Homelab

Production-Grade Kubernetes at Home

Welcome to the technical documentation for a modern homelab platform that demonstrates enterprise-grade platform engineering practices on minimal hardware. This environment showcases how to build, secure, and operate a resilient Kubernetes cluster optimized for 24/7 operation with minimal energy consumption.

Platform Overview

This homelab is a production-ready, security-hardened Kubernetes platform running on ARM hardware with:

5-node distributed cluster (Raspberry Pi Compute Module 5)
28-40W total power consumption - always-on with minimal environmental impact
GitOps-driven automation - zero manual configuration steps
Enterprise security - OIDC authentication, network segmentation, hardened containers
Complete observability - metrics, logging, and alerting

Design Principles

This platform embodies key platform engineering principles:

Infrastructure as Code - Every component from bare metal to applications is declaratively defined
GitOps-First - All changes flow through Git with automated validation and deployment
Security by Default - Hardened configurations, least privilege, defense in depth
Deterministic Operations - Reproducible deployments with zero manual configuration
Complete Observability - Comprehensive metrics, logs, audit trails, and alerts
Modular Architecture - Loosely coupled components with clear boundaries
Energy Efficiency - Optimized for 24/7 operation with minimal power consumption

Architecture at a Glance

Use Cases

This homelab serves multiple purposes:

Learning Platform - Hands-on experience with enterprise platform engineering
Development Environment - Always-available infrastructure for pet projects
CI/CD Pipeline - Automated testing and deployment for personal projects
Data Analytics - PostgreSQL databases with Metabase visualization
Experimentation - Safe environment to test new technologies
Portfolio Showcase - Demonstrate platform engineering expertise

Repository Structure


homelab/
├── .github/                       # Repository metadata and automation hooks
│   ├── template-workflows/        # Shared workflow definitions consumed by multiple repos
│   └── workflows/                 # Active CI pipelines for linting, docs, and release guardrails
├── actions/                       # Gitea/GitHub composite actions for CI/CD + GitOps
│   ├── add-composite-ingress-host/ # Generate ingress host records for composite environments
│   ├── add-partial-ingress/       # PR helper to wire PartialIngress resources into CI namespaces
│   ├── cleanup-ci-environment/    # Tear down ephemeral namespaces and workloads automatically
│   ├── commit-manifests/          # Commit rendered manifests back into the manifests repo
│   ├── generate-ci-manifests/     # Render manifests tailored to CI namespaces and inputs
│   ├── generate-manifests/        # Generic helmfile/helm renderer used by multiple pipelines
│   ├── push-manifests/            # Push rendered artifacts to the manifests repository mirror
│   └── review-manifests/          # Create review summaries and status checks for generated YAML
├── app/
│   └── helm/                      # Example application Helm charts & manifests
│       └── example-microservice/  # Reference microservice chart illustrating best practices
├── designs/                       # Architecture decision records and deep dives
├── docs/                          # Next.js documentation site (this site)
├── platform/
│   └── helmfile/                  # Day 1 platform services (ArgoCD, Gitea, observability stack)
│       ├── argocd/                # GitOps controller configuration and Dex/OIDC wiring
│       ├── cnpg-system/           # CloudNativePG operator for PostgreSQL automation
│       ├── gitea/                 # Internal Git service plus actions runner bootstrap
│       ├── metabase/              # Analytics stack with CNPG auto-discovery operator
│       ├── partial-ingress/       # Custom operator enabling partial environment deployments
│       └── victoria-metrics/      # Metrics, Grafana, alerting, and notification stack
├── system/
│   ├── ansible/                   # Day 0 automation (bootstrap, hardening, maintenance)
│   │   ├── apt-update/            # Automated unattended-apt configuration for CM5 nodes
│   │   ├── fix-flash-kernel/      # Ensures Pi blades boot reliably after kernel updates
│   │   ├── install-k3s/           # Secure K3s installation with Cilium, audit logs, and OIDC
│   │   ├── install-restrictive-proxy/ # MikroTik HTTP proxy with tight path whitelisting
│   │   ├── install-security-audit/ # Deploys daily CIS-style audit scripts to every node
│   │   ├── partition-nvme-drives/  # Declarative NVMe partitioning for etcd and local-path
│   │   └── setup-ssh-keys/        # Distributes management SSH keys across the fleet
│   └── helmfile/                  # Core infrastructure (networking, ingress, security, RBAC)
│       ├── cert-manager/          # ACME issuers, internal CA, certificate policies
│       ├── external-dns/          # DNS automation against MikroTik and Cloudflare providers
│       ├── external-tunnel/       # Cloudflare Tunnel exposure for external ingress endpoints
│       ├── ingress-nginx/         # Internal ingress controller with ModSecurity and WAF
│       ├── metallb-system/        # Layer-2 load balancer IP pool configuration
│       ├── rbac-system/           # Unified RBAC operator, User CRDs, and policy sync
│       └── secrets-system/        # External Secrets + DerivedSecrets operators and master secret
├── integrations.yaml.template     # External integration secrets template
├── users.yaml.template            # Sample RBAC user catalog
└── README.md                      # Project overview and quick start

Getting Started

Ready to explore or deploy this platform?

Understand the Design - Start with Introduction to understand the design decisions and architecture
Plan Your Infrastructure - Review Infrastructure Planning for hardware requirements
Deploy - Follow the Deployment Guide step-by-step
Operate - Learn maintenance and monitoring in Operations

Community & Collaboration

This homelab is designed to be:

Educational - Learn modern platform engineering practices
Reproducible - Fork and adapt for your own infrastructure
Open - All code available at GitHub/zengarden-space/homelab

For collaboration:

VPN Access: Available for approved contributors
Internal Git: gitea.homelab.int.zengarden.space
Internal ArgoCD: argocd.homelab.int.zengarden.space

This documentation showcases production-grade platform engineering principles applied to a cost-effective, energy-efficient homelab environment. Built by Oleksii Pylypenko as a learning platform.