home-operations

October 20, 2025


GitOps-managed Kubernetes cluster for home infrastructure and services



📖 Overview

This repository contains the complete infrastructure-as-code for my home Kubernetes cluster. Everything from bare-metal provisioning to application deployment is managed through GitOps principles using Flux CD.

The cluster runs on Talos Linux and hosts 90+ applications across 18 namespaces, including media services, home automation, monitoring, and various utilities.

โญ Features

  • Fully Automated GitOps: All cluster state managed via Flux CD with automatic reconciliation
  • Immutable Infrastructure: Talos Linux provides a secure, minimal OS designed for Kubernetes
  • High Availability: 3-node control plane with virtual IP for API server redundancy
  • Distributed Storage: Rook-Ceph cluster for persistent storage with replication
  • Secret Management: SOPS with Age encryption for secure secret storage in Git
  • Automated Backups: VolSync with Kopia for application data protection
  • Comprehensive Monitoring: Prometheus, Grafana, and Gatus for observability
  • Self-Healing: Automated dependency updates via Renovate and health monitoring

๐Ÿ—๏ธ Architecture

Infrastructure

| Component         | Implementation             | Purpose                                      |
|-------------------|----------------------------|----------------------------------------------|
| OS                | Talos Linux v1.11.1        | Immutable Linux distribution for Kubernetes  |
| Kubernetes        | v1.34.1                    | Container orchestration platform             |
| GitOps            | Flux CD v2.6.4             | Continuous deployment from Git               |
| Secret Management | SOPS + Age                 | Encrypted secrets in Git                     |
| Storage           | Rook-Ceph                  | Distributed block and filesystem storage     |
| Backups           | VolSync + Kopia            | Automated backup and replication             |
| Ingress           | NGINX Ingress Controller   | HTTP/HTTPS traffic routing                   |
| Certificates      | cert-manager               | Automatic TLS certificate management         |
| DNS               | External DNS + k8s-gateway | Dynamic DNS and service discovery            |
| Monitoring        | Prometheus + Grafana       | Metrics, alerting, and visualization         |

Cluster Details

Control Plane Nodes: 3 (k8s-0, k8s-1, k8s-2)
Node Network:        10.88.0.0/24
Pod Network:         10.42.0.0/16
Service Network:     10.43.0.0/16
API Endpoint:        10.88.0.20:6443 (HA Virtual IP)

📦 Applications

Media & Entertainment (17 apps)
  • Media Servers: Plex, Jellyfin
  • Media Management: Radarr, Sonarr, Lidarr, Readarr, Prowlarr
  • Media Requests: Jellyseerr, Overseerr
  • Download Clients: qBittorrent, SABnzbd
  • Media Automation: Autobrr, Cross-Seed, Unpackerr
  • Media Analytics: Tautulli, Jellystat, Jellyplex-Watched
  • Content: Audiobookshelf, Pinchflat
Home Automation (4 apps)
  • Home Assistant
  • ESPHome
  • Zigbee2MQTT
  • EMQX (MQTT broker)
Productivity & Utilities (8 apps)
  • Actual Budget (personal finance)
  • Mealie (recipe management)
  • Changedetection.io (website monitoring)
  • Hugo (static site generator)
  • IT-Tools
  • Homebox (inventory management)
  • Scrypted (video/camera integration)
  • Valheim (game server)
Infrastructure & System (30+ apps)
  • Databases: CloudNative-PG (PostgreSQL), Dragonfly (Redis)
  • Storage: Rook-Ceph, MinIO, Local-Path-Provisioner, VolSync
  • Networking: External DNS, k8s-gateway, Multus, Echo Server
  • Monitoring: Prometheus, Grafana, Gatus, Alertmanager
  • Exporters: Smartctl, SNMP, Blackbox
  • Security: cert-manager, External Secrets Operator
  • System: Reloader, Descheduler, Node Feature Discovery, Intel Device Plugin
  • CI/CD: GitHub Actions Runner Scale Set
  • Kubernetes: Metrics Server, CoreDNS, Cilium, System Upgrade Controller

🚀 Getting Started

Prerequisites

  • Hardware: 3 nodes (physical or virtual) capable of running Talos Linux
  • Network: Static IP addresses, DHCP, DNS, and ability to configure a virtual IP
  • Storage: Additional disks for Rook-Ceph (recommended)
  • Tools:
    • talosctl - Talos CLI
    • kubectl - Kubernetes CLI
    • flux - Flux CD CLI
    • task - Task runner
    • sops and age - Secret encryption
    • helm - Kubernetes package manager

Quick Start

  1. Clone the repository

    git clone https://github.com/jalim/home-operations.git
    cd home-operations
    
  2. Generate Age encryption key

    task sops:age-keygen
    
  3. Bootstrap Talos cluster

    task talos:bootstrap
    
  4. Deploy Flux CD

    task bootstrap:flux
    
  5. Deploy applications

    task bootstrap:apps
    

Note: For detailed setup instructions, see docs/GETTING-STARTED.md

๐Ÿ› ๏ธ Repository Structure

๐Ÿ“ home-operations/
โ”œโ”€โ”€ ๐Ÿ“ .github/workflows/     # CI/CD automation (Renovate, linting, releases)
โ”œโ”€โ”€ ๐Ÿ“ .taskfiles/            # Task automation for operations
โ”œโ”€โ”€ ๐Ÿ“ ansible/               # Ansible playbooks (if used)
โ”œโ”€โ”€ ๐Ÿ“ kubernetes/
โ”‚   โ””โ”€โ”€ ๐Ÿ“ main/
โ”‚       โ”œโ”€โ”€ ๐Ÿ“ apps/          # Application deployments (90+ apps)
โ”‚       โ”œโ”€โ”€ ๐Ÿ“ bootstrap/     # Cluster initialization configs
โ”‚       โ”œโ”€โ”€ ๐Ÿ“ flux/          # Flux CD configuration
โ”‚       โ””โ”€โ”€ ๐Ÿ“ templates/     # Reusable templates
โ”œโ”€โ”€ ๐Ÿ“„ .sops.yaml            # SOPS encryption rules
โ”œโ”€โ”€ ๐Ÿ“„ Taskfile.yaml         # Main task automation entrypoint
โ””โ”€โ”€ ๐Ÿ“„ README.md             # This file

📚 Documentation

| Document           | Description                                |
|--------------------|--------------------------------------------|
| Getting Started    | Detailed bootstrap and installation guide  |
| Architecture       | System design and infrastructure overview  |
| Applications       | Complete application inventory             |
| Operations         | Day-to-day operational tasks               |
| Maintenance        | Upgrade and maintenance procedures         |
| Disaster Recovery  | Backup and recovery procedures             |
| Troubleshooting    | Common issues and solutions                |
| Networking         | Network configuration and topology         |
| Secrets Management | Working with encrypted secrets             |

🔧 Common Tasks

# List all available tasks
task --list

# View cluster status
kubectl get nodes
kubectl get pods -A

# Sync Flux
flux reconcile source git flux-system

# Upgrade Talos OS
task talos:upgrade-cluster

# Upgrade Kubernetes
task talos:upgrade-k8s

# Browse PVC contents
task kubernetes:browse-pvc

# View application logs
kubectl logs -n <namespace> <pod-name>

๐Ÿ” Secret Management

Secrets are encrypted using SOPS with Age encryption and stored directly in Git. The encryption key (age.key) is stored securely outside this repository.

# Encrypt a file
task sops:encrypt FILE=path/to/secret.yaml

# View encrypted file (decrypt to stdout without opening an editor)
sops -d path/to/secret.sops.yaml

# Edit encrypted file
sops path/to/secret.sops.yaml

See docs/SECRETS.md for detailed instructions.
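Because the encrypted files live in Git, the failure mode to guard against is a Secret that lands in a commit before `sops` has run on it, or a key appended by hand to a file that was encrypted earlier. The check below is an added example for this README, not code from the home-operations repository; it assumes a `.sops.yaml` creation rule with `encrypted_regex: ^(data|stringData)$` (a constructed assumption; the repository's actual rules are not shown here), and the three sample documents are constructed to look like `sops` output rather than copied from the repo.

```python
"""Check that a SOPS/Age-encrypted Kubernetes Secret is safe to commit.

Added example for this README, not code from the home-operations repository.
It encodes what `sops` produces when a `.sops.yaml` creation rule carries an
`encrypted_regex`: every scalar under a matching key becomes an
`ENC[AES256_GCM,...]` string and a `sops` block records the Age recipient(s).
The regex, key names and sample values below are constructed assumptions.
"""
import re

# Assumed creation rule: only Secret payload keys are encrypted, metadata stays readable.
ASSUMED_ENCRYPTED_REGEX = r"^(data|stringData)$"

# Prefix sops puts on every encrypted scalar.
ENC_PREFIX = "ENC[AES256_GCM,"


def _leaves(node, path=()):
    """Yield (path, value) for every scalar in a nested mapping/list."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + (str(index),))
    else:
        yield path, node


def check_sops_document(doc, encrypted_regex=ASSUMED_ENCRYPTED_REGEX):
    """Return a list of findings for an already-parsed YAML document.

    An empty list means: sops metadata is present with an Age recipient, and
    every scalar whose path contains a key matching `encrypted_regex` is an
    ENC[...] value. Plaintext under a matching key is the mistake this catches.
    """
    findings = []
    key_re = re.compile(encrypted_regex)

    meta = doc.get("sops")
    if not isinstance(meta, dict):
        findings.append("missing sops metadata block: file is not SOPS-encrypted")
    else:
        recipients = [
            str(entry.get("recipient", ""))
            for entry in meta.get("age") or []
            if isinstance(entry, dict)
        ]
        if not any(r.startswith("age1") for r in recipients):
            findings.append("sops metadata lists no Age recipient")

    # The sops block itself is metadata, so it is excluded from the payload walk.
    payload = {key: value for key, value in doc.items() if key != "sops"}
    for path, value in _leaves(payload):
        must_encrypt = any(key_re.search(segment) for segment in path)
        is_encrypted = isinstance(value, str) and value.startswith(ENC_PREFIX)
        if must_encrypt and not is_encrypted:
            findings.append("plaintext value at " + ".".join(path))
    return findings


def check_sops_file(path, encrypted_regex=ASSUMED_ENCRYPTED_REGEX):
    """Load a YAML file and check it; needs PyYAML, imported lazily."""
    import yaml

    with open(path, encoding="utf-8") as handle:
        return check_sops_document(yaml.safe_load(handle), encrypted_regex)


# Constructed sample shaped like `sops -e` output for a Kubernetes Secret.
ENCRYPTED_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "example-app", "namespace": "default"},
    "stringData": {
        "API_TOKEN": "ENC[AES256_GCM,data:PLACEHOLDER,iv:PLACEHOLDER,tag:PLACEHOLDER,type:str]",
    },
    "sops": {
        "age": [{"recipient": "age1PLACEHOLDER", "enc": "PLACEHOLDER"}],
        "mac": "ENC[AES256_GCM,data:PLACEHOLDER,type:str]",
    },
}

# Constructed: the same Secret before encryption, i.e. what must never be committed.
PLAINTEXT_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "example-app", "namespace": "default"},
    "stringData": {"API_TOKEN": "not-a-real-token"},
}

# Constructed: an encrypted file to which someone appended a key by hand.
HAND_EDITED_SECRET = {
    **ENCRYPTED_SECRET,
    "stringData": {**ENCRYPTED_SECRET["stringData"], "DB_PASSWORD": "oops-plaintext"},
}

if __name__ == "__main__":
    samples = [("encrypted", ENCRYPTED_SECRET), ("plaintext", PLAINTEXT_SECRET),
               ("hand-edited", HAND_EDITED_SECRET)]
    for name, doc in samples:
        print(name, check_sops_document(doc) or "OK")
```

Run `check_sops_file()` over every `*.sops.yaml` in a pre-commit hook or CI job and fail the commit on any finding. The check is structural only: it confirms the shape `sops` leaves behind, it does not verify the `sops.mac` or decrypt anything, so it complements rather than replaces `sops` itself, and it should use the same `encrypted_regex` as the repository's `.sops.yaml` so the two agree on which keys must be ciphertext.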

🔄 Automated Updates

Renovate runs hourly to check for updates to:

  • Helm chart versions
  • Container images
  • Kubernetes manifests
  • GitHub Actions

Updates are automatically submitted as pull requests for review.

📊 Monitoring & Observability

🆘 Support & Community

🙏 Acknowledgements

This repository is inspired by and built upon the excellent work of the Home Operations and k8s-at-home communities.

Special thanks to:

  • onedr0p for the original template and patterns
  • The k8s-at-home community for application Helm charts
  • The Talos, Flux, and Rook communities for excellent tooling

๐Ÿ“ License

This repository is provided as-is for educational and reference purposes. See LICENSE for details.


โญ If you find this repository useful, please consider giving it a star!