This repository contains the Infrastructure as Code (IaC) configuration for my homelab. The environment is powered by a combination of Docker-based virtual machines and Kubernetes, with a strong emphasis on adhering to GitOps principles.
To ensure a well-organized and efficient setup, I leverage a combination of YAML manifests and Helm charts, orchestrated through Argo CD for streamlined and automated deployments.
I also plan to document my journey and share insights on my GitHub, showcasing the lessons learned and innovations achieved throughout this project.
For newcomers to Kubernetes, I have adapted an existing shell script to streamline the Bootstrapping of k3s with Cilium. This provides a simple and efficient starting point for setting up a lightweight Kubernetes cluster.
In this repository, I have also implemented a robust DevSecOps pipeline to enhance the security and reliability of the homelab infrastructure. This pipeline integrates Trufflehog for secret scanning and Checkov for Infrastructure as Code (IaC) security analysis, ensuring adherence to best practices and safeguarding sensitive data.
-
Argo CD: A declarative, GitOps-based continuous delivery tool for Kubernetes.
-
Cilium: A cutting-edge networking, observability, and security solution powered by eBPF.
-
Teleport: An identity-aware proxy that simplifies and secures access to servers, databases, Kubernetes clusters, and more.
-
Terraform: An open-source infrastructure-as-code tool for automating infrastructure deployment.
-
Sealed-secrets: Securely encrypt Kubernetes secrets for safe storage, even in public repositories.
-
Proxmox: A robust type-1 hypervisor enabling efficient orchestration of virtualized environments.
-
Adguard: A local DNS and ad-blocking solution designed to enhance privacy and security.
-
Traefik: A cloud-native reverse proxy ensuring secure and efficient access to homelab services.
-
Cert-manager: An automated certificate management solution for secure communication within and outside Kubernetes clusters.
-
Kube-prometheus-stack: A comprehensive monitoring stack that includes Prometheus, Grafana, and Node Exporter for detailed metrics and performance insights.
-
Loki & Alloy: A powerful log aggregation stack offering deep insights into system states and events.
-
Tetragon: A runtime security tool leveraging eBPF for advanced system protection and monitoring.
-
Homepage: A modern, fully static, fast, secure fully proxied, highly customizable application dashboard with integrations for over 100 services.
-
DIUN: A tool for proactive patch management and image update notifications in containerized environments.
-
Tailscale: A modern VPN built on WireGuard, enabling seamless connectivity between on-premises resources and cloud environments.
-
Wazuh: An open-source, feature-rich SIEM and XDR solution for comprehensive security monitoring and threat detection.
-
Jenkins: A leading open-source automation server for building, testing, and deploying applications.
-
Kyverno: A policy engine for Kubernetes that enables dynamic policy management and governance.
-
Cilium Gateway API: A flexible, extensible API for defining routing and load-balancing configurations in Kubernetes.
-
N8n: A powerful workflow automation tool for connecting applications and services seamlessly.
-
NGX-paperless: A document management system for digitizing and organizing paperwork efficiently.
-
Portainer: A simple and elegant container management solution for Docker, Kubernetes, and other container platforms.
-
Keycloak: An open-source identity and access management solution providing single sign-on (SSO), identity brokering, and user federation for securing modern applications and services.
-
Minio: A high-performance, distributed object storage system compatible with the Amazon S3 API, ideal for scalable cloud-native storage solutions.
-
SPIRE: A production-grade implementation of the SPIFFE standard for workload identity, enabling secure service-to-service authentication in distributed systems.
Infrastructure: Terraform configurations for provisioning and managing core infrastructure components.Docker: Docker Compose files for orchestrating various homelab services.K8s: Helm charts and YAML manifests for Kubernetes resource definitions and management.
| Name | Device | CPU | RAM | Storage | Location |
|---|---|---|---|---|---|
| Pve-main | Morefine S600 | Ryzen 9 | 64 GB DDR5 | 1 TiB SSD | 192.168.0.189 |
| Intel-node | HP Mini G3-800 | Intel Core i5 | 32 GB DDR4 | 1 TiB SSD | 192.168.0.59 |
| Docker-vm | VM | AMD | 32 GB | 0.4 TiB SSD | 192.168.0.32 |
| OKE-node-01 | VM | ARM | 12 GB | 50GB | Oracle Cloud |
| OKE-node-02 | VM | ARM | 12 GB | 50GB | Oracle Cloud |
| Storage-01 | VM | Intel | 1 GB | 50GB | Oracle Cloud |
| Teleport | VM | Intel | 1 GB | 50GB | Oracle Cloud |
- Deploy External Secrets Operator (ESO): Implement ESO for centralized and secure secrets management within the Kubernetes ecosystem.
- Deploy Harbor: Set up Harbor as a self-hosted container registry to manage and secure container images.
- Configure Tailscale Router Node: Establish a Tailscale router node to enable Jenkins, hosted in Oracle Kubernetes Engine, to manage homelab services within the LAN.
- Redeploy Keycloak: Migrate Keycloak to leverage an external PostgreSQL database for enhanced scalability and reliability.
- Integrate Object Storage: Add an object storage-backed storage class to Kubernetes to enable dynamic Persistent Volume (PV) provisioning.
- Deploy Pi-hole: Configure Pi-hole as a backup DNS server to enhance network resilience and redundancy.