Latest commit: The wildcard-coldcat-net-tls secret lives in the system namespace but the excalidraw ingress is in the public namespace. Traefik can't read secrets across namespaces, so it fell back to its default self-signed cert. Switch to per-ingress cert-manager annotation like all other services.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
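As an added illustration of the failure the commit message above describes and the fix it applies (example manifests written for this page, not the repository's own Kubernetes resources): the first Ingress sits in the `public` namespace but names a TLS Secret that only exists in `system`; Kubernetes resolves `tls.secretName` in the Ingress's own namespace, so Traefik finds nothing and serves its built-in self-signed certificate. The second carries a `cert-manager.io/cluster-issuer` annotation, so cert-manager's ingress-shim issues a certificate into a Secret in `public`, next to the Ingress. The ClusterIssuer name `letsencrypt`, the ingress class `traefik-public`, the host `excalidraw.coldcat.net` and the backend Service name and port are assumptions; only the namespaces and the wildcard Secret name come from the commit message.

```yaml
# BROKEN (example, not the repo's manifest): Ingress in "public", Secret in
# "system". tls.secretName is looked up in the Ingress's namespace, so Traefik
# cannot load the wildcard cert and falls back to its default self-signed one.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: excalidraw
  namespace: public
spec:
  ingressClassName: traefik-public          # assumed ingress class name
  tls:
    - hosts:
        - excalidraw.coldcat.net             # assumed host
      secretName: wildcard-coldcat-net-tls   # exists in "system", not here
  rules:
    - host: excalidraw.coldcat.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: excalidraw             # assumed Service name and port
                port:
                  number: 80
---
# FIXED (example): cert-manager's ingress-shim sees the annotation, creates a
# Certificate in "public" and writes the issued key pair into the Secret named
# by tls.secretName. Secret and Ingress now share a namespace, so Traefik can
# read it. No cross-namespace secret access is required.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: excalidraw
  namespace: public
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt   # assumed ClusterIssuer name
spec:
  ingressClassName: traefik-public
  tls:
    - hosts:
        - excalidraw.coldcat.net
      secretName: excalidraw-coldcat-net-tls      # created by cert-manager in "public"
  rules:
    - host: excalidraw.coldcat.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: excalidraw
                port:
                  number: 80
```

To confirm the fix took, check that the Certificate reached Ready and the Secret exists in the Ingress's namespace (`kubectl -n public get certificate,secret`), then inspect what Traefik actually serves with `openssl s_client -connect excalidraw.coldcat.net:443 -servername excalidraw.coldcat.net </dev/null | openssl x509 -noout -subject -issuer`; a subject of `CN=TRAEFIK DEFAULT CERT` means the fallback is still in use.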
Homelab
GitOps-driven Kubernetes homelab on a Dell R730 running Proxmox VE.
Stack
- Proxmox VE — hypervisor
- TrueNAS — storage (4x10TB WD Red Pro, IOMMU passthrough)
- Talos Linux — immutable Kubernetes
- ArgoCD — GitOps controller
- Traefik — dual Kubernetes ingress (public + internal)
- MetalLB — bare-metal load balancer
- CloudNativePG — managed PostgreSQL
- Headscale — self-hosted mesh VPN (Tailscale-compatible)
Services
Public (*.coldcat.net): Nextcloud, Immich, Forgejo, Conduit (Matrix), Stalwart (email), Prosody (XMPP), Excalidraw
Internal (*.internal.coldcat.net): Home Assistant, Obsidian LiveSync, ArgoCD, Grafana, Prometheus, Uptime Kuma
Media: Jellyfin, Sonarr, Radarr, Prowlarr, Bazarr, qBittorrent (VPN via Gluetun)
Quick Start
- Provision VMs: `cd infrastructure/terraform && tofu apply`
- Bootstrap Talos: `talosctl gen config homelab https://10.10.10.20:6443`
- Bootstrap cluster: `./scripts/bootstrap.sh`
- ArgoCD syncs everything from `kubernetes/apps/`

`talosctl gen config` writes `controlplane.yaml`, `worker.yaml` and `talosconfig`, which contain the cluster's secrets and must stay out of the repository.
Structure
infrastructure/ Terraform, Talos, Ansible
kubernetes/ K8s manifests (ArgoCD apps, base resources)
tailscale/ Headscale ACL policies
scripts/ Helper scripts
.forgejo/ CI workflows