Latest commit: bbbb96bd6a "add tekton" by gwg313, 2026-05-19 00:26:05 -04:00 (Signed-off-by: gwg313 <gwg313@pm.me>)
Path                       Last commit                    Date
apps                       add tekton                     2026-05-19 00:26:05 -04:00
apps_bak                   update                         2026-05-17 14:29:03 -04:00
apps_temp                  update default deny            2026-05-17 00:05:02 -04:00
audiobookshelf             update default deny            2026-05-17 00:05:02 -04:00
bootstrap                  update                         2026-05-17 14:29:03 -04:00
bytestash                  update bytestash               2025-07-25 16:38:22 -04:00
cert-manager               squash all                     2025-07-03 08:02:33 -04:00
cluster-issuer             squash all                     2025-07-03 08:02:33 -04:00
focalboard                 add focalboard                 2026-01-05 15:42:08 -05:00
harbor-config              squash all                     2025-07-03 08:02:33 -04:00
hedgedoc                   update hedgedoc pull policy    2025-09-22 22:32:26 -04:00
infra                      add infra                      2026-05-16 14:11:31 -04:00
istio                      remove istio                   2026-05-14 15:28:21 -04:00
karakeep                   add karakeep                   2025-08-11 23:32:15 -04:00
kube-prometheus-stack      add kube-prometheus-stack      2026-05-12 23:05:51 -04:00
linkwarden                 update linkwarden              2025-08-02 15:33:19 -04:00
management/platform-apps   add tekton                     2026-05-19 00:26:05 -04:00
metallb                    squash all                     2025-07-03 08:02:33 -04:00
minio                      squash all                     2025-07-03 08:02:33 -04:00
platform                   add tekton                     2026-05-19 00:26:05 -04:00
sealed-secrets             squash all                     2025-07-03 08:02:33 -04:00
security                   initial commit                 2025-06-21 16:00:40 -04:00
stirling-pdf               add stirling-pdf               2026-01-06 13:50:05 -05:00
woodpecker                 add tekton                     2026-05-19 00:26:05 -04:00
.argocd-ignore             squash all                     2025-07-03 08:02:33 -04:00
.devenv.flake.nix          squash all                     2025-07-03 08:02:33 -04:00
.envrc                     initial commit                 2025-06-21 16:00:40 -04:00
.gitignore                 initial commit                 2025-06-21 16:00:40 -04:00
.gitleaks.toml             squash all                     2025-07-03 08:02:33 -04:00
.yamllint                  squash all                     2025-07-03 08:02:33 -04:00
devenv.lock                initial commit                 2025-06-21 16:00:40 -04:00
devenv.nix                 squash all                     2025-07-03 08:02:33 -04:00
README.md                  readme update                  2026-05-17 23:43:06 -04:00
root-app.yaml              squash me                      2026-05-15 16:56:17 -04:00

Homelab Kubernetes GitOps Repository

This repository is currently undergoing a major overhaul, so things may be a bit messy for a few days. It contains the Kubernetes manifests and Helm configurations used to operate my self-hosted infrastructure.

The cluster runs on Talos OS and is fully managed using ArgoCD with the App-of-Apps pattern.


Overview

All infrastructure and applications are declaratively defined in this repository.

Core components:

  • Talos OS (Kubernetes distribution)
  • ArgoCD (GitOps controller)
  • Sealed Secrets (encrypted secret management)
  • cert-manager (certificate automation)
  • Istio (Gateways for ingress and reverse proxy)
  • MetalLB (bare-metal load balancing)

Repository Structure

├── apps/
├── audiobookshelf/
├── bytestash/
├── cert-manager/
├── cluster-issuer/
├── focalboard/
├── forgejo/
├── harbor-config/
├── hedgedoc/
├── karakeep/
├── linkwarden/
├── metallb/
├── minio/
├── navidrome/
├── sealed-secrets/
├── security/
├── stirling-pdf/
├── woodpecker/
├── yopass/
└── root-app.yaml

Each application directory contains the manifests or Helm values required to deploy the service.

root-app.yaml bootstraps all applications via ArgoCD.


GitOps Structure

  • root-app.yaml defines the parent ArgoCD application.
  • Child applications are defined under apps/.
  • Infrastructure components and services are separated by directory.
  • The repository represents the desired state of the cluster.

Secrets Management

Secrets are managed using Bitnami Sealed Secrets.

  • Plain Kubernetes Secrets are sealed using kubeseal.
  • Only encrypted SealedSecret resources are committed to Git.
  • The Sealed Secrets controller decrypts them inside the cluster.

No unencrypted secrets are stored in this repository.
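One way to enforce the rule above before a commit lands, as an added example that is not part of this repository: a dependency-free scanner that walks multi-document Kubernetes YAML and flags any plain `kind: Secret` carrying `data:` or `stringData:`, while `kind: SealedSecret` with `encryptedData` passes. The manifests below are constructed sample input, and the line-based parsing (instead of a YAML library) is an assumption made so the check runs anywhere.

```python
import re

# Constructed sample: a sealed secret (allowed), a plain secret (violation)
# and a ConfigMap whose top-level data: must not trigger a false positive.
SAMPLE_MANIFESTS = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-creds
spec:
  encryptedData:
    password: AgB-constructed-ciphertext-placeholder
---
apiVersion: v1
kind: Secret
metadata:
  name: leaked-creds
stringData:
  password: constructed-plaintext
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: settings
data:
  LOG_LEVEL: info
"""

KIND_RE = re.compile(r"^kind:\s*(\S+)\s*$")
NAME_RE = re.compile(r"^\s*name:\s*(\S+)\s*$")
# Unindented keys that hold secret material in a plain Secret; the
# indented spec.encryptedData of a SealedSecret deliberately does not match.
PAYLOAD_RE = re.compile(r"^(data|stringData):\s*$")


def find_unsealed_secrets(text):
    """Return metadata.name of every plain Secret document that carries a payload."""
    violations = []
    for doc in text.split("\n---"):  # split on YAML document separators
        kind, name, has_payload = None, None, False
        for line in doc.splitlines():
            kind_match = KIND_RE.match(line)
            if kind_match:
                kind = kind_match.group(1)
            elif name is None and NAME_RE.match(line):
                name = NAME_RE.match(line).group(1)  # first name: is metadata.name
            elif PAYLOAD_RE.match(line):
                has_payload = True
        if kind == "Secret" and has_payload:
            violations.append(name or "<unnamed>")
    return violations


if __name__ == "__main__":
    print("unsealed secrets:", find_unsealed_secrets(SAMPLE_MANIFESTS))  # → ['leaked-creds']
```

Wired into a pre-commit hook over `apps/**/*.yaml`, a non-empty result fails the commit; it complements the `.gitleaks.toml` scan already in the repository rather than replacing it.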


Networking

Load Balancing

MetalLB provides external IP addresses for services in the bare-metal cluster.

Ingress & Reverse Proxy

Istio Gateways are used to expose services externally and handle reverse proxy functionality.

TLS

cert-manager manages certificate issuance and renewal using configured ClusterIssuers.