No description

YAML 84.7%
Python 7.2%
MARKDOWN 5.5%
SHELL 1.4%
JSON5 0.8%
Other 0.2%

Find a file

andrei-iacobb 9029ac4fac chore(website): bump image to 7269d76		2026-05-31 19:55:58 +01:00
.claude	feat(default): add sftpgo — self-hosted Dropbox alternative	2026-04-14 18:35:06 +01:00
.github	feat(github-action): update actions/labeler ( v6.0.1 → v6.1.0 )	2026-05-06 04:43:54 +00:00
.playwright-mcp	feat(default): add sftpgo — self-hosted Dropbox alternative	2026-04-14 18:35:06 +01:00
.taskfiles	Initial commit	2026-01-19 21:41:40 +00:00
.vscode	Initial commit	2026-01-19 21:41:40 +00:00
bootstrap	feat(container): update flux operator group	2026-05-20 14:41:44 +00:00
docs	docs(monitoring): note ha dashboard deployed via UI; card_mod overlay hides anonymous powered-by badge	2026-05-22 13:21:19 +01:00
kubernetes	chore(website): bump image to 7269d76	2026-05-31 19:55:58 +01:00
scripts	openclaw dns change gurt	2026-02-23 12:47:24 +00:00
secrets	feat(volsync): add TrueNAS NFS backup destination 192.168.1.1:/mnt/sexy-pool	2026-02-01 11:45:20 +00:00
talos	fix(container): update ghcr.io/siderolabs/installer ( v1.12.6 → v1.12.7 ) (#161 )	2026-04-25 21:30:52 +01:00
templates	fix(container): update ghcr.io/spegel-org/helm-charts/spegel ( 0.7.0 → 0.7.1 )	2026-05-21 10:38:59 +00:00
test-results	fix: use source.toolkit.fluxcd.io/v1 for OCIRepository (not v1beta2)	2026-03-22 20:21:46 +00:00
.editorconfig	Initial commit	2026-01-19 21:41:40 +00:00
.gitattributes	Initial commit	2026-01-19 21:41:40 +00:00
.gitignore	feat(homepage): fix all dashboard widget API credentials & URLs	2026-04-22 00:09:43 +01:00
.mise.toml	fix(github-release): update aqua:helmfile/helmfile ( 1.5.1 → 1.5.2 )	2026-05-22 01:52:22 +00:00
.renovaterc.json5	chore(renovate): switch to PR automerge with merge commits	2026-05-07 22:56:00 +01:00
.shellcheckrc	Initial commit	2026-01-19 21:41:40 +00:00
.sops.yaml	chore: initial commit again	2026-01-20 09:20:48 +00:00
dashboard	works	2026-01-20 13:00:36 +00:00
get	works	2026-01-20 13:00:36 +00:00
INFRASTRUCTURE.md	feat(default): add sftpgo — self-hosted Dropbox alternative	2026-04-14 18:35:06 +01:00
LICENSE	Initial commit	2026-01-19 21:41:40 +00:00
makejinja.toml	Initial commit	2026-01-19 21:41:40 +00:00
README.md	docs(readme): consistent app section format, 2.5G LAN, no em dashes	2026-05-08 15:24:46 +01:00
Taskfile.yaml	feat(storage): add VolSync backups for all apps with openebs PVCs	2026-03-10 00:32:24 +00:00

README.md

🏠 homeops

A single-node, GitOps-managed Kubernetes homelab - running on Talos, reconciled by Flux, and entirely declared in this repo.

📊 Dependency Dashboard · 🌍 Public Site

📡 At a glance

  Cluster      home-cluster        ·  single-node Talos Linux
  Reconciler   Flux CD             ·  watches main, auto-applies on push
  CNI          Cilium              ·  with LBIPAM + Gateway API
  Storage      OpenEBS + NFS-CSI   ·  hostpath for state, TrueNAS for media
  Backups      VolSync → MinIO     ·  restic, daily, off-cluster
  Secrets      SOPS + age          ·  encrypted at rest, decrypted by Flux
  Updates      Renovate (auto)     ·  PRs auto-merged with merge commits

Namespace	Apps	Namespace	Apps
`default`	31	`monitoring`	10
`media`	30	`databases`	6
`network`	6	`ai`	4
`kube-system`	4	`storage`	4
`cert-manager`	1	Total	~96

🏗️ Architecture

                                  ┌──────────────┐
                    iacob.co.uk   │  Cloudflare  │
              ┌─────────────────▶ │    Tunnel    │
              │                   └──────┬───────┘
              │                          │ public
   ┌──────────┴──────────┐               ▼
   │        User         │       ╔═══════════════════╗
   │                     │       ║  envoy-external   ║
   └──────────┬──────────┘       ║    192.168.1.8    ║
              │                  ╚═════════╤═════════╝
              │ iacob.uk                   │
              │ LAN / VPN                  │
              ▼                            │
       ╔═══════════════════╗               │
       ║  envoy-internal   ║               │
       ║    192.168.1.7    ║               │
       ╚═════════╤═════════╝               │
                 │                         │
                 └────────────┬────────────┘
                              ▼
                ┌─────────────────────────────┐
                │    Talos · home-cluster     │
                │     ~96 apps / 10 ns        │
                └─────────────┬───────────────┘
                              │ 10G NFS
                              ▼
                    ┌──────────────────────┐
                    │       TrueNAS        │
                    │   media · backups    │
                    └──────────────────────┘

LAN clients resolve *.iacob.uk to 192.168.1.7 via AdGuard split DNS; public *.iacob.co.uk is served via Cloudflare Tunnel (no inbound ports open).

🖥️ Hardware

Host	Model	CPU	RAM	Role
dl360	HP ProLiant DL360 Gen9	48 vCPU	252 GiB	Compute · K8s VM, AdGuard, Home Assistant, WireGuard
dl380	HP ProLiant DL380 Gen9	40 vCPU	157 GiB	Storage · TrueNAS, AdGuard secondary
Total		88 vCPU	409 GiB

Network backbone: 2.5G LAN + dedicated 10G P2P between K8s node and TrueNAS for NFS traffic.

🧱 The Stack

Platform

Talos Linux · immutable K8s OS
Kubernetes · v1.35
Flux CD · GitOps reconciler
Renovate · automated dep updates
SOPS + age · encrypted secrets

Networking

Cilium · CNI + LBIPAM
Envoy Gateway · Gateway API
cert-manager · TLS automation
k8s_gateway · cluster DNS
Cloudflare Tunnel · zero-trust ingress

Storage & Data

OpenEBS · hostpath PVs
NFS CSI · TrueNAS shares
VolSync · restic backups → MinIO
PostgreSQL · primary RDBMS
MinIO · S3-compatible object store

📦 Applications

Inventory derived from kubernetes/apps/. Click a section to expand.

🎬 Media · 30 apps - *arr stack, streaming, transcoding, surveillance

Plex · Jellyfin · ErsatzTV · Tautulli · Sonarr · Sonarr-LowQ · Radarr · Radarr-LowQ · Readarr · Lidarr · Lidify · Calibre-Web · LazyLibrarian · Prowlarr · Bazarr · FlareSolverr · qBittorrent · SABnzbd · Overseerr · Recommendarr · Pulsarr · Wizarr · Tdarr · Recyclarr · Huntarr · Agregarr · Sharerr · Plexo · Frigate · Scrypted · Ring-MQTT

🛠️ Default · 31 apps - productivity, identity, utilities, hosted services

Authentik · Vaultwarden · Immich · Paperless · FileBrowser · SFTPGo · Zipline · Outline · Mealie · Vikunja · Gitea · code-server · IT-Tools · Stirling-PDF · Homepage · Glance · Echo · n8n · Actual-Budget · Wallos · Solis-Charge · NeatPlan · Shlink · SearXNG · OpenSpeedTest · UniFi · Website · iLO4 Fan Controller · Informate · Replicarr

🤖 AI · 4 apps - local inference & RAG

Ollama · Open WebUI · AnythingLLM · Arca

📊 Monitoring · 10 apps - metrics, logs, traces, status

Prometheus · Grafana · Alloy · Loki · Promtail · Graphite-Exporter · Uptime-Kuma · Scrutiny · Plausible · Exporters (TrueNAS / ProxmoxVE / AdGuard / iLO)

🗄️ Databases · 6 apps

PostgreSQL (CNPG) · MariaDB · Redis · MinIO · Qdrant · Mosquitto (MQTT) · pgAdmin

🌐 Network · 6 apps

Envoy Gateway · Cloudflare Tunnel · Cloudflare DDNS · Cloudflare DNS · k8s_gateway · Headscale

⚙️ System - kube-system, storage, cert-manager

Cilium · CoreDNS · Metrics-Server · Reloader · NFS-CSI (x2) · OpenEBS · VolSync · cert-manager

🔄 GitOps Workflow

   ┌──────┐                          ┌──────────┐
   │  me  │── git push ─────────────▶│          │
   └──────┘                          │  GitHub  │── pull main ──▶  Flux CD ──▶  Cluster
   ┌──────────┐                      │   main   │     (1m)
   │ Renovate │── PR + auto-merge ──▶│          │
   └──────────┘                      └──────────┘

Update strategy - patch/minor container, helm, github-release, github-action, and mise updates auto-merge as standard merge commits. Major versions and critical infra (Talos, ClickHouse, Postgres, MariaDB, Redis, MinIO, Plex, Envoy, Cilium, cert-manager) are held for manual review via the Dependency Dashboard.

🗂️ Repository Layout

homeops/
├── bootstrap/            # one-shot Helmfile to seed the cluster
├── kubernetes/
│   ├── apps/             # one folder per workload, grouped by namespace
│   │   ├── ai/  default/  databases/  media/  monitoring/
│   │   ├── network/  storage/  cert-manager/  kube-system/
│   │   └── external-services/   # things outside the cluster (HA, iLO, Minecraft)
│   ├── components/       # reusable bits - volsync, sops, gatus probes
│   └── flux/             # Flux Kustomization graph + meta repos
├── talos/
│   ├── talconfig.yaml    # talhelper input
│   ├── talenv.yaml       # pinned Talos + K8s versions (Renovate-managed)
│   └── patches/          # node-level Talos patches
├── .taskfiles/           # task runners (flux, talos, volsync, k8s)
└── .renovaterc.json5     # update policy

Each app follows a consistent shape: ks.yaml (Flux Kustomization) + app/ (HelmRelease, OCIRepository, optional HTTPRoute and SOPS secret). Most apps use bjw-s/app-template.

🔌 Networking & Access

Gateway	IP	Domain	Exposure
`envoy-internal`	`192.168.1.7`	`*.iacob.uk`	LAN + WireGuard only
`envoy-external`	`192.168.1.8`	`*.iacob.co.uk`	Public via Cloudflare Tunnel

Public services sit behind a Cloudflare Tunnel: no inbound ports, DDoS protection at the edge, optional Authentik in front of sensitive apps. Internal services resolve via AdGuard Home split DNS so *.iacob.uk points at the internal Envoy, even from outside via WireGuard.

🔧 Operations

# Status overview
flux get all -A
kubectl get pods -A | grep -v Running | grep -v Completed

# Force a reconcile
task reconcile                                    # whole cluster
flux reconcile ks <name> -n <ns> --with-source    # one app

# Talos lifecycle
task talos:generate-config
task talos:apply-node IP=<ip>
task talos:upgrade-node IP=<ip>

# Backups (VolSync → TrueNAS MinIO)
task volsync:backup-all
task volsync:status

# Secrets (SOPS + age)
sops <file.sops.yaml>                             # edit
sops -e -i <file.sops.yaml>                       # encrypt in place

🙏 Credits

Built on the shoulders of the homelab community: primarily onedr0p/cluster-template, with patterns borrowed from onedr0p/home-ops, DavidIlie/home-cluster, and discoveries via kubesearch.dev.

iacob.co.uk

_{Reconciled by Flux. Updated by Renovate. Maintained by coffee. ☕}