Homelab Kubernetes — cluster configuration and GitOps manifests for a single Talos cluster, managed via FluxCD against this repo.
| Directory | Status | Distribution | Notes |
|---|---|---|---|
| `cluster-talos/` | Active | Talos Linux + vanilla Kubernetes | Primary cluster; Cilium, Gateway API, ESO, Kasten, Longhorn |
`cluster-talos/` ships OpenTofu + talm configs under `tofu/` and `talos/` for day-0 and day-2 cluster management.
Reusable tooling extracted from this homelab lives in its own repository:
- `gpu-node-vsphere-maintenance-controller` — Kubernetes controller that safely handles ESXi maintenance-mode transitions for worker VMs using PCI passthrough.
- `kubernetes/bootstrap/` — Flux bootstrap and the `cluster-kustomizations.yaml` index of the six top-level Flux Kustomizations in the cluster.
- `kubernetes/infrastructure/` — cluster-wide controllers, operators, and ops tooling:
  - `infrastructure/flux-system/` — Flux Operator + FluxInstance + the `flux-repositories/` HelmRepository/OCIRepository/GitRepository sources consumed by HelmReleases and child Kustomizations.
  - `infrastructure/core/` — CNI, CRDs, storage drivers, cert-manager, ESO, etcd backup (everything the `platform` tier depends on).
  - `infrastructure/platform/` — higher-level platform components (monitoring, configs, external-dns, Cloudflare, Longhorn, Kasten, Spegel, Renovate, log forwarding).
- `kubernetes/apps/` — user-facing workloads, nested by category (`arr/`, `downloaders/`, `media/`, `tools/`); each app ships its own Flux `Kustomization` + `HelmRelease` + `HTTPRoute`/`TunnelBinding`.
- `kubernetes/forwarders/` — routing-only shims (external `Service` + `HTTPRoute` [+ `TunnelBinding`]) for off-cluster apps like Home Assistant and NZBGet.
PR-gated GitHub Actions workflows in `.github/workflows/`:

- flux-diff — runs `allenporter/flux-local/action/diff` on any PR touching `cluster-talos/kubernetes/**`; posts unified HelmRelease and Kustomization diffs as idempotent PR comments (one per resource type, edited in place on follow-up commits).
- renovate-validate — runs `renovate-config-validator --strict` on any PR touching `renovate.json`.
- lint — runs `yamlfmt -lint` on any PR touching `**/*.{yaml,yml}` (or the tooling configs), using the pinned toolchain from `.mise.toml`.
- build-images — matrix build for custom GHCR images under `cluster-talos/kubernetes/apps/tools/*/image/` (currently `netbox-plus` and `octodns`). Triggers on pushes to `main` that touch those paths; pushes `:latest` + `sha-<short>` to `ghcr.io/${{ github.repository_owner }}/<image>`. Consumers pin by digest so Renovate can auto-bump (see each app's `README.md`).
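Because consumers of the GHCR images are meant to pin by digest rather than follow `:latest` or a `sha-<short>` tag, the following added example (not part of this repo's tooling) classifies image references and flags any that still float, which is the check a CI job would run over app manifests. The sample references are constructed and `example-owner` is a placeholder.

```python
import re

# Constructed sample references in the forms the build-images workflow produces;
# "example-owner" is a placeholder, not the real repository owner.
SAMPLE_IMAGES = [
    "ghcr.io/example-owner/netbox-plus:sha-1a2b3c4@sha256:" + "ab" * 32,  # pinned
    "ghcr.io/example-owner/octodns:latest",                               # floating
    "ghcr.io/example-owner/octodns:sha-9f8e7d6",                          # tag only
    "docker.io/library/redis",                                             # implicit :latest
]

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def classify(ref: str) -> str:
    """Classify an OCI reference: 'digest', 'sha-tag', 'latest', 'untagged' or 'tag'."""
    if DIGEST_RE.search(ref):
        return "digest"
    # Only the last path component can carry a tag; this keeps a registry port
    # such as localhost:5000/app from being mistaken for one.
    last = ref.rsplit("/", 1)[-1]
    if ":" not in last:
        return "untagged"          # implicit :latest, floats
    tag = last.rsplit(":", 1)[1]
    if tag == "latest":
        return "latest"
    if tag.startswith("sha-"):
        return "sha-tag"           # the sha-<short> build tag, still not a digest
    return "tag"


def unpinned(refs):
    """Return the references that are not digest-pinned (what a CI check would reject)."""
    return [r for r in refs if classify(r) != "digest"]


def pin_by_digest(ref: str, digest: str) -> str:
    """Append a digest resolved out of band from the registry to a tag-only reference."""
    if classify(ref) == "digest":
        raise ValueError(f"already pinned: {ref}")
    if not re.fullmatch(r"sha256:[0-9a-f]{64}", digest):
        raise ValueError(f"malformed digest: {digest}")
    return f"{ref}@{digest}"


if __name__ == "__main__":
    for r in unpinned(SAMPLE_IMAGES):
        print(f"not digest-pinned ({classify(r)}): {r}")
```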
Local tooling (`.mise.toml`, `.yamlfmt`, `lefthook.yml`) mirrors CI; devs run `mise install && lefthook install` once per clone to enforce formatting pre-commit.
Individual tools under subdirectories declare their own licenses (e.g.
gpu-node-vsphere-maintenance-controller/LICENSE). The cluster
configuration itself is provided as-is; feel free to borrow ideas, but
treat credentials, hostnames, and secret references as homelab-specific.