Repository for managing a Kubernetes cluster through GitOps workflows.
Powered by Proxmox VE, Terraform, Talos, Argo CD, and Sealed Secrets. Kept up to date with Renovate. Includes a healthy dose of automation and the occasional 3-letter commit message.
This repository hosts the IaC (Infrastructure as Code) configuration for my homelab.
The homelab runs on Proxmox VE hypervisor nodes, with VMs provisioned using Terraform.
- helios — a Talos Kubernetes cluster (control plane + workers)
- atlas — an Ubuntu VM used as a file server for media storage and Longhorn backups
All cluster workloads are managed via GitOps with Argo CD and an ApplicationSet that auto-syncs from this repository. Secrets are encrypted in-repo using Sealed Secrets.
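Because Argo CD syncs whatever lands in the repository, the one thing that must never be committed here is a plain `kind: Secret` with a populated `data:`/`stringData:` block; only `SealedSecret` ciphertext belongs in Git. The following is an added example, not code from this repository or from the Sealed Secrets project: a dependency-free pre-commit style guard that scans multi-document manifests and refuses plaintext Secrets while letting SealedSecrets (and empty placeholder Secrets) through. The sample manifests, the `AgB-CIPHERTEXT-PLACEHOLDER` value and the function names are constructed for the example; the line-based scan assumes flat, top-level-keyed manifests and is deliberately not a full YAML parser.

```python
"""Guard against committing plaintext Kubernetes Secrets to a GitOps repository.

Added example, not code from the homelab repository or from Sealed Secrets.
Line-based scan of top-level keys: enough for flat manifests, not a YAML parser.
All sample manifests below are constructed for this example.
"""
import re
import sys

KIND_RE = re.compile(r"^kind:\s*(\S+)")
PAYLOAD_RE = re.compile(r"^(data|stringData):\s*(.*)$")
NAME_RE = re.compile(r"^\s+name:\s*(\S+)")


def split_documents(text: str) -> list:
    """Split a multi-document YAML file on top-level '---' separators."""
    docs, current = [], []
    for line in text.splitlines():
        if line.strip() == "---":
            docs.append("\n".join(current))
            current = []
        else:
            current.append(line)
    docs.append("\n".join(current))
    return [d for d in docs if d.strip()]


def _has_secret_payload(lines: list) -> bool:
    """True if a top-level data:/stringData: mapping carries at least one key."""
    for i, line in enumerate(lines):
        m = PAYLOAD_RE.match(line)
        if not m:
            continue
        inline = m.group(2).split("#", 1)[0].strip()
        if inline and inline != "{}":
            return True  # inline flow mapping, e.g. `data: {password: aHVudGVyMg==}`
        for nxt in lines[i + 1:]:  # block mapping: first non-blank line is an indented key
            if nxt.strip():
                if nxt[0].isspace() and ":" in nxt:
                    return True
                break
    return False


def _metadata_name(lines: list) -> str:
    """First indented `name:` inside the top-level `metadata:` block."""
    in_meta = False
    for line in lines:
        if line.startswith("metadata:"):
            in_meta = True
            continue
        if in_meta and line.strip() and not line[0].isspace():
            in_meta = False  # left the metadata block
        if in_meta and (m := NAME_RE.match(line)):
            return m.group(1)
    return "<unnamed>"


def find_plaintext_secrets(text: str) -> list:
    """Return (document index, metadata.name) for each plain Secret carrying data."""
    findings = []
    for idx, doc in enumerate(split_documents(text)):
        lines = doc.splitlines()
        kinds = [m.group(1) for m in map(KIND_RE.match, lines) if m]
        if kinds[:1] == ["Secret"] and _has_secret_payload(lines):
            findings.append((idx, _metadata_name(lines)))
    return findings


# Constructed samples: a plaintext Secret (must be caught), a SealedSecret with a
# placeholder ciphertext (allowed), and a Secret with an empty payload (allowed).
SAMPLE_PLAINTEXT = """\
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: demo
type: Opaque
stringData:
  password: hunter2
"""
SAMPLE_SEALED = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
  namespace: demo
spec:
  encryptedData:
    password: AgB-CIPHERTEXT-PLACEHOLDER   # not a real sealed value
"""
SAMPLE_EMPTY = "apiVersion: v1\nkind: Secret\nmetadata:\n  name: placeholder\ndata: {}\n"
SAMPLE_REPO_FILE = "---\n".join([SAMPLE_PLAINTEXT, SAMPLE_SEALED, SAMPLE_EMPTY])


if __name__ == "__main__":  # scan files given on the command line, else the built-in sample
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]] or [("<sample>", SAMPLE_REPO_FILE)]
    hits = [(path, idx, name) for path, text in sources for idx, name in find_plaintext_secrets(text)]
    for path, idx, name in hits:
        print(f"{path}: document #{idx} is a plaintext Secret '{name}'; commit a SealedSecret instead")
    sys.exit(1 if hits else 0)
```

Run it as `python guard.py apps/**/*.yaml` from a pre-commit hook or CI job; a non-zero exit blocks the commit. A SealedSecret passes because its ciphertext sits under `spec.encryptedData`, never at a top-level `data:` key, and an empty `data: {}` placeholder is tolerated since it carries nothing worth protecting.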
- Create Terraform variables in `terraform/helios` (and optionally `terraform/atlas`). Use the provided `.example` files as a reference.
- Deploy the Talos cluster using Terraform:

  ```shell
  cd terraform/helios
  terraform init
  terraform apply
  ```

- Bootstrap the cluster (creates namespaces, restores sealed-secret keys, installs ArgoCD and ArgoCD-Apps):

  ```powershell
  .\scripts\new-Cluster.ps1
  ```

  ArgoCD will automatically sync all remaining applications from the repository. Retrieve the initial admin password with:

  ```powershell
  .\scripts\get-ArgoPassword.ps1
  ```

- Creating a new Sealed Secret:

  ```powershell
  .\scripts\new-SealedSecret.ps1 -password <value> -namespace <ns> -secretName <name>
  ```

- Backing up Sealed Secret keys:

  ```powershell
  .\scripts\backup-SealedSecret.ps1
  ```

End-user facing applications
| Name | Description |
|---|---|
| Hello-World | Example and template application for the repository. |
| Home Assistant | Open-source home automation platform (proxied via nginx). |
| Memos | Lightweight, self-hosted note-taking service. |
| AIOStreams | All-in-one Stremio addon aggregator and proxy. |
| Nexus3 | Universal artifact repository manager. |
| Obsidian Sync | Self-hosted sync backend for Obsidian (proxied via nginx). |
| RoomCtrlScraper | Custom service to scrape and manage room control data. |
Ingress, DNS, and identity services

| Name | Description |
|---|---|
| authentik | Identity provider enabling single sign-on (SSO) and centralized user management. |
| Cert Manager | Manages TLS certificates for secure communication within Kubernetes. |
| MetalLB | Load-balancer implementation for bare metal Kubernetes clusters. |
| Traefik | Cloud-native reverse proxy and ingress controller for Kubernetes. |
| Traefik CRDs | Custom Resource Definitions required by Traefik. |
Persistent storage services

| Name | Description |
|---|---|
| Longhorn | Cloud-native distributed block storage for Kubernetes. |
| Syncthing | Continuous file synchronization between devices. |
Secret management

| Name | Description |
|---|---|
| Sealed Secrets | Encrypts Kubernetes secrets for safe storage in Git. |
Foundation components for running and deploying applications in my cluster

| Name | Description |
|---|---|
| Argo CD | GitOps tool for continuous delivery and Kubernetes application management. |
| Renovate | Automates dependency and container image updates via pull requests. |
| Intel QuickSync | Intel GPU device plugin enabling hardware-accelerated video transcoding in Kubernetes. |
| Name | Device | CPU | RAM | Storage | Purpose |
|---|---|---|---|---|---|
| pve1 | Aoostar R7 | AMD Ryzen 7 5825U | 48 GB DDR4 SO-DIMM | 8 TB HDD + 2 TB SSD | Compute/General |