{"id":48766345,"url":"https://github.com/Mafyuh/iac","last_synced_at":"2026-04-29T06:01:04.760Z","repository":{"id":251303420,"uuid":"837008731","full_name":"Mafyuh/iac","owner":"Mafyuh","description":"GitOps-driven Infrastructure as Code for my homelab","archived":false,"fork":false,"pushed_at":"2026-04-28T22:14:15.000Z","size":3220,"stargazers_count":469,"open_issues_count":4,"forks_count":20,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-28T23:17:29.395Z","etag":null,"topics":["actions","ansible","devops","docker","docker-compose","gitops","iac","k8s","k8s-at-home","kubernetes","kubesearch","opentofu","packer","terraform"],"latest_commit_sha":null,"homepage":"","language":"YAML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"wtfpl","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mafyuh.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-08-02T02:56:22.000Z","updated_at":"2026-04-28T22:13:28.000Z","dependencies_parsed_at":"2024-08-20T03:59:41.569Z","dependency_job_id":"507ffccc-c0ba-4eb1-a86b-ebd809f98a1d","html_url":"https://github.com/Mafyuh/iac","commit_stats":null,"previous_names":["mafyuh/iac"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Mafyuh/iac","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mafyuh%2Fiac","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mafyuh%2Fiac/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mafyuh%2Fiac/releas
es","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mafyuh%2Fiac/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mafyuh","download_url":"https://codeload.github.com/Mafyuh/iac/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mafyuh%2Fiac/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32412890,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-29T05:20:56.964Z","status":"ssl_error","status_checked_at":"2026-04-29T05:19:54.749Z","response_time":110,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["actions","ansible","devops","docker","docker-compose","gitops","iac","k8s","k8s-at-home","kubernetes","kubesearch","opentofu","packer","terraform"],"created_at":"2026-04-13T08:00:31.918Z","updated_at":"2026-04-29T06:01:04.753Z","avatar_url":"https://github.com/Mafyuh.png","language":"YAML","funding_links":[],"categories":["YAML"],"sub_categories":[],"readme":"[![CD](https://github.com/Mafyuh/iac/actions/workflows/CD.yml/badge.svg)](https://github.com/Mafyuh/iac/actions/workflows/CD.yml)\n[![Ansible](https://github.com/Mafyuh/iac/actions/workflows/ansible-playbooks.yml/badge.svg)](https://github.com/Mafyuh/iac/actions/workflows/ansible-playbooks.yml)\n\n[![Pods](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fcluster_pods_runni
ng\u0026\u0026logo=kubernetes\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![Nodes](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fcluster_node_count\u0026label=Nodes\u0026logo=kubernetes\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![Uptime](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fcluster_uptime_days\u0026label=Uptime\u0026logo=kubernetes\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![CPU](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fcluster_cpu_usage\u0026\u0026logo=kubernetes\u0026label=CPU\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![RAM](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fcluster_memory_usage\u0026\u0026logo=kubernetes\u0026label=RAM\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![Version](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fkubernetes_version\u0026label=Kubernetes\u0026logo=kubernetes\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![Talos](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Ftalos_version\u0026\u0026logo=talos\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![PVE Version](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fpve_version\u0026\u0026logo=proxmox\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![Flux](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fflux_version\u0026\u0026logo=flux\u0026color=black)](https://kubernetes.io/)\u0026nbsp;\n[![Alerts](https://img.shields.io/endpoint?url=https%3A%2F%2Fkromgo.mafyuh.dev%2Fcluster_alert_count\u0026\u0026logo=prometheus)](https://kubernetes.io/)\u0026nbsp;\n\n![Header Image](https://raw.githubusercontent.com/Mafyuh/homelab-svg-assets/main/assets/header_.png)\n\n\u003cdiv align=\"center\"\u003e\n\n# iac (wip)\n\nThis is my homelab infrastructure, defined in code.\n\n\u003c/div\u003e\n\n---\n\n\u003cdiv 
align=\"center\"\u003e\n\n| Hypervisor                                                                                      | OS                                                                                                                                                                                                                                                                                                        | Tools                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | Networking                                                                                              | Misc. 
Automations                                                                                                                                                                                      |\n| ----------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |\n| [![Proxmox](https://img.shields.io/badge/-Proxmox-black?logo=Proxmox)](https://www.proxmox.com) | [![Talos](https://img.shields.io/badge/Talos-black?\u0026logo=talos)](https://www.talos.dev/) [![Ubuntu](https://img.shields.io/badge/Ubuntu-black?\u0026logo=ubuntu\u0026logoColor=red)](https://releases.ubuntu.com/noble/) 
[![Arch](https://img.shields.io/badge/Arch-black?\u0026logo=archlinux)](https://archlinux.org/) [![NixOS](https://img.shields.io/badge/NixOS-black?\u0026logo=nixos)](https://nixos.org/) | [![Docker](https://img.shields.io/badge/-Docker-black?logo=docker)](https://www.docker.com/) [![Kubernetes](https://img.shields.io/badge/-Kubernetes-black?logo=kubernetes)](https://k3s.io/) [![Renovate](https://img.shields.io/badge/-Renovate-black?logo=renovate\u0026logoColor=blue)](https://github.com/renovatebot/renovate) [![OpenTofu](https://img.shields.io/badge/-OpenTofu-black?logo=opentofu)](https://opentofu.org/) [![Packer](https://img.shields.io/badge/-Packer-black?logo=packer)](https://www.packer.io/) [![Ansible](https://img.shields.io/badge/-Ansible-black?logo=ansible\u0026logoColor=red)](https://www.ansible.com/) [![Flux](https://img.shields.io/badge/-Flux-black?logo=flux)](https://fluxcd.io/) | [![Unifi](https://img.shields.io/badge/-Unifi-black?logo=ubiquiti\u0026logoColor=blue)](https://www.ui.com/) | [![n8n](https://img.shields.io/badge/-n8n-black?logo=n8n)](https://n8n.io/) [![Actions](https://img.shields.io/badge/-Actions-black?logo=github\u0026logoColor=white)](https://github.com/features/actions) |\n\n\u003c/div\u003e\n\n## 📖 **Overview**\n\nThis repository contains the IaC ([Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code)) configuration for my homelab.\n\nMy homelab runs two infrastructure stacks: Kubernetes and Proxmox VMs running Docker. Legacy VMs are Ubuntu cloned from templates I created with [Packer](https://www.packer.io/), I have been migrating my Ubuntu VM's over to NixOS, see Nix config [here](https://github.com/Mafyuh/nixos) and going forward all VM's will be NixOS. My Kubernetes nodes are all defined as code using [Talos Linux](https://www.talos.dev/) with [talhelper](https://github.com/budimanjojo/talhelper).\n\nEverything is containerized — either managed with Docker Compose or orchestrated through Kubernetes. 
My long-term goal is to move it all to Kubernetes using **[GitOps](https://en.wikipedia.org/wiki/DevOps) practices**, and the migration is ongoing. Docker Compose sticks around mainly due to hardware limitations; scaling a homelab Kubernetes cluster means buying a lot of hardware.\n\nTo automate infrastructure updates, I use **GitHub Actions**, which trigger workflows upon changes to this repo. This ensures seamless deployment and maintenance across my homelab:\n\n- **[Flux](https://fluxcd.io/)** manages Continuous Deployment (CD) for Kubernetes, deployed via [Flux Operator](https://fluxcd.control-plane.io/).\n- **[Docker CD Workflow](https://github.com/Mafyuh/iac/blob/main/.github/workflows/CD.yml)** handles Continuous Deployment for Docker services.\n- **[Renovate](https://github.com/renovatebot/renovate)** keeps services updated by opening PRs for new versions.\n- **[Ansible](https://github.com/ansible/ansible)** is used to execute playbooks on all of my VMs, automating management and configuration.\n\n### 🔒 **Security \u0026 Networking**\n\nFor secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various [integrations](https://bitwarden.com/help/ansible-integration/) into the tools used.\n\n\u003e Kubernetes uses the External Secrets implementation of BWS, not the official one. The BWS Access Key is SOPS encrypted.\n\n**[GitLeaks](https://github.com/gitleaks/gitleaks)** checks every commit before it is made to make sure no secrets are exposed; **[GitGuardian](https://www.gitguardian.com/)** alerts me if something slips through GitLeaks.\n\nEach container image is automatically scanned by **[Trivy](https://trivy.dev/latest/)**, with detected vulnerabilities published to **[GitHub Security](https://github.com/security)**.\n\nI use **RackNerd** for their very reasonably priced VPS and deploy Docker services that require uptime here. 
[Tailscale](https://www.tailscale.com/) is used to connect my home network to the various VPS's securely using [Zero Trust architecture](https://en.wikipedia.org/wiki/Zero_trust_architecture).\n\nI use [**Cloudflare**](https://www.cloudflare.com/) for my DNS provider with [**Cloudflare Tunnels**](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) to expose some of the services to the world. [**Cloudflare Access**](https://www.cloudflare.com/access/) is used as Zero Trust for public websites, this is paired with [**Fail2Ban**](https://www.fail2ban.org/) looking through all my reverse proxy logs for malicious actors who made it through [**Access**](https://www.cloudflare.com/access/) and banning them via [**Cloudflare WAF**](https://www.cloudflare.com/web-application-firewall/).\n\nI also utilize Unifi's IDS/IPS for intrusion detection on my home network, and use **[Wazuh](https://wazuh.com/)** as a SIEM to monitor and generate security alerts across all my hosts.\n\n### **📊 Monitoring \u0026 Observability**\n\nI use a combination of **Grafana, fluent-bit, VictoriaLogs and Prometheus** with various exporters to collect and visualize system metrics, logs, and alerts. 
This helps maintain visibility into my infrastructure and detect issues proactively.\n\n- **Prometheus** – Metrics collection and alerting\n- **Victoria Logs** – Centralized logging\n- **Grafana** – Dashboarding and visualization\n- **Exporters** – Blackbox Exporter, Speedtest Exporter, etc.\n\n### ☁️ **Cloud Dependencies**\n\nAlthough I try to self-host everything I can, my infra still relies on the cloud for certain services.\n\n| Service                                                                                 | Use                                                                                                             | Cost           |\n| --------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------- |\n| [Proton](https://proton.me/)                                                            | IMAP, SMTP, VPN (Pass once there is Autofill Hotkey)                                                            | ~$120/yr       |\n| [Bitwarden](https://bitwarden.com/)                                                     | Secrets for all tools                                                                                           | Free           |\n| [OneDrive](https://www.microsoft.com/en-us/microsoft-365/onedrive/online-cloud-storage) | Takes backups of Proxmox VM's, Kubernetes PV's (will migrate to Proton Drive once there's proper Linux support) | Free (e5 dev)  |\n| [Cloudflare](https://www.cloudflare.com/)                                               | Domain, DNS, WAF                                                                                                | Free           |\n| [GitHub](https://github.com/)                                                           | Hosting this repo and continuous integration/deployments                                                        | Free           
|\n| [RackNerd](https://www.racknerd.com/)                                                   | RackNerd VPS, services such as Gotify, Vaultwarden                                                              | ~$60/yr        |\n|                                                                                         |                                                                                                                 | Total: ~$15/mo |\n\n## 🧑‍💻 **Getting Started**\n\nThis repo is not structured like a project you can easily replicate. If you are new to any of the tools used, however, I encourage you to read through the directories that make up each tool to see how I am using them.\n\nOver time I will try to add more detailed instructions in each directory's README.\n\nSome good references for how I learned this stuff (other than RTFM):\n\n- [Kubernetes Cluster Setup](https://technotim.live/posts/k3s-etcd-ansible/)\n- [Kubernetes + Flux](https://technotim.live/posts/flux-devops-gitops/)\n- [Kubernetes Secrets with SOPS](https://technotim.live/posts/secret-encryption-sops/)\n- [Finding Kubernetes HelmReleases](https://kubesearch.dev)\n- [Packer with Proxmox](https://www.youtube.com/watch?v=1nf3WOEFq1Y)\n- [Terraform with Proxmox](https://www.youtube.com/watch?v=dvyeoDBUtsU)\n- [Docker](https://www.youtube.com/watch?v=eGz9DS-aIeY)\n- [Ansible](https://www.youtube.com/watch?v=goclfp6a2IQ)\n\nSpecial thank you to [@chkpwd](https://github.com/chkpwd) for helping me get this started. [His repo](https://github.com/chkpwd/iac) was the inspiration for this.\n\n## 🖥️ **Hardware**\n\nProof that you don't need expensive new equipment to run infra like mine. 
Mostly everything here is secondhand, bought over time, totaling less than ~$3k.\n\n\u003cdetails open\u003e\n  \u003csummary\u003e\u003cstrong\u003eServers\u003c/strong\u003e\u003c/summary\u003e\n\n| Name                      | Device                                                                                                                | CPU              | RAM        | Storage                                                  | GPU              | Purpose                 |\n| ------------------------- | --------------------------------------------------------------------------------------------------------------------- | ---------------- | ---------- | -------------------------------------------------------- | ---------------- | ----------------------- |\n| **Talos-1**               | Optiplex 7040 Micro                                                                                                   | Intel i5-6700t   | 32GB DDR4  | 1x1TB SATA SSD 128GB NVME                                | Integrated       | k8s control-plane       |\n| **Talos-2**               | Optiplex 7040 Micro                                                                                                   | Intel i5-6700t   | 32GB DDR4  | 1x1TB SATA SSD 128GB NVME                                | Integrated       | k8s control-plane       |\n| **Talos-3**               | Optiplex 7040 Micro                                                                                                   | Intel i5-6700t   | 32GB DDR4  | 1x1TB SATA SSD 128GB NVME                                | Integrated       | k8s control-plane       |\n| **TrueNAS**               | Custom                                                                                                                | AMD Ryzen 5 5500 | 32 GB DDR4 | 1TB NVMe, 4x4TB RAIDZ1 (Media), 2x4TB Mirrored (Backups) | Arc A310         | NAS + Jellyfin Server   |\n| **PVE**            | Custom                                                  
                                                              | AMD Ryzen 9 5950X   | 64 GB DDR4 | NVMe for boot and VMs                                    | Nvidia 1660 6GB  | Main proxmox node |\n| **Pi**                    | Raspberry Pi 4                                                                                                        |                  | 8GB        | 1TB m.2 SATA SSD w/ USB HAT                              | n/a              | Home Assistant Server   |\n| **Proxmox Backup Server** | [Mini-PC](https://www.amazon.com/FIREBAT-Computer-Expansible-Efficient-Business/dp/B0DZWP653T/ref=sr_1_4?s=pc\u0026sr=1-4) | Intel N150       | 8GB        | 2TB SATA                                                 | n/a              | Backup Proxmox VM's     |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003ePersonal\u003c/strong\u003e\u003c/summary\u003e\n\n| Name      | Device         | CPU               | RAM       | Storage   | GPU             | Purpose               |\n| --------- | -------------- | ----------------- | --------- | --------- | --------------- | --------------------- |\n| Gaming PC | Custom         | Intel i7-13700k   | 64GB DDR5 | 10TB NVMe | Nvidia RTX 5070 | Main Machine          |\n| Laptop    | HP 15-eh1097nr | AMD Ryzen 7 5700U | 32GB DDR4 | 1TB NVMe  | Integrated      | On the go/bed machine |\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n  \u003csummary\u003e\u003cstrong\u003eNetworking\u003c/strong\u003e\u003c/summary\u003e\n\n| Name   | Device                                                                                                 | Purpose         |\n| ------ | ------------------------------------------------------------------------------------------------------ | --------------- |\n| Switch | [Unifi Flex 2.5Gb PoE](https://store.ui.com/us/en/category/all-switching/products/usw-flex-2-5g-8-poe) | Switch with PoE |\n| Router | [Unifi Dream Router 
7](https://store.ui.com/us/en/products/udr7)                                       | Router/Firewall |\n| AP     | [U7 Pro XG](https://store.ui.com/us/en/category/all-wifi/products/u7-pro-xg)                           | AP              |\n\n\u003c/details\u003e\n\n## 📌 **To-Do**\n\nSee [Project Board](https://github.com/users/Mafyuh/projects/1)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMafyuh%2Fiac","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMafyuh%2Fiac","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMafyuh%2Fiac/lists"}