Homelab as Code

Bare metal to a self-healing Kubernetes cluster, every layer as code. This is my homelab.

Built in five layers

Start at the hardware and add one layer at a time. Every layer is declared in code.

L0 Hardware Low-power x86 computers
L1 Debian Unattended install from a preseed
L2 Proxmox VE Type-1 hypervisor, configured with Ansible
L3 TrueNAS Storage VM serving files over NFS and SMB
L4 Talos + Kubernetes Immutable, API-driven nodes

One toolbox, nothing to install

Every layer is driven by a single container image, so there's no toolchain to set up locally. State lives in a Cloudflare R2 bucket; the cluster runs the rest.

The runner image

In-cluster operators

From a commit to a running app

The only step I run by hand is the commit. The rest happens on its own.

01 A commit lands on `main`

Renovate opens the PR, CI lints and validates the manifests, and after it merges the repo is the source of truth for the whole lab.

02 Argo CD notices it's OutOfSync

Argo CD watches the repo and compares what Git declares against what's actually running. The new commit means the cluster no longer matches Git.

03 An ApplicationSet expands the tree

An ApplicationSet turns the directory layout under kubernetes/cluster/active into Argo CD applications. Add a folder, get an app.

04 Helm + Kustomize render the manifests

Kustomize renders the charts with --enable-helm and hands Argo CD the exact objects to apply.

05 Secrets come from outside Git

The External Secrets Operator pulls values from Bitwarden Secrets Manager when the objects apply. One bootstrap token unlocks the rest, so no secret ever lands in Git.

06 Synced and healthy

Argo CD applies the changes, prunes anything no longer in Git, and reports Synced and Healthy. The cluster matches the commit now, and it stays that way.