines on ZFS zvols with instant cloning, snapshots, and GPU passthrough. Start with Zero to Hero using the kvm profile, then read the KVM + ZFS Hypervisor wiki page and the KVM tutorial.
"I want just ZFS on root, nothing else"
You want a stock Linux distribution with ZFS on root and none of the kldload tools. Use the core profile — it installs the base distro with ZFS and nothing more. No web UI, no kldload CLI tools, no darksites, no Sanoid. Just Linux + ZFS. Read Overview and Environment Reference.
"I want edge servers at remote sites with central management"
You want autonomous systems that phone home over WireGuard. Start with Zero to Hero, then Edge Server for the recipe, and IaC Quickstart for fleet-scale deployment. Use the server profile with Rocky or CentOS for 10-year support cycles.
Architecture Decision Tree
kldload has four profiles that determine what gets installed. Choosing the right one is the single most important decision in your build. Use this decision tree to find yours.
Do you need a graphical desktop?
Yes → Use the desktop profile. Installs GNOME, display manager, audio, GPU drivers, and all kldload tools. Best for developer workstations, classroom labs, and kiosk/signage systems. Supports NVIDIA GPU passthrough for CUDA workloads.
Headless server with the full kldload toolset?
Yes → Use the server profile. SSH access, all kldload CLI tools, Sanoid for automated snapshots, WireGuard, eBPF probes, and darksite package mirrors. Best for edge servers, CI runners, monitoring stacks, database servers, and general-purpose infrastructure.
KVM hypervisor with ZFS storage backend?
Yes → Use the kvm profile. Everything in the server profile plus libvirt, QEMU/KVM, bridge networking, and the kvm-* management tools. ZFS zvols as VM disk backends with instant clone and snapshot. Best for building your own cloud, running Kubernetes on VMs, or consolidating workloads.
Just ZFS on root, stock distro, nothing extra?
Yes → Use the core profile. Installs the bare distribution with ZFS on root and nothing else. No kldload tools, no web UI, no Sanoid, no darksites, no WireGuard configuration. You get a clean Linux system with ZFS and full control over everything else. Best for users who want ZFS bootstrapping only and will manage everything else themselves.
Not sure? Start with server. It is the most versatile profile — you get everything kldload offers without the overhead of a GUI. You can always add GNOME later with a single package group install, or strip tools you do not need. The server profile is the default for a reason.
Choosing a Distribution
kldload supports nine distributions. Each uses its native package manager and bootstrap tool — there is no abstraction layer, no custom package format. The OS you install is the same OS you would get from the vendor, plus ZFS on root.
CentOS Stream 9
The default. Tracks ahead of RHEL — you get features before they land in enterprise releases. Excellent for servers that need stability without the rigidity of RHEL. 5+ year support window. Uses dnf. Best for: general infrastructure, edge servers, CI runners.
RHEL 9
Red Hat Enterprise Linux. The gold standard for regulated environments that require vendor support contracts and certified software stacks. Uses dnf with subscription-manager for entitlements. Best for: compliance-heavy environments, government, finance.
Rocky Linux 9
Community-driven RHEL rebuild. Binary-compatible with RHEL without the subscription cost. Best for: production servers that need RHEL compatibility and long-term stability without vendor lock-in.
Debian 13 (Trixie)
The universal operating system. Legendary stability, massive package repository, and a conservative upgrade philosophy. Uses apt/debootstrap. Offline install via embedded APT darksite. Best for: long-lived servers, network appliances, embedded systems.
Ubuntu 24.04 LTS
The most popular Linux distribution for cloud and desktop. Huge ecosystem of third-party software, PPAs, and snap packages. Uses apt/debootstrap. Offline install via embedded APT darksite. Best for: developer workstations, CI runners, cloud-native services.
Fedora 41
The cutting edge. Newest kernels, newest packages, newest everything. Ideal for workstations and development environments that need the latest tools. Uses dnf. Best for: developer workstations, testing new technology, staying current.
Arch Linux
Rolling release. Always the latest version of everything. Requires internet access during install (no darksite — rolling releases cannot be cached). Uses pacstrap. Best for: power users who want complete control and the absolute latest packages.
Alpine Linux
Minimal, musl-based, security-oriented. Tiny footprint — base install under 200MB. Uses apk. Best for: containers, embedded systems, security appliances, and anywhere resource constraints matter.
Offline vs. Online Installs
One of kldload's defining features is the ability to install completely offline. The ISO ships with embedded package mirrors ("darksites") for RPM distributions (CentOS, RHEL, Rocky, Fedora), Debian, and Ubuntu. These mirrors contain every package needed for a full installation — base system, ZFS DKMS modules, kernel, firmware, and all kldload tools. No network required.
Offline Install (Darksite)
The default for most distributions. The ISO contains a local package repository that the installer uses instead of reaching out to the internet. RPM distros use file:///root/darksite/ directly. Debian and Ubuntu run local APT mirrors on ports 3142 and 3143 respectively. This means you can install in air-gapped environments, on aircraft, in submarines, in server rooms with no uplink — anywhere you can boot a USB stick.
Online Install (Network)
Arch Linux and Alpine Linux require internet access during installation. Arch is a rolling release — there is no stable package set to cache. Alpine is similar in philosophy. For these distributions, the installer uses the upstream package repositories directly. Ensure your network is configured (DHCP or static) before starting the install.
Offline capability is not just a convenience — it is a security property. When you install from the darksite, you know exactly which packages are being installed because they were baked into the ISO at build time. No supply-chain surprises, no CDN compromises, no man-in-the-middle on package downloads. The ISO is your bill of materials.
Answer Files In Depth
An answer file is a shell-sourceable file of environment variables. It completely describes a build. When you pass an answer file to kldload-install-target, the installer reads every variable and uses it to drive the installation. No interactive prompts, no ambiguity, no "it depends on the phase of the moon" surprises.
Minimal Answer File
The smallest useful answer file sets three variables: the target disk, the profile, and the distro. Everything else uses defaults — single-disk ZFS pool, standard partitioning, DHCP networking, default hostname. This is enough to get a working system.
Production Answer File
A production answer file adds networking (static IP, gateway, DNS), hostname, ZFS pool topology (mirror or raidz), encryption, WireGuard configuration, and a postinstall script URL. It is typically 15-30 lines and lives in a git repository alongside your infrastructure code.
Golden Image Answer File
For Packer workflows, the answer file includes export-format variables that tell the installer to seal the image for cloning after installation — clearing machine-id, removing SSH host keys, enabling cloud-init, and exporting to qcow2/vmdk/vhd/ova/raw. The result is a cloud-init-ready template you can stamp out across hypervisors or cloud providers.
See the Environment Reference for the complete list of variables, or browse the recipes in this section for real-world examples you can copy and modify.
Common Postinstall Patterns
Postinstall scripts are the extension point where your build becomes yours. The installer calls your script after the base OS is installed and configured but before the first reboot. Here are the patterns that appear across most production builds.
Package Installation
Install additional packages from the distro's package manager. The darksite is available during postinstall for offline builds, or the network for online ones. Use the distro-native tool — dnf install for RPM distros, apt install for Debian/Ubuntu, pacman -S for Arch, apk add for Alpine.
Service Configuration
Drop configuration files into the target filesystem and enable systemd units. Common examples: configuring Prometheus scrape targets, setting up Grafana datasources, writing WireGuard peer configs, and tuning sshd for security. Use systemctl --root=/target enable to enable services for first boot.
Security Hardening
Apply CIS benchmarks, configure SELinux/AppArmor policies, set up audit rules, disable unused services, configure nftables firewall rules, and rotate default credentials. The security appliance recipe demonstrates a comprehensive hardening postinstaller.
User Provisioning
Create service accounts and human user accounts with SSH keys, sudo rules, and ZFS home datasets. Each user can get their own ZFS dataset with per-user snapshot policies — daily snapshots retained for 30 days, with no impact on other users' quotas.
Monitoring Agent
Install and configure a monitoring agent (node_exporter, Telegraf, Datadog agent, or similar) that reports to your central monitoring stack. Set up ZFS-specific exporters for pool health, snapshot counts, and replication lag. Configure eBPF probes for deep kernel-level observability.
Container Runtime Setup
Configure Docker or Podman to use ZFS as the storage driver, set up registries (including private registries over WireGuard), deploy initial container stacks via Compose, and configure log drivers to ship container logs to your monitoring stack.
For a complete treatment of the postinstaller API and more patterns, see the Postinstallers guide.
Build Your Own vs. Appliance Recipes
This section (Build Your Own) and the Appliance Recipes section serve different audiences. Understanding the distinction helps you find the right starting point.
Build Your Own
For builders. You understand your requirements and want the tools to construct a system that fits them exactly. The pages here teach you the mechanisms — answer files, postinstallers, environment variables, profiles — and provide infrastructure blueprints you will customize. You are expected to modify the answer files, write your own postinstall scripts, and make architectural decisions. The recipes here are starting points, not finished products.
Appliance Recipes
For operators. You want a specific appliance — a NAS, a firewall, a Plex server, a game server — and you want it working with minimal configuration. The appliance recipes are closer to finished products. Copy the answer file, set your disk and network variables, run the installer, and you have a working appliance. Less flexibility, faster time to running system.
In practice, many users start with an appliance recipe and evolve it into a custom Build Your Own configuration as their needs grow. The two approaches use the same underlying mechanisms — the difference is in how much you customize.
Fleet Management
Build Your Own scales from one machine to thousands. The same answer file that installs a single edge server can deploy a fleet of identical systems when combined with Packer, Terraform, and Ansible. Here is how the pieces fit together at scale.
Git as the Source of Truth
Check your answer files and postinstall scripts into a git repository. Every change is tracked, reviewed, and auditable. Tag releases to mark known-good configurations. Use branches for staging vs. production variants. When something breaks, git diff tells you exactly what changed.
Packer for Golden Images
Packer boots the kldload ISO in a VM, feeds it your answer file, waits for the installation to complete, and exports the result as a qcow2/vmdk/ova image. Run Packer in CI to rebuild golden images on every merge to main. The IaC Quickstart guide covers this workflow in detail.
Terraform for Provisioning
Terraform creates VMs from your golden images across Proxmox, vSphere, AWS, Azure, GCP, or any provider with a Terraform plugin. Each VM boots from the image, cloud-init applies host-specific configuration (hostname, IP, SSH keys), and the system is ready in minutes.
Ansible for Day-Two Operations
Ansible handles ongoing configuration — rotating certificates, updating firewall rules, deploying new application versions, and managing ZFS snapshot policies. The kldload CLI tools are idempotent and scriptable, making Ansible playbooks clean and predictable.
WireGuard for Fleet Connectivity
Every kldload system can join a WireGuard mesh at install time. Edge servers, CI runners, monitoring targets, and database replicas all communicate over encrypted tunnels without exposing services to the public internet. Pair with the WireGuard Mesh & Multi-Site tutorial for hub-and-spoke or full-mesh topologies across data centers, cloud regions, and remote sites.
ZFS Replication for Fleet Backup
Use ZFS send/receive over WireGuard to replicate critical datasets from every machine in the fleet to a central DR target. Incremental sends are efficient — only changed blocks are transmitted. Combined with Sanoid's automated snapshot policies, you get continuous backup with point-in-time recovery across the entire fleet. The Disaster Recovery recipe shows this pattern in production.
Next Steps
You have the map. Now pick a path and start building.
Start Building
First time? The Zero to Hero guide walks you through your first build from start to finish. You will have a running system in under an hour.
Browse the Variables
Already familiar with kldload? Go straight to the Environment Reference and start writing answer files. Every variable is documented with types, defaults, and examples.
Automate Everything
Ready for scale? The IaC Quickstart shows you how to integrate kldload with Packer, Terraform, and Ansible for fully automated fleet deployment.
Build a Cloud
Ambitious? The Homelab Cloud recipe combines KVM, ZFS, WireGuard, and the kldload tools into a self-hosted cloud platform that rivals the hyperscalers for small-to-medium workloads.