A GitOps-driven multi-site homelab managed by ArgoCD, bootstrapped via Terraform IaC and CI/CD to deploy a Talos Kubernetes cluster on Proxmox with Cilium CNI and a full OTel-based Prometheus/Loki monitoring stack.
Four Terraform layers, deployed sequentially via GitHub Actions. Each layer has its own S3-backed state and feeds outputs into the next.
| Layer | Scope | What it configures |
|---|---|---|
| 00-global | S3 state backend, shared config | AWS S3 bucket for Terraform state |
| 01-network | VLANs, firewall, DHCP, DNS | UniFi networks, Cloudflare DNS records |
| 02-infrastructure | VMs, Kubernetes bootstrap, storage | Proxmox VMs/LXCs, Talos Linux cluster |
| 03-services | Cluster platform bootstrapping (CNI, certs, ingress, secrets) | Helm releases, K8s resources, Cloudflare DNS |
| ArgoCD | Application workloads via GitOps | App of Apps pattern from this repo |
Push to main triggers an orchestrator workflow that detects which layers changed and runs them in order. PRs get a Terraform plan comment for review. Tailscale connects the GitHub runner to the homelab network.
Manages the entire Vieta site network through the UniFi controller API and Cloudflare. This includes VLANs, zone-based firewall policies, switch port profiles, static DHCP reservations with local DNS, and Cloudflare DNS records.
| VLAN | ID | Subnet | Purpose |
|---|---|---|---|
| Default | 10 | 10.10.10.0/24 | Consumer devices, IoT, mDNS enabled |
| Athena | 20 | 10.10.1.0/24 | Homelab infrastructure, network-isolated |
| Rule | From | To | Ports | Action |
|---|---|---|---|---|
| Service access | Internal (Default) | Athena | 22, 443, 445 | Allow |
| VPN gateway | Athena | External (10.0.3.2) | All | Allow |
| VPN lockout | Internal (Default) | External (10.0.3.2) | All | Block |
Inter-VLAN traffic is blocked by default (network isolation). Only SSH, HTTPS, and SMB are permitted from Default into Athena.
Cloudflare manages the lippok.dev zone. A wildcard and root A record are created in 03-services pointing to the Kubernetes Gateway LoadBalancer IP.
Provisions VMs and containers on a Proxmox host (Intel NUC) and bootstraps a Talos-based Kubernetes cluster. All IPs and MACs are sourced from 01-network via remote state.
- OS: Talos Linux -- immutable, API-driven, no SSH
- Image: Built via Talos Image Factory with the `qemu-guest-agent` extension
- CNI: Set to `none` at bootstrap (Cilium installed in `03-services`)
- kube-proxy: Disabled (Cilium takes over)
- KubePrism: Enabled on port 7445 for HA API server discovery
| Node Role | Count | Platform |
|---|---|---|
| Control plane | 1 | Proxmox VM |
| Workers (general) | 3 | Bare-metal (Athena VLAN) |
| Worker (database) | 1 | Proxmox VM, tainted dedicated=database:NoSchedule |
Debian 12 LXC container with dual storage (SSD for OS, HDD for data). Exports /srv/nfs/kubernetes to the cluster. Proxmox firewall defaults to DROP; only K8s nodes and the NUC are whitelisted via IP set.
Exports kubeconfig, talosconfig, cluster info, and NFS server details for the next layer.
Bootstraps all platform-level services that make the cluster operational. Reads state from both 01-network (LB CIDR) and 02-infrastructure (kubeconfig, NFS server). Everything here is a prerequisite for the application workloads managed by ArgoCD.
Replaces kube-proxy and acts as the cluster CNI.
| Feature | Status |
|---|---|
| kube-proxy replacement | Enabled |
| L2 Announcements | Enabled (all nodes) |
| Gateway API | Enabled (cilium gatewayClassName) |
| Hubble (observability) | Enabled with UI and relay |
| LoadBalancer IP Pool | Sourced from 01-network output |
A single Gateway resource handles all ingress with HTTP (80) and HTTPS (443) listeners. The HTTPS listener terminates TLS with a wildcard *.lippok.dev certificate. Services are exposed by creating HTTPRoute resources in their own namespaces.
- Issuer: Let's Encrypt (production ACME)
- Challenge: DNS-01 via Cloudflare API token
- Certificate: Wildcard `*.lippok.dev` + root, stored in the `gateway` namespace
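The single-Gateway layout described above, as an added illustration that is not taken from this repo: a Gateway in the `gateway` namespace with HTTP and HTTPS listeners, TLS terminated with the wildcard certificate Secret (name `wildcard-lippok-dev-tls` is assumed), and an HTTPRoute in an application namespace (`monitoring`, a Grafana Service on port 80, both assumed) attaching to it. `allowedRoutes` is what lets routes from other namespaces bind, so keep it deliberate rather than defaulting to `Same`.

```yaml
# Added example (not the repo's manifest). Assumed names: Secret
# wildcard-lippok-dev-tls, namespace monitoring, Service grafana:80.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main
  namespace: gateway
spec:
  gatewayClassName: cilium            # the Cilium GatewayClass from 03-services
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: All                   # every app namespace may attach an HTTPRoute
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate               # TLS ends at the Gateway, backends stay plain HTTP
        certificateRefs:
          - kind: Secret
            name: wildcard-lippok-dev-tls   # same namespace as the Gateway, so no ReferenceGrant needed
      allowedRoutes:
        namespaces:
          from: All
---
# A service exposes itself from its own namespace by pointing at the Gateway.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: grafana
  namespace: monitoring
spec:
  parentRefs:
    - name: main
      namespace: gateway
      sectionName: https              # bind only to the TLS listener
  hostnames:
    - grafana.lippok.dev              # matched by the *.lippok.dev cert and wildcard A record
  rules:
    - backendRefs:
        - name: grafana
          port: 80
```

Restricting `allowedRoutes.namespaces` with a `Selector` instead of `All` is the lever to use if only labelled namespaces should be able to publish hostnames under the wildcard.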
| Component | Details |
|---|---|
| CSI Driver | csi-driver-nfs |
| StorageClass | nfs-client (default), NFS 4.1 |
| NFS Server | IP and export path from 02-infrastructure outputs |
Planned migration (once the new NAS/TrueNAS is online): remove the temporary Proxmox database worker VM, NFS LXC, and
local-path-provisioner, then switch to Democratic CSI for dynamic ZFS-backed iSCSI/NFS provisioning and snapshots, with a new Talos database VM hosted on TrueNAS.
Manages secret distribution across namespaces.
- Backend (current): Kubernetes secrets in a dedicated `secret-store` namespace
- Backend (planned): HashiCorp Vault
- ClusterSecretStore reads from the temporary backend via a dedicated ServiceAccount + RBAC
Terraform seeds the initial secrets (Authentik, ArgoCD OIDC, Tailscale OAuth, CNPG superuser).
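The ClusterSecretStore wiring described above, as an added example that is not the repo's own manifest: a namespaced Role and RoleBinding that give a reader ServiceAccount (`eso-reader`, assumed to already exist in `secret-store`) only read access to Secrets in `secret-store`, a ClusterSecretStore using the External Secrets Kubernetes provider with that ServiceAccount, and one ExternalSecret that copies the ArgoCD OIDC client secret (Secret and key names assumed) into the `argocd` namespace.

```yaml
# Added example (not from the repo). Assumes ServiceAccount secret-store/eso-reader
# exists and a Secret named argocd-oidc with key clientSecret lives in secret-store.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eso-reader
  namespace: secret-store
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "watch"]      # read-only, and only inside secret-store
  - apiGroups: ["authorization.k8s.io"]
    resources: ["selfsubjectrulesreviews"]
    verbs: ["create"]                    # the provider checks its own permissions this way
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eso-reader
  namespace: secret-store
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: Role, name: eso-reader}
subjects:
  - {kind: ServiceAccount, name: eso-reader, namespace: secret-store}
---
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: secret-store
spec:
  provider:
    kubernetes:
      remoteNamespace: secret-store      # the only namespace this store can read from
      server:
        caProvider: {type: ConfigMap, name: kube-root-ca.crt, key: ca.crt, namespace: secret-store}
      auth:
        serviceAccount: {name: eso-reader, namespace: secret-store}
---
# Consumer side: an app namespace pulls one key into its own Secret.
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: argocd-oidc
  namespace: argocd
spec:
  refreshInterval: 1h
  secretStoreRef: {kind: ClusterSecretStore, name: secret-store}
  target: {name: argocd-oidc}
  data:
    - secretKey: clientSecret
      remoteRef: {key: argocd-oidc, property: clientSecret}
```

Because the Role is namespaced and `remoteNamespace` is pinned, a compromised consumer can only obtain what the store already exposes from `secret-store`, never arbitrary Secrets cluster-wide; swapping the `provider` block for Vault later leaves the ExternalSecret objects unchanged.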
Deployed via Helm in 03-services. All application workloads beyond the platform services are managed through ArgoCD's App of Apps pattern. A root Application watches the apps/ directory in this repo and automatically syncs each application definition to the cluster.