Welcome to my homelab! This repository contains my complete GitOps-driven Kubernetes infrastructure running on Talos Linux. Everything is declarative, automated, and immutable - exactly how modern infrastructure should be.
This homelab showcases enterprise-grade practices in a home environment, featuring:
- Immutable infrastructure with Talos Linux
- GitOps workflow using Flux CD
- Comprehensive monitoring with Prometheus and Grafana
- Automated dependency management via Renovate
- Security-first approach with encrypted secrets and network policies
The entire cluster is managed through Git - no manual kubectl commands, no SSH access, no exceptions.
| Component | Technology | Purpose |
|---|---|---|
| Operating System | Talos Linux | API-driven, immutable Kubernetes OS |
| GitOps | Flux CD | Continuous delivery and cluster synchronization |
| Container Network | Cilium | eBPF-based networking with BGP support |
| Storage | OpenEBS | Local persistent storage with hostPath provisioner |
| Secret Management | SOPS + Age | Encrypted secrets in Git |
| Certificates | cert-manager | Automated Let's Encrypt certificates |
| Ingress | NGINX + Cloudflare Tunnel | Internal and external application access |
| Monitoring | Prometheus + Grafana | Metrics collection and visualization |
| Logging | Loki + Promtail | Centralized log aggregation |
- Immutable Infrastructure: Zero SSH access, all changes via GitOps
- Automated Everything: Renovate handles dependency updates
- Enterprise Monitoring: 20+ Grafana dashboards with comprehensive alerting
- Security First: Encrypted secrets, network policies, security contexts
- High Availability: 3-node control plane with local persistent storage
- Zero Downtime: Rolling updates with proper health checks
- Hybrid Networking: Internal and external application access
```text
┌─────────────────────────────────────────────────────────┐
│                        Internet                         │
└────────────────────────────┬────────────────────────────┘
                             │
┌────────────────────────────┴────────────────────────────┐
│                       Cloudflare                        │
│   ┌──────────────────┐        ┌──────────────────┐      │
│   │   DNS & Proxy    │        │ Zero Trust Tunnel│      │
│   └──────────────────┘        └──────────────────┘      │
└────────────────────────────┬────────────────────────────┘
                             │
┌────────────────────────────┴────────────────────────────┐
│                     Homelab Network                     │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐   │
│  │  Talos Node  │  │  Talos Node  │  │  Talos Node  │   │
│  │(Control+Work)│  │(Control+Work)│  │(Control+Work)│   │
│  └──────────────┘  └──────────────┘  └──────────────┘   │
│  ┌───────────────────────────────────────────────────┐  │
│  │                Kubernetes Cluster                 │  │
│  │  ┌────────────┐  ┌────────────┐  ┌────────────┐   │  │
│  │  │   Media    │  │ Monitoring │  │ Networking │   │  │
│  │  │   Stack    │  │   Stack    │  │   Stack    │   │  │
│  │  └────────────┘  └────────────┘  └────────────┘   │  │
│  │  ┌─────────────────────────────────────────────┐  │  │
│  │  │            OpenEBS Local Storage            │  │  │
│  │  └─────────────────────────────────────────────┘  │  │
│  └───────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────┘
```
```bash
# Install development tools
mise trust && mise install

# Bootstrap the cluster
task bootstrap:talos   # Install Talos Linux
task bootstrap:apps    # Deploy applications

# Monitor cluster health
kubectl get pods -A --watch
cilium status
flux get hr -A

# Force synchronization
task reconcile

# View logs
kubectl logs -n <namespace> <pod> -f
```
```text
homelab/
├── bootstrap/              # Initial cluster setup
├── kubernetes/
│   ├── apps/               # Applications by namespace
│   │   ├── cert-manager/   # Certificate management
│   │   ├── default/        # Media applications
│   │   ├── network/        # Ingress, DNS, tunnels
│   │   ├── observability/  # Monitoring stack
│   │   └── openebs-system/ # Local storage provisioner
│   ├── components/         # Reusable components
│   └── flux/               # GitOps configuration
├── talos/                  # OS configuration
└── scripts/                # Automation scripts
```
- Sonarr/Radarr: Automated TV show and movie management
- Prowlarr: Indexer management
- Plex: Media server with hardware transcoding
- Prometheus: Metrics collection with 20+ pre-configured alerts
- Grafana: 20+ dashboards covering infrastructure and applications
- Loki: Centralized logging with retention policies
- Alertmanager: Multi-channel alerting (Discord, email)
- Internal Access: k8s-gateway for local DNS resolution
- External Access: Cloudflare Tunnel for secure remote access
- Load Balancing: NGINX ingress controllers
- Network Security: Cilium network policies
- Local Storage: OpenEBS hostPath provisioner for persistent volumes
- Media Storage: NFS integration with TrueNAS for media files
- AI Workloads: Dedicated storage for Ollama models and inference
Every application follows a consistent pattern:
```text
app/
├── helmrelease.yaml      # Helm chart deployment
├── kustomization.yaml    # Kustomize configuration
├── externalsecret.yaml   # SOPS-encrypted secrets
└── resources/            # Additional K8s resources
```
- Encrypted Secrets: All sensitive data encrypted with SOPS + Age
- Network Policies: Micro-segmentation with Cilium
- Security Contexts: Non-root containers with minimal privileges
- Pod Security Standards: Enforced security policies
- Zero Trust: Cloudflare Access for external services
- Automated Updates: Container images, Helm charts, GitHub Actions
- Grouped Dependencies: Related updates bundled together
- Scheduled Updates: Weekend update cycles
- Pre-commit Validation: flux-local ensures manifests are valid
- Manifest Validation: Pre-commit hooks with flux-local
- Diff Generation: Automated PR comments showing changes
- Security Scanning: SOPS validation for encrypted secrets
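The two guarantees above that are easiest to lose silently are a Secret committed in plaintext and a workload that quietly drops its hardened security context. The following audit, added here as an illustration and not code from this repository, checks both over a list of manifests: a Secret passes only if it carries a SOPS `sops` block with a `mac` and every value is an `ENC[...]` ciphertext; a container passes only if it runs as non-root, cannot escalate privileges, is not privileged, drops all capabilities and has a read-only root filesystem. The manifests are handled as Python dicts; the sample ones at the bottom are constructed for this example (the `ENC[...]` strings and the Age recipient are placeholders, not real ciphertext), and the optional `yaml` import assumes PyYAML when real files such as `flux-local build` output are passed on the command line.

```python
"""Audit Kubernetes manifests for plaintext Secrets and weak security contexts.

Added example, not part of the homelab repository. Manifests are plain dicts,
as produced by yaml.safe_load over rendered output (for example `flux-local build`).
"""
from __future__ import annotations

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "CronJob"}


def _is_sops_encrypted(secret: dict) -> bool:
    """SOPS leaves a top-level `sops` block (with a MAC) and rewrites every
    data/stringData value to an ENC[...] ciphertext; anything else is plaintext."""
    sops = secret.get("sops")
    if not isinstance(sops, dict) or "mac" not in sops:
        return False
    for field in ("data", "stringData"):
        for value in (secret.get(field) or {}).values():
            if not (isinstance(value, str) and value.startswith("ENC[")):
                return False
    return True


def _pod_spec(manifest: dict) -> dict:
    """Locate the pod spec for any workload kind (CronJob nests it one level deeper)."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})


def _container_findings(ref: str, container: dict, pod_sc: dict) -> list[str]:
    """One finding per missing hardening setting on a single container."""
    sc = container.get("securityContext") or {}
    out = []
    # runAsNonRoot may be inherited from the pod-level securityContext.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        out.append(f"{ref}: runAsNonRoot is not true")
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{ref}: allowPrivilegeEscalation is not false")
    if sc.get("privileged") is True:
        out.append(f"{ref}: container is privileged")
    if "ALL" not in ((sc.get("capabilities") or {}).get("drop") or []):
        out.append(f"{ref}: capabilities.drop does not include ALL")
    if sc.get("readOnlyRootFilesystem") is not True:
        out.append(f"{ref}: readOnlyRootFilesystem is not true")
    return out


def audit(manifests: list[dict]) -> list[str]:
    """Return one finding string per policy violation; an empty list means clean."""
    findings = []
    for m in manifests:
        kind = m.get("kind")
        meta = m.get("metadata", {})
        name = f"{kind}/{meta.get('namespace', 'default')}/{meta.get('name', '?')}"
        if kind == "Secret" and not _is_sops_encrypted(m):
            findings.append(f"{name}: Secret is not SOPS-encrypted")
        elif kind in WORKLOAD_KINDS:
            pod = _pod_spec(m)
            pod_sc = pod.get("securityContext") or {}
            for c in list(pod.get("initContainers", [])) + list(pod.get("containers", [])):
                findings.extend(_container_findings(f"{name}/{c.get('name', '?')}", c, pod_sc))
    return findings


# Constructed sample manifests: one encrypted and one plaintext Secret, one
# hardened and one weak Deployment. Values are placeholders, not real ciphertext.
SAMPLE_MANIFESTS = [
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "plex-secret", "namespace": "default"},
     "stringData": {"PLEX_CLAIM": "ENC[AES256_GCM,data:placeholder,type:str]"},
     "sops": {"mac": "ENC[AES256_GCM,data:placeholder,type:str]",
              "age": [{"recipient": "age1placeholder"}]}},
    {"apiVersion": "v1", "kind": "Secret",
     "metadata": {"name": "sonarr-secret", "namespace": "default"},
     "stringData": {"API_KEY": "plaintext-value-that-must-not-be-committed"}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "prowlarr", "namespace": "default"},
     "spec": {"template": {"spec": {
         "securityContext": {"runAsNonRoot": True},
         "containers": [{"name": "app", "securityContext": {
             "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
             "capabilities": {"drop": ["ALL"]}}}]}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment",
     "metadata": {"name": "debug", "namespace": "default"},
     "spec": {"template": {"spec": {
         "containers": [{"name": "shell", "securityContext": {"privileged": True}}]}}}},
]

if __name__ == "__main__":
    import sys
    docs = SAMPLE_MANIFESTS
    if len(sys.argv) > 1:  # audit real rendered manifests instead of the samples
        import yaml  # PyYAML, assumed to be installed for this path only
        docs = [d for path in sys.argv[1:] for d in yaml.safe_load_all(open(path)) if d]
    results = audit(docs)
    print("\n".join(results) or "no findings")
    sys.exit(1 if results else 0)
```

Run without arguments it audits the samples and exits non-zero because the plaintext Secret and the privileged `debug` Deployment fail; wired into a pre-commit hook over rendered manifests it turns the "SOPS validation" step into a hard gate rather than a convention.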
- Infrastructure: Node metrics, storage, networking
- Applications: Application-specific metrics and health
- Kubernetes: Cluster resources and workload status
- Media Stack: Download statistics and performance
- Infrastructure Alerts: Node down, disk space, memory usage
- Application Alerts: Pod crashes, certificate expiry
- Network Alerts: Ingress failures, DNS resolution issues
- Local Changes: Edit manifests in your IDE
- Validation: flux-local validates changes locally
- Git Push: Changes pushed to repository
- Automatic Sync: Flux applies changes to cluster
- Monitoring: Grafana dashboards show deployment status
```bash
# Flux troubleshooting
flux check
flux get sources git -A
flux get ks -A
flux get hr -A

# Application debugging
kubectl -n <namespace> describe pod <pod-name>
kubectl -n <namespace> logs <pod-name> -f
kubectl -n <namespace> get events --sort-by='.metadata.creationTimestamp'

# Network debugging
cilium status
nmap -Pn -n -p 443 <ingress-ip>

# Force reconciliation
task reconcile

# Restart failed pods
kubectl -n <namespace> rollout restart deployment <deployment>

# Certificate issues
kubectl -n cert-manager describe certificates
```
This homelab draws inspiration from the amazing Kubernetes at Home community:
- onedr0p/home-ops - The gold standard for homelab GitOps
- bjw-s/home-ops - Excellent patterns and practices
- k8s-at-home/charts - Community Helm charts
- Home Operations Discord - Incredibly helpful community
⭐ If you find this repository helpful, please consider giving it a star!

Built with ❤️ using GitOps principles and powered by the Kubernetes at Home community