| your Linux re-packer
kldload — your platform, your way, anywhere, free
Source
Masterclass

The kldload Masterclass Collection

This site is 100% dedicated to open source software. Every technology referenced, every configuration demonstrated, every architecture described — all of it is free, open source, and available to anyone.

These masterclasses connect the dots. They show you how OpenZFS, WireGuard, eBPF, Cilium, BGP, nftables, systemd, Prometheus, Vault, and the rest of the open source ecosystem work together to build infrastructure that rivals anything the enterprise vendors sell — without the vendor. You can build whatever you like, with a clear understanding of the scope, the limits, the challenges, and the possibilities.

24 masterclasses. Each starts from zero and builds to production-grade. Read them in order and you'll build: encrypted storage → invisible backplanes → firewalled perimeters → dynamic routing → overlay fabric → programmable dataplane → container orchestration → service discovery → full observability → automated image pipeline → certificate infrastructure → secrets management → security hardening → compliance validation → database tuning → load balancing → site reliability engineering → and a re-packer for building anything else.

The foundation is OpenZFS — not as a storage add-on, but as the root filesystem. Your OS, your VMs, your databases, your containers — everything sits on a filesystem that snapshots in milliseconds, clones at zero cost, replicates at the block level, and verifies every byte with checksums.

The fabric is WireGuard — not as a VPN, but as the network itself. Services bind to encrypted interfaces. The physical NIC carries UDP. Everything else is invisible.

The intelligence is eBPF — not as an observability tool, but as a programmable layer inside the kernel. Every syscall, every connection, every I/O operation — visible, filterable, actionable at wire speed.

This is the battle-hardened open source backbone of the enterprise world. OpenZFS protects petabytes at CERN and Lawrence Livermore. WireGuard secures Cloudflare's edge network. eBPF runs Meta's load balancers. BGP connects 80,000 networks on the internet. Prometheus monitors millions of servers at companies you've heard of. These aren't experimental projects — they're the infrastructure that runs the modern internet. The enterprises already use them. They just wrap them in proprietary products and sell them back to you.

Now it's your re-packer. Not one proprietary component. Not one license fee. Not one vendor lock-in. Just open source software — properly documented, honestly assessed, and ready to deploy. Do with it as you wish.

What the collection covers

Six sections. Each one builds on the last. Together they cover the full stack from boot to production ops.

Section 1

Infrastructure

the foundation layer

OpenZFS as the root filesystem. Encrypted backplane networks that make your services invisible. nftables firewall policies that follow interfaces, not IPs. systemd as the service layer, done properly. This section is the bedrock — skip it and nothing else makes sense.

ZFS Backplane Networks nftables systemd
Section 2

Networking

the fabric layer

WireGuard as the encrypted substrate. BIRD and BGP for dynamic routing between sites. VXLAN and EVPN to extend layer-2 over layer-3. Unbound and CoreDNS for service discovery at the network layer. This is how your machines find each other and stay found.

WireGuard BIRD & BGP VXLAN & EVPN DNS
Section 3

Platform

the intelligence layer

eBPF to see and filter every packet, syscall, and kernel event without a sidecar. Cilium to bring that power to Kubernetes pod networking. Full observability with Prometheus and Grafana wired to eBPF metrics. Packer to build golden images and deploy them everywhere. This is the layer that makes your platform programmable.

eBPF Cilium Observability Packer & IaC
Section 4

Security

the trust layer

TLS and PKI from scratch — your own CA, certificate automation, mTLS between services. Security hardening with SELinux, systemd sandboxing, and compliance baselines. Not bolt-on security. Designed in from the start, so it doesn't break things when you add it.

TLS & PKI Security Hardening
Section 5

Workloads

the application layer

Kubernetes scheduled on OpenZFS-backed KVM nodes. PostgreSQL, MySQL, and Redis tuned specifically for OpenZFS characteristics. HAProxy, keepalived, and Traefik for the front door. The part where your platform actually runs things.

Kubernetes Databases on ZFS Load Balancing & HA
Section 6

Operations

the human layer

The Construction Kit to build your own appliance from first principles. Blue/green deployments and SRE practices with real SLOs and error budgets. Asset labeling and inventory so your infrastructure is self-describing. The Operations Guide for daily, weekly, and monthly playbooks. First-Class Infrastructure — the paradigm shift that ties it all together.

Construction Kit Blue/Green & SRE Labeling & Assets Operations Guide
Section 7

Testing

the verification layer

kldload tests itself. A 15-combo VM matrix runs on every change — five distros × three profiles, install + reboot + post-install validation, two hours wall-clock. The OpenZFS Test Lab adds five distro × three test-suite combinations with eBPF + Tetragon + Hubble observability layered on every run. The framework teaches a baseline-and-trigger pattern that you then apply to any workload — Kubernetes pods, web stacks, file servers — via the same machinery that proves the lab itself is sound.

Testing & CI ZFS Test Lab

How to read the collection

Three ways in, depending on where you're starting from.

Path 1 — I want to understand everything

Read in order. Each masterclass builds on what came before. The ZFS masterclass assumes nothing. The Construction Kit assumes you've read everything else. By the end you'll have a complete mental model of how a production Linux infrastructure platform fits together.

ZFS → WireGuard → Backplane Networks → nftables → systemd → DNS → BIRD & BGP → VXLAN & EVPN → eBPF → Cilium → Observability → TLS & PKI → Security Hardening → Kubernetes → Databases → Load Balancing → Packer & IaC → Labeling & Assets → Operations Guide → Blue/Green & SRE → First-Class Infrastructure → Construction Kit

Path 2 — I want to build something specific

Jump directly to the relevant masterclass. Each one is written to stand alone — it references other masterclasses where there are dependencies, but you don't need to read the whole collection first. If you want WireGuard running today, start with WireGuard. If you want your databases tuned for OpenZFS, start with Databases. The cross-links will take you deeper when you need it.

Path 3 — I want the operations playbook

Start at the ops end and work backward. The Operations Guide tells you what to do every day, week, and month. The SRE masterclass tells you how to think about reliability. Labeling tells you how to keep your inventory sane. The Construction Kit tells you how to build new things without starting from scratch. When you want to understand why a procedure exists, follow the links back to the relevant foundation masterclass.

Operations Guide → Blue/Green & SRE → Labeling & Assets → Construction Kit

The philosophy

There are a few ideas that run through every masterclass. They're worth naming up front.

OpenZFS makes the hardest operations trivial

Rollback a bad deployment? Snapshot before, rollback after, done in seconds. Clone a production database for testing? Zero-copy, near-instant. Replicate a server to another site? Incremental ZFS send over the storage plane, automated by sanoid. Verify your data hasn't silently corrupted? Checksums on every block, scrubs on a schedule. These aren't features you have to build — they're properties of the filesystem.

WireGuard makes every network encrypted by default

When your services bind to WireGuard interfaces, you get end-to-end encryption for free. No TLS certificates to manage between internal services. No "but it's behind the firewall" security model that collapses the moment one machine is compromised. The encrypted channel is the network. Services that aren't on a WireGuard interface aren't reachable, period.

Image-based deployment eliminates configuration drift

When you deploy a Packer-built golden image, every machine that runs that image is byte-for-byte identical. There's no "this server has slightly different packages because someone ran an update six months ago." The image is the unit of deployment. Rolling back means swapping the image. Scaling means cloning the image. Auditing means inspecting the image.

The filesystem IS the state — no separate files that lie

OpenZFS snapshots capture the entire filesystem state at a point in time. Not a dump of some tables. Not a backup of /etc. The actual state of every file, every directory, every metadata attribute. When you need to know what a system looked like three days ago, you look at the snapshot from three days ago. The state is in the filesystem, which means it's always consistent and it's always there.

Every masterclass follows zero-to-hero

Start with nothing — a freshly installed kldload system. End with production-grade. No "as an exercise, configure the rest yourself." Every command is shown. Every config file is complete. Every test to verify it's working is included. The goal is that you can follow along on a real machine and have a working system at the end, not just an understanding of the concepts.

This collection exists because infrastructure knowledge is scattered across a thousand blog posts, Stack Overflow answers, and tribal knowledge locked inside ops teams who learned things the hard way and never wrote them down. We gathered it into one place, tested it on real systems, and wrote it in a way that someone starting from scratch can actually follow. If you read the whole collection, you'll know more about running production Linux infrastructure than most people learn in a decade of doing it the hard way. That's not hyperbole. It's just that the knowledge has never been assembled in one place before.

Reading order — all 22 masterclasses

The recommended sequence, with one sentence per masterclass explaining what it teaches and what it builds on.

  1. ZFS The foundation. Pool design, datasets, encryption, snapshots, send/receive, sanoid automation, and OpenZFS as the root filesystem. Everything else sits on this.depends on: nothing — start here
  2. WireGuard The fabric. Key generation, peer configuration, routing, multi-interface mesh, and WireGuard as the network primitive rather than an add-on VPN.depends on: ZFS (for the host environment)
  3. Backplane Networks The architecture. How to design a four-plane encrypted network where services are invisible to the outside world and reachable only through typed, firewall-controlled planes.depends on: WireGuard
  4. nftables The perimeter. Per-interface firewall policies using nftables sets and chains, blocking everything that didn't come through a WireGuard interface.depends on: Backplane Networks
  5. systemd The service layer. Unit files, socket activation, sandboxing, hardening directives, resource control, and using systemd to manage every process on the system correctly.depends on: nftables (service startup ordering)
  6. DNS The name layer. Unbound for recursive resolution, CoreDNS for service discovery, split-horizon DNS for backplane names, and how services find each other without hardcoded IPs.depends on: Backplane Networks, systemd
  7. BIRD & BGP The routing brain. BIRD2 configuration, iBGP and eBGP peering, route redistribution, BFD for fast failover, and dynamic routing between sites over WireGuard tunnels.depends on: Backplane Networks, DNS
  8. VXLAN & EVPN The overlay. VXLAN tunnels for layer-2 over layer-3, EVPN control plane via BGP, MAC/IP distribution, and building virtual networks on top of the WireGuard fabric.depends on: BIRD & BGP
  9. eBPF The programmable kernel. Writing and loading eBPF programs, XDP for wire-speed packet filtering, TC for traffic shaping, kprobes and tracepoints for deep visibility, and bpftool.depends on: systemd (for loading programs), nftables (comparison)
  10. Cilium The Kubernetes fabric. eBPF-powered pod networking, network policies without iptables, Hubble for flow visibility, and Cilium as the replacement for kube-proxy.depends on: eBPF, Kubernetes
  11. Observability The eyes. Prometheus scraping over the monitoring plane, Grafana dashboards, eBPF-sourced metrics, alerting rules, and what to actually measure in a production OpenZFS system.depends on: Backplane Networks, eBPF, systemd
  12. TLS & PKI The trust layer. Building your own CA with step-ca, issuing certificates automatically, configuring mTLS between services, and certificate rotation without downtime.depends on: DNS, systemd
  13. Security Hardening The armor. SELinux policy, systemd sandboxing, kernel parameter tuning, audit rules, compliance baselines, and hardening a kldload system to production security standards.depends on: systemd, TLS & PKI
  14. Kubernetes The orchestrator. Deploying Kubernetes on OpenZFS-backed KVM nodes, persistent volumes on ZFS datasets, network policies via Cilium, and day-2 operations for a real cluster.depends on: ZFS, Backplane Networks, DNS
  15. Databases on ZFS The data layer. PostgreSQL, MySQL, and Redis tuned for OpenZFS — recordsize, compression, sync settings, ARC sizing, snapshot-based backup, and point-in-time recovery.depends on: ZFS, systemd
  16. Load Balancing & HA The front door. HAProxy for layer-4 and layer-7 load balancing, keepalived for VRRP failover, Traefik for dynamic routing, and building a front door that doesn't go down.depends on: Backplane Networks, TLS & PKI, DNS
  17. Packer & IaC The factory. Building golden images with Packer on OpenZFS-backed KVM, image export formats, deploying to Proxmox or cloud, and eliminating configuration drift at the image layer.depends on: ZFS, systemd, Backplane Networks
  18. Labeling & Assets The inventory. Naming conventions, asset tagging, ZFS property-based metadata, IPAM integration, and making your infrastructure self-describing so you can find anything fast.depends on: ZFS, DNS
  19. Operations Guide The playbook. Daily, weekly, and monthly operational procedures for a kldload platform — ZFS scrubs, snapshot pruning, certificate rotation, backup verification, and incident response.depends on: all foundation masterclasses
  20. Blue/Green & SRE The reliability framework. SLOs, error budgets, blue/green deployments using OpenZFS clones, rollback procedures, and the SRE discipline applied to a single-operator infrastructure platform.depends on: ZFS, Packer & IaC, Operations Guide
  21. First-Class Infrastructure The paradigm shift. What changes operationally when OpenZFS is the root filesystem and WireGuard is the network — and why the old mental models for storage and networking don't apply.depends on: ZFS, Backplane Networks, Blue/Green & SRE
  22. Construction Kit The meta-guide. How to use everything in this collection as a set of primitives to build your own appliance, service, or platform from scratch, without starting over each time.depends on: all masterclasses — read this last

Start

Every masterclass is free. Every configuration is real. Every command has been tested. The source is open. The community is on Discord.

Start anywhere. Build anything.

Start with ZFS → Discord GitHub Download kldload