Iac

GitOps-driven Infrastructure as Code for my homelab

<div align="center">

iac (wip)

This is my homelab infrastructure, defined in code.

</div>
<div align="center">

| Hypervisor | OS | Tools | Networking | Misc. Automations |
| --- | --- | --- | --- | --- |
| Proxmox | Talos, Ubuntu, Arch, NixOS | Docker, Kubernetes, Renovate, OpenTofu, Packer, Ansible, Flux | Unifi | n8n, GitHub Actions |

</div>

📖 Overview

This repository contains the IaC (Infrastructure as Code) configuration for my homelab.

My homelab runs two infrastructure stacks: Kubernetes nodes provisioned with Talos Linux, and Proxmox VMs running Docker. All VMs are cloned from templates I built with Packer, and the Kubernetes nodes are defined entirely as code through Talos. I have been migrating my Ubuntu VMs over to NixOS (see my Nix config here); going forward, all VMs will be NixOS.

Everything is containerized, either managed with Docker Compose or orchestrated through Kubernetes. My long-term goal is to move it all to Kubernetes using GitOps practices, and the migration is ongoing. Docker Compose sticks around mainly because of hardware limitations; scaling a homelab Kubernetes cluster means buying a lot of hardware.

Infrastructure updates are automated with GitHub Actions: workflows trigger on changes to this repo and roll them out across the homelab:

  • Flux manages Continuous Deployment (CD) for Kubernetes, deployed via Flux Operator.
  • Docker CD Workflow handles Continuous Deployment for Docker services.
  • Renovate keeps services updated by opening PRs for new versions.
  • Ansible is used to execute playbooks on all of my VMs, automating management and configuration.

🔒 Security & Networking

For Secret management I use Bitwarden Secrets and their various integrations into the tools used.

Kubernetes pulls its secrets through the External Secrets Operator's Bitwarden Secrets Manager provider, not Bitwarden's official operator. The BWS access key that bootstraps it is committed to the repo SOPS-encrypted.

GitLeaks makes sure before every commit no secrets are exposed, GitGuardian makes sure to alert me if something slips through GitLeaks.
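GitLeaks catches strings that look like credentials, but it does not know which files are supposed to be SOPS-encrypted. The check below is an added example (mine, not part of this repo) of a pre-commit gate that covers the gap: it takes Kubernetes Secret manifests and fails if any value under data:/stringData: is not in the ENC[...] form SOPS writes, or if the sops: metadata block (and its encrypted mac) is missing. The two sample manifests are constructed for the example; the recipient, ciphertext and token values in them are placeholders, not real material.

```python
import re
import sys

# Value format SOPS writes for an encrypted scalar:
# ENC[AES256_GCM,data:<b64>,iv:<b64>,tag:<b64>,type:str]
ENC_RE = re.compile(
    r"^ENC\[AES256_GCM,data:[A-Za-z0-9+/=]+,iv:[A-Za-z0-9+/=]+,"
    r"tag:[A-Za-z0-9+/=]+,type:[a-z]+\]$"
)
SECRET_BLOCKS = ("data", "stringData")


def check_secret_manifest(text):
    """Return a list of findings for one Kubernetes Secret manifest.

    A clean SOPS-encrypted Secret has every value under data:/stringData:
    in ENC[...] form and a top-level sops: block whose mac: is itself
    encrypted. The walk is deliberately line-based (no YAML dependency);
    it only needs the flat key/value shape sops produces for Secrets.
    """
    findings = []
    section = None            # current top-level key: data, stringData, sops, ...
    has_sops = has_mac = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#") or stripped == "---":
            continue
        if not raw[0].isspace():                      # top-level key
            section = stripped.split(":", 1)[0]
            if section == "sops":
                has_sops = True
            continue
        key, _, value = stripped.partition(":")
        value = value.strip().strip("\"'")
        if section in SECRET_BLOCKS:
            if not ENC_RE.match(value):
                findings.append(f"line {lineno}: {section}.{key} is plaintext")
        elif section == "sops" and key == "mac":
            has_mac = bool(ENC_RE.match(value))
    if not has_sops:
        findings.append("no sops: metadata block; file was never encrypted")
    elif not has_mac:
        findings.append("sops.mac missing or not encrypted; metadata may be tampered")
    return findings


def check_files(paths):
    """Pre-commit entry point: {path: findings} for every file with problems."""
    bad = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            findings = check_secret_manifest(fh.read())
        if findings:
            bad[path] = findings
    return bad


# Constructed sample: what a committed BWS access token Secret should look like.
ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
    name: bitwarden-access-token
    namespace: external-secrets
stringData:
    token: ENC[AES256_GCM,data:Zm9vYmFy,iv:aXZpdml2,tag:dGFndGFn,type:str]
sops:
    age:
        - recipient: age1examplerecipientplaceholder0000000000000000000000000000000
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            ZXhhbXBsZQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-01-01T00:00:00Z"
    mac: ENC[AES256_GCM,data:bWFj,iv:aXY=,tag:dGFn,type:str]
    encrypted_regex: ^(data|stringData)$
    version: 3.8.1
"""

# Constructed sample: the same Secret someone forgot to run through sops.
PLAINTEXT = """\
apiVersion: v1
kind: Secret
metadata:
    name: bitwarden-access-token
stringData:
    token: dummy-plaintext-token-for-the-example
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # pre-commit passes the staged files
        problems = check_files(sys.argv[1:])
        for path, findings in problems.items():
            print(path, *findings, sep="\n  ")
        sys.exit(1 if problems else 0)
    print("encrypted sample:", check_secret_manifest(ENCRYPTED))
    print("plaintext sample:", check_secret_manifest(PLAINTEXT))
```

Wire it into `.pre-commit-config.yaml` as a local hook restricted to the paths where encrypted Secrets live (for example `files: \.sops\.ya?ml$`), so it runs beside GitLeaks on every commit; running it against a file that sops has not touched fails on both the plaintext values and the missing metadata.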

Every container image is scanned by Trivy, and detected vulnerabilities are published to GitHub Security.

I use RackNerd for their very reasonably priced VPSes and deploy the Docker services that require uptime there. Tailscale connects my home network to those VPSes over a WireGuard mesh with identity-based access control (zero trust rather than a flat site-to-site VPN).

I use Cloudflare as my DNS provider, with Cloudflare Tunnels to expose some services to the world. Cloudflare Access provides zero-trust authentication in front of the public websites. This is paired with Fail2Ban reading all of my reverse proxy logs for malicious actors who made it through Access and banning them at the Cloudflare WAF (a ban on the local host firewall would be useless, since all tunnel traffic arrives from the connector's address rather than the client's).
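The detail that bites when putting fail2ban behind a tunnel is which address you count against: the proxy's peer address is the tunnel connector, so a jail keyed on it would, on reaching maxretry, ban every visitor at once. The block below is an added example (my code, not this repo's fail2ban or Cloudflare configuration) of the same sliding-window logic fail2ban applies, run over constructed Caddy-style JSON access-log lines, keyed on the Cf-Connecting-Ip header with the peer address as a fallback for LAN clients. It also builds, without sending, the Cloudflare IP Access Rule request that does the WAF-side ban; the endpoint path and body shape are from Cloudflare's IP Access Rules API as I know it and should be checked against the current docs before use.

```python
import json
from collections import defaultdict


def _line(ts, status, cf_ip=None, remote_ip="127.0.0.1", uri="/admin"):
    """Build one constructed Caddy-style JSON access-log line (not real traffic)."""
    headers = {"Cf-Connecting-Ip": [cf_ip]} if cf_ip else {}
    return json.dumps({"ts": ts, "status": status,
                       "request": {"remote_ip": remote_ip, "uri": uri, "headers": headers}})


# Constructed sample log. Everything that came through the tunnel has the
# connector's address (127.0.0.1 here) as remote_ip; the real client is only
# in Cf-Connecting-Ip. 203.0.113.7 hammers /admin, 198.51.100.20 fumbles once,
# 10.0.0.5 is a LAN client that never touched Cloudflare.
SAMPLE_LOG = "\n".join([
    _line(1700000000.0, 403, "203.0.113.7"),
    _line(1700000005.0, 403, "203.0.113.7"),
    _line(1700000010.0, 403, "203.0.113.7"),
    _line(1700000015.0, 403, "203.0.113.7"),
    _line(1700000020.0, 401, "203.0.113.7"),
    _line(1700000025.0, 403, "203.0.113.7"),
    _line(1700000030.0, 403, "198.51.100.20"),
    _line(1700000035.0, 200, "198.51.100.20", uri="/"),
    _line(1700000040.0, 403, remote_ip="10.0.0.5"),
    _line(1700001500.0, 403, "203.0.113.7"),      # long after findtime expired
])


def client_ip(entry):
    """Real client address: Cf-Connecting-Ip if Cloudflare set it, else the peer."""
    req = entry.get("request", {})
    cf = req.get("headers", {}).get("Cf-Connecting-Ip")
    return cf[0] if cf else req.get("remote_ip", "")


def peer_ip(entry):
    """The naive key: the socket peer, i.e. the tunnel connector for proxied traffic."""
    return entry.get("request", {}).get("remote_ip", "")


def find_offenders(log_text, key=client_ip, maxretry=5, findtime=600, statuses=(401, 403)):
    """fail2ban-style sliding window over denied responses.

    An address is banned once it produces `maxretry` responses with a status in
    `statuses` inside any `findtime`-second window. Returns {ip: hits in the
    window when the ban fired}; hits that fall out of the window are dropped.
    """
    recent = defaultdict(list)
    banned = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("status") not in statuses:
            continue
        ip, ts = key(entry), float(entry["ts"])
        window = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        recent[ip] = window
        if len(window) >= maxretry:
            banned[ip] = max(banned.get(ip, 0), len(window))
    return banned


# Assumed endpoint (verify against Cloudflare's IP Access Rules documentation).
CF_ACCESS_RULES_PATH = "/client/v4/accounts/{account_id}/firewall/access_rules/rules"


def cloudflare_block_request(account_id, ip, note="fail2ban"):
    """Describe (but do not send) the POST that creates a 'block' IP Access Rule.

    IPv6 addresses use the 'ip6' target; a real action would send this with an
    API token scoped to account firewall access rules only.
    """
    target = "ip6" if ":" in ip else "ip"
    return {
        "method": "POST",
        "path": CF_ACCESS_RULES_PATH.format(account_id=account_id),
        "body": {"mode": "block", "notes": note,
                 "configuration": {"target": target, "value": ip}},
    }


if __name__ == "__main__":
    print("keyed on Cf-Connecting-Ip:", find_offenders(SAMPLE_LOG))
    print("keyed on peer address:    ", find_offenders(SAMPLE_LOG, key=peer_ip))
    for ip in find_offenders(SAMPLE_LOG):
        print(json.dumps(cloudflare_block_request("ACCOUNT_ID", ip), indent=2))
```

Run stand-alone, the two keyings make the point: the header-keyed jail bans only 203.0.113.7, while the peer-keyed one would ban 127.0.0.1, the tunnel connector, which is every visitor. In a real fail2ban filter this translates to a regex whose `<HOST>` group matches the Cf-Connecting-Ip field rather than remote_ip, and to a Cloudflare action rather than an iptables one.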

I also utilize Unifi's IDS/IPS for intrusion detection on my home network, and use Wazuh as a SIEM to monitor and generate security ale
