Mafyuh/iac

iac (wip)

This is my homelab infrastructure, defined in code.


| Hypervisor | OS | Tools | Networking | Misc. | Automations |
|---|---|---|---|---|---|
| Proxmox | Talos, Ubuntu, Arch | Docker, Kubernetes, Renovate, OpenTofu, Packer, Ansible, Flux | Unifi | n8n | Actions |

📖 Overview

This repository contains the IaC (Infrastructure as Code) configuration for my homelab.

Most of my homelab runs on Proxmox, with VMs managed and maintained using OpenTofu. All VMs are cloned from templates I created with Packer.

All services are containerized, either managed with Docker Compose or orchestrated with Kubernetes. Over time, I’ve been migrating everything to Kubernetes using GitOps practices, which is my long-term goal.

To automate infrastructure updates I use GitHub Actions, with workflows triggered by changes to this repo. This keeps deployment and maintenance across the homelab consistent:

  • Flux manages Continuous Deployment (CD) for Kubernetes, bootstrapped via OpenTofu.
  • Docker CD Workflow handles Continuous Deployment for Docker services.
  • Renovate keeps services updated by opening PRs for new versions.
  • super-linter ensures configuration files are properly structured.
  • Ansible executes playbooks on all of my VMs, automating management and configuration.

🔒 Security & Networking

For secret management I use Bitwarden Secrets and its integrations with the tools in use.

Kubernetes secrets are still encrypted with SOPS (age keys) until they are migrated to Bitwarden Secrets.

GitGuardian alerts me if I accidentally push a secret.
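A guard worth running in CI for the SOPS-encrypted manifests, covering the same failure GitGuardian watches for, is a check that refuses to let a Kubernetes Secret manifest through unless every data/stringData value is ciphertext and the rest of the object is still readable. The code below is an added example, not tooling from this repository. It assumes the common Flux layout in which `.sops.yaml` sets `encrypted_regex: ^(data|stringData)$`, so `sops -e` leaves apiVersion, kind and metadata in plaintext; the manifests it parses are constructed samples with dummy ciphertext, and the recipient key is a placeholder.

```python
"""Pre-commit guard for SOPS-encrypted Kubernetes Secret manifests.

Added example, not the repository's own tooling. Assumes the usual Flux layout:
`.sops.yaml` carries `encrypted_regex: ^(data|stringData)$`, so `sops -e`
rewrites only the values under data/stringData as ENC[AES256_GCM,...] and
leaves apiVersion/kind/metadata readable. The parser is line-oriented on
purpose: sops emits one `key: value` per Secret entry, so the stdlib is enough.
"""
import pathlib
import re
import sys

# Shape of a value sops has encrypted: base64 data/iv/tag, then the scalar type.
ENC_VALUE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]*,iv:[A-Za-z0-9+/=]+,tag:[A-Za-z0-9+/=]+,type:(str|int|float|bool)\]$"
)
KV_LINE = re.compile(r"^(?P<indent>\s*)(?P<key>[A-Za-z0-9_.\-/]+):\s*(?P<value>.*?)\s*$")
SECRET_SECTIONS = ("data", "stringData")


def find_plaintext_leaks(manifest):
    """Return offending entries as 'section/key'. Plaintext under data/stringData
    means the file was never encrypted; an ENC[...] apiVersion, kind or
    metadata field means everything was encrypted, which Flux's
    kustomize-controller does not support. An empty list means safe to commit."""
    leaks = []
    section = None  # top-level key we are currently inside
    saw_sops = False
    for line in manifest.splitlines():
        m = KV_LINE.match(line)
        if not m:
            continue  # list items, block scalars, blank lines
        indent, key, value = len(m["indent"]), m["key"], m["value"].strip("'\"")
        if indent == 0:
            section = key
            saw_sops = saw_sops or key == "sops"
            if key in ("apiVersion", "kind") and ENC_VALUE.match(value):
                leaks.append(f"{key}/encrypted")
            continue
        if section in SECRET_SECTIONS and not ENC_VALUE.match(value):
            leaks.append(f"{section}/{key}")
        elif section == "metadata" and ENC_VALUE.match(value):
            leaks.append(f"metadata/{key}/encrypted")
    if not saw_sops:
        leaks.append("sops/metadata-missing")
    return leaks


# Constructed samples: dummy base64 ciphertext and a placeholder age recipient.
ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
    namespace: default
type: Opaque
data:
    username: ENC[AES256_GCM,data:QUJDRA==,iv:MTIzNDU2Nzg=,tag:YWJjZGVmZ2g=,type:str]
    password: ENC[AES256_GCM,data:WFlaVw==,iv:ODc2NTQzMjE=,tag:aGdmZWRjYmE=,type:str]
sops:
    age:
        - recipient: age1qqqqexamplerecipient
    encrypted_regex: ^(data|stringData)$
    mac: ENC[AES256_GCM,data:ZHVtbXk=,iv:ZHVtbXk=,tag:ZHVtbXk=,type:str]
"""
PLAINTEXT = """\
apiVersion: v1
kind: Secret
metadata:
    name: db-credentials
stringData:
    password: hunter2
data:
    token: dG9rZW4=
"""
OVER_ENCRYPTED = """\
apiVersion: ENC[AES256_GCM,data:djE=,iv:MTIzNDU2Nzg=,tag:YWJjZGVmZ2g=,type:str]
kind: ENC[AES256_GCM,data:U2VjcmV0,iv:MTIzNDU2Nzg=,tag:YWJjZGVmZ2g=,type:str]
metadata:
    name: ENC[AES256_GCM,data:ZGI=,iv:MTIzNDU2Nzg=,tag:YWJjZGVmZ2g=,type:str]
data:
    password: ENC[AES256_GCM,data:WFlaVw==,iv:ODc2NTQzMjE=,tag:aGdmZWRjYmE=,type:str]
sops:
    age:
        - recipient: age1qqqqexamplerecipient
"""


def main(paths):
    """Exit non-zero if any manifest would commit plaintext or an unreadable object."""
    failed = False
    for p in paths:
        for leak in find_plaintext_leaks(pathlib.Path(p).read_text()):
            print(f"{p}: {leak}")
            failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python check_sops_secret.py path/to/secret.yaml` before pushing, or add it to the linting workflow. It flags both directions of misconfiguration: a plaintext value means the file never went through `sops -e`, while an encrypted `kind` or `metadata.name` means `encrypted_regex` was missing, which hides what object the file describes from reviewers and from kustomize patches.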

I use Oracle Cloud for its Always Free VMs and deploy the Docker services that need high uptime there. Twingate connects my home network to the various VPSs using a Zero Trust architecture.

I use Cloudflare as my DNS provider, with Cloudflare Tunnels exposing some services to the internet. Cloudflare Access provides Zero Trust authentication in front of the public websites; it is paired with Fail2Ban, which scans all my reverse proxy logs for malicious actors that made it through Access and bans them via the Cloudflare WAF.

I also use Unifi's IDS/IPS for intrusion detection on my home network, and Wazuh as a SIEM to monitor and generate security alerts across all my hosts.
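The Fail2Ban-to-WAF loop above, written out in Python as an added example (not the repository's own jail or action config): a sliding-window jail over reverse proxy log lines, and the Cloudflare IP Access Rule request a ban would send. Everything specific is assumed: the log format (nginx-style combined lines whose first field is the client address taken from `CF-Connecting-IP`, because behind a Cloudflare Tunnel `$remote_addr` is a Cloudflare edge address and banning it would block Cloudflare itself), the thresholds, the ignore list, the placeholder zone ID and token, and the sample lines, which are constructed rather than real traffic. The zone-level `firewall/access_rules/rules` endpoint is the IP Access Rules API that Fail2Ban's stock Cloudflare actions also target.

```python
"""Sliding-window jail over reverse proxy logs, plus the Cloudflare ban call.

Added example, not the repository's Fail2Ban configuration. Assumed
(hypothetical) log format: nginx-style combined lines whose first field is
the real client address from CF-Connecting-IP, not $remote_addr; behind a
Cloudflare Tunnel $remote_addr is a Cloudflare edge node and banning it would
block Cloudflare itself.
"""
import json
import re
import urllib.request
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \d+'
)
# Responses a real user rarely produces in bulk but scanners and credential
# stuffers produce constantly; 404 is included on purpose to catch probes for
# /.env, /wp-login.php and the like. Tune this set for your proxy.
FAIL_STATUSES = {401, 403, 404}
CF_API = "https://api.cloudflare.com/client/v4"


def find_offenders(log_text, maxretry=5, findtime=timedelta(minutes=10), ignore_networks=()):
    """Fail2Ban semantics: ban an IP once it has `maxretry` failing responses
    inside any `findtime` window. Returns {ip: timestamp_of_ban}."""
    ignored = [ip_network(n) for n in ignore_networks]
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or int(m["status"]) not in FAIL_STATUSES:
            continue
        ip = m["ip"]
        try:
            addr = ip_address(ip)
        except ValueError:
            continue  # header missing or garbage in the field: nothing to ban
        if ip in banned or any(addr in net for net in ignored):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


def ban_payload(ip, note="fail2ban: reverse proxy abuse"):
    """Body of a Cloudflare IP Access Rule that blocks `ip` for the whole zone."""
    return {"mode": "block", "configuration": {"target": "ip", "value": ip}, "notes": note}


def build_ban_request(zone_id, api_token, ip):
    """The (unsent) request an actionban would issue; pass it to urllib.request.urlopen."""
    return urllib.request.Request(
        f"{CF_API}/zones/{zone_id}/firewall/access_rules/rules",
        data=json.dumps(ban_payload(ip)).encode(),
        headers={"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"},
        method="POST",
    )


# Constructed sample log, not real traffic: 203.0.113.5 hammers protected paths,
# 198.51.100.7 is a normal visitor with one stray 403, 10.0.0.10 is an internal
# host on the ignore list, and 192.0.2.44 fails too slowly to trip the window.
SAMPLE_LOG = "\n".join(
    [
        '203.0.113.5 - - [06/Jan/2025:10:00:01 +0000] "GET /admin HTTP/1.1" 401 153',
        '203.0.113.5 - - [06/Jan/2025:10:00:03 +0000] "GET /.env HTTP/1.1" 404 153',
        '203.0.113.5 - - [06/Jan/2025:10:00:05 +0000] "POST /api/login HTTP/1.1" 403 21',
        '198.51.100.7 - - [06/Jan/2025:10:00:06 +0000] "GET / HTTP/1.1" 200 5120',
        '203.0.113.5 - - [06/Jan/2025:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 404 153',
        '198.51.100.7 - - [06/Jan/2025:10:00:08 +0000] "GET /secret HTTP/1.1" 403 21',
        '203.0.113.5 - - [06/Jan/2025:10:00:09 +0000] "GET /admin HTTP/1.1" 401 153',
    ]
    + [f'10.0.0.10 - - [06/Jan/2025:10:00:{15 + i:02d} +0000] "GET /admin HTTP/1.1" 401 153' for i in range(5)]
    + [f'192.0.2.44 - - [06/Jan/2025:{10 + (i * 15) // 60:02d}:{(i * 15) % 60:02d}:00 +0000] "GET /admin HTTP/1.1" 401 153' for i in range(5)]
)

if __name__ == "__main__":
    # "<zone-id>" and "<api-token>" are placeholders; real values come from Bitwarden Secrets or similar.
    for ip, when in find_offenders(SAMPLE_LOG, ignore_networks=["10.0.0.0/8"]).items():
        req = build_ban_request("<zone-id>", "<api-token>", ip)
        print(f"{when.isoformat()} ban {ip} -> {req.get_method()} {req.full_url}")
```

With the defaults only 203.0.113.5 is banned: the internal host is on the ignore list, the ordinary visitor has a single failure, and the slow scanner never accumulates five failures inside one ten-minute window. Sending the request needs an API token scoped to `Zone.Firewall Services` for that zone only, and the same token is what an `actionunban` would use to delete the rule once `bantime` expires.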

📊 Monitoring & Observability

I use a combination of Grafana, Loki, Alloy, and Prometheus with various exporters to collect and visualize system metrics, logs, and alerts. This helps maintain visibility into my infrastructure and detect issues proactively.

  • Prometheus – Metrics collection and alerting
  • Loki – Centralized logging for containers and VMs
  • Grafana – Dashboarding and visualization
  • Exporters – Alloy, Blackbox Exporter, Speedtest Exporter, etc.

πŸ§‘β€πŸ’» Getting Started

This repo is not structured like a project you can easily replicate, but if you are new to any of the tools used, I encourage you to read through each tool's directory to see how I use it.

Over time I will try to add more detailed instructions to each directory's README.

Some good references for how I learned this stuff (other than RTM)

🖥️ Hardware

Servers

| Name | Device | CPU | RAM | Storage | GPU | Purpose |
|---|---|---|---|---|---|---|
| Talos-1 | Optiplex 7040 Micro | Intel i5-6500T | 32GB DDR4 | 1×1TB SATA SSD, 128GB NVMe | Integrated | k8s control-plane |
| Talos-2 | Optiplex 7040 Micro | Intel i5-6500T | 32GB DDR4 | 1×1TB SATA SSD, 128GB NVMe | Integrated | k8s control-plane |
| Talos-3 | Optiplex 7040 Micro | Intel i5-6500T | 32GB DDR4 | 1×1TB SATA SSD, 128GB NVMe | Integrated | k8s control-plane |
| Arc-Ripper | Optiplex 3050 | Intel i5-6500 | 32GB DDR4 | 1TB NVMe | Arc A310 | Jellyfin Server, Blu-ray Ripper |
| PVE Node 1 | Custom | Intel i7-9700K | 64GB DDR4 | NVMe for boot and VMs, 4×4TB HDD (RaidZ10) | Nvidia 1660 6GB | Main node with most VMs, NAS |
| PVE Node 2 | Custom | Intel i7-8700K | 64GB DDR4 | 1×2TB NVMe | Nvidia 3080 10GB | More VMs |
| Pi | Raspberry Pi 4 | | 8GB | 1TB M.2 SATA SSD w/ USB HAT | n/a | Home Assistant Server |
| Proxmox Backup Server | Mini-PC | Intel N150 | 8GB | 2TB SATA | n/a | Backup of Proxmox VMs |

Personal

| Name | Device | CPU | RAM | Storage | GPU | Purpose |
|---|---|---|---|---|---|---|
| Gaming PC | Custom | Intel i7-13700K | 64GB DDR5 | 10TB NVMe | Nvidia RTX 5070 | Main Machine |
| Laptop | HP 15-eh1097nr | AMD Ryzen 7 5700U | 32GB DDR4 | 1TB NVMe | Integrated | On the go/bed machine |

Networking

| Name | Device | Purpose |
|---|---|---|
| Switch | Unifi Flex 2.5Gb PoE | Switch with PoE |
| Router | Unifi Dream Router 7 | Router/Firewall |
| AP | U7 Pro XG | AP |

📌 To-Do

See Project Board

About

IaC for my homelab - GitOps Driven
