State of the art multi-cluster GitOps repository for homelab use. Currently used with my bare metal Kubernetes clusters at home to host a bunch of useful open-source apps.
The diagram below shows my network and hardware setup. My ISP provides a dedicated public IP address and 10 Gbps throughput. All of my MS-01 nodes are equipped with 32 GB of RAM and 2 TB of M.2 storage.
```mermaid
%%{init: {'themeVariables': {'clusterBkg':'transparent'}, 'securityLevel': 'loose'}}%%
graph TD
    %% Internet uplink into the Proxmox host running the firewall VM
    Web@{ shape: cloud, label: "Web" } <-->|10G| A(Protectli VP2440<br/>Proxmox)
    subgraph LAN[" "]
        A e1@<--> B(OPNsense<br/>VM)
        e1@{ animate: true }
        B e2@<-->|10G DAC| C(Pro XG 8 PoE Switch)
        e2@{ animate: true }
        %% Three Talos nodes, each on its own 10G link to the switch
        C e3@<-->|10G| D1[MS-01<br/>Talos]
        C e4@<-->|10G| D2[MS-01<br/>Talos]
        C e5@<-->|10G| D3[MS-01<br/>Talos]
        e3@{ animate: true }
        e4@{ animate: true }
        e5@{ animate: true }
    end
```
I'm using a self-hosted instance of Sidero Omni to manage and deploy my Kubernetes clusters.
You'll need the following:
- A static public IP address with a router able to forward ports
- A domain name with a DNS provider usable with ExternalDNS
- Any secret provider supported by External Secrets Operator. This repository uses GitLab as its secrets provider
- An API token of the DNS provider that will allow challenges to create certificates. This repository uses a Cloudflare token with the permissions: Zone - DNS - Edit, Zone - Zone - Read & Include - All Zones
- Another API token of the same provider to manage DNS records. Using Cloudflare, the token should have the same permissions as above
- A GitHub PAT to be used by FluxCD, with Read-Write permissions for Administration & Contents
Here is the list of secrets you need to add to your external secrets provider of choice before starting the cluster:
| Name | Description |
|---|---|
| dns_provider_challenge_token | API token of the DNS management provider of your domain, used to generate the X.509 certificates |
| dns_provider_management_token | API token of the DNS management provider of your domain, used to manage your DNS records |
| authentik_key | Random string of at least 50 characters (e.g. `openssl rand -base64 50`) |
| renovate_token | Git token for the Renovate account |
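As an added example (not part of this repository), the manifests below show how the `dns_provider_challenge_token` entry above is consumed: External Secrets Operator syncs it from the GitLab store into a Kubernetes Secret, and cert-manager's Cloudflare DNS01 solver reads that Secret, so the token never lives in Git. The store name, namespace, secret names, zone and e-mail address are assumed placeholders.

```yaml
# Assumed: a ClusterSecretStore named "gitlab" already points at the GitLab project
# holding the secrets from the table above.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-challenge-token
  namespace: cert-manager
spec:
  refreshInterval: 1h            # re-sync so a rotated token propagates automatically
  secretStoreRef:
    kind: ClusterSecretStore
    name: gitlab                 # assumed store name
  target:
    name: cloudflare-api-token   # Secret read by cert-manager below
    creationPolicy: Owner        # ESO owns the Secret; deleting the ExternalSecret removes it
  data:
    - secretKey: api-token
      remoteRef:
        key: dns_provider_challenge_token   # name from the table above
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com     # placeholder
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token   # the Secret produced by the ExternalSecret
              key: api-token
        selector:
          dnsZones:
            - example.com        # placeholder: restrict this solver to your zone
```

The challenge token only needs Zone:DNS:Edit and Zone:Zone:Read as listed above; keep the separate management token for ExternalDNS so a compromise of one cert-manager namespace does not expose the token used to rewrite all records.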