A self-hosted, GitOps-driven Kubernetes cluster built on Talos Linux, focused on reliability, observability, and clean automation.
This repository contains the full GitOps-managed configuration for my personal Kubernetes cluster. The cluster runs on Talos Linux and is fully declarative: every component, application, and configuration is defined in Git and continuously reconciled using FluxCD.
Key goals of this setup:
- 🔁 Reproducibility – rebuild the entire cluster from Git
- 🔒 Immutability & Security – minimal OS, no SSH, API-driven management
- 📈 Observability – metrics, alerts, and public status visibility
- 🤖 Automation-first – updates, deployments, and testing without manual intervention
- Immutable, minimal OS reduces attack surface
- No SSH or package manager
- Fully API-driven, ideal for GitOps-based Kubernetes clusters
- Continuous reconciliation instead of one-shot deployments
- Native Kubernetes integration
- Works seamlessly with SOPS for encrypted secrets
- Simplifies operations and reduces complexity
- Ideal for homelab and learning environments
- Focuses on reproducibility rather than high availability
This cluster assumes a simple and reliable home network environment.
- The Talos VM relies on the Fritzbox router for primary network connectivity
- No advanced routing, BGP, or multi-homing is assumed
- Networking is optimized for simplicity and stability rather than redundancy
- External access is handled via managed ingress and tunnels where required
| Component | Description |
|---|---|
| Kubernetes | Container orchestration platform for running and managing workloads |
| Talos Linux | Immutable, API-driven Linux distribution purpose-built for Kubernetes |
| FluxCD | GitOps operator used for continuous reconciliation of cluster state |
| Mend Renovate | Automatically tracks and updates container images and dependencies |
| GitHub Actions | CI pipelines for validation, linting, and testing of cluster configs |
| SOPS | Encryption of all secrets and credentials stored in Git, integrated with FluxCD |
| Clustertool | Bootstrap tool from TrueForge used to build the basic cluster structure and setup |
```
clusters/
└── main/
    ├── components/   # Common components applied to multiple parts of the cluster
    ├── kubernetes/   # Applications and Kubernetes workloads
    └── talos/        # Talos Linux machine and cluster configuration
repositories/
├── entries/          # Repository entry definitions
├── git/              # Flux GitRepository sources
├── helm/             # Flux HelmRepository sources
└── oci/              # Flux OCIRepository sources
```
All secrets and credentials are stored in this repository encrypted with SOPS.
- Secrets are committed to Git in encrypted form
- Decryption happens inside the cluster via FluxCD
- Decryption keys are managed externally and are never stored in Git
- This enables full GitOps workflows without exposing sensitive data
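The GitHub Actions pipelines validate the cluster configs; one guard worth running there is a check that refuses any Kubernetes Secret manifest whose values are not SOPS-encrypted, so a plaintext credential cannot slip into Git. The following is an added example, not code from this repository; the two sample manifests and their `ENC[...]` payloads are constructed placeholders, not real SOPS output.

```python
import re
# Value form SOPS writes for every encrypted leaf of a YAML file.
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^,\]]+,iv:[^,\]]+,tag:[^,\]]+,"
                       r"type:(?:str|int|float|bool|comment)\]$")

def find_plaintext_secrets(manifest: str) -> list[str]:
    """One finding per Secret value under data:/stringData: that is not
    SOPS-encrypted, plus one if a Secret lacks the top-level sops: block.
    Line-based on purpose (no PyYAML): block-style, indented keys only."""
    findings: list[str] = []
    for n, doc in enumerate(re.split(r"^---[ \t]*$", manifest, flags=re.M)):
        lines = doc.splitlines()
        if not any(re.match(r"^kind:\s*Secret\s*$", ln) for ln in lines):
            continue  # only Secret documents are in scope
        if not any(re.match(r"^sops:\s*$", ln) for ln in lines):
            findings.append(f"doc{n}: missing top-level 'sops' metadata block")
        section = None
        for ln in lines:
            head = re.match(r"^(data|stringData):\s*$", ln)
            if head:
                section = head.group(1)
                continue
            if section and re.match(r"^\S", ln):
                section = None  # back at column 0: left the data block
            kv = re.match(r"^\s+([^:\s]+):\s*(.*?)\s*$", ln) if section else None
            if kv and not ENC_VALUE.match(kv.group(2).strip("\"'")):
                findings.append(f"doc{n}/{section}/{kv.group(1)}: plaintext value")
    return findings

# Constructed sample manifests; the ENC[...] payloads are placeholders, not real SOPS output.
ENCRYPTED_SECRET = """\
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-tunnel
stringData:
  token: ENC[AES256_GCM,data:cGxhY2Vob2xkZXI=,iv:aXY=,tag:dGFn,type:str]
sops:
  mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
"""
PLAINTEXT_SECRET = """\
apiVersion: v1
kind: ConfigMap
data:
  log-level: info
---
apiVersion: v1
kind: Secret
stringData:
  password: hunter2
"""
```

Run it over every file under `clusters/` before `flux` reconciles; a non-empty result should fail the job.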
| Service | Usage |
|---|---|
| Cloudflare | DNS management, tunnels, and S3-compatible object storage |
| GitHub | Source control, CI, and GitOps reconciliation source |

| Component | Specification |
|---|---|
| CPU | AMD Ryzen 7 5700G |
| RAM | 64 GB DDR4 @ 3200 MHz |
| SAS Controller | LSI SAS 9300-16i |
| Boot Drive | 1× Crucial P310 500 GB NVMe |
| Metadata VDEV | 2× Samsung 870 EVO 1 TB (Mirror) |
| Data VDEV | 6× Seagate Exos X24 16 TB HDD |
| Remote Management | NanoKVM PCIe Edition |

| Component | Specification |
|---|---|
| CPU | AMD Ryzen 9 9950X |
| RAM | 128 GB DDR5 @ 5600 MHz |
| Storage | 2 TB Crucial P3 Plus NVMe |
| GPU | Sparkle Intel Arc A770 (16 GB) |
| Remote Management | NanoKVM PCIe Edition |
- 📈 Metrics & Dashboards via Prometheus-compatible tooling
- 🚨 Alerting with Alertmanager
- 🌍 Public Status Page for service and connectivity visibility
- 🧮 Cluster Statistics exposed via Kromgo and Shields.io
This cluster is heavily inspired by and built upon the excellent work of:
- TrueForge – https://trueforge.org/
- Home Operations – https://github.com/home-operations
Their open-source contributions and documentation made this setup possible.
⚠️ Note: This repository is public for transparency and learning purposes. Secrets and credentials are stored in Git in encrypted form using SOPS. Decryption keys are managed externally and are not committed to the repository, so sensitive values remain protected.
🧪 This cluster is used as a learning, testing, and long-running homelab environment.
Configurations may evolve as new Kubernetes, Talos, or GitOps features are evaluated.