Homelab
A production-grade Kubernetes homelab on Talos Linux, provisioned entirely by Pulumi, with full GitOps via ArgoCD and CDK8s. One command deploys everything — from bare VMs to running apps.
What's Inside
Fully automated, GitOps-driven homelab — from bare metal to running apps
Talos Linux
Immutable, API-driven OS. No SSH, no shell, fully declarative. Provisioned by Pulumi on Proxmox with per-role machine configs.
Pulumi IaC (Go)
Infrastructure as typed Go code. Proxmox VMs, Talos cluster, Cilium, ArgoCD, Hetzner VPS, Cloudflare DNS — all in one codebase.
ArgoCD GitOps
CDK8s synthesizes manifests to a branch; ArgoCD ApplicationSet detects every new directory and syncs automatically. Zero manual kubectl.
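An ApplicationSet of the shape this card describes, added here as an example rather than the project's own manifest, with the AppProject a practitioner would pair it with, since an automated, self-healing sync turns write access to the synthesized branch into deploy rights on the whole cluster. The repository URL, the `synth` branch name and the `homelab` project name are placeholder assumptions.

```yaml
# Added example, not the project's own manifest. Placeholders (assumptions):
# the repo URL, the "synth" branch CDK8s writes to, and the "homelab" project.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: homelab
  namespace: argocd
spec:
  # Only the synthesized-manifests repo may be a source, only this cluster a target.
  sourceRepos:
    - https://github.com/example/homelab.git
  destinations:
    - server: https://kubernetes.default.svc
      namespace: '*'
  # Namespace is the only cluster-scoped kind allowed; an app that needs
  # CRDs or ClusterRoles must be granted them here explicitly.
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: homelab-apps
  namespace: argocd
spec:
  generators:
    - git:
        repoURL: https://github.com/example/homelab.git
        revision: synth              # branch CDK8s synthesizes manifests into
        directories:
          - path: '*'                # every top-level directory becomes an Application
  template:
    metadata:
      name: '{{path.basename}}'
    spec:
      project: homelab               # scoped project instead of "default"
      source:
        repoURL: https://github.com/example/homelab.git
        targetRevision: synth
        path: '{{path}}'
      destination:
        server: https://kubernetes.default.svc
        namespace: '{{path.basename}}'
      syncPolicy:
        automated:
          prune: true                # remove resources deleted from the branch
          selfHeal: true             # revert drift introduced outside git
        syncOptions:
          - CreateNamespace=true
```

The `default` AppProject allows any source repo and any destination, so the scoped project above is what keeps a compromised CI token or a stray push from deploying arbitrary manifests anywhere.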
Bifrost Edge Layer
Hetzner VPS running Traefik v3.3, NetBird v0.66, and Authentik. Fully bootstrapped by a single Pulumi command — no manual SSH steps.
Two-Tier Secrets
Bootstrap secrets encrypted with SOPS/age, committed safely to git. Runtime secrets managed by OpenBao + Secrets Store CSI Driver — never written to manifests.
GPU Workloads
NVIDIA RTX 5070 Ti with PCIe passthrough and time-slicing. Ollama for LLM inference, ComfyUI for Stable Diffusion / Flux image generation.
Full Observability
VictoriaMetrics + VictoriaLogs + Grafana + OpenTelemetry collector on every node. Falco eBPF syscall monitoring. Trivy vulnerability scanning.
Storage
Longhorn provides distributed block storage, with RWX (ReadWriteMany) volumes served through its NFS share-manager so a replacement pod can attach a volume while the old pod still holds it. This eliminates the rolling-update deadlocks that RWO volumes cause on stateful apps.
Security
Falco provides runtime syscall monitoring via eBPF with alerts flowing through OpenTelemetry to VictoriaLogs. Trivy scans container images for vulnerabilities on every workload change.
Zero-Touch Bootstrap
bootstrap.sh starts all services in order, waits for health checks, auto-provisions the NetBird IDP token via Authentik Django ORM, and substitutes secrets in config — all from one Pulumi deploy.