Art by @SkeletalGadget
IaC for my homelab and personal cloud
This repository declares all of my infrastructure and Kubernetes clusters, both self-hosted and in Hetzner Cloud. I also host all of my documentation here.
Admittedly, both usages of "all" describe the end goal of this repo, not the current state. But I will get there some day.
- Terraform: Bootstraps and manages infrastructure needed for Kubernetes.
- Crossplane: Kubernetes-native infrastructure management.
- Talos: Immutable Kubernetes OS; built using talhelper.
- Argo CD: Reconciles Kubernetes clusters with this repository.
- Kyverno: Policy engine supporting validate, mutate, generate, and cleanup rules.
- Harbor: Artifact registry with pull-through cache and vulnerability scanning.
- Jsonnet: Configuration language I use to describe Argo applications.
- Renovate: Automatic updates for applications via pull requests.
- Doppler: Hosted secrets management platform.
- External Secrets: Synchronizes secrets from Doppler into Kubernetes.
- Cilium: eBPF-based CNI & service mesh.
- Traefik: Ingress controller & reverse proxy.
- Cert Manager: Automatic Let's Encrypt certificates.
- AdGuard Home: DNS server with ad-blocking.
- WireGuard: Modern VPN tunnels; implemented using wireguard-operator.
- Authentik: Identity Provider.
- Tetragon: eBPF-based security observability and runtime enforcement.
- SecureCodeBox: Continuous and automated security testing with familiar tools like Nmap and ZAP.
- Trivy: Kubernetes and container vulnerability scanner.
- Prometheus: Monitoring system & TSDB.
- Jaeger: Distributed tracing system.
- Loki: Log aggregation system.
- Vector: Log collector, transformer, and router.
- OTEL Collector: Trace/metric collector, transformer, and router.
- Grafana: Visualization platform.
- Robusta: Alerts / notifications and runbook automation.
- Inspektor Gadget: eBPF-based gadgets to debug and inspect Kubernetes apps and resources.
Overview of this repo's structure; there is more info in the README file for each directory:

```text
📁 applications       # Kubernetes applications
├─📁 base             # Application base config
├─📁 environments     # Application cluster customizations
│ ├─📁 hcloud         # Customizations for Hetzner cluster
│ ├─📁 home           # Customizations for home cluster
│ └─📁 seedbox        # Customizations for seedbox cluster
└─📁 lib              # Jsonnet libraries
📁 terraform          # IaC defined via Terraform
├─📁 home             # IaC for home
├─📁 hcloud           # IaC for Hetzner Cloud
└─📁 hcloud-robot     # IaC for Hetzner Cloud (Robot)
```
Although the majority of my infrastructure and workloads are self-hosted, there are certain key components of my setup that rely on cloud services.
| Service | Use | Cost |
|---|---|---|
| Hetzner Cloud | Cloud compute and storage | ~$40/mo |
| AWS | Cloud cold storage (S3 Deep Glacier) | ~$10/mo |
| Google Cloud | Cloud storage | ~$20/mo |
| Cloudflare | DNS, Certs, Proxy, WAF | Free |
| Doppler | Secrets with External Secrets | Free |
| GitHub | Hosting this repository and continuous integration/deployments | Free |
| Renovate | Automatic updates for applications via pull requests | Free |
| Docker Hub | Docker image registry | Free |
| Robusta | Alerts / notifications and runbook automation | Free |
| Terraform Cloud | Storing Terraform state | Free |
| Grafana Cloud | Hosted Grafana & Prometheus, used for misc public projects | Free |
| Total | | ~$70/mo |
| Count | Device | OS Disk Size | Data Disk Size | RAM | Operating System | Purpose |
|---|---|---|---|---|---|---|
| 3 | Turing Pi 2 | 1GB NAND | 32GB SD Card | 128MB | TPi BMC Firmware | 4-Node Cluster Board |
| 3 | Raspberry Pi CM4 | 32GB eMMC | N/A | 8GB | Talos Linux | Kubernetes Control Plane |
| 3 | Supermicro M11SDV-8C+-LN4F | 64GB SATADOM | 4TB SSD | 128GB | Talos Linux | Kubernetes Workers (x86) |
| 3 | Turing RK1 \* | 32GB eMMC | 1TB SSD | 32GB | Talos Linux | Kubernetes Workers (arm64) |
| 1 | TrueNAS Mini R | 500GB SSD | 200TB HDD + 2TB SSD | 64GB | TrueNAS SCALE | Storage Server |
| 1 | Raspberry Pi 4B | 32GB SD Card | N/A | 4GB | PiKVM | Network KVM |

\* Pending
| Count | Device | Eth Interfaces | SFP Interfaces | Platform | Purpose |
|---|---|---|---|---|---|
| 1 | Ubiquiti UDM-SE | 1x 2.5G | 2x 10G | UniFi OS | Router & Security Gateway |
| 1 | Ubiquiti UCI | 1x 2.5G | N/A | UniFi OS | DOCSIS 3.1 Cable Modem |
| 1 | Ubiquiti U6-Pro | 1x 1G | N/A | UniFi OS | WiFi 6 Access Point |
| 1 | Ubiquiti USW-Pro-Aggregation | N/A | 28x 10G | UniFi OS | L3 Aggregation Switch |
| 1 | Ubiquiti USW-Pro-24 | 24x 1G | 2x 10G | UniFi OS | L3 Switch |
| 1 | Ubiquiti USW-Pro-24-POE | 24x 1G | 2x 10G | UniFi OS | L3 PoE Switch |
| 2 | WattBox WB-800-IPVM | 1x 1G | N/A | OvrC | IP Controlled Metered PDU |
| 1 | WattBox WB-800VPS-IPVM-18 | 1x 1G | N/A | OvrC | IP Controlled Metered PDU |
Over time I've taken a ton of inspiration from the K8s@Home / home-ops community: onedr0p, szinn, budimanjojo, buroa, coolguy1771, and many others.
Technically, however, I hope this repo is quite unique. I've intentionally tried to make some uncommon choices to learn more and venture outside my comfort zone a bit. So I hope that, at the very least, this repo will provide anyone looking with some interesting and unique ideas. 🙂
This project is licensed under the Apache-2.0 license, primarily because it's very compatible with a lot of the projects I enjoy stealing code from.
For more details, see LICENSE.
Ultimately though, I have a WTFPL mindset about any content produced by/for myself. If you like anything you see here, feel free to use it however you want (yes, that includes the peepos), just don't sue me if my code blows up your cluster. If you're feeling especially nice, links back to this repo are always appreciated (for the SEO, or whatever).