My GitOps-driven homelab running ~20 self-hosted applications on a low-power ARM Kubernetes cluster. Infrastructure and application configuration are fully declarative and managed through FluxCD, Ansible, GitHub Actions and Renovate; covering everything from initial OS image builds to automated dependency updates.
This repository currently consists of 3 main directories:
- Armbian: builds a custom image for the RK1 compute modules, based on the 6.1 BSP kernel for NPU support. Also pre-configures various settings such as disabling swap.
- Ansible: playbooks to configure hosts, install/upgrade packages, k3s, GPU/NPU drivers, kube-vip and more.
- Kubernetes: cluster bootstrap and manifests for FluxCD. Manifests are structured following `apps/<namespace>/<app>/<kustomization>/<name>.yaml`, where each app has one or more FluxCD Kustomizations, which can depend on each other. For example: `apps/default/immich/cnpg/database.yaml`.
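To make the "Kustomizations that depend on each other" part concrete, here is an added example of what the two Flux Kustomization objects for Immich could look like; it is not a manifest from this repository. Only the `cnpg` Kustomization and the `apps/default/immich/cnpg` path come from the layout above; the `app` Kustomization, the `./kubernetes` path prefix, the `flux-system` GitRepository and the `sops-age` Secret name are assumptions.

```yaml
# Added example, not a file from this repository. Assumed names: the "app"
# Kustomization, the ./kubernetes path prefix, the "flux-system" GitRepository
# and the "sops-age" Secret holding the age private key.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: immich-cnpg
  namespace: flux-system
spec:
  interval: 30m
  path: ./kubernetes/apps/default/immich/cnpg   # contains database.yaml
  prune: true          # objects removed from Git are deleted from the cluster
  wait: true           # this Kustomization is only Ready once every applied object is healthy
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
  targetNamespace: default
  decryption:          # database credentials stay SOPS-encrypted in Git; Flux decrypts in-cluster
    provider: sops
    secretRef:
      name: sops-age
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: immich-app
  namespace: flux-system
spec:
  interval: 30m
  path: ./kubernetes/apps/default/immich/app
  prune: true
  wait: true
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system
  targetNamespace: default
  dependsOn:           # the app is not applied until immich-cnpg reports Ready (i.e. the database is up)
    - name: immich-cnpg
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```

Because the dependency carries `wait: true`, `dependsOn` orders on actual readiness of the database objects rather than on the manifests merely having been applied.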
My homelab consists of a small k3s cluster and a NAS.
| Device | Role | SoC | CPU | RAM | Storage | OS |
|---|---|---|---|---|---|---|
| Turing Pi RK1 | k3s server | RK3588 | 4x Cortex-A76 + 4x Cortex-A55 | 32GB LPDDR4 | 512GB NVMe | Armbian |
| Turing Pi RK1 | k3s server | RK3588 | 4x Cortex-A76 + 4x Cortex-A55 | 16GB LPDDR4 | 512GB NVMe | Armbian |
| Turing Pi RK1 | k3s server | RK3588 | 4x Cortex-A76 + 4x Cortex-A55 | 16GB LPDDR4 | 512GB NVMe | Armbian |
| Raspberry Pi 4B | k3s agent | BCM2711 | 4x Cortex-A72 | 8GB LPDDR4 | 128GB USB | Raspberry Pi OS |
| Synology DS923+ | NAS | n/a | 2x AMD Ryzen 1600 | 4GB DDR4 ECC | 4x 4TB HDD (RAID5) | DSM |
Quick overview of the core components of my stack and why they were picked (over other options). Due to the limited hardware, I often prefer lightweight options, as long as they offer enough features.
- k3s - Kubernetes distribution that is resource optimized and works well on ARM. Easier to play with the NPU than Talos.
- FluxCD - GitOps for Kubernetes with native SOPS support.
- flux-operator - Fully declarative FluxCD deployments.
- Longhorn - Kubernetes native block storage. Lighter alternative to Rook-Ceph.
- Garage - Lightweight S3 object storage. Used for CNPG Barman Cloud Plugin backups.
- NFS - Various large data sets that are not latency sensitive are mounted directly with NFS (e.g. Immich library, Garage data). Longhorn volumes are backed up via NFS too.
- rclone - Syncs an encrypted copy of the NAS for off-site disaster recovery. Used in combination with immutable snapshots to protect against ransomware.
- Flannel - CNI provided by k3s. Considering Cilium for more features.
- MetalLB - Bare-metal load balancer using Layer 2. Replaces ServiceLB offered by k3s, as it only works on host IPs.
- Traefik - Application proxy. I've replaced the one offered by k3s with my own install for more control and recently migrated from Ingress to the Gateway API. Considering switching to Envoy.
- Victoria Metrics - Scrape and store metrics. Lighter alternative to Prometheus.
- Victoria Logs - Collect and store logs. Lighter alternative to Loki.
- Grafana - UI to explore data and dashboards.
- Alert Manager - Group, inhibit and silence alerts. Sends notifications via alertmanager-ntfy.
- External Secrets - Syncs secrets from external providers, avoiding hardcoded credentials.
- Kyverno - Kubernetes-native policies for security and automation.
- Authelia - Provides OIDC and can act as a ForwardAuth proxy. Lighter alternative to Authentik or Keycloak. Tried Pocket ID, but it doesn't offer ForwardAuth.
- LLDAP - Light LDAP backend for Authelia, with a UI for user management.
Even though it's a homelab, I still have a number of cloud dependencies. I pay for the critical ones, and I use several free services that are nice to have. In the future I might self-host some of these. I have recently started to prefer EU-based cloud services.
| Service | Use | Cost | Notes |
|---|---|---|---|
| Cloudflare | Domain | ~€17/yr | |
| Hetzner Storage Box | Remote backup (5TB) | ~€13/mo | |
| Let's Encrypt | Certificates | Free | |
| Doppler | External Secrets | Free | See #199 |
| Tailscale | VPN without port forwarding | Free | |
| GitHub | Hosting of this repository + CI | Free | |
| Simple Mail Service | SMTP | Free | |
| ntfy.sh | Notifications | Free | |
I have been inspired by many other homelab repositories along the way that I've found with kubesearch.dev. If your repo has helped me, I'll have starred it, thanks!