Homelab
GitOps-driven K3S running self-hosted services
The infrastructure uses Infrastructure-as-Code principles with Ansible for bare-metal provisioning and ArgoCD for continuous deployment, enabling reproducible, version-controlled infrastructure management.
The entire stack—from OS-level security hardening to application deployments—is managed through declarative configuration files. Changes flow through git commits that trigger automated validation pipelines and ArgoCD synchronization, ensuring the cluster state always matches the repository.
Technical Architecture
Kubernetes Platform (K3s)
The cluster runs K3s v1.30.2, a lightweight Kubernetes distribution optimized for edge and single-node deployments. Configuration includes custom TLS SANs for remote API access, disabled bundled Traefik (replaced with a custom deployment), and local-path storage for persistent volumes.
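The K3s server settings described above map onto a small `/etc/rancher/k3s/config.yaml`. This is an added illustration, not the repository's actual file; the hostname and tailnet address in the SAN list are assumed placeholders.

```yaml
# /etc/rancher/k3s/config.yaml (added example; the project's real file is not shown on this page)
# Extra SANs so the API server certificate is valid when kubectl reaches it
# over Tailscale or by DNS name rather than the node's primary IP.
tls-san:
  - "k3s.example.internal"   # assumed DNS name used in the remote kubeconfig
  - "100.64.0.10"            # assumed tailnet address of the node
# Drop the packaged Traefik so the custom Traefik deployment owns ports 80/443.
disable:
  - traefik
# Keep the generated kubeconfig readable only by root; copy it out for the admin user.
write-kubeconfig-mode: "0600"
```

After a restart, confirm the SANs actually landed in the serving certificate with `openssl s_client -connect <node>:6443 </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName`; a name missing from that list produces a TLS error in kubectl rather than an obvious K3s log line. The local-path provisioner is enabled by default in K3s, so it needs no entry here.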
GitOps Deployment (ArgoCD)
ArgoCD implements an app-of-apps pattern for hierarchical deployment management:
- Root Application: Syncs infrastructure components (Traefik, cert-manager, monitoring)
- ApplicationSet: Dynamically creates Applications for each service in kubernetes/apps/
- Kustomize: Provides layered configuration with base manifests and environment overlays
- Auto-sync: Enabled with pruning and self-heal for drift detection
All changes to the cluster must pass through git, eliminating manual kubectl apply operations and ensuring full audit trails.
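The app-of-apps layering above, written out as an ArgoCD root Application plus the ApplicationSet that fans out over `kubernetes/apps/`. This is an added example rather than the project's manifests; the repository URL and the `kubernetes/infrastructure` path are assumed.

```yaml
# Root Application (added example): syncs the infrastructure layer and, through
# it, the ApplicationSet below. repoURL and path are assumed placeholders.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://gitlab.com/example/homelab.git   # assumed
    targetRevision: main
    path: kubernetes/infrastructure                   # assumed: Traefik, cert-manager, monitoring
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true      # resources deleted from git are deleted from the cluster
      selfHeal: true   # out-of-band kubectl edits are reverted to the git state
    syncOptions:
      - CreateNamespace=true
---
# ApplicationSet (added example): one Application per directory in kubernetes/apps/,
# each deployed into a namespace named after the directory.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: apps
  namespace: argocd
spec:
  generators:
    - git:
        repoURL: https://gitlab.com/example/homelab.git   # assumed
        revision: main
        directories:
          - path: kubernetes/apps/*
  template:
    metadata:
      name: '{{path.basename}}'
    spec:
      project: default
      source:
        repoURL: https://gitlab.com/example/homelab.git   # assumed
        targetRevision: main
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
```

The combination of `prune` and `selfHeal` is what makes the "git is the only write path" claim enforceable rather than aspirational: scale a deployment by hand with `kubectl -n n8n scale deploy/n8n --replicas=0` and ArgoCD restores the replica count from the manifest, and the change shows up in `argocd app history` with the sync that reverted it. Note that `prune: true` also means a directory removed from `kubernetes/apps/` takes its namespace's workloads with it on the next sync.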
CI/CD Pipeline (GitLab CI)
A three-stage pipeline validates every merge request:
| Stage | Checks |
|---|---|
| Lint | Ansible playbook linting, README validation |
| Validate | Kustomize build verification, kubeval schema validation |
| Security | detect-secrets scanning, SOPS encryption verification |
Renovate bot automates dependency updates with staged rollout policies—patch updates auto-merge after 7 days, while major updates require monthly review.
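A `.gitlab-ci.yml` matching the three stages in the table. This is an added example, not the project's pipeline: the container images, the `ansible/playbooks/` directory and the `.secrets.baseline` file name are assumptions, and the SOPS check uses the public `sops` envelope fields (`age[].recipient`, `mac`) that every SOPS-encrypted file carries.

```yaml
# .gitlab-ci.yml (added example, not the repository's own pipeline)
stages: [lint, validate, security]

ansible-lint:
  stage: lint
  image: python:3.12-slim
  script:
    - pip install --quiet ansible-lint
    - ansible-lint ansible/playbooks/          # assumed playbook directory

kustomize-build:
  stage: validate
  image: alpine/k8s:1.30.2                     # assumed image: ships kubectl + kustomize
  script:
    - mkdir -p build
    - |
      # Render every app overlay; a broken patch or missing resource fails here.
      for app in kubernetes/apps/*/; do
        kustomize build "$app" > "build/$(basename "$app").yaml"
      done
  artifacts:
    paths: [build/]

kubeval:
  stage: validate
  image:
    name: garethr/kubeval:latest               # assumed image; entrypoint cleared for CI
    entrypoint: [""]
  needs: [kustomize-build]
  script:
    # --strict rejects unknown fields (typos in manifests); CRDs have no schema, so skip them.
    - kubeval --strict --ignore-missing-schemas build/*.yaml

detect-secrets:
  stage: security
  image: python:3.12-slim
  script:
    - pip install --quiet detect-secrets
    # Exits non-zero if any tracked file contains a secret not already in the baseline.
    - detect-secrets-hook --baseline .secrets.baseline $(git ls-files)

sops-envelope-check:
  stage: security
  image: alpine:3.20
  script:
    - apk add --no-cache yq
    - |
      # Every *.sops.yaml under a secrets/ directory must be a SOPS envelope:
      # a top-level "sops" key with at least one age recipient and a MAC.
      # A plaintext Secret accidentally committed under that name fails this check.
      status=0
      for f in $(find . -path '*/secrets/*' -name '*.sops.yaml'); do
        if ! yq -e '.sops.age[0].recipient and .sops.mac' "$f" >/dev/null 2>&1; then
          echo "NOT SOPS-ENCRYPTED OR MALFORMED: $f"
          status=1
        fi
      done
      exit $status
```

Two points worth keeping in mind when adapting this. The envelope check needs no private key, so the CI runner never sees the Age identity; it only proves the file is in encrypted form, not that it decrypts to something sensible. The `kustomize build` job, by contrast, will fail on any directory that uses a KSOPS generator unless the runner has the ksops plugin and a key it can decrypt with, so in practice the build stage either carries a CI-only Age key or validates the overlays without their secret generators.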
Ingress & TLS (Traefik + cert-manager)
Traefik serves as the ingress controller with TLS termination via cert-manager. Certificate issuance uses Let's Encrypt DNS-01 challenges through Cloudflare API tokens, enabling wildcard certificates for *.nihalxkumar.dev without exposing HTTP-01 challenge endpoints. A custom tailscale-only middleware restricts internal services to the Tailscale tailnet CIDR (100.64.0.0/10), while the public dashboard uses standard TLS with Let's Encrypt certificates.
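The pieces of that ingress path as Kubernetes objects: a `tailscale-only` middleware, the DNS-01 ClusterIssuer, the wildcard Certificate wired in as Traefik's default certificate, and an IngressRoute using the middleware. This is an added example, not the project's manifests; the contact e-mail, the `n8n` hostname and port, the secret names and the Traefik namespace are assumed. The middleware is written in Traefik v3 form (`ipAllowList`; v2 spells it `ipWhiteList`).

```yaml
# Middleware (added example): only peers whose TCP source address is in the tailnet
# CGNAT range get through. With no ipStrategy set, Traefik uses the real peer address
# and ignores X-Forwarded-For, so a client cannot spoof its way onto the allow-list.
# Traffic arriving via cloudflared comes from localhost and is therefore rejected.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: tailscale-only
  namespace: traefik
spec:
  ipAllowList:
    sourceRange:
      - 100.64.0.0/10
---
# ClusterIssuer (added example): DNS-01 via Cloudflare. The token only needs
# Zone:Read and DNS:Edit on the one zone; nothing listens for HTTP-01.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@nihalxkumar.dev            # assumed contact address
    privateKeySecretRef:
      name: letsencrypt-dns-account
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token     # assumed: a SOPS-managed Secret in cert-manager ns
              key: api-token
---
# Wildcard Certificate (added example) plus the TLSStore that makes it Traefik's default,
# so IngressRoutes in any namespace can use it with an empty tls: {} block.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-nihalxkumar-dev
  namespace: traefik
spec:
  secretName: wildcard-nihalxkumar-dev-tls
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  dnsNames:
    - nihalxkumar.dev
    - "*.nihalxkumar.dev"
---
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: traefik
spec:
  defaultCertificate:
    secretName: wildcard-nihalxkumar-dev-tls
---
# IngressRoute (added example) for a tailnet-only service. The cross-namespace
# middleware reference requires --providers.kubernetescrd.allowCrossNamespace=true.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: n8n
  namespace: n8n
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`n8n.nihalxkumar.dev`)    # assumed hostname
      kind: Rule
      middlewares:
        - name: tailscale-only
          namespace: traefik
      services:
        - name: n8n
          port: 5678                         # assumed service port
  tls: {}
```

The check a practitioner wants here is a negative one: from a machine that is not on the tailnet, `curl -sk https://n8n.nihalxkumar.dev` must return a 403 from Traefik, and from a tailnet device it must reach the app. If the allow-list is ever moved behind another proxy and `ipStrategy.depth` is added, that proxy has to be the only thing able to set `X-Forwarded-For`, or the middleware becomes trivially bypassable.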
Network Security (Tailscale + UFW)
A multi-layered security approach:
- VPN Access: Tailscale operator enables MagicDNS for secure service exposure via tailnet
- Firewall: UFW rules configured via Ansible—default deny incoming, explicit allow for K3s API (6443), HTTP/HTTPS, pod/service CIDRs (10.42.0.0/16, 10.43.0.0/16), and VXLAN overlay (8472/udp)
- SSH Hardening: Root login disabled, password authentication disabled, key-only access via Tailscale interface
- Network Policies: Kubernetes-native segmentation (e.g., n8n only accepts traffic from the traefik, tailscale, and monitoring namespaces)
External traffic flows through Cloudflare Tunnel → localhost:443 → Traefik → services, providing DDoS protection and WAF without exposing the VPS IP.
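The n8n segmentation rule described above, as a default-deny policy plus an explicit ingress allow. This is an added example, not a manifest from the repository; the pod label and port are assumed, and the namespace names come from the description.

```yaml
# Default deny (added example): with an empty podSelector this selects every pod
# in the n8n namespace and, because only Ingress is listed, blocks all inbound
# traffic that no other policy allows. Egress is left unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: n8n
spec:
  podSelector: {}
  policyTypes: [Ingress]
---
# Allow list (added example): Traefik (ingress), the Tailscale operator proxies
# and the monitoring namespace (PodMonitor scrapes) may reach the n8n port.
# kubernetes.io/metadata.name is set automatically on every namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: n8n-allow-ingress
  namespace: n8n
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: n8n          # assumed pod label
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: tailscale
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - protocol: TCP
          port: 5678                       # assumed n8n service port
```

A NetworkPolicy object is only as good as the controller enforcing it; K3s ships its own network policy controller enabled by default, so this works on the stock CNI, but it is still worth proving. `kubectl run -n default --rm -it probe --image=curlimages/curl -- curl -m 3 http://n8n.n8n.svc:5678` should time out, while the same command run from a pod in the `monitoring` namespace should get an HTTP response.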
Observability Stack
Prometheus and Grafana provide metrics collection and visualization with pre-configured dashboards for Traefik, ArgoCD, and node metrics. Axiom aggregates logs via Fluent-bit DaemonSet, collecting systemd journal and container logs with Kubernetes metadata enrichment (pod, namespace labels). All monitoring components use Tailscale ingress for secure access.
Secrets Management (SOPS + Age)
All secrets are encrypted at rest using SOPS with Age encryption keys. The repository enforces this via CI pipeline—files in secrets/ directories must use .sops.yaml extension, and the pipeline verifies SOPS envelope presence before merge. KSOPS (Kustomize SOPS generator) decrypts secrets at build time, integrating seamlessly with ArgoCD's GitOps workflow.
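The SOPS/KSOPS wiring in concrete form: the repo-level `.sops.yaml` that decides which files are encrypted and with which Age recipient, the KSOPS generator manifest, and the Kustomization that references it. This is an added example, not the repository's configuration; the file names and the n8n app directory are assumed, and the Age public key is the sample key from the SOPS documentation, to be replaced with your own.

```yaml
# .sops.yaml at the repository root (added example)
# Files matching the rule are encrypted for the listed Age recipient. Only the
# data/stringData values are encrypted, so kind, name and keys stay reviewable in diffs.
creation_rules:
  - path_regex: .*/secrets/.*\.sops\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1yt3tfqlfrwdwx0z0ynwplcr6qxcxfaqycuprpmy89nr83ltx74tqdpszlw   # sample key from the SOPS docs; replace
---
# kubernetes/apps/n8n/secrets/ksops.yaml (added example)
# Kustomize exec-function plugin: ksops decrypts the listed files and emits
# the plaintext Secret objects into the build output. Paths are relative to this file.
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: n8n-secrets
  annotations:
    config.kubernetes.io/function: |
      exec:
        path: ksops
files:
  - ./n8n-credentials.sops.yaml
---
# kubernetes/apps/n8n/kustomization.yaml (added example, excerpt)
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: n8n
resources:
  - deployment.yaml
generators:
  - secrets/ksops.yaml
```

The workflow is: write `n8n-credentials.sops.yaml` as an ordinary Secret manifest, run `sops --encrypt --in-place kubernetes/apps/n8n/secrets/n8n-credentials.sops.yaml` (the creation rule picks the recipient), and commit. Decryption happens only inside the `argocd-repo-server`, which needs the ksops binary plus the Age private key mounted and exposed as `SOPS_AGE_KEY_FILE`; that key is the one secret in the system that is not in git, and losing it means re-encrypting every file for a new recipient. Local builds need `kustomize build --enable-alpha-plugins --enable-exec`.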

Deployed Services as of 02/22/2026
| Service | Purpose | Access | Notable Config |
|---|---|---|---|
| Glance | Dashboard & K8s monitoring | Public (maya.nihalxkumar.dev) | Split deployment (UI + K8s API bridge), ClusterRole for metrics |
| n8n | Workflow automation | Tailscale-only | Daily backups (30-day retention), NetworkPolicy isolation, PodMonitor |
| KaraKeep | AI-powered bookmarks | Tailscale-only | Meilisearch + Headless Chrome, Gemini AI integration |
| DeepWiki | AI documentation generator | Tailscale-only | Dual-port (UI:3000, API:8001), Google embedder |
| The Lounge | IRC web client | Tailscale-only | HostNetwork proxy, persistent sessions |
Infrastructure as Code (Ansible)
Four playbooks handle bare-metal provisioning:
| Playbook | Purpose |
|---|---|
| k3s.yml | K3s installation, kubeconfig setup, prerequisites (open-iscsi, nfs-common) |
| security.yml | UFW firewall rules, SSH hardening, fail2ban installation |
| tailscale.yml | VPN client installation, MagicDNS configuration |
| dns-tunnel.yml | Cloudflare Tunnel setup for public DNS routing |
Variables are managed via Ansible Vault with a .vault_pass file, ensuring sensitive values (Tailscale auth keys, Cloudflare tokens) are encrypted in the repository.
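The `security.yml` playbook from the table, expressed as tasks that produce the firewall and sshd state described under Network Security. This is an added example, not the project's playbook; the inventory group, the Tailscale interface name `tailscale0` and the Debian/Ubuntu service name `ssh` are assumptions.

```yaml
# security.yml (added example, not the repository's playbook)
- name: Host firewall, SSH hardening and fail2ban
  hosts: k3s_nodes                     # assumed inventory group
  become: true
  vars:
    k3s_pod_cidr: 10.42.0.0/16
    k3s_service_cidr: 10.43.0.0/16
  tasks:
    - name: Install ufw and fail2ban
      ansible.builtin.apt:
        name: [ufw, fail2ban]
        state: present
        update_cache: true

    - name: Default deny inbound, allow outbound
      community.general.ufw:
        direction: "{{ item.direction }}"
        default: "{{ item.policy }}"
      loop:
        - { direction: incoming, policy: deny }
        - { direction: outgoing, policy: allow }

    # SSH is bound to the tailnet interface only: no rule exists for the public NIC,
    # so the default deny applies there. This is what "zero public SSH exposure" means.
    - name: Allow SSH only via the Tailscale interface
      community.general.ufw:
        rule: allow
        interface_in: tailscale0
        port: "22"
        proto: tcp

    - name: Allow K3s API, HTTP/HTTPS and the VXLAN overlay
      community.general.ufw:
        rule: allow
        port: "{{ item.port }}"
        proto: "{{ item.proto }}"
      loop:
        - { port: "6443", proto: tcp }
        - { port: "80", proto: tcp }
        - { port: "443", proto: tcp }
        - { port: "8472", proto: udp }

    - name: Allow pod and service CIDRs
      community.general.ufw:
        rule: allow
        src: "{{ item }}"
      loop:
        - "{{ k3s_pod_cidr }}"
        - "{{ k3s_service_cidr }}"

    - name: Enable ufw
      community.general.ufw:
        state: enabled

    # Each directive is validated with sshd -t before the file is replaced, so a
    # typo cannot lock the (Tailscale-only) SSH path.
    - name: Harden sshd
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        regexp: "^#?{{ item.key }}\\s"
        line: "{{ item.key }} {{ item.value }}"
        validate: "/usr/sbin/sshd -t -f %s"
      loop:
        - { key: PermitRootLogin, value: "no" }
        - { key: PasswordAuthentication, value: "no" }
        - { key: KbdInteractiveAuthentication, value: "no" }
        - { key: PubkeyAuthentication, value: "yes" }
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: ssh
        state: restarted
```

Verify the result from outside the tailnet with `nmap -Pn -p 22,6443,80,443 <vps-ip>`: 22 must show as filtered. Two tightening options follow from the rest of the design and are left as choices rather than applied above: since public traffic enters through cloudflared on localhost, 80/443 need not be open on the public interface at all, and 6443 can be given the same `interface_in: tailscale0` treatment as SSH so the API server is never reachable from the internet. On a single-node cluster the 8472/udp VXLAN rule carries no inter-node traffic and can be dropped or limited to the node's own address.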
Key Metrics
- 5 containerized applications deployed across dedicated namespaces
- Single-node cluster on 6GB RAM / 5 vCPU / 100GB NVMe
- Zero public SSH exposure (Tailscale-only access)
- Automated certificate renewal via Let's Encrypt DNS-01
- Daily automated backups with 30-day retention
- 3-stage CI pipeline with security gates
- Automated dependency updates via Renovate
Skills Demonstrated
- Infrastructure-as-Code: Declarative infrastructure with Ansible playbooks and Kubernetes manifests
- GitOps: ArgoCD for continuous deployment, app-of-apps pattern, Kustomize overlays
- DevSecOps: SOPS encryption, CI security gates, NetworkPolicies, UFW firewall
- Kubernetes Administration: Resource management, RBAC, ingress configuration, storage orchestration
- Self-Hosting: Production-grade service deployment on constrained resources
- Observability: Prometheus metrics, Grafana dashboards, centralized logging
- Automation: Renovate dependency management, automated backups, self-healing deployments
This homelab demonstrates production-ready infrastructure practices applied to a personal project—from automated provisioning to secure service exposure, all managed through version-controlled declarative configuration.
