add README

Signed-off-by: gwg313 <gwg313@pm.me>
gwg313 2026-02-23 16:14:04 -05:00
parent 529cc6f29f
commit 9293a95a42
Signed by: gwg313
GPG key ID: 60FF63B4826B7400

README.md Normal file

@ -0,0 +1,88 @@
# Homelab Kubernetes GitOps Repository
This repository contains the Kubernetes manifests and Helm configurations used to operate my self-hosted infrastructure.
The cluster runs on **Talos OS** and is fully managed using **ArgoCD** with the App-of-Apps pattern.
---
## Overview
All infrastructure and applications are declaratively defined in this repository.
Core components:
- Talos OS (Kubernetes distribution)
- ArgoCD (GitOps controller)
- Sealed Secrets (encrypted secret management)
- cert-manager (certificate automation)
- Istio (Gateways for ingress and reverse proxy)
- MetalLB (bare-metal load balancing)
---
## Repository Structure
```
├── apps/
├── audiobookshelf/
├── bytestash/
├── cert-manager/
├── cluster-issuer/
├── focalboard/
├── forgejo/
├── harbor-config/
├── hedgedoc/
├── karakeep/
├── linkwarden/
├── metallb/
├── minio/
├── navidrome/
├── sealed-secrets/
├── security/
├── stirling-pdf/
├── woodpecker/
├── yopass/
└── root-app.yaml
```
Each application directory contains the manifests or Helm values required to deploy the service.
`root-app.yaml` bootstraps all applications via ArgoCD.
---
## GitOps Structure
- `root-app.yaml` defines the parent ArgoCD application.
- Child applications are defined under `apps/`.
- Infrastructure components and services are separated by directory.
- The repository represents the desired state of the cluster.
---
## Secrets Management
Secrets are managed using **Bitnami Sealed Secrets**.
- Plain Kubernetes Secrets are sealed using `kubeseal`.
- Only encrypted SealedSecret resources are committed to Git.
- The Sealed Secrets controller decrypts them inside the cluster.
No unencrypted secrets are stored in this repository.
---
## Networking
### Load Balancing
MetalLB provides external IP addresses for services in the bare-metal cluster.
### Ingress & Reverse Proxy
Istio Gateways are used to expose services externally and handle reverse proxy functionality.
### TLS
cert-manager manages certificate issuance and renewal using configured ClusterIssuers.
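Review bot: The tree in "Repository Structure" lists `audiobookshelf/` through `yopass/` as siblings of `apps/` rather than nested under it, which contradicts "Child applications are defined under `apps/`" in the GitOps Structure section; either indent the application directories under `apps/` (e.g. `├── apps/` followed by `│   ├── audiobookshelf/`) or reword the bullet so the two sections agree. The `security/` and `harbor-config/` directories also appear in the tree but are not mentioned anywhere else in the README (Harbor is absent from "Core components"); a one-line description of each would tell a reader which directory carries cluster-wide policy versus a single service. In "Secrets Management", the statement "No unencrypted secrets are stored in this repository" would be stronger alongside a note on how the Sealed Secrets controller's sealing key is backed up and rotated, since the committed SealedSecret resources can only be decrypted by that key and the repository alone cannot restore it.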