A production-grade, self-hosted Kubernetes homelab powered by k3s and FluxCD, running declarative infrastructure with secrets management, monitoring, and a curated suite of personal apps.
⚙️ Built for reliability, automation, and modular GitOps workflows.
| Layer | Tooling |
|---|---|
| Kubernetes | k3s |
| GitOps | FluxCD |
| Secrets Mgmt | HashiCorp Vault + ESO |
| Networking | Cloudflared + Traefik (in-built) |
| Monitoring | kube-prometheus-stack |
| App Packaging | Helm, Kustomize |
| OS Environment | Ubuntu 24.04.2 LTS on Lenovo Legion Y540 |
```
.
├── apps/            # Application manifests (base/lab overlays)
├── cluster/         # Cluster-level definitions, Flux bootstrap
├── docs/            # Documentation site (MkDocs)
├── infrastructure/  # Infrastructure components (Vault, ESO, Cloudflared)
├── monitoring/      # Monitoring stack (Prometheus, Grafana)
├── mkdocs.yml       # MkDocs config for documentation site
└── README.md
```
✅ `base/` holds reusable blueprints. 🧪 `lab/` contains environment-specific overlays.
| App | Purpose |
|---|---|
| Homepage | Custom home dashboard |
| Linkding | Bookmark manager |
| Mealie | Recipe management |
| Vault | Secrets management backend |
| ESO | Sync Vault secrets to K8s |
| Cloudflared | Secure tunneling to cluster |
| Prometheus + Grafana | Monitoring + Dashboards |
All apps are declaratively managed using Helm & Kustomize via FluxCD.
Secrets are managed using:
- HashiCorp Vault (deployed in-cluster)
- External Secrets Operator (ESO) using the Kubernetes auth method

Cloudflared tunnels expose apps securely without port forwarding or public IPs.
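What the Vault + ESO pairing with the Kubernetes auth method looks like as manifests, shown as an added example rather than this repository's own files. Every name, namespace, Vault path, role and the Vault Service address below is an assumption chosen for illustration.

```yaml
# Added example: names, namespaces, paths and the Vault role are hypothetical.
# apiVersion depends on the installed ESO release (v1beta1 shown; newer releases serve v1).
apiVersion: external-secrets.io/v1beta1
kind: SecretStore              # namespaced store: only this namespace can use it
metadata:
  name: vault-backend
  namespace: linkding
spec:
  provider:
    vault:
      # Assumed in-cluster Service address; use https plus caBundle if Vault serves TLS.
      server: "http://vault.vault.svc.cluster.local:8200"
      path: "secret"           # assumed KV mount
      version: "v2"            # KV version 2
      auth:
        kubernetes:
          mountPath: "kubernetes"      # Vault auth mount for the Kubernetes method
          role: "eso-linkding"         # Vault role bound to the ServiceAccount and namespace below
          serviceAccountRef:
            name: "eso-vault-auth"     # its token is what ESO presents to Vault
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: linkding-credentials
  namespace: linkding
spec:
  refreshInterval: 1h          # how often ESO re-reads Vault, which bounds rotation lag
  secretStoreRef:
    name: vault-backend
    kind: SecretStore
  target:
    name: linkding-credentials # Kubernetes Secret that ESO creates and owns
    creationPolicy: Owner
  data:
    - secretKey: superuser-password    # key in the resulting Kubernetes Secret
      remoteRef:
        key: linkding                  # path under the KV mount
        property: superuser-password   # field inside that Vault secret
```

Binding each Vault role to a single ServiceAccount and namespace, with a policy limited to that app's path, keeps a compromised workload from reading other apps' secrets. Only these references live in Git, never the secret values.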
This homelab follows a pure GitOps model:
- All manifests are committed to Git
- FluxCD watches the repo and applies changes
- Secrets are synced via ESO from Vault
- Each component is modular, reusable, and declaratively configured
| Spec | Value |
|---|---|
| OS | Ubuntu 24.04.2 LTS |
| Machine | Lenovo Legion Y540 (i5-9300H) |
| Memory | 16 GB |
| GPU | NVIDIA GTX 1650 Mobile |
| Cluster | Bare-metal, single-node (k3s) |
This setup is built for:
- Learning Kubernetes, GitOps, and security best practices
- Running production-grade self-hosted tools
- Keeping everything declarative, minimal, and portable
Inspired by the principles of GitOps, Platform Engineering, and Zero Trust Access.
MIT - feel free to fork, clone, and adapt for your own lab!