A monorepo that collects the pieces needed to run my homelab Kubernetes cluster and services. It contains infrastructure, cluster manifests, helper scripts and small service projects. The repo is organized to keep infra, apps and bootstrap tooling together so a single place holds the canonical manifests and generation scripts.
- Monorepo: infra, Kubernetes manifests, bootstrap helpers and service code live together.
- Goal: reproducible, git-driven cluster configuration (Flux + sops) with a small Bootstrap helper to generate local TLS material and secrets.
- Primary features used: Cilium for networking, Gateway API driven by Envoy (envoy-gateway) for ingress & edge, and 1Password as the external secrets provider.
## Kubernetes manifests
- Path: `kubernetes/main/...`; apps and components are organized per-namespace and per-app.
- Flux- and GitOps-friendly YAML layout (Flux picks up manifests from the cluster repo).
## Networking: Cilium
- Cluster CNI: Cilium handles L3/L4 networking, policy and load-balancing.
## Ingress / edge: Gateway API + Envoy (envoy-gateway)
- Gateway resources live under `kubernetes/main/apps/networking/gateway/envoy/manifests`.
- Uses Gateway API (Gateway, HTTPRoute, Backend, BackendTLSPolicy, BackendTrafficPolicy, ClientTrafficPolicy) to explicitly configure client TLS and upstream TLS.
## Secrets & secrets provider
- ExternalSecrets configuration lives under `kubernetes/main/apps/kube-system/external-secrets/...`.
- A ClusterSecretStore is configured to use 1Password Connect as the secrets provider.
- The external-secrets operator pulls secrets from 1Password Connect.
- The ClusterSecretStore config points at the 1Password Connect server; file: `kubernetes/main/apps/kube-system/external-secrets/stores/secret-store.yaml`.
- Note: 1Password Connect credentials are stored as Kubernetes Secrets and referenced by the ClusterSecretStore.
- Two separate TLS problems commonly show up:
  - Client TLS (client → Gateway): configure the Gateway listener with `certificateRefs` pointing at a TLS Secret in the Gateway's namespace (e.g., `networking`).
  - Upstream TLS (Gateway/Envoy → backend): configure `Backend` and `BackendTLSPolicy` to instruct Envoy how to speak TLS to upstream services: trust/CA, SNI/hostname, min/max TLS versions. Secrets referenced for upstream trust must be accessible to the Gateway/controller namespace.
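The two halves of that TLS setup as an added example (these are not manifests from this repo): a Gateway listener terminating client TLS with a Secret in its own namespace, and an Envoy Gateway `Backend` plus a `BackendTLSPolicy` that pins the CA and hostname Envoy uses toward the upstream. All resource names, the `*.example.internal` hostnames and the `nas-ca` ConfigMap are hypothetical.

```yaml
# Client TLS: the HTTPS listener terminates TLS with a Secret in the Gateway's own namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: envoy
  namespace: networking
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: wildcard-tls   # kubernetes.io/tls Secret in "networking" (hypothetical)
---
# Upstream TLS, step 1: an Envoy Gateway Backend for a TLS service that is
# not a cluster Service (here an appliance reached by FQDN; hypothetical).
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: Backend
metadata:
  name: nas
  namespace: networking
spec:
  endpoints:
    - fqdn:
        hostname: nas.example.internal
        port: 5001
---
# Upstream TLS, step 2: how Envoy validates that backend. The CA bundle is a ConfigMap
# (key "ca.crt") in the policy's namespace; "hostname" is the SNI and the name checked.
apiVersion: gateway.networking.k8s.io/v1alpha3
kind: BackendTLSPolicy
metadata:
  name: nas-upstream-tls
  namespace: networking
spec:
  targetRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: nas
  validation:
    caCertificateRefs:
      - group: ""
        kind: ConfigMap
        name: nas-ca
    hostname: nas.example.internal
```

The `Backend` kind is an Envoy Gateway extension API and has to be enabled in the EnvoyGateway configuration before the controller accepts it. If the CA ConfigMap is missing or lives in another namespace, the policy is reported as not accepted and the route stays unserved rather than falling back to an unverified connection.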
- Bootstrap: `bootstrap/bootstrap.sh` (creates Flux secrets including the age key and GitHub credentials)
- Gateway (Envoy): `kubernetes/main/apps/networking/gateway/envoy/manifests/gateway.yaml`, `kubernetes/main/apps/networking/gateway/envoy/manifests/backend-policy.yaml`
- ExternalSecrets store: `kubernetes/main/apps/kube-system/external-secrets/stores/secret-store.yaml`
- Bootstrap Flux secrets: `bash bootstrap/bootstrap.sh`

| Device | Count | OS Disk Size | Data Disk Size | RAM | Operating System | Purpose |
|---|---|---|---|---|---|---|
| MS-01 | 3 | 250Gi NVMe | 1Ti U.2 NVMe | 64Gi | Talos | Kubernetes |
| Synology RS1221+ | 1 | 36Ti HDD / 2Ti NVMe | - | 4Gi | DSM 7 | NAS |
| UDM Pro Max | 1 | - | - | - | - | Router / Gateway |
| Unifi Core Switch XG-16 | 1 | - | - | - | - | Switch |
| Unifi Enterprise 24 PoE | 1 | - | - | - | - | Switch |
| Unifi Flex 2.5G PoE | 1 | - | - | - | - | Switch |
| Unifi Flex 2.5G Mini | 1 | - | - | - | - | Switch |
| Unifi PDU Pro | 1 | - | - | - | - | Power Delivery |
Thanks to all the people who donate their time to the Home Operations Discord community. Be sure to check out kubesearch.dev for ideas on how to deploy applications, or on what you might deploy next.
- onedr0p
- bernd-schorgers / bjw-s
- buroa
- joryirving
- home-operations
For all their hard work and dedication