https://github.com/Mafyuh/iac
GitOps-driven Infrastructure as Code for my homelab
actions ansible devops docker docker-compose gitops iac k8s k8s-at-home kubernetes kubesearch opentofu packer terraform
Last synced: 14 days ago
- Host: GitHub
- URL: https://github.com/Mafyuh/iac
- Owner: Mafyuh
- License: wtfpl
- Created: 2024-08-02T02:56:22.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2026-04-28T22:14:15.000Z (14 days ago)
- Last Synced: 2026-04-28T23:17:29.395Z (14 days ago)
- Topics: actions, ansible, devops, docker, docker-compose, gitops, iac, k8s, k8s-at-home, kubernetes, kubesearch, opentofu, packer, terraform
- Language: YAML
- Homepage:
- Size: 3.07 MB
- Stars: 469
- Watchers: 2
- Forks: 20
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
README
- [Docker CD workflow](https://github.com/Mafyuh/iac/actions/workflows/CD.yml)
- [Ansible playbooks workflow](https://github.com/Mafyuh/iac/actions/workflows/ansible-playbooks.yml)

# iac (wip)
This is my homelab infrastructure, defined in code.
---
| Hypervisor | OS | Tools | Networking | Misc. Automations |
| --- | --- | --- | --- | --- |
| [Proxmox](https://www.proxmox.com) | [Talos Linux](https://www.talos.dev/), [Ubuntu](https://releases.ubuntu.com/noble/), [Arch Linux](https://archlinux.org/), [NixOS](https://nixos.org/) | [Docker](https://www.docker.com/), [k3s](https://k3s.io/), [Renovate](https://github.com/renovatebot/renovate), [OpenTofu](https://opentofu.org/), [Packer](https://www.packer.io/), [Ansible](https://www.ansible.com/), [Flux](https://fluxcd.io/) | [Ubiquiti UniFi](https://www.ui.com/) | [n8n](https://n8n.io/), [GitHub Actions](https://github.com/features/actions) |
## 📖 **Overview**
This repository contains the IaC ([Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code)) configuration for my homelab.
My homelab runs two infrastructure stacks: Kubernetes, and Proxmox VMs running Docker. The legacy VMs are Ubuntu, cloned from templates I built with [Packer](https://www.packer.io/). I have been migrating those Ubuntu VMs to NixOS (Nix config [here](https://github.com/Mafyuh/nixos)), and going forward all VMs will be NixOS. My Kubernetes nodes are all defined as code using [Talos Linux](https://www.talos.dev/) with [talhelper](https://github.com/budimanjojo/talhelper).
Everything is containerized, either managed with Docker Compose or orchestrated through Kubernetes. My long-term goal is to move it all to Kubernetes using **[GitOps](https://en.wikipedia.org/wiki/DevOps) practices**, and the migration is ongoing. Docker Compose sticks around mainly due to hardware limitations; scaling a homelab Kubernetes cluster means buying a lot of hardware.
To automate infrastructure updates, I use **GitHub Actions** workflows that trigger on changes to this repo. This keeps deployment and maintenance across my homelab consistent:
- **[Flux](https://fluxcd.io/)** manages Continuous Deployment (CD) for Kubernetes, deployed via [Flux Operator](https://fluxcd.control-plane.io/).
- **[Docker CD Workflow](https://github.com/Mafyuh/iac/blob/main/.github/workflows/CD.yml)** handles Continuous Deployment for Docker services.
- **[Renovate](https://github.com/renovatebot/renovate)** keeps services updated by opening PRs for new versions.
- **[Ansible](https://github.com/ansible/ansible)** executes playbooks on all of my VMs, automating management and configuration.
### 🔒 **Security & Networking**
For secret management I use [Bitwarden Secrets Manager](https://bitwarden.com/products/secrets-manager/) and its [integrations](https://bitwarden.com/help/ansible-integration/) with the tools used here.
> Kubernetes pulls secrets through the External Secrets Operator's Bitwarden Secrets Manager provider, not Bitwarden's official operator. The BWS access key it needs is stored SOPS-encrypted.
**[GitLeaks](https://github.com/gitleaks/gitleaks)** runs before every commit to make sure no secrets are exposed, and **[GitGuardian](https://www.gitguardian.com/)** alerts me if something slips through GitLeaks.
Each container image is automatically scanned by **[Trivy](https://trivy.dev/latest/)**, with detected vulnerabilities published to **[GitHub Security](https://github.com/security)**.
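One check that complements GitLeaks and GitGuardian is refusing to commit a Kubernetes Secret manifest whose values are not SOPS ciphertext, which is exactly the kind of file the BWS access key above lives in: a pattern scanner recognises known secret formats, while this catches any file that should have been encrypted and was not (a base64-encoded value in `data:` has no pattern for GitLeaks to match). The script below is an added example written for this page, not a hook from this repo; the `*.sops.yaml` convention, the sample manifests and the ciphertext-looking values are all constructed, and it is standard-library-only so it runs without the `sops` binary.

```python
"""Pre-commit guard: refuse Kubernetes Secret manifests that are not SOPS-encrypted.

Added illustration, not a hook from this repo. Assumes (repo convention, an
assumption here) that every *.sops.yaml is a manifest whose data/stringData
values must be SOPS ciphertext and whose sops metadata block carries a MAC.
"""
import re
import sys
from typing import List

# Shape of a scalar SOPS writes after encryption (data/iv/tag are base64).
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:(?:str|int|float|bool|comment)\]$"
)
TOP_KEY_RE = re.compile(r"^([A-Za-z_][\w.-]*):\s*(.*)$")  # unindented "key: ..."
CHILD_RE = re.compile(r"^\s+([^\s:#][^:]*):\s*(.*)$")     # indented "key: value"
SECRET_SECTIONS = {"data", "stringData"}                  # sections that must be ciphertext


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def check_manifest(text: str) -> List[str]:
    """Return the problems found; an empty list means every secret value is SOPS
    ciphertext and the sops metadata (including the MAC over the file) is present."""
    problems: List[str] = []
    section = None  # current top-level key, e.g. "stringData" or "sops"
    saw_sops = saw_mac = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.strip() == "---":  # YAML document separator
            section = None
            continue
        top = TOP_KEY_RE.match(line)
        if top:
            section = top.group(1)
            saw_sops = saw_sops or section == "sops"
            continue
        child = CHILD_RE.match(line)
        if section in SECRET_SECTIONS:
            if not child:
                # SOPS never emits multi-line ciphertext, so a continuation line here
                # is a plaintext block scalar (e.g. a pasted PEM key).
                problems.append(f"line {lineno}: multi-line plaintext value in {section}")
                continue
            key, value = child.group(1).strip(), _unquote(child.group(2))
            if not ENC_RE.match(value):
                problems.append(f"line {lineno}: {section}.{key} is not SOPS-encrypted")
        elif section == "sops" and child and child.group(1).strip() == "mac":
            saw_mac = bool(ENC_RE.match(_unquote(child.group(2))))
    if not saw_sops:
        problems.append("no sops metadata block: file was never encrypted")
    elif not saw_mac:
        problems.append("sops block has no encrypted mac: metadata is incomplete")
    return problems


# Constructed samples: neither real secrets nor real ciphertext.
ENCRYPTED_SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
    name: bitwarden-access-token
type: Opaque
stringData:
    token: ENC[AES256_GCM,data:c2FtcGxl,iv:aXY=,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq
    lastmodified: "2024-08-02T02:56:22Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
"""

PLAINTEXT_SAMPLE = """\
apiVersion: v1
kind: Secret
metadata:
    name: bitwarden-access-token
type: Opaque
stringData:
    token: not-a-real-token-but-it-is-plaintext
data:
    api-key: aHVudGVyMg==
"""


def main(paths: List[str]) -> int:
    """Pre-commit entry point: non-zero exit refuses the commit."""
    rc = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            for problem in check_manifest(fh.read()):
                print(f"{path}: {problem}")
                rc = 1
    return rc


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    print("encrypted sample:", check_manifest(ENCRYPTED_SAMPLE) or "ok")
    print("plaintext sample:", check_manifest(PLAINTEXT_SAMPLE))
```

Wire it as a pre-commit hook that receives the staged `*.sops.yaml` paths; the base64 `api-key` in the plaintext sample is the case a format-based scanner is most likely to miss.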
I use **RackNerd** for their very reasonably priced VPSs and deploy the Docker services that need uptime there. [Tailscale](https://www.tailscale.com/) connects my home network to the VPSs securely, following a [Zero Trust architecture](https://en.wikipedia.org/wiki/Zero_trust_architecture).
I use [**Cloudflare**](https://www.cloudflare.com/) as my DNS provider and [**Cloudflare Tunnels**](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/) to expose some services to the world. [**Cloudflare Access**](https://www.cloudflare.com/access/) provides Zero Trust authentication for the public websites; this is paired with [**Fail2Ban**](https://www.fail2ban.org/), which watches all my reverse proxy logs for malicious actors who made it through [**Access**](https://www.cloudflare.com/access/) and bans them via the [**Cloudflare WAF**](https://www.cloudflare.com/web-application-firewall/).
I also use UniFi's IDS/IPS for intrusion detection on my home network, and **[Wazuh](https://wazuh.com/)** as a SIEM to monitor and generate security alerts across all my hosts.
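The Access, reverse-proxy log, Fail2Ban, Cloudflare WAF chain above has one caveat worth a worked example: behind a Cloudflare Tunnel the socket peer of every request is a Cloudflare edge, so a jail that bans the peer address bans Cloudflare rather than the attacker, and the real client is in the `CF-Connecting-IP` header, which can be trusted only when the peer really is Cloudflare (a request that reaches the origin directly can carry any value). The script below is an added illustration of that logic, not Fail2Ban configuration from this repo; the Traefik-style JSON log field names, the log lines and the addresses are constructed, the Cloudflare range list is a subset of the published one, and the WAF request body is built but never sent.

```python
"""Fail2Ban-style triage of reverse-proxy logs behind Cloudflare, feeding a WAF block.

Added illustration, not configuration from this repo. Runs offline on constructed
log lines; field names follow Traefik's JSON access log (an assumption here).
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Subset of Cloudflare's published egress ranges; refresh from https://www.cloudflare.com/ips-v4/
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13")]
FAIL_STATUSES = {401, 403}  # what a request rejected by Access/auth looks like in the proxy log


def effective_client(record: dict) -> str:
    """Address to judge (and ban): CF-Connecting-IP only if the socket peer is Cloudflare."""
    peer = ipaddress.ip_address(record["ClientHost"])
    header = record.get("request_Cf-Connecting-Ip")
    if header and any(peer in net for net in CLOUDFLARE_RANGES):
        return header
    return str(peer)  # direct hit or spoofed header: the peer itself is the client


def ban_candidates(lines, maxretry: int = 5, findtime: timedelta = timedelta(minutes=10)):
    """Clients that reached `maxretry` failures inside a sliding `findtime` window
    (fail2ban semantics). Lines must be in chronological order per client."""
    failures = defaultdict(list)
    banned = set()
    for line in lines:
        rec = json.loads(line)
        if rec["DownstreamStatus"] not in FAIL_STATUSES:
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        client = effective_client(rec)
        window = [t for t in failures[client] if ts - t <= findtime] + [ts]
        failures[client] = window
        if len(window) >= maxretry:
            banned.add(client)
    return sorted(banned)


def cloudflare_block_rule(ip: str, note: str = "fail2ban") -> dict:
    """Request body for Cloudflare's IP Access Rules endpoint
    POST /client/v4/zones/{zone_id}/firewall/access_rules/rules (built here, not sent)."""
    return {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}


def sample_log():
    """Constructed log lines: not real traffic."""
    base = datetime(2026, 4, 28, 22, 0, tzinfo=timezone.utc)

    def rec(sec, peer, status, cf_ip=None, path="/login"):
        r = {"time": (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ"),
             "ClientHost": peer, "DownstreamStatus": status, "RequestPath": path}
        if cf_ip:
            r["request_Cf-Connecting-Ip"] = cf_ip
        return json.dumps(r)

    lines = [rec(i * 30, "173.245.48.10", 401, cf_ip="203.0.113.7") for i in range(6)]     # via Cloudflare edge
    lines += [rec(i * 30, "198.51.100.9", 401, cf_ip="192.0.2.1") for i in range(6)]       # direct, spoofed header
    lines += [rec(i * 180, "173.245.48.11", 403, cf_ip="203.0.113.99") for i in range(6)]  # too slow: 6 in 15 min
    lines.append(rec(10, "173.245.48.10", 200, cf_ip="203.0.113.50", path="/"))            # normal user
    return lines


if __name__ == "__main__":
    for ip in ban_candidates(sample_log()):
        print(json.dumps(cloudflare_block_rule(ip)))
```

On the sample the banned addresses are the real attacker behind Cloudflare and the direct-to-origin peer; the Cloudflare edge and the spoofed header value are never banned, and the slow client never fills the window.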
### **📊 Monitoring & Observability**
I use a combination of **Grafana, fluent-bit, VictoriaLogs and Prometheus** with various exporters to collect and visualize system metrics, logs, and alerts. This helps maintain visibility into my infrastructure and detect issues proactively.
- **Prometheus** – Metrics collection and alerting
- **fluent-bit** – Log collection and forwarding from hosts and containers
- **VictoriaLogs** – Centralized log storage
- **Grafana** – Dashboarding and visualization
- **Exporters** – Blackbox Exporter, Speedtest Exporter, etc.
### ☁️ **Cloud Dependencies**
Although I try to self-host everything I can, my infra still relies on the cloud for certain services.
| Service | Use | Cost |
| --------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------- | -------------- |
| [Proton](https://proton.me/) | IMAP, SMTP, VPN (Pass once there is Autofill Hotkey) | ~$120/yr |
| [Bitwarden](https://bitwarden.com/) | Secrets for all tools | Free |
| [OneDrive](https://www.microsoft.com/en-us/microsoft-365/onedrive/online-cloud-storage) | Backups of Proxmox VMs and Kubernetes PVs (will migrate to Proton Drive once there's proper Linux support) | Free (E5 dev) |
| [Cloudflare](https://www.cloudflare.com/) | Domain, DNS, WAF | Free |
| [GitHub](https://github.com/) | Hosting this repo and continuous integration/deployments | Free |
| [RackNerd](https://www.racknerd.com/) | RackNerd VPS, services such as Gotify, Vaultwarden | ~$60/yr |
| | | Total: ~$15/mo |
## 🧑💻 **Getting Started**
This repo is not structured like a project you can easily replicate. If you are new to any of the tools used, though, I encourage you to read through the directory for each tool to see how I am using it.
Over time I will try to add more detailed instructions in each directory's README.
Some good references for how I learned this stuff (other than RTFM):
- [Kubernetes Cluster Setup](https://technotim.live/posts/k3s-etcd-ansible/)
- [Kubernetes + Flux](https://technotim.live/posts/flux-devops-gitops/)
- [Kubernetes Secrets with SOPS](https://technotim.live/posts/secret-encryption-sops/)
- [Finding Kubernetes HelmReleases](https://kubesearch.dev)
- [Packer with Proxmox](https://www.youtube.com/watch?v=1nf3WOEFq1Y)
- [Terraform with Proxmox](https://www.youtube.com/watch?v=dvyeoDBUtsU)
- [Docker](https://www.youtube.com/watch?v=eGz9DS-aIeY)
- [Ansible](https://www.youtube.com/watch?v=goclfp6a2IQ)
Special thank you to [@chkpwd](https://github.com/chkpwd) for helping me get this started. [His repo](https://github.com/chkpwd/iac) was the inspiration for this.
## 🖥️ **Hardware**
Proof that you don't need expensive new equipment to run infra like mine. Almost everything here is secondhand, bought over time, totaling less than ~$3k.
Servers
| Name | Device | CPU | RAM | Storage | GPU | Purpose |
| --- | --- | --- | --- | --- | --- | --- |
| **Talos-1** | Optiplex 7040 Micro | Intel i5-6700T | 32GB DDR4 | 1TB SATA SSD + 128GB NVMe | Integrated | k8s control plane |
| **Talos-2** | Optiplex 7040 Micro | Intel i5-6700T | 32GB DDR4 | 1TB SATA SSD + 128GB NVMe | Integrated | k8s control plane |
| **Talos-3** | Optiplex 7040 Micro | Intel i5-6700T | 32GB DDR4 | 1TB SATA SSD + 128GB NVMe | Integrated | k8s control plane |
| **TrueNAS** | Custom | AMD Ryzen 5 5500 | 32GB DDR4 | 1TB NVMe, 4x 4TB RAIDZ1 (media), 2x 4TB mirror (backups) | Arc A310 | NAS + Jellyfin server |
| **PVE** | Custom | AMD Ryzen 9 5950X | 64GB DDR4 | NVMe for boot and VMs | Nvidia 1660 6GB | Main Proxmox node |
| **Pi** | Raspberry Pi 4 | | 8GB | 1TB M.2 SATA SSD via USB HAT | n/a | Home Assistant server |
| **Proxmox Backup Server** | [Mini-PC](https://www.amazon.com/FIREBAT-Computer-Expansible-Efficient-Business/dp/B0DZWP653T/ref=sr_1_4?s=pc&sr=1-4) | Intel N150 | 8GB | 2TB SATA | n/a | Backs up Proxmox VMs |
Personal
| Name | Device | CPU | RAM | Storage | GPU | Purpose |
| --------- | -------------- | ----------------- | --------- | --------- | --------------- | --------------------- |
| Gaming PC | Custom | Intel i7-13700k | 64GB DDR5 | 10TB NVMe | Nvidia RTX 5070 | Main Machine |
| Laptop | HP 15-eh1097nr | AMD Ryzen 7 5700U | 32GB DDR4 | 1TB NVMe | Integrated | On the go/bed machine |
Networking
| Name | Device | Purpose |
| ------ | ------------------------------------------------------------------------------------------------------ | --------------- |
| Switch | [Unifi Flex 2.5Gb PoE](https://store.ui.com/us/en/category/all-switching/products/usw-flex-2-5g-8-poe) | Switch with PoE |
| Router | [Unifi Dream Router 7](https://store.ui.com/us/en/products/udr7) | Router/Firewall |
| AP | [U7 Pro XG](https://store.ui.com/us/en/category/all-wifi/products/u7-pro-xg) | AP |
## 📌 **To-Do**
See [Project Board](https://github.com/users/Mafyuh/projects/1)