Everything in the homelab — network devices, VMs, Kubernetes workloads, Docker services, backups — is managed through GitLab CI/CD, Atlantis, and Argo CD. Nothing gets configured via SSH anymore.
What It Covers
Platform vs. application split — Atlantis/OpenTofu handles the infrastructure layer (nodes, networking, storage), Argo CD handles application workloads. Both triggered by merge requests, both with auto-sync.
Kubernetes — 7-node HA cluster (v1.34.2) with Cilium CNI replacing kube-proxy via eBPF. BGP peering with the Cisco ASA for LoadBalancer services. Dual storage: NFS for shared volumes, Synology iSCSI CSI for block storage.
Security — Cilium mTLS via SPIRE for service-to-service encryption. Network policies scoped per namespace. External Secrets Operator pulls credentials from OpenBao into K8s — no secrets in git.
TLS — cert-manager with Let’s Encrypt wildcards via Cloudflare DNS-01. AWX scheduled jobs sync certs to Nginx Proxy Manager across 94 hosts. Syncthing handles distribution.
Observability — Prometheus/Grafana/Alertmanager for metrics. syslog-ng → Loki → Grafana for logs. Hubble for L7 flow visibility when debugging Cilium issues.
Backups — Velero + MinIO S3 with daily/weekly schedules. Cross-site replication to Greece.
Docker — 60+ services: Ollama, Stable Diffusion, Jellyfin, databases, home automation. Everything that doesn’t need Kubernetes runs here.
Network automation — Python CI/CD pipelines push Cisco IOS/ASA configuration with drift detection. If someone changes something manually, the next pipeline run catches it.
Virtualization — Proxmox VE with 100+ LXC containers and 20+ VMs, all provisioned through GitLab pipelines.
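The drift detection mentioned in the network-automation item, as an added illustration (example code, not the homelab's own pipeline): it normalizes the config the repository intends to push and the config the device reports as running, diffs the two, and fails the job when they differ. The two configurations and the list of volatile line prefixes are constructed samples and assumptions about IOS-style output; a real pipeline would render the intended config from git and fetch the running config from the device.

```python
"""Drift detection between the config git intends and the config a device
runs (added example; not the homelab's pipeline code)."""

import difflib
import re
import sys
from dataclasses import dataclass, field

# Lines a device rewrites on its own (banner, timestamps, NTP drift value).
# Assumed prefixes for IOS-style output; extend per platform.
VOLATILE_PREFIXES = (
    "!",                       # comments, separators, "! Last configuration change at ..."
    "Building configuration",
    "Current configuration",
    "ntp clock-period",
)


def normalize(config_text: str) -> list[str]:
    """Drop volatile and blank lines and collapse whitespace so only
    operator-meaningful differences survive into the diff."""
    lines: list[str] = []
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith(VOLATILE_PREFIXES):
            continue
        lines.append(re.sub(r"\s+", " ", stripped))
    return lines


@dataclass
class DriftReport:
    added_on_device: list[str] = field(default_factory=list)    # on device, not in git
    missing_on_device: list[str] = field(default_factory=list)  # in git, not on device

    @property
    def has_drift(self) -> bool:
        return bool(self.added_on_device or self.missing_on_device)


def detect_drift(intended: str, running: str) -> DriftReport:
    """Line-oriented, order-aware comparison of the two configurations."""
    want, have = normalize(intended), normalize(running)
    report = DriftReport()
    matcher = difflib.SequenceMatcher(a=want, b=have, autojunk=False)
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op in ("delete", "replace"):
            report.missing_on_device.extend(want[i1:i2])
        if op in ("insert", "replace"):
            report.added_on_device.extend(have[j1:j2])
    return report


# Constructed sample: what the repository renders for this device.
INTENDED_CONFIG = """\
! Rendered from git at pipeline time (constructed sample)
hostname core-sw1
!
interface GigabitEthernet0/1
 description uplink-to-asa
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.255.255
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT in
"""

# Constructed sample: what the device reports; someone added an ACL entry
# and enabled telnet by hand.
RUNNING_CONFIG = """\
Building configuration...
Current configuration : 1532 bytes
!
! Last configuration change at 02:14:07 UTC Tue Jan 1 2030
!
hostname core-sw1
!
interface GigabitEthernet0/1
 description uplink-to-asa
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.255.255
 permit 192.168.50.0 0.0.0.255
 deny   any log
!
line vty 0 4
 transport input ssh telnet
 access-class MGMT in
ntp clock-period 17179869
"""


def main() -> int:
    report = detect_drift(INTENDED_CONFIG, RUNNING_CONFIG)
    if not report.has_drift:
        print("no drift")
        return 0
    for line in report.added_on_device:
        print(f"+ device has extra line: {line}")
    for line in report.missing_on_device:
        print(f"- device lost line:      {line}")
    return 1  # non-zero so the CI job fails and the manual change gets reviewed


if __name__ == "__main__":
    sys.exit(main())
```

The comparison is deliberately order-aware, because on IOS a reordered access-list entry is a real behavioural change; the whitespace collapsing only hides indentation style, not content.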
Architecture Overview
```
┌─────────────────────────────────────────────────────────────────┐
│                          GitLab CI/CD                           │
│   ┌──────────────────┐           ┌──────────────────┐           │
│   │     Atlantis     │           │      ArgoCD      │           │
│   │  (Platform IaC)  │           │  (Applications)  │           │
│   └────────┬─────────┘           └────────┬─────────┘           │
└────────────┼──────────────────────────────┼─────────────────────┘
             │                              │
             ▼                              ▼
 ┌───────────────────────┐      ┌───────────────────────┐
 │    Infrastructure     │      │       Workloads       │
 │  - Kubernetes nodes   │      │  - Applications       │
 │  - Network configs    │      │  - Services           │
 │  - Storage            │      │  - ConfigMaps         │
 │  - Secrets            │      │  - Ingress            │
 └───────────────────────┘      └───────────────────────┘
             │                              │
             └───────────────┬──────────────┘
                             ▼
┌─────────────────────────────────────────────────────────────────┐
│                       Kubernetes Cluster                        │
│   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐           │
│   │ Cilium CNI  │   │    SPIRE    │   │   OpenBao   │           │
│   │  + Hubble   │   │    mTLS     │   │   Secrets   │           │
│   └─────────────┘   └─────────────┘   └─────────────┘           │
│   ┌─────────────┐   ┌─────────────┐   ┌─────────────┐           │
│   │ Prometheus  │   │    Loki     │   │   Velero    │           │
│   │  + Grafana  │   │   Logging   │   │   Backups   │           │
│   └─────────────┘   └─────────────┘   └─────────────┘           │
└─────────────────────────────────────────────────────────────────┘
```
Technology Stack
| Category | Technologies |
|---|---|
| GitOps | GitLab CI/CD, Atlantis, Argo CD |
| IaC | OpenTofu/Terraform, Helm |
| Kubernetes | v1.34.2, Cilium CNI, SPIRE |
| Secrets | OpenBao, External Secrets Operator |
| Monitoring | Prometheus, Grafana, Alertmanager, Loki |
| Network | Hubble, BGP, Cisco IOS/ASA |
| Backup | Velero, MinIO S3 |
| Automation | AWX, Python |
| Virtualization | Proxmox VE, Docker |
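One way to enforce the "no secrets in git" rule behind the Secrets row (OpenBao plus External Secrets Operator) as a merge-request gate, as an added example that is not the homelab's own pipeline: scan the manifests a change touches and block any plain `Secret` that carries a `data:` or `stringData:` payload, while `ExternalSecret` objects, which only reference a key in the store, pass. The sample manifests, names and the `external-secrets.io/v1beta1` API version are constructed, and the YAML handling is a deliberately shallow top-level-key reader rather than a full parser, so the script needs no third-party library.

```python
"""CI gate for the 'no secrets in git' rule (added example; not the
homelab's own pipeline code)."""

import re
import sys
from dataclasses import dataclass

PAYLOAD_KEYS = ("data", "stringData")
EMPTY_INLINE = ("", "{}", "null", "~")            # values that carry no payload
DOC_SEPARATOR = re.compile(r"^---\s*$", re.MULTILINE)
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z][\w.-]*):\s*(.*)$")


@dataclass(frozen=True)
class Finding:
    doc_index: int   # position of the offending document in the file
    name: str        # metadata.name, or "<unnamed>"
    key: str         # which payload key was populated


def top_level_fields(doc: str) -> dict[str, tuple[str, list[str]]]:
    """Map each top-level key to (inline value, indented child lines).
    Shallow on purpose: enough structure for the gate, not a YAML parser."""
    fields: dict[str, tuple[str, list[str]]] = {}
    current = None
    for line in doc.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = TOP_LEVEL_KEY.match(line)
        if m:
            current = m.group(1)
            fields[current] = (m.group(2).strip(), [])
        elif current is not None and line[0] in " \t":
            fields[current][1].append(line)
    return fields


def metadata_name(children: list[str]) -> str:
    """Pull metadata.name from the first nesting level of the metadata block."""
    if not children:
        return "<unnamed>"
    indent = min(len(l) - len(l.lstrip()) for l in children)
    pattern = r"^ {" + str(indent) + r"}name:\s*(\S+)"
    for line in children:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return "<unnamed>"


def find_committed_secrets(manifest_text: str) -> list[Finding]:
    """Return one Finding per Secret document whose payload is populated."""
    findings: list[Finding] = []
    for idx, doc in enumerate(DOC_SEPARATOR.split(manifest_text)):
        fields = top_level_fields(doc)
        if fields.get("kind", ("", []))[0] != "Secret":
            continue  # ExternalSecret, SecretStore, ... are the sanctioned path
        name = metadata_name(fields.get("metadata", ("", []))[1])
        for key in PAYLOAD_KEYS:
            inline, children = fields.get(key, ("", []))
            if children or inline not in EMPTY_INLINE:
                findings.append(Finding(idx, name, key))
    return findings


# Constructed sample manifests (names, values and API version are made up).
SAMPLE_MANIFESTS = """\
# sanctioned pattern: only a reference into OpenBao, no secret material
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-admin
spec:
  secretStoreRef: {name: openbao, kind: ClusterSecretStore}
  target: {name: grafana-admin}
  data:
    - secretKey: password
      remoteRef: {key: kv/monitoring/grafana, property: admin-password}
---
# inline credential committed to git -> blocked
apiVersion: v1
kind: Secret
metadata:
  name: jellyfin-api
type: Opaque
stringData:
  api-key: EXAMPLE-NOT-A-REAL-KEY
---
# empty Secret shell -> tolerated
apiVersion: v1
kind: Secret
metadata:
  name: placeholder
data: {}
"""


def main(paths: list[str]) -> int:
    texts = [open(p, encoding="utf-8").read() for p in paths] or [SAMPLE_MANIFESTS]
    findings = [f for text in texts for f in find_committed_secrets(text)]
    for f in findings:
        print(f"BLOCKED: Secret '{f.name}' (document {f.doc_index}) has a populated '{f.key}:'")
    return 1 if findings else 0  # non-zero fails the merge-request pipeline


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with the manifest paths the pipeline collected (or with no arguments to exercise the embedded samples); a non-zero exit is what stops Argo CD from ever seeing a committed credential.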
The foundation everything else in the homelab runs on
