Everything in the homelab — network devices, VMs, Kubernetes workloads, Docker services, backups — is managed through GitLab CI/CD, Atlantis, and Argo CD. Nothing gets configured via SSH anymore.

What It Covers

Platform vs. application split — Atlantis/OpenTofu handles the infrastructure layer (nodes, networking, storage), Argo CD handles application workloads. Both triggered by merge requests, both with auto-sync.

Kubernetes — 7-node HA cluster (v1.34.2) with Cilium CNI replacing kube-proxy via eBPF. BGP peering with the Cisco ASA for LoadBalancer services. Dual storage: NFS for shared volumes, Synology iSCSI CSI for block storage.

Security — Cilium mTLS via SPIRE for service-to-service encryption. Network policies scoped per namespace. External Secrets Operator pulls credentials from OpenBao into K8s — no secrets in git.

TLS — cert-manager with Let’s Encrypt wildcards via Cloudflare DNS-01. AWX scheduled jobs sync certs to Nginx Proxy Manager across 94 hosts. Syncthing handles distribution.

Observability — Prometheus/Grafana/Alertmanager for metrics. syslog-ng → Loki → Grafana for logs. Hubble for L7 flow visibility when debugging Cilium issues.

Backups — Velero + MinIO S3 with daily/weekly schedules. Cross-site replication to Greece.

Docker — 60+ services: Ollama, Stable Diffusion, Jellyfin, databases, home automation. Everything that doesn’t need Kubernetes runs here.

Network automation — Python CI/CD pipelines push Cisco IOS/ASA configuration with drift detection. If someone changes something manually, the next pipeline run catches it.
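A minimal version of the drift check described above, as an added example rather than the homelab's own pipeline code: the intended config comes from git, the running config from the device (fetched by whatever the pipeline already uses, which is left out here), and the list of volatile lines to ignore is an assumption to tune per platform.

```python
"""Drift check between the git-managed (intended) config and the running
config read from a device. Sample configs below are constructed."""
import difflib
import re

# Lines that differ between pulls without being real changes (comments,
# save timestamps, ASA ': Saved' markers, ntp drift). Set is an assumption.
VOLATILE = re.compile(r"^(!|:|Building configuration|Current configuration|ntp clock-period)")

def normalize(config: str) -> list[str]:
    """Drop volatile lines and trailing spaces; keep leading indentation,
    which carries IOS block structure (ACL entries, interface sub-commands)."""
    out = []
    for line in config.splitlines():
        line = line.rstrip()
        if line and not VOLATILE.match(line):
            out.append(line)
    return out

def drift(intended: str, running: str) -> list[str]:
    """Unified-diff body, intended -> running. Empty list means no drift.
    '+' lines exist only on the device: candidate manual changes."""
    diff = list(difflib.unified_diff(
        normalize(intended), normalize(running),
        fromfile="git/intended", tofile="device/running", lineterm="", n=0))
    return [l for l in diff[2:] if not l.startswith("@@")]  # drop file headers

# Constructed sample: a permit-any ACL entry was added by hand on the device.
INTENDED = """\
!
hostname core-rtr1
ip access-list extended MGMT-IN
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 deny ip any any log
!
"""
RUNNING = """\
Building configuration...
! Last configuration change at 02:14:07 UTC Tue Jan 7 2025
hostname core-rtr1
ip access-list extended MGMT-IN
 permit tcp 10.0.10.0 0.0.0.255 any eq 22
 permit ip any any
 deny ip any any log
ntp clock-period 17179919
"""

if __name__ == "__main__":
    for line in drift(INTENDED, RUNNING):
        print(line)  # a CI job fails the pipeline when this list is non-empty
```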

Virtualization — Proxmox VE with 100+ LXC containers and 20+ VMs, all provisioned through GitLab pipelines.

Architecture Overview

┌─────────────────────────────────────────────────────────────────┐
│                          GitLab CI/CD                           │
│  ┌──────────────────┐         ┌──────────────────┐              │
│  │     Atlantis     │         │      ArgoCD      │              │
│  │  (Platform IaC)  │         │  (Applications)  │              │
│  └────────┬─────────┘         └────────┬─────────┘              │
└───────────┼────────────────────────────┼────────────────────────┘
            │                            │
            ▼                            ▼
┌───────────────────────┐    ┌───────────────────────┐
│   Infrastructure      │    │   Workloads           │
│   - Kubernetes nodes  │    │   - Applications      │
│   - Network configs   │    │   - Services          │
│   - Storage           │    │   - ConfigMaps        │
│   - Secrets           │    │   - Ingress           │
└───────────────────────┘    └───────────────────────┘
            │                            │
            └──────────────┬─────────────┘
                           ▼
┌─────────────────────────────────────────────────────────────────┐
│                       Kubernetes Cluster                        │
│  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐                │
│  │ Cilium CNI  │ │    SPIRE    │ │   OpenBao   │                │
│  │  + Hubble   │ │    mTLS     │ │   Secrets   │                │
│  └─────────────┘ └─────────────┘ └─────────────┘                │
│  ┌─────────────┐ ┌─────────────┐ ┌─────────────┐                │
│  │ Prometheus  │ │    Loki     │ │   Velero    │                │
│  │  + Grafana  │ │   Logging   │ │   Backups   │                │
│  └─────────────┘ └─────────────┘ └─────────────┘                │
└─────────────────────────────────────────────────────────────────┘

Technology Stack

Category         Technologies
GitOps           GitLab CI/CD, Atlantis, Argo CD
IaC              OpenTofu/Terraform, Helm
Kubernetes       v1.34.2, Cilium CNI, SPIRE
Secrets          OpenBao, External Secrets Operator
Monitoring       Prometheus, Grafana, Alertmanager, Loki
Network          Hubble, BGP, Cisco IOS/ASA
Backup           Velero, MinIO S3
Automation       AWX, Python
Virtualization   Proxmox VE, Docker

The foundation everything else in the homelab runs on