H8s (Homernetes)

H8s is a home infrastructure project that combines the power of Kubernetes with the security-first approach of Talos OS.
This project provides a my setup, designed specifically for home labs and personal cloud environments.

This cluster uses 2 N100 CPU-based mini PCs, both retrofitted with 32GB of RAM and 1TB of NVME SSDs. They are happily tucked away under my TV :).

Motivations

Doing a homelab Kubernetes cluster has been a source of a lot of joy for me personally. I got these mini PCs as I wanted to learn as much as possible when it came to:

Best DevOps and SWE practices.
Sharpen my Kubernetes skills (at work I heavily use Kubernetes).
Bring some of the stack back back within my control.
Self-host things that I find useful.

Most importantly: I find it fun! It keeps me excited and hungry at work and on my other personal projects.

Features

Automated Bootstrap - 8-stage fully declaritive pipeline for complete cluster provisioning from bare metal in under 10 mins.
Container registry.
Home-wide ad blocker and DNS.
Internal certificate authority.
Routing to private services only accessible at home.
Secrets management.
Metric and log observability.
Full CI/CD capabilities.
Internet access to services via Cloudflare. Give these a try:
- Excalidraw
- Grafana
- Harbor, you can pull from the main project here.
Postgres databases for internal services like Terraform and Harbor.
Full network encryption, observability, IPAM, kube-proxy replacement and L2 annoucements with Cilium.

Repo Structure

├── applications
│   ├── excalidraw                  | Self-hosted Excalidraw.
│   └── searxng                     | Privacy-focused metasearch engine.
├── ci-cd
│   ├── argo-workflows              | CI/CD pipelines (WIP).
│   ├── argocd                      | GitOps CD for Kubernetes resources.
│   └── renovate                    | Automated dependency updates.
├── images
│   ├── coredns
│   ├── terraform
│   └── image-buildah
├── infrastructure                  | Complete bootstrapping of the cluster with Proxmox and Talos + platform configuration.
├── namespaces                      | Holds all namespaces for the cluster.
├── networking
│   ├── cert-manager                | Certificate controller for the self-hosted certificate authority.
│   ├── cilium                      | The cluster's eBPF CNI.
│   ├── cloudflared                 | Allows Cloudflare to ingress internet traffic in.
│   ├── coredns                     | Home-wide DNS services and ad-blocking.
│   └── gateways                    | Ingress and networking routing management.
├── observability
│   ├── grafana                     | Metrics and log observability.
│   ├── loki                        | Log collection.
│   ├── prometheus                  | Metrics collection.
│   └── promtail                    | Log collection and shipping agent.
├── security
│   ├── cosign                      | Secrets to sign containers and binaries going to Harbor.
│   ├── external-secrets-operator   | Takes secrets hosted internally with Vault and manages them inside the cluster.
│   ├── keycloak                    | (WIP) Cluster SSO.
│   └── vault                       | Secrets storage and certificate authority.
└── storage
    ├── cloudnative-pg              | PostrgreSQL database management for various Applications.
    ├── harbor                      | Container and binary registry.
    └── longhorn                    | Cluster CSI.

Getting Started

CLI Tools

This repo uses Nix Flakes to install all dependencies to run all commands and scripts. To get started:

Enable experimental-features. Read the Nix Flakes wiki for more information.
Run the following to drop into a shell with all dependencies:

nix shell

Taskfile

The Taskfile.yaml is used for useful commands orchestration. To get a list of available functionality, within any directory of this repo run:

task

okwilkins/h8s