This repository contains Infrastructure as Code (IaC) for my home Kubernetes clusters, managed using GitOps principles with ArgoCD. The setup supports multiple clusters with shared components and cluster-specific configurations.
- GitOps Workflow: Complete GitOps setup using ArgoCD
- Multi-Cluster Support: Manage multiple Kubernetes clusters from one repository
- Secrets Management: SOPS encryption with 1Password integration
- Helm + Kustomize: Flexible application deployment and configuration
- Automated Bootstrap: Scripts for easy cluster initialization
- Task Automation: Task-based workflows for common operations
- Dependency Updates: Automated dependency management with Renovate Bot
```
┌─────────────────┐     ┌─────────────────┐
│    cluster01    │     │       omv       │
│                 │     │                 │
│  ┌───────────┐  │     │  ┌───────────┐  │
│  │  ArgoCD   ├──┼─────┼──┤  ArgoCD   │  │
│  └───────────┘  │     │  └───────────┘  │
│                 │     │                 │
│  Applications   │     │  Applications   │
└─────────────────┘     └─────────────────┘
         ▲                       ▲
         │                       │
         └───────────┬───────────┘
                     │
              ┌──────┴──────┐
              │  Git Repo   │
              │ (home-ops)  │
              └─────────────┘
```
```
.
├── clusters/                 # Cluster-specific configurations
│   ├── cluster01/            # Primary cluster
│   │   ├── apps/             # Applications for cluster01
│   │   └── bootstrap/        # Bootstrap configurations
│   └── omv/                  # Secondary cluster
│       └── apps/             # Applications for omv
├── components/               # Shared Kubernetes components
│   ├── argo-system/          # ArgoCD configuration
│   ├── cert-manager/         # Certificate management
│   ├── default/              # Default namespace apps
│   ├── external-secrets/     # External secrets operator
│   ├── kube-system/          # System components
│   ├── longhorn-system/      # Storage system
│   ├── network/              # Networking components
│   └── common/               # Common configurations
├── helm/                     # Custom Helm charts
├── scripts/                  # Automation scripts
│   ├── bootstrap-apps.sh     # Cluster bootstrap script
│   └── lib/                  # Helper libraries
├── .taskfiles/               # Task definitions
├── Taskfile.yaml             # Main task configuration
└── makejinja.toml            # Template processing config
```
Ensure you have the following tools installed:

```shell
# Core tools
brew install kubernetes-cli helm kustomize
brew install argoproj/tap/argocd
brew install go-task/tap/go-task
brew install helmfile

# Security tools
brew install sops age
brew install 1password/tap/1password-cli

# Optional: Talos Linux tools (if using Talos)
brew install siderolabs/tap/talosctl
brew install budimanjojo/tap/talhelper
```
1. Configure SOPS with age:

   ```shell
   # Generate an age key if you don't have one
   age-keygen -o ~/.config/sops/age/keys.txt
   # Print the public key (age1...) to list as a recipient in .sops.yaml
   age-keygen -y ~/.config/sops/age/keys.txt
   ```

2. Configure the 1Password CLI:

   ```shell
   # Sign in to 1Password
   op signin
   # Verify access to the kubernetes vault
   op vault list
   ```

3. Bootstrap cluster applications:

   ```shell
   # Bootstrap cluster01
   task bootstrap:apps CLUSTER_NAME=cluster01
   # Bootstrap the omv cluster
   task bootstrap:apps CLUSTER_NAME=omv
   ```

4. Manual ArgoCD access (if needed):

   ```shell
   # Get the ArgoCD initial admin password
   kubectl -n argo-system get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d
   # Port-forward the ArgoCD UI to https://localhost:8080
   kubectl port-forward svc/argocd-server -n argo-system 8080:443
   ```

   The `argocd-initial-admin-secret` Secret only exists to hand you the first-login credential: change the admin password (`argocd account update-password`) and delete that Secret afterwards.
```shell
# List all available tasks
task --list

# Force ArgoCD to sync all applications
task reconcile

# Bootstrap cluster applications
task bootstrap:apps CLUSTER_NAME=<cluster_name>

# Check ArgoCD application status
argocd app list

# Sync a specific application
argocd app sync <app-name>

# Check cluster resources
kubectl get nodes,pods --all-namespaces
```

| Component | Purpose | Namespace |
|---|---|---|
| ArgoCD | GitOps continuous delivery | argo-system |
| Cert-Manager | TLS certificate management | cert-manager |
| External Secrets | Secrets synchronization | external-secrets |
| Traefik | Ingress controller | kube-system |
| Longhorn | Distributed storage | longhorn-system |
| Cilium | Container networking | kube-system |
| Homepage | Dashboard application | default |
| Syncthing | File synchronization | default |
| Garage | S3-compatible object storage | default |
- Secrets Encryption: All sensitive data encrypted with SOPS
- External Secrets: Integration with 1Password for secure secret management
- TLS Certificates: Automated certificate provisioning with cert-manager
- Network Policies: Implemented via Cilium for network security
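The "all sensitive data encrypted with SOPS" guarantee above only holds if nothing plaintext ever reaches `main`. The script below is an added example for this README (not code from the home-ops repository) of a pre-commit guard that enforces it: any manifest with `kind: Secret` must carry a `sops:` metadata block with a MAC, and every value under `data:`/`stringData:` must be an `ENC[AES256_GCM,...]` blob. It uses a small line scanner rather than a YAML library so it runs with no dependencies; the two manifests it is fed are constructed samples, and the age recipient and ciphertext in them are fake placeholders.

```python
"""Pre-commit guard for a GitOps repo: fail if a Kubernetes Secret manifest
is committed without SOPS encryption.

Added example for this README, not code from the home-ops repository. A small
line scanner is used instead of a YAML library so the script has no
dependencies; the manifests below are constructed samples (fake recipient,
fake ciphertext).
"""
import re
import sys
from pathlib import Path
from typing import List

# A value SOPS has encrypted looks like ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:str]
ENC_VALUE = re.compile(r"^ENC\[AES256_GCM,data:[^\]]+\]$")
# "  key: value" lines indented under data:/stringData:
KV_LINE = re.compile(r"^\s+([A-Za-z0-9._-]+):\s*(.*)$")
SECRET_KIND = re.compile(r"^kind:\s*Secret\s*$", re.M)
DATA_HEADER = re.compile(r"^(data|stringData):\s*$")


def find_plaintext_values(text: str) -> List[str]:
    """Return the keys under data:/stringData: whose values are not ENC[...] blobs."""
    leaks = []
    in_block = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if DATA_HEADER.match(line):
            in_block = True
            continue
        if in_block:
            m = KV_LINE.match(line)
            if m:
                key, value = m.group(1), m.group(2).strip().strip("\"'")
                if not ENC_VALUE.match(value):
                    leaks.append(key)
                continue
        if not line.startswith(" "):
            in_block = False  # a new top-level key ends the data block
    return leaks


def has_sops_metadata(text: str) -> bool:
    """An encrypted file carries a top-level sops: block whose mac: covers the content."""
    return (re.search(r"^sops:\s*$", text, re.M) is not None
            and re.search(r"^\s+mac:\s*ENC\[", text, re.M) is not None)


def check_file(name: str, text: str) -> List[str]:
    """Findings for one manifest; an empty list means it is safe to commit."""
    findings = []
    if not SECRET_KIND.search(text):
        return findings  # not a Secret (Deployments, ExternalSecrets, ...), nothing to enforce
    if not has_sops_metadata(text):
        findings.append(f"{name}: Secret has no sops metadata block (never encrypted?)")
    for key in find_plaintext_values(text):
        findings.append(f"{name}: plaintext value under key '{key}'")
    return findings


# Constructed sample of a file after `sops --encrypt`: values are ciphertext and
# the sops: block names the age recipient and carries the MAC (placeholder values).
ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
    name: homepage-env
    namespace: default
stringData:
    HOMEPAGE_VAR_TOKEN: ENC[AES256_GCM,data:Zm9vYmFy,iv:aWl2,tag:dGFn,type:str]
sops:
    age:
        - recipient: age1exampleexampleexampleexampleexampleexampleexampleexample0
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ZmFrZS1jaXBoZXJ0ZXh0LWZvci1pbGx1c3RyYXRpb24tb25seQ==
            -----END AGE ENCRYPTED FILE-----
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    encrypted_regex: ^(data|stringData)$
"""

# Constructed sample of the mistake the guard exists for: a value was edited in
# the decrypted copy and the file was staged without running `sops --encrypt`.
LEAKED = """\
apiVersion: v1
kind: Secret
metadata:
    name: homepage-env
stringData:
    HOMEPAGE_VAR_TOKEN: hunter2
    HOMEPAGE_VAR_URL: ENC[AES256_GCM,data:Zm9v,iv:aXY=,tag:dGFn,type:str]
"""


def main(paths: List[str]) -> int:
    """Exit non-zero if any file fails; wire this into pre-commit or CI."""
    findings = []
    for p in paths:
        findings.extend(check_file(p, Path(p).read_text()))
    for f in findings:
        print(f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as `python sops_guard.py $(git diff --cached --name-only -- '*.yaml')` from a pre-commit hook. Checking for `kind: Secret` rather than a filename pattern is deliberate: the file most likely to leak is the one someone decrypted in place and saved under its original name.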
1. Create the component directory:

   ```shell
   mkdir -p components/my-namespace/my-app
   ```

2. Add a Kustomization:

   ```yaml
   # components/my-namespace/my-app/kustomization.yaml
   apiVersion: kustomize.config.k8s.io/v1beta1
   kind: Kustomization
   namespace: my-namespace
   resources:
     - namespace.yaml
     - http-route.yaml
   helmCharts:
     - name: my-app
       repo: https://charts.example.com
       version: "1.0.0"
       valuesFile: values.yaml
   ```

3. Add it to the cluster configuration:

   ```yaml
   # clusters/cluster01/apps/kustomization.yaml
   resources:
     - ../../components/my-namespace/my-app
   ```
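Because ArgoCD applies whatever these two `kustomization.yaml` files point at, the review of a pull request is only meaningful if the chart version is pinned and every resource is a path inside the repository. The script below is an added example for this README (not code from the home-ops repository) that lints a component's kustomization against that policy: `helmCharts` entries must carry an exact `version` (Renovate can only bump a pinned one), any `repo` must be `https://` or `oci://`, and `resources` must be local paths rather than something fetched from the network at sync time. The policy itself is an assumption made for the example; a small line scanner stands in for a YAML library so it runs with no dependencies, and both manifests it is tested against are constructed samples.

```python
"""Lint the kustomization.yaml files a new component adds: chart versions must
be pinned to an exact release, chart repos must be https/oci, and resources
must be local paths, so what ArgoCD applies is exactly what was reviewed.

Added example for this README, not code from the home-ops repository. The
policy is an assumption made for the example. A small line scanner is used
instead of a YAML library so the script has no dependencies; the two
manifests below are constructed samples.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

TOP_KEY = re.compile(r"^([A-Za-z]+):\s*$")                         # "resources:"
LIST_SCALAR = re.compile(r"^\s*-\s+(\S+)\s*$")                     # "  - namespace.yaml"
LIST_MAP_START = re.compile(r"^\s*-\s+([A-Za-z]+):\s*(.*?)\s*$")   # "  - name: my-app"
MAP_ITEM = re.compile(r"^\s+([A-Za-z]+):\s*(.*?)\s*$")             # "    version: 1.0.0"
EXACT_VERSION = re.compile(r"^v?\d+\.\d+\.\d+$")                   # rejects "*", "^1", "latest", ranges


def parse_kustomization(text: str) -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (resources, helmCharts) from the flat YAML subset these files use."""
    resources: List[str] = []
    charts: List[Dict[str, str]] = []
    section = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = TOP_KEY.match(line)
        if top:
            section = top.group(1)
            continue
        if section == "resources":
            m = LIST_SCALAR.match(line)
            if m:
                resources.append(m.group(1))
        elif section == "helmCharts":
            m = LIST_MAP_START.match(line)
            if m:  # "- name: ..." starts a new chart entry
                charts.append({m.group(1): m.group(2).strip("\"'")})
                continue
            m = MAP_ITEM.match(line)
            if m and charts:  # further keys belong to the current chart entry
                charts[-1][m.group(1)] = m.group(2).strip("\"'")
    return resources, charts


def lint_kustomization(text: str) -> List[str]:
    """Policy findings for one kustomization.yaml; an empty list means it passes."""
    findings = []
    resources, charts = parse_kustomization(text)
    for r in resources:
        if "://" in r or r.startswith(("github.com/", "git@")):
            findings.append(f"resource '{r}' is fetched from the network at sync time; "
                            "vendor it under components/ instead")
    for chart in charts:
        name = chart.get("name", "<unnamed>")
        version = chart.get("version", "")
        if not EXACT_VERSION.match(version):
            findings.append(f"chart '{name}': version '{version or '(none)'}' is not an exact release")
        repo = chart.get("repo", "")  # absent repo means a chart vendored in the repo
        if repo and not repo.startswith(("https://", "oci://")):
            findings.append(f"chart '{name}': repo '{repo}' must be https:// or oci://")
    return findings


# Constructed sample matching the component added in the steps above (passes).
GOOD = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: my-namespace
resources:
  - namespace.yaml
  - http-route.yaml
helmCharts:
  - name: my-app
    repo: https://charts.example.com
    version: "1.0.0"
    valuesFile: values.yaml
"""

# Constructed sample with a floating version, a plaintext-http repo and a remote base.
BAD = """\
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: my-namespace
resources:
  - namespace.yaml
  - https://github.com/example/charts//deploy?ref=main
helmCharts:
  - name: my-app
    repo: http://charts.example.com
    version: "*"
    valuesFile: values.yaml
"""


def main(paths: List[str]) -> int:
    """Lint each given kustomization.yaml and exit non-zero on any finding."""
    findings = []
    for p in paths:
        findings.extend(f"{p}: {f}" for f in lint_kustomization(Path(p).read_text()))
    for f in findings:
        print(f)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it over the files a pull request touches, for example `python lint_kustomization.py $(git diff --name-only main -- '**/kustomization.yaml')`, so a floating chart version or a remote base is caught before ArgoCD ever sees the commit.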
- Make changes to application configurations in this repository
- Commit and push changes to the main branch
- ArgoCD automatically detects changes and syncs applications
- Monitor deployment via ArgoCD UI or CLI
This repository uses Renovate Bot to automatically update dependencies:
- Helm Charts: Automatically updates chart versions in `kustomization.yaml` files
- Container Images: Updates image tags in Kubernetes manifests
- GitHub Releases: Updates CRD URLs and tool versions in bootstrap scripts
- Talos & Kubernetes: Updates cluster platform versions

- Main Config: `renovate.json`, the comprehensive Renovate configuration
- GitHub Specific: `.github/renovate.json5`, an alternative config location
- Dependency Dashboard: Available in GitHub Issues for manual triggering
Renovate intelligently groups related updates:
- Cilium Ecosystem: CNI, CLI, and related components
- ArgoCD Stack: Server, CLI, and ArgoCD applications
- cert-manager: Controller, webhook, and CRDs
- Security Tools: SOPS, external-secrets, and 1Password components
- Fork the repository
- Create a feature branch
- Make your changes
- Test in a development environment
- Submit a pull request
This project is licensed under the MIT License - see the LICENSE file for details.
Star this repo if you find it helpful!