Another Kubernetes repo — because one more won’t hurt.
  • YAML 79.5%
  • HCL 6.1%
  • JSON 5.9%
  • MARKDOWN 5.4%
  • SHELL 2.2%
  • Other 0.8%
repo-killer[bot] 8cd526249a
ci(github-tag): update tag aquasecurity/trivy-action (0.35.0 → v0.36.0)
| datasource  | package                   | from   | to      |
| ----------- | ------------------------- | ------ | ------- |
| github-tags | aquasecurity/trivy-action | 0.35.0 | v0.36.0 |
2026-04-23 12:55:13 +00:00
.archive chore: save some power! 2026-04-02 19:34:48 +02:00
.github ci(github-tag): update tag aquasecurity/trivy-action (0.35.0 → v0.36.0) 2026-04-23 12:55:13 +00:00
.renovate feat: Spin Tekton! 2026-04-19 18:24:10 +02:00
.taskfiles chore: rewrite tasks and scripts for Infisical (and have hope it works when needed) 2026-03-16 17:18:29 +01:00
.vscode fix(settings): remove unused fontFamily setting from VSCode configuration 2025-11-09 17:18:10 +01:00
bootstrap Merge pull request #1988 from vrozaksen/renovate/secrets-operator-0.10.x 2026-04-11 16:48:54 +02:00
docs feat: migrate certificate retrieval from Bitwarden to Infisical API 2026-03-13 23:38:39 +01:00
kubernetes fix(renovate): set RENOVATE_AUTODISCOVER_FILTER for forgejo 2026-04-23 04:25:28 +00:00
scripts chore: rewrite tasks and scripts for Infisical (and have hope it works when needed) 2026-03-16 17:18:29 +01:00
talos chore: update talos configs 2026-02-15 09:20:02 +01:00
terraform feat: Prepare tekton-results bucket in S3 2026-04-19 12:56:30 +02:00
vps fix(container): update image ghcr.io/goauthentik/proxy (2026.2.1 → 2026.2.2) 2026-04-07 17:04:05 +00:00
.editorconfig refactor: update editorconfig and gitattributes for justfile support; add yamlfmt configuration 2026-01-20 23:07:50 +01:00
.gitattributes refactor: update editorconfig and gitattributes for justfile support; add yamlfmt configuration 2026-01-20 23:07:50 +01:00
.gitignore feat: add Claude Code and migration job entries to .gitignore 2025-11-09 16:43:27 +01:00
.lefthook.toml refactor: update editorconfig and gitattributes for justfile support; add yamlfmt configuration 2026-01-20 23:07:50 +01:00
.minijinja.toml Stolen from joryirving 2024-12-29 21:26:39 +01:00
.mise.toml refactor: update editorconfig and gitattributes for justfile support; add yamlfmt configuration 2026-01-20 23:07:50 +01:00
.renovaterc.json5 feat(monitoring): add Prometheus service and update docker-compose configurations for vps 2026-03-16 19:42:03 +01:00
.shellcheckrc join single cluster gang! 2025-03-01 21:05:02 +01:00
.yamlfmt.yaml refactor: update editorconfig and gitattributes for justfile support; add yamlfmt configuration 2026-01-20 23:07:50 +01:00
LICENSE feat: modernize development workflow with Task-based automation 2025-07-20 14:03:44 +02:00
README.md update README.md: fix status page link and enhance overview section with detailed hardware specifications 2025-11-01 09:35:17 +01:00
Taskfile.yaml chore: rewrite tasks and scripts for Infisical (and have hope it works when needed) 2026-03-16 17:18:29 +01:00

Home Operations Logo

🚀 My Home Operations Repository 🚧

... managed with Flux, Renovate, and GitHub Actions 🤖


📖 Overview

This monorepository is for my home Kubernetes clusters. I try to adhere to Infrastructure as Code (IaC) and GitOps practices using tools like Terraform, Kubernetes, Flux, Renovate, and GitHub Actions.

The purpose here is to learn k8s while practicing GitOps.


Kubernetes

My Kubernetes cluster is deployed with Talos in a semi-hyper-converged setup: workloads and block storage share resources on the nodes, while a separate NAS provides NFS/SMB shares and backups.

Core Components

GitOps with Flux

Flux continuously reconciles this Git repository with the cluster state. Renovate automatically creates PRs for dependency updates. Learn more about Flux at fluxcd.io/docs.

Flux Workflow

This diagram shows how Flux handles complex application dependencies. In this example, the Authentik deployment waits for:

  • PostgreSQL and Dragonfly operators to be installed
  • Database and cache instances to be provisioned and healthy
graph TD
    %% Operator Installation
    A[Kustomization: crunchy-postgres-operator] -->|Creates| B[HelmRelease: crunchy-postgres-operator]
    C[Kustomization: dragonfly-operator] -->|Creates| D[HelmRelease: dragonfly-operator]

    %% Authentik Dependencies
    E[Kustomization: authentik] -->|dependsOn| A
    E -->|dependsOn| C
    E -->|Creates| F[(PostgresCluster: authentik)]
    E -->|Creates| G[(Dragonfly: authentik)]
    E -->|Creates| H[[HelmRelease: authentik]]

    %% Health Dependencies
    H -->|Requires healthy| F
    H -->|Requires healthy| G

    %% Operator Management
    B -.->|Manages| F
    D -.->|Manages| G

    %% External Dependencies
    I[(rook-ceph storage)] -->|Provides PVC| F
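The diagram above can be expressed with Flux's `dependsOn` and `healthChecks` fields. The manifests below are an added example, not files from this repository: they declare the two operator Kustomizations and an `authentik` Kustomization that Flux will not apply until both operators are Ready, and that is itself reported Ready only once the PostgresCluster, the Dragonfly instance and the Authentik HelmRelease are healthy. The paths, namespaces and intervals are assumptions.

```yaml
# Added example, not a manifest from this repository.
# Paths, namespaces and intervals are assumptions chosen for illustration.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: crunchy-postgres-operator
  namespace: flux-system
spec:
  interval: 30m
  path: ./kubernetes/apps/database/crunchy-postgres-operator/app  # assumed path
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # wait: true blocks this Kustomization from becoming Ready until every
  # object it applies (here the operator HelmRelease) reports healthy.
  wait: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: dragonfly-operator
  namespace: flux-system
spec:
  interval: 30m
  path: ./kubernetes/apps/database/dragonfly-operator/app  # assumed path
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  wait: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: authentik
  namespace: flux-system
spec:
  interval: 30m
  path: ./kubernetes/apps/security/authentik/app  # assumed path
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  # Flux does not reconcile this Kustomization until both listed
  # Kustomizations (same namespace) have a Ready=True condition, so the
  # PostgresCluster and Dragonfly CRDs exist before the instances are applied.
  dependsOn:
    - name: crunchy-postgres-operator
    - name: dragonfly-operator
  # After applying, Flux waits for these objects to become healthy before
  # marking the Kustomization Ready. Custom resources are judged by their
  # Ready condition; a HelmRelease by its own Ready status.
  healthChecks:
    - apiVersion: postgres-operator.crunchydata.com/v1beta1
      kind: PostgresCluster
      name: authentik
      namespace: security  # assumed namespace
    - apiVersion: dragonflydb.io/v1alpha1
      kind: Dragonfly
      name: authentik
      namespace: security
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: authentik
      namespace: security
  # Bound how long a health check may run before the reconciliation is
  # reported as failed rather than hanging indefinitely.
  timeout: 10m
```

`wait` and `healthChecks` are alternatives: when `wait: true` is set, Flux waits on every applied object and ignores the `healthChecks` list, which is why the operators use `wait` while the app lists only the objects that matter. `flux get kustomizations -n flux-system` shows which Kustomization is blocked on which dependency, and `flux reconcile kustomization authentik -n flux-system --with-source` forces a run after the operators come up.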

🌐 Networking

Network infrastructure is managed via Terraform. See vrozaksen/mikrotik-terraform for details.


☁️ Cloud Dependencies

While most of my infrastructure and workloads are self-hosted, I do rely upon the cloud for certain key parts of my setup. This saves me from having to worry about two things: (1) chicken-and-egg scenarios and (2) services I critically need whether my cluster is online or not.

The alternative solution to these two problems would be to host a Kubernetes cluster in the cloud and deploy applications like HCVault, Vaultwarden, ntfy, and Gatus. However, maintaining another cluster and monitoring another group of workloads is a lot more time and effort than I am willing to put in.

| Service         | Use                                                           | Cost    |
| --------------- | ------------------------------------------------------------- | ------- |
| Bitwarden       | Secrets with External Secrets                                 | ~$10/yr |
| Cloudflare      | Domain, DNS, WAF and R2 bucket (S3 compatible endpoint)       | ~$30/yr |
| GitHub          | Hosting this repository and continuous integration/deployments | Free    |
| Healthchecks.io | Monitoring internet connectivity and external facing applications | Free |

Total: ~$3,3/mo

🔧 Hardware

Main Kubernetes Cluster

| Name    | Device        | CPU      | OS Disk   | Data Disk  | RAM  | OS    | Purpose     |
| ------- | ------------- | -------- | --------- | ---------- | ---- | ----- | ----------- |
| Alfheim | Lenovo M720q  | i5-8500T | 480GB SSD | 500GB NVME | 64GB | Talos | k8s control |
| Alne    | Lenovo M720q  | i5-8500T | 480GB SSD | 500GB NVME | 32GB | Talos | k8s control |
| Ainias  | Lenovo M720q  | i5-8500T | 480GB SSD | 500GB NVME | 32GB | Talos | k8s control |

Totals: 18 CPU threads, 128 GB RAM. Network: Intel X710-DA2 (LACP 2x10Gbps 802.3ad)

Experimental/Game Server

| Name    | Device       | CPU     | OS Disk   | Data Disk  | RAM  | OS  | Purpose                         |
| ------- | ------------ | ------- | --------- | ---------- | ---- | --- | ------------------------------- |
| Granzam | Lenovo M920q | i3-9100 | xxxxxxxxx | xxxxxxxxxx | 16GB | TBD | Game servers (Pterodactyl/AMP)  |

Infrastructure management: Ansible or Terraform (learning project)

NAS

| Name    | CPU       | RAM  | OS     | Storage                                                                                  | Purpose            |
| ------- | --------- | ---- | ------ | ---------------------------------------------------------------------------------------- | ------------------ |
| Aincrad | i3-14100  | 32GB | Unraid | Array: 5x14TB + 5x4TB ZFS; Cache: 1TB M.2 SSD; Blaze Pool: 2x960GB SSD RAID1             | NAS/NFS/S3/Backup  |

Components: AsRock B760M-H2/M.2, Corsair Vengeance DDR5 6000MHz, Inter-Tech 4U Case, 2x ASM1166 HBA. GPU: ASUS GeForce RTX 3060 Phoenix V2 LHR 12GB GDDR6 (ML/LLM)

Networking/UPS Hardware

| Device                              | Purpose     |
| ----------------------------------- | ----------- |
| MikroTik RB5009UPr+S+IN             | Router      |
| MikroTik CRS326-24S+2Q+RM           | 10G Switch  |
| HORACO 2.5GbE 5-Port + 10G SFP+     | 2.5G Switch |
| APC SMC1500I-2UC                    | UPS         |

Server Rack

Home Server Rack

🤝 Thanks

Big shout out to onedr0p's cluster-template for the excellent foundation, and the Home Operations Discord community for continuous inspiration and support.

Check out kubesearch.dev for ideas on deploying applications in your homelab.