GitOps infrastructure for the m0sh1.cc homelab and root Kubernetes clusters. https://m0sh1.cc
  • Shell 31.5%
  • Jinja 27.8%
  • HCL 23.7%
  • Go Template 14.3%
  • Python 2.7%
Latest commit d89bed4e0c by Yael Meya, 2026-06-02 13:55:44 +02:00: fix(argocd): enable dex health probes
CI status: ci/woodpecker/push/security, ci/woodpecker/push/k8s and ci/woodpecker/push/lint pipelines were successful.
| Path | Latest commit | Date |
| --- | --- | --- |
| .claude | feat: add hook scripts for infra policy | 2026-05-15 12:55:09 +02:00 |
| .codex | fix(codex): refresh hook paths and kubectl policy | 2026-05-31 20:48:41 +02:00 |
| .github | fix: let renovate track chart guard updates | 2026-05-31 15:28:19 +00:00 |
| .woodpecker | chore(deps): update ghcr.io/yaelmoshi/chart-version-guard:main docker digest to 67427f5 | 2026-06-01 09:24:04 +00:00 |
| ansible | fix(wakapi): clean up homelab split dns | 2026-05-31 21:36:18 +02:00 |
| apps | fix(argocd): enable dex health probes | 2026-06-02 13:55:44 +02:00 |
| argocd | fix(argocd): render velero values explicitly | 2026-06-01 18:12:58 +02:00 |
| cluster/bootstrap | chore(deps): update weekly image rollup | 2026-05-30 10:26:25 +00:00 |
| docs | harden authentik bootstrap contract | 2026-06-01 03:32:47 +02:00 |
| root | chore: relocate app yamls to disabled dir | 2026-06-02 13:51:45 +02:00 |
| tofu | chore: relocate app yamls to disabled dir | 2026-06-02 13:51:45 +02:00 |
| tools | chore: relocate app yamls to disabled dir | 2026-06-02 13:51:45 +02:00 |
| .dcignore | Adds enforcement rules, ignores, and CI linting improvements | 2026-01-14 01:37:33 +01:00 |
| .editorconfig | Initialize GitOps infrastructure skeleton | 2026-01-13 19:52:57 +01:00 |
| .gitattributes | Update .gitattributes | 2026-01-13 21:21:21 +01:00 |
| .gitignore | refactor: restructure k3s group vars | 2026-05-25 19:04:13 +02:00 |
| .gitleaks.toml | fix(ci): tighten gitleaks allowlist and update raw manifest lint paths | 2026-03-21 09:02:10 +01:00 |
| .gitmodules | fix(ci): pin infra-cli submodule URL for woodpecker | 2026-04-24 15:57:04 +02:00 |
| .kube-linter.yaml | Add Garage secrets; update cloudflared and CloudNativePG configs | 2026-01-31 19:33:20 +01:00 |
| .pre-commit-config.yaml | chore(deps): update pre-commit hook renovatebot/pre-commit-hooks to v43.208.0 | 2026-06-02 11:24:11 +00:00 |
| .rumdl.toml | feat(renovate): config updates and version bumps | 2026-03-24 01:46:30 +01:00 |
| .sops.yaml | feat(secrets): migrate Ansible vault to SOPS-with-age | 2026-04-30 18:47:34 +02:00 |
| .supply-chain-allow.yaml | chore: update submodule tools/cli (fix woodpecker-mcp bun.lock) | 2026-03-20 13:15:46 +01:00 |
| .yamllint | feat(secrets): migrate Tofu secrets to SOPS-with-age | 2026-04-30 18:43:15 +02:00 |
| AGENTS.md | docs: update forbidden agent actions | 2026-05-31 20:35:36 +02:00 |
| CLAUDE.md | fix harbor build robot credentials | 2026-05-31 13:35:46 +02:00 |
| mise.toml | chore(deps): update non-helm tooling to v0.2.5 | 2026-06-02 08:25:03 +00:00 |
| README.md | Update cluster placement docs | 2026-05-05 10:28:20 +02:00 |

Infrastructure Repository

GitOps-managed infrastructure for the m0sh1.cc homelab and root server clusters.

Overview

Declarative infrastructure using ArgoCD (app-of-apps pattern), Helm wrapper charts, OpenTofu, and Ansible. All changes flow through Git; imperative cluster writes are reserved for explicit recovery work.

See AGENTS.md for the full enforcement contract.
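To make the app-of-apps flow concrete, here is an added example of a parent ArgoCD Application; it is not a manifest from this repository. It assumes the ArgoCD Application manifests live under argocd/ (as the repository structure below states), uses a placeholder repository URL, and sets the automated sync, prune and self-heal options the Tech Stack table lists, so that any resource edited or deleted outside Git is reverted to the committed state.

```yaml
# Added example, not the project's own manifest: parent Application in the
# app-of-apps pattern. ArgoCD renders every manifest under argocd/ and creates
# the child Applications it finds there. The repoURL is a placeholder.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: root-apps
  namespace: argocd
  finalizers:
    # Deleting the parent cascades to the child Applications and their resources.
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: https://git.example.invalid/homelab/infra.git  # placeholder, not the real remote
    targetRevision: main
    path: argocd
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true     # objects removed from Git are removed from the cluster
      selfHeal: true  # live drift (e.g. an imperative kubectl edit) is reverted to Git
    syncOptions:
      - CreateNamespace=true
```

With selfHeal enabled, an imperative change made directly against the cluster is reverted on the next reconciliation, which is what keeps Git the single source of truth; genuine recovery work therefore either goes through a commit or, for the duration of the work, disables the automated policy on the affected Application (for example with `argocd app set <name> --sync-policy none`) and re-enables it afterwards.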

Tech Stack

| Layer | Technology |
| --- | --- |
| Hypervisor | Proxmox VE (3-node cluster: pve-01/02/03, ZFS storage) |
| Orchestration | k3s homelab cluster (lab-ctrl + horse01-horse03) and standalone root cluster (root01), Debian 13 |
| GitOps | ArgoCD (automated sync, prune, self-heal) |
| CNI | Cilium (homelab native dual-stack; root VXLAN single-stack; kube-proxy replacement) |
| Load Balancer | Homelab Cilium LB-IPAM + L2 announcements (dual-stack, VLAN 30); root local ingress |
| Ingress | Traefik (wildcard TLS via Cloudflare Origin CA) |
| External Access | Cloudflare Tunnel + Tailscale subnet routing |
| Storage | Proxmox CSI, Longhorn, NFS CSI, OpenEBS ZFS, Garage S3, CloudNativePG, Valkey |
| Identity | Authentik (OIDC SSO for all user apps) |
| Secrets | Bitnami SealedSecrets (K8s), Ansible Vault (hosts) |
| IaC | OpenTofu (Proxmox and root01 contract state) |
| Config Mgmt | Ansible (host provisioning, k3s setup, OPNsense) |
| Observability | Prometheus, Grafana, Loki, Alloy, Hubble |
| Security | CrowdSec, Kyverno, CiliumNetworkPolicies, Harbor Trivy scanning |
| Registry | Harbor (vulnerability scanning, cosign signing, DHI images) |
| CI/CD | Woodpecker CI, Forgejo runners, Renovate |
| IPAM | NetBox/Diode historical data retained; live network intent is Git + OPNsense + Cilium LB-IPAM |
| Firewall | OPNsense (inter-VLAN routing, Suricata IDS, Unbound DNS) |

Network

4-VLAN architecture routed by OPNsense, with dual-stack IPv6 (ULA internal):

| VLAN | Subnet | Purpose |
| --- | --- | --- |
| | 10.0.0.0/24 | Home network |
| 10 | 10.0.10.0/24 | Infrastructure (Proxmox, DNS, PBS) |
| 20 | 10.0.20.0/24 | Kubernetes (control plane + workers) |
| 30 | 10.0.30.0/24 | Load balancers (Traefik, Garage RPC/S3, CrowdSec, Alloy syslog) |

The root cluster is a separate single-node Netcup k3s cluster (root01) with public IPv4 159.195.76.186, Tailscale IPv4 100.120.69.1, and pod CIDR 10.244.0.0/16.

See docs/network-architecture.md for the comprehensive architecture.

Deployed Applications

Platform (cluster scope)

ArgoCD, ArgoCD Image Updater, Alloy, cert-manager, Cilium, Cilium policies, Cloudflared, CloudNativePG, CoreDNS, CrowdSec, CSI drivers (Proxmox, NFS, S3), descheduler, external-dns, Garage (cluster + operator), kube-prometheus-stack, Kured, Kyverno, Loki, Longhorn, OPNsense exporter, origin-ca-issuer, Prometheus CRDs, PVE exporter, Reflector, Renovate Operator, SealedSecrets, snapshot-controller, Tailscale Operator, Traefik, Valkey, and Velero.

Workloads (user scope)

AI stack (Ollama, Open WebUI, Qdrant), Basic Memory, Fail2ban UI, Garage WebUI, Harbor, Headlamp, Netzbremse, pgAdmin 4, Renovate, Wakapi, and Woodpecker CI.

Root cluster workloads

Authentik, Cloudflared, CNPG, CrowdSec, CSI-S3, Forgejo, Garage, Gotify, Grafana, Grafana MCP, Loki, OpenEBS ZFS, Prometheus Agent, Stalwart, Tailscale Operator, Traefik, Uptime Kuma, Valkey, Vaultwarden, and Velero.

Repository Structure

.
├── apps/             # Helm wrapper charts (cluster/ + user/)
├── argocd/           # ArgoCD Application manifests
├── cluster/          # Bootstrap and environment configs
├── root/             # Root server k3s manifests and ArgoCD apps
├── tofu/             # Infrastructure as Code (OpenTofu, Proxmox)
├── ansible/          # Configuration management
├── docs/             # Documentation
└── tools/            # CI scripts, guards, and DevOps automation

See docs/layout.md for the authoritative structure specification.

Documentation

Security

See .github/SECURITY.md for the responsible disclosure process.