[yamllint](https://git.mafyuh.dev/mafyuh/iac/actions?workflow=yamllint.yml) · [CD](https://git.mafyuh.dev/mafyuh/iac/actions?workflow=CD.yml) · [ansible-playbooks](https://git.mafyuh.dev/mafyuh/iac/actions?workflow=ansible-playbooks.yml) · [tofu](https://git.mafyuh.dev/mafyuh/iac/actions?workflow=tofu.yml) · [Renovate](https://git.mafyuh.dev/renovatebot/renovate/actions) · [Pull requests](https://git.mafyuh.dev/mafyuh/iac/pulls)

<div align="center">

# iac (wip)

This is my homelab infrastructure, defined in code.

</div>

---

<div align="center">

| Hypervisor | OS | Tools | Firewall | Misc. Automations |
|---|---|---|---|---|
| [Proxmox](https://www.proxmox.com) | [Debian](https://www.debian.org/), [Ubuntu (Noble)](https://releases.ubuntu.com/noble/) | [Forgejo](https://forgejo.org/), [Docker](https://www.docker.com/), [K3s](https://k3s.io/), [Renovate](https://github.com/renovatebot/renovate), [OpenTofu](https://opentofu.org/), [Packer](https://www.packer.io/), [Ansible](https://www.ansible.com/) | [pfSense](https://www.pfsense.org/) | [n8n](https://n8n.io/), [Forgejo Actions](https://forgejo.org/docs/latest/user/actions/) |

</div>

## 📖 **Overview**

This repository contains the IaC ([Infrastructure as Code](https://en.wikipedia.org/wiki/Infrastructure_as_code)) configuration for my homelab.

Most of my homelab runs on **Proxmox**, with VMs managed and maintained using [OpenTofu](https://opentofu.org/). All VMs are cloned from templates I created with [Packer](https://www.packer.io/).

All services are **containerized**, either managed with **Docker Compose** or **orchestrated with Kubernetes ([K3s](https://k3s.io/))**. Over time, I’ve been migrating everything to Kubernetes using **[GitOps](https://en.wikipedia.org/wiki/DevOps) practices**, which is my long-term goal.

To automate infrastructure updates, I use **Forgejo Actions**, which trigger workflows upon changes to this repo. This ensures seamless deployment and maintenance across my homelab:

- **[Flux](https://fluxcd.io/)** manages Continuous Deployment (CD) for Kubernetes, bootstrapped via [OpenTofu](https://git.mafyuh.dev/mafyuh/iac/src/branch/main/terraform/flux/main.tf).
- **[Docker CD Workflow](https://git.mafyuh.dev/mafyuh/iac/src/branch/main/.forgejo/workflows/CD.yml)** handles Continuous Deployment for Docker services.
- **[Renovate](https://github.com/renovatebot/renovate)** keeps services updated by opening PRs for new versions.
- **[Yamllint](https://github.com/adrienverge/yamllint)** ensures configuration files are properly structured.
- **[Ansible](https://github.com/ansible/ansible)** is used to execute playbooks on all of my VMs, automating management and configuration.

### 🔒 **Security & Networking**

For secret management I use [Bitwarden Secrets](https://bitwarden.com/products/secrets-manager/) and their various [integrations](https://bitwarden.com/help/ansible-integration/) into the tools used.

> Kubernetes is using SOPS with Age encryption until the migration over to Bitwarden Secrets is complete.

I use **Oracle Cloud** for their [Always-Free](https://www.oracle.com/cloud/free/) VMs and deploy Docker services that require uptime there (Uptime Kuma, this website). [Twingate](https://www.twingate.com/) is used to connect my home network to the various VPSs securely using a [Zero Trust architecture](https://en.wikipedia.org/wiki/Zero_trust_architecture).

I use **Cloudflare** as my DNS provider, with **Cloudflare Tunnels** to expose some of the services to the world. **Cloudflare Access** restricts access to some of the services. This is paired with **Fail2Ban**, which reads all my reverse proxy logs for malicious actors who made it through **Access** and bans them via the **Cloudflare WAF**.

For my home network I use **pfSense** with VLAN segmentation and strict firewall rules to isolate public-facing machines, ensuring they can only communicate with the necessary services and nothing else.

### **📊 Monitoring & Observability**

I use a combination of **Grafana, Loki, and Prometheus** with various exporters to collect and visualize system metrics, logs, and alerts.
This helps maintain visibility into my infrastructure and detect issues proactively.

- **Prometheus** – Metrics collection and alerting
- **Loki** – Centralized logging for containers and VMs
- **Grafana** – Dashboarding and visualization
- **Exporters** – Node Exporter, cAdvisor, Blackbox Exporter, etc.

## 🧑‍💻 **Getting Started**

This repo is not structured like a project you can easily replicate. If you are new to any of the tools used, though, I encourage you to read through the directories that make up each tool to see how I am using them. Over time I will try to add more detailed instructions in each directory's README.

Some good references for how I learned this stuff (other than RTM):

- [Kubernetes Cluster Setup](https://technotim.live/posts/k3s-etcd-ansible/)
- [Kubernetes + Flux](https://technotim.live/posts/flux-devops-gitops/)
- [Kubernetes Secrets with SOPS](https://technotim.live/posts/secret-encryption-sops/)
- [Packer with Proxmox](https://www.youtube.com/watch?v=1nf3WOEFq1Y)
- [Terraform with Proxmox](https://www.youtube.com/watch?v=dvyeoDBUtsU)
- [Docker](https://www.youtube.com/watch?v=eGz9DS-aIeY)
- [Ansible](https://www.youtube.com/watch?v=goclfp6a2IQ)

## 🖥️ **Hardware**

| Name | Device | CPU | RAM | Storage | GPU | Purpose |
|---|---|---|---|---|---|---|
| Arc-Ripper | Optiplex 3050 | Intel i5-6500 | 32 GB DDR4 | 1 TB NVMe | Arc A310 | Jellyfin Server, Blu-ray Ripper |
| PVE Node 1 | Custom | Intel i7-9700K | 64 GB DDR4 | NVMe for boot and VMs, 4x4 TB HDD RaidZ10 | Nvidia 1660 6 GB | Main node with most VMs, NAS |
| PVE Node 2 | Custom | Intel i7-8700K | 64 GB DDR4 | 1x2 TB NVMe | Nvidia 1060 6 GB | More VMs |

## 📌 **To-Do**

See the [Project Board](https://git.mafyuh.dev/mafyuh/iac/projects/2).
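As an added illustration of the Fail2Ban-to-Cloudflare-WAF chain described under Security & Networking (this is example code, not anything from the iac repo or from Fail2Ban itself): a windowed scan over constructed reverse-proxy log lines that bans repeat offenders by their real client IP. The log format, the `edge=`/`client=` field names and the sample addresses are all constructed for the example; the Cloudflare Rules-language `ip.src in {...}` syntax is assumed.

```python
# Added example (not code from the iac repo): Fail2Ban-style scan of
# reverse-proxy access logs, banning repeat offenders at the Cloudflare WAF.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: ISO timestamp, Cloudflare edge IP, real client IP
# (as the proxy would log it from the CF-Connecting-IP header), status, path.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) edge=(?P<edge>\S+) client=(?P<client>\S+) "
    r"status=(?P<status>\d{3}) path=(?P<path>\S+)$"
)

# Constructed sample lines. The edge IP is identical on every request: behind
# a Cloudflare Tunnel the TCP peer is always Cloudflare, so a jail keyed on
# that field would block all visitors instead of the offender.
SAMPLE_LOG = """\
2024-05-01T10:00:00 edge=172.70.1.1 client=198.51.100.7 status=401 path=/admin
2024-05-01T10:00:05 edge=172.70.1.1 client=198.51.100.7 status=401 path=/admin
2024-05-01T10:00:09 edge=172.70.1.1 client=198.51.100.7 status=403 path=/admin
2024-05-01T10:00:10 edge=172.70.1.1 client=203.0.113.9 status=200 path=/
2024-05-01T10:00:12 edge=172.70.1.1 client=203.0.113.9 status=404 path=/x
2024-05-01T10:20:00 edge=172.70.1.1 client=203.0.113.9 status=401 path=/admin
"""

FAIL_STATUSES = {401, 403}  # auth failures that count toward a ban

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {client_ip: failures} for IPs with >= maxretry failures within findtime."""
    windows = defaultdict(deque)  # per-IP timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or int(m["status"]) not in FAIL_STATUSES:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = windows[m["client"]]
        q.append(ts)
        while q and ts - q[0] > findtime:  # drop failures that aged out
            q.popleft()
        if len(q) >= maxretry:
            banned[m["client"]] = len(q)
    return banned

def waf_expression(ips):
    """Block-rule expression for the banned set (assumed Cloudflare Rules syntax)."""
    return "(ip.src in {" + " ".join(sorted(ips)) + "})"
```

Shrinking `findtime` shows why the window matters: the same three failures spread over more than the window never reach `maxretry`, so no rule is emitted.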