https://github.com/roib20/homelab-as-code

# 🏠 Homelab as Code 👨‍💻

**Bare-metal to a self-healing Kubernetes cluster, every layer as code. This is my homelab.**

[![Documentation](https://img.shields.io/badge/Documentation-homelab.towerofkubes.com-5E81AC?style=for-the-badge&logo=astro&logoColor=white)](https://homelab.towerofkubes.com)

The goal is to keep manual steps out of it as much as I can. Ansible and OpenTofu provision the OS layer and VMs, the nodes run Talos Linux, and Argo CD reconciles the cluster against Git. Most changes are a commit, and rebuilding a node means running the same code again.

## ✅ Status

[![Image](https://img.shields.io/badge/image-ghcr.io%2Froib20%2Fhomelab--as--code--runner-blue)](https://github.com/roib20/homelab-as-code/pkgs/container/homelab-as-code-runner)
[![Bake Container Image](https://github.com/roib20/homelab-as-code/actions/workflows/bake-image.yml/badge.svg)](https://github.com/roib20/homelab-as-code/actions/workflows/bake-image.yml)
[![Kustomize Build Validation](https://github.com/roib20/homelab-as-code/actions/workflows/kustomize-build-validation.yml/badge.svg)](https://github.com/roib20/homelab-as-code/actions/workflows/kustomize-build-validation.yml)
[![pre-commit](https://github.com/roib20/homelab-as-code/actions/workflows/pre-commit.yml/badge.svg)](https://github.com/roib20/homelab-as-code/actions/workflows/pre-commit.yml)
[![ShellCheck](https://github.com/roib20/homelab-as-code/actions/workflows/shellcheck.yml/badge.svg)](https://github.com/roib20/homelab-as-code/actions/workflows/shellcheck.yml)
[![Terragrunt Validate & Format](https://github.com/roib20/homelab-as-code/actions/workflows/terragrunt-validate-and-fmt.yml/badge.svg)](https://github.com/roib20/homelab-as-code/actions/workflows/terragrunt-validate-and-fmt.yml)
[![yamllint](https://github.com/roib20/homelab-as-code/actions/workflows/yamllint.yml/badge.svg)](https://github.com/roib20/homelab-as-code/actions/workflows/yamllint.yml)

---

## 🧱 Built with Layers

```mermaid
flowchart LR
hw["💻 Hardware"] --> deb["🐧 Debian"] --> pve["📦 Proxmox VE"]
pve --> tn["🗄️ TrueNAS"]
pve --> k8s["☸️ Talos + Kubernetes"]
k8s --> argo["🚀 Argo CD"]
```

The lab is built bottom to top, and each layer assumes the one under it. A Proxmox VE cluster runs the Talos VMs that form Kubernetes, plus a TrueNAS VM for storage. The lower layers rarely change once they work, while the apps on top change frequently, with updates automated by Renovate Operator.

## 🔁 Kept in Sync with Git

```mermaid
flowchart LR
git["Git (this repo)"] --> argo["Argo CD"] --> cluster["Cluster state"]
argo -. corrects drift .-> cluster
```

This is the GitOps part. Git holds the desired state and Argo CD does the writing: it is the only thing that applies changes to the cluster, and ApplicationSets generate the apps from `kubernetes/cluster/active`. A rollback is a `git revert`. The one thing kept out of Git is secrets, which the External Secrets Operator pulls from Bitwarden Secrets Manager at runtime.
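How the pieces in this paragraph fit together, shown as an added example rather than manifests taken from the repository: an ApplicationSet whose Git directory generator turns each directory under `kubernetes/cluster/active` into an Argo CD Application with automated prune and self-heal, followed by the External Secrets Operator resources that let a workload consume a value held in Bitwarden Secrets Manager while only a reference is committed. The ApplicationSet name, the `argocd` namespace, the ClusterSecretStore name, the `demo-app` application, the SDK server URL and the bracketed IDs are assumptions; the field names follow the Argo CD and ESO APIs.

```yaml
# Added example; not a manifest from the homelab-as-code repository.
# Assumed names: ApplicationSet "cluster-active", namespace "argocd",
# ClusterSecretStore "bitwarden-secrets-manager", application "demo-app".
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: cluster-active
  namespace: argocd
spec:
  goTemplate: true
  goTemplateOptions: ["missingkey=error"]
  generators:
    # One Application per directory under kubernetes/cluster/active.
    - git:
        repoURL: https://github.com/roib20/homelab-as-code.git
        revision: main
        directories:
          - path: kubernetes/cluster/active/*
  template:
    metadata:
      name: "{{ .path.basename }}"
    spec:
      project: default
      source:
        repoURL: https://github.com/roib20/homelab-as-code.git
        targetRevision: main
        path: "{{ .path.path }}"
      destination:
        server: https://kubernetes.default.svc
        namespace: "{{ .path.basename }}"
      syncPolicy:
        automated:
          prune: true     # resources deleted from Git are deleted from the cluster
          selfHeal: true  # edits made outside Git are reverted (the "corrects drift" arrow)
        syncOptions:
          - CreateNamespace=true
---
# The store holds the connection details; the machine-account token it
# authenticates with lives in a Kubernetes Secret created out of band, not in Git.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: bitwarden-secrets-manager
spec:
  provider:
    bitwardensecretsmanager:
      apiURL: https://api.bitwarden.com
      identityURL: https://identity.bitwarden.com
      # Assumed in-cluster address of the ESO Bitwarden SDK server.
      bitwardenServerSDKURL: https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998
      organizationID: "<BITWARDEN_ORGANIZATION_ID>"   # placeholder
      projectID: "<BITWARDEN_PROJECT_ID>"             # placeholder
      auth:
        secretRef:
          credentials:
            name: bitwarden-access-token
            namespace: external-secrets
            key: token
---
# What is committed for a secret is this reference. ESO resolves it at runtime
# and keeps the resulting Kubernetes Secret in sync with Bitwarden.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: demo-app-db
  namespace: demo-app
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: bitwarden-secrets-manager
  target:
    name: demo-app-db        # Secret that ESO creates and owns
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: "<BITWARDEN_SECRET_ID>"   # placeholder for the Bitwarden secret identifier
```

With `selfHeal` and `prune` on, a `kubectl edit` against a managed resource is undone on the next reconcile, so the audit trail for cluster changes is the Git history. The only credential that has to exist before anything can be pulled is the store's access token, which is the single bootstrap step kept out of the repository.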

## 🚪 Two Ways In

```mermaid
flowchart LR
req["Request"] --> pick{"Public or private?"}
pick -->|Public| gw["🌐 Gateway API + WAF"]
pick -->|Private| ts["🔒 Tailscale Operator"]
gw --> svc["Service"]
ts --> svc
```

Every service picks one of two Ingress paths. Public services come in through the Gateway API, where Envoy Gateway terminates TLS and runs a Coraza WAF. Private ones reside on the Tailnet instead, reachable only from approved devices.
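The two paths side by side, as an added example and not manifests from the repository: a Gateway API listener on which Envoy terminates TLS with a cert-manager issued certificate and an HTTPRoute that attaches to it, beside a Service that the Tailscale Operator publishes on the Tailnet only. The `eg` GatewayClass name (Envoy Gateway's default), the `gateway` namespace, the `letsencrypt` ClusterIssuer, the hostname, the namespace label and the `public-app`/`private-app` names are assumptions. The Coraza WAF the text mentions is attached to Envoy Gateway separately and is not shown here.

```yaml
# Added example; not a manifest from the homelab-as-code repository.
# Public path: one HTTPS listener, TLS terminated at Envoy, routes accepted
# only from namespaces that carry an opt-in label.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: public
  namespace: gateway
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt   # assumed ClusterIssuer name
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: public-app.example.com
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: public-app-tls   # written by cert-manager for the hostname above
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: public
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: public-app
  namespace: public-app   # this namespace must carry gateway-access=public
spec:
  parentRefs:
    - name: public
      namespace: gateway
  hostnames:
    - public-app.example.com
  rules:
    - backendRefs:
        - name: public-app
          port: 8080
---
# Private path: no Gateway listener at all. The Tailscale Operator gives the
# Service a Tailnet address; who can reach it is decided by the tailnet ACLs,
# not by anything exposed on the public interface.
apiVersion: v1
kind: Service
metadata:
  name: private-app
  namespace: private-app
spec:
  type: LoadBalancer
  loadBalancerClass: tailscale
  selector:
    app: private-app
  ports:
    - port: 80
      targetPort: 8080
```

The namespace selector on the listener is the part worth keeping even in a homelab: without it, any HTTPRoute in the cluster can bind to the public hostname, so the decision "is this service public?" would be made by whoever writes the route rather than by the Gateway owner.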

## 🧰 The Stack

| Category | Tools |
| --- | --- |
| πŸ—οΈ Infrastructure as Code (IaC) | OpenTofu, Terragrunt, Ansible |
| πŸ–₯️ Hosts and Virtualization | Proxmox VE, TrueNAS, Talos Linux |
| πŸ” GitOps | Argo CD with ApplicationSets |
| 🌐 Networking | Cilium, CoreDNS, external-dns |
| πŸšͺ Ingress | Envoy Gateway (public), Tailscale Operator (private) |
| πŸ”‘ Certificates and Secrets | cert-manager, External Secrets Operator (Bitwarden Secrets Manager) |
| πŸͺͺ Identity | Kanidm with Kaniop |
| πŸ’Ύ Storage | Longhorn, CSI drivers for NFS and SMB |
| πŸ›’οΈ Databases | CloudNativePG, mariadb-operator |
| βš™οΈ Runner Toolchain | Task, talosctl, kubectl, Helm, Kustomize |

## 📂 What's in the Repo

| Path | Contents |
| --- | --- |
| [`ansible/`](ansible) | Proxmox VE setup and Kubernetes bootstrap playbooks |
| [`debian/`](debian) | Unattended Debian install (preseed) |
| [`Dockerfile`](Dockerfile) | The all-in-one runner image |
| [`kubernetes/`](kubernetes) | GitOps source of truth |
| [`.taskfiles/`](.taskfiles) | Task runner workflows |
| [`terragrunt/`](terragrunt) | Talos VM provisioning, with remote state in Cloudflare R2 |
| [`tofu/`](tofu) | OpenTofu bootstrap for the R2 state bucket |

## 📖 Read More

Tutorials, guides, reference material, and explanations are in the [docs](https://homelab.towerofkubes.com). Deep dives can be found at my [blog](https://www.towerofkubes.com/).