This is a mono repository for my home infrastructure and Kubernetes cluster. I strive to adhere to Environment as Code (EaC), Infrastructure as Code (IaC), and GitOps principles using tools like Kubernetes, Flux, Renovate, Talos, and GitHub Actions.
The cluster is built on commodity hardware and runs a variety of self-hosted applications for media, networking, observability, and more. All infrastructure and application deployments are version-controlled and automatically synchronized via GitOps.
The cluster is gratuitous overkill for what is actually needed to run the applications that I do. However, it's fun for me to do stuff like this and the cluster is resilient and fairly low maintenance.
My Kubernetes cluster is deployed with Talos, a minimal, immutable Linux distribution purpose-built for Kubernetes. This is a semi-hyper-converged cluster where workloads and block storage share the same resources on compute nodes, while a separate NAS provides network storage, backups, and additional capacity.
- Cilium - eBPF-based networking and network policies
- Cert-Manager - Automatic SSL/TLS certificate management
- Blocky - DNS proxy with ad-blocking for LAN clients
- External DNS - Automatic DNS record synchronization to Cloudflare
- External Secrets - Kubernetes secret management with external providers
- Cloudflare Tunnel - Secure external access to selected services without opening inbound ports
- Rook Ceph - Distributed block storage for persistent volumes
- Spegel - Stateless cluster-local OCI registry mirror
- Volsync - Automated backup and recovery of persistent volumes
- Metrics Server - Resource metrics collection
Flux watches the kubernetes/ directory in this repository and automatically applies all declared state to the cluster. The structure follows a pattern where:
- Top-level `kustomization.yaml` files define namespaces and application deployments
- Individual application directories contain `HelmRelease` resources and configuration
- Renovate automatically creates pull requests for dependency updates
- When PRs are merged, Flux applies the changes automatically
```text
kubernetes/
├── apps/       # Application deployments organized by namespace
├── components/ # Reusable Kustomize components
├── flux/       # Flux system configuration and metadata
└── bootstrap/  # Bootstrap procedures and initial setup
```
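As an added illustration of that pattern (example manifests written for this page, not files taken from the repository), here is what one application's Flux wiring looks like end to end. The `sonarr` app, the `cluster-secrets` Secret, the `rook-ceph-cluster` dependency, the `bjw-s` HelmRepository and the chart values are assumptions; `${SECRET_DOMAIN}` is the placeholder the README uses, which Flux fills in through `postBuild.substituteFrom` at reconcile time.

```yaml
# kubernetes/apps/media/sonarr/ks.yaml (hypothetical path following the layout above)
# Flux Kustomization: which directory to apply, into which namespace, and which
# Secret supplies the ${...} variables substituted into the rendered manifests.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: sonarr
  namespace: flux-system
spec:
  targetNamespace: media
  interval: 1h
  path: ./kubernetes/apps/media/sonarr/app
  prune: true          # objects whose manifests leave Git are deleted from the cluster
  wait: false
  sourceRef:
    kind: GitRepository
    name: flux-system  # the GitRepository object Flux bootstrapped for this repo
  dependsOn:
    - name: rook-ceph-cluster   # assumed name: block storage must exist before the PVC
  postBuild:
    substituteFrom:
      - kind: Secret
        name: cluster-secrets   # assumed name; holds SECRET_DOMAIN and friends
---
# kubernetes/apps/media/sonarr/app/helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: sonarr
spec:
  interval: 1h
  chart:
    spec:
      chart: app-template
      version: 3.7.3          # illustrative; Renovate opens a PR when a newer chart ships
      sourceRef:
        kind: HelmRepository
        name: bjw-s           # assumed HelmRepository declared under kubernetes/flux/
        namespace: flux-system
  values:
    # Values follow the bjw-s app-template schema (assumption). The point is that the
    # pod's security context lives in Git next to the image tag, so a review of the
    # Renovate PR is also a review of the workload's privileges.
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
    controllers:
      sonarr:
        containers:
          app:
            image:
              repository: ghcr.io/onedr0p/sonarr
              tag: 4.0.10     # illustrative; Renovate bumps this tag too
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
---
# kubernetes/apps/media/sonarr/app/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./helmrelease.yaml
```

Because `prune: true` is set, removing the directory from Git removes the workload from the cluster on the next reconcile; a change that lands in `main` is applied without anyone running `kubectl apply`, which is why branch protection and PR review on the repository are part of the cluster's security boundary.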
The cluster runs a diverse set of applications:
- Media: Plex, Radarr, Sonarr, Lidarr, Calibre-Web, Pinchflat, Tautulli
- Database: CloudNative PG, Dragonfly, LLDAP, pgAdmin
- Download: qBittorrent, SABnzbd
- Home Automation: Mosquitto, Zigbee2MQTT, Z-Wave JS UI
- Observability: Gatus, Prometheus, Alertmanager
- Networking: Envoy Gateway, K8s Gateway, Cloudflare Tunnel
- Self-Hosted Tools: Atuin, Manyfold, Paperless, Syncthing, Tandoor
- LLM: Ollama, Open WebUI
- Gaming: Epic Games Free Games, ROMM
| VLAN | ID | CIDR | Purpose |
|---|---|---|---|
| Default | 1 | 192.168.0.0/21 | General-purpose devices |
| Default | 1 | 192.168.12.0/24 | IoT devices |
| Default | 1 | 10.30.0.0/16 | Storage Network |
- Blocky - LAN DNS resolver with ad-blocking, forwards internal domains to k8s-gateway and external queries via DNS-over-HTTPS (Cloudflare + Quad9)
- K8s Gateway - Authoritative DNS for internal `${SECRET_DOMAIN}` records, watches HTTPRoute/Service/Ingress resources
- ExternalDNS - Syncs public DNS records to Cloudflare
Traffic is routed through two gateways:
- Internal - Reachable only from the internal network
- External - Reachable internally and from the internet via Cloudflare Tunnel
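An added example (not manifests from the repository) of how the two-gateway split is expressed in Gateway API terms: a service is reachable from the internet only if its HTTPRoute names the `external` Gateway, while k8s-gateway answers LAN queries for whatever hostnames the HTTPRoutes declare. The `network` namespace, the `envoy` GatewayClass, the `wildcard-tls` Secret, the `external.${SECRET_DOMAIN}` tunnel hostname and the `sonarr` backend are assumptions.

```yaml
# Gateway that only ever receives LAN traffic (assumed namespace "network").
# Its address is what k8s-gateway hands out for internal ${SECRET_DOMAIN} names.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: internal
  namespace: network
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.${SECRET_DOMAIN}"
      allowedRoutes:
        namespaces:
          from: All      # any namespace may attach routes to the internal listener
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-tls   # assumed; issued by cert-manager
---
# The Gateway that Cloudflare Tunnel forwards public traffic to. The ExternalDNS
# "target" annotation makes the public record a CNAME to the tunnel hostname
# instead of the Gateway's private address, so no LAN IP is published.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: external
  namespace: network
  annotations:
    external-dns.alpha.kubernetes.io/target: external.${SECRET_DOMAIN}   # assumed tunnel CNAME
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.${SECRET_DOMAIN}"
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-tls
---
# An application route. parentRefs is the exposure decision: this route attaches
# only to "internal", so sonarr.${SECRET_DOMAIN} resolves on the LAN via
# k8s-gateway but is never published through the external Gateway or Cloudflare.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: sonarr
  namespace: media
spec:
  hostnames:
    - sonarr.${SECRET_DOMAIN}
  parentRefs:
    - name: internal
      namespace: network
      sectionName: https
  rules:
    - backendRefs:
        - name: sonarr   # assumed Service name
          port: 80
```

This only holds if ExternalDNS is configured to publish records for the `external` Gateway alone (the example assumes it is filtered to that Gateway); otherwise internal hostnames would leak into public DNS even though they never answer from outside. A quick audit of what is actually exposed is to list every HTTPRoute whose `parentRefs` includes `external`, for instance with `kubectl get httproute -A -o json | jq '.items[] | select(.spec.parentRefs[].name=="external") | .metadata.namespace + "/" + .metadata.name'`, and compare that against the services you intend to be public.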
While most infrastructure is self-hosted, key services rely on cloud providers for reliability and redundancy:
| Service | Purpose | Cost |
|---|---|---|
| 1Password Secrets Manager | Secret management with External Secrets | ~$70/yr |
| Cloudflare | Domain and tunnel hosting | Free |
| GitHub | Repository hosting, CI/CD workflows | Free |
| AWS Route53 | Domain registration | ~$15/yr |
| AWS SES | Email service | ~$1/yr |
| Pushover | Alert notifications | $5 one-time |
| Total | | ~$86/yr |
| Count | Model | CPU | RAM | Storage | OS | Purpose |
|---|---|---|---|---|---|---|
| 5 | MINISFORUM MS-01 | i5-12600H | 96GB DDR4 | 512GB NVMe + 2TB NVMe | Talos | Kubernetes nodes |
| Count | Model | CPU | RAM | Storage | OS | Purpose |
|---|---|---|---|---|---|---|
| 1 | NAS (custom-built) | Ryzen 5 5600G | 64GB DDR4 | 2x960GB NVMe + 5x18TB | Proxmox | Backups, NFS, SMB shares |
| 1 | PiKVM V4 Plus | Raspberry Pi CM4 | 2GB | 16GB SD | PiKVM | KVM |
- Multiple managed switches with VLAN support (mostly UniFi)
- Cloudflare Tunnel for secure external access (no port forwarding)
- Blocky for internal DNS and ad-blocking
See the bootstrap/ directory for cluster initialization steps.
- GitOps - All changes tracked in version control
- Sealed Secrets / External Secrets - No plaintext secrets in Git; secret values are either encrypted for the cluster or fetched from 1Password by External Secrets at reconcile time
- Network Policies - Cilium enforces network segmentation between workloads
- RBAC - Kubernetes RBAC and Pod Security Standards enforced by admission (PodSecurityPolicy no longer exists in current Kubernetes releases)
- Immutable OS - Talos provides an immutable, hardened Linux base
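To make two of these controls concrete, here is an added example (not taken from the repository) of a namespace-wide default-deny CiliumNetworkPolicy that only admits connections from the gateway proxies and only lets pods reach cluster DNS and one HTTPS destination, followed by the External Secrets objects that turn a 1Password item into a Kubernetes Secret so that no secret value is ever committed. Namespace names, the Envoy Gateway proxy labels, the 1Password Connect endpoint and vault, the allowed FQDN and the item title are assumptions.

```yaml
# Default-deny for every pod in the "media" namespace (assumed name).
# Because the policy carries both an ingress and an egress section, Cilium moves
# the selected pods to deny-by-default in both directions; only listed peers pass.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny
  namespace: media
spec:
  endpointSelector: {}        # empty selector = all pods in this namespace
  ingress:
    # Only the Envoy Gateway proxies may open connections to these pods.
    # Labels assumed to be those Envoy Gateway sets on its generated proxy pods.
    - fromEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: network
            gateway.envoyproxy.io/owning-gateway-namespace: network
  egress:
    # Cluster DNS, with the DNS proxy enabled so the toFQDNs rule below can
    # learn which IPs a permitted name resolves to.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # Outbound HTTPS only, and only to the external host the app needs (assumed).
    - toFQDNs:
        - matchPattern: "*.example.org"
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
---
# Secret material is fetched from 1Password by External Secrets at reconcile time.
# The repository only ever contains these references, never the values.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: onepassword-connect
spec:
  provider:
    onepassword:
      connectHost: http://onepassword-connect.external-secrets.svc.cluster.local:8080  # assumed
      vaults:
        Kubernetes: 1        # assumed vault name; the number is lookup priority
      auth:
        secretRef:
          connectTokenSecretRef:
            name: onepassword-connect-secret   # the one bootstrap secret, applied by hand
            key: token
            namespace: external-secrets
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-tunnel
  namespace: network
spec:
  refreshInterval: 5m
  secretStoreRef:
    kind: ClusterSecretStore
    name: onepassword-connect
  target:
    name: cloudflare-tunnel-secret   # Secret created and owned by the operator
    creationPolicy: Owner
  dataFrom:
    - extract:
        key: cloudflare-tunnel       # assumed 1Password item title; its fields become keys
```

Two practical checks: after applying a policy like this, `cilium policy get` on the node (or `kubectl -n kube-system exec ds/cilium -- cilium policy get`) shows whether the endpoints are now in enforcing mode, and Hubble's dropped-flow view confirms that anything you forgot to allow is actually being denied rather than silently bypassing the policy. For the secrets side, `kubectl get externalsecret -A` reporting `SecretSynced` is the signal that the Connect token and vault mapping are right; the 1Password Connect token itself is the only secret that has to be placed by hand during bootstrap.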
The cluster includes:
- Prometheus - Metrics collection and alerting
- Gatus - Application and endpoint uptime monitoring
- Alertmanager - Alert aggregation and routing
- Pushover - Mobile notifications for critical alerts
Special thanks to:
- onedr0p - For the excellent cluster-template and home-ops repositories
- Home Operations Community - Invaluable support, ideas, and inspiration
- kubesearch.dev - Excellent resource for Kubernetes information and where I basically steal everything from to implement on this cluster.
This project is licensed under the MIT License.