Complete GitOps platform on K3s - Deploy production-ready infrastructure in minutes with enterprise-grade security, monitoring, and automation.
This homelab implements a multi-repository GitOps pattern with separate repos for platform, monitoring, and applications - all orchestrated by ArgoCD using app-of-apps patterns. Perfect for testing new services, container hardening, and DevSecOps practices.
I use these clusters for testing new services and container hardening for DevSecOps, using the platforms listed below.
Instead of one monolithic cluster, I run multiple single-purpose clusters for better isolation, security, and maintainability. The current approach is HA (highly available, fault-tolerant) clusters.
For the Dev and Staging clusters I am looking at single-node clusters so I can quickly bring up and test a new version of the cluster OS (such as Talos or K3D), validate it before migrating, and keep the previous cluster as a fallback.
Cluster | Purpose | Status | Nodes |
---|---|---|---|
Prod | End-user applications (stateless) | 🔄 Planned (OpenShift) | 3 control + 6 workers |
Staging | Application testing & validation | ✅ Running (Talos/Omni) | 2 control + 4 workers |
Data | Databases & persistent storage | 🔄 Planned (K3s) | 2 control + 2 workers |
Dev | Development & container testing | ✅ Running (K3s) | 1 control + 2 workers |
- Blast radius containment - Issues don't affect other environments
- Independent scaling - Right-size each cluster for its workload
- Easy disaster recovery - Rebuild clusters from code, restore data from backups
- Technology diversity - Test different platforms (OpenShift, Talos, K3s)
Philosophy: Cheap, small, upgradeable refurbished business PCs
- HP EliteDesk 800 G5 Mini (Control Planes): i5-6400T, 16GB RAM, 240GB SSD
- HP EliteDesk 800 G2 Mini (Workers): i3-6100T, 8-16GB RAM, 240GB SSD
- Cost: ~$100-150 per node (refurbished)
- Upgrade path: RAM easily expandable for larger workloads
Production Cluster (Planned - OpenShift)
Purpose: Mission-critical applications with enterprise support
- Control Plane: 3x HP EliteDesk 800 G5 Mini (i5-6400T/16GB/240GB)
- Workers: 6x HP EliteDesk 800 G2 Mini (i5-6400T/16GB/240GB)
- Features: HA, automated failover, enterprise monitoring
Staging Cluster (Running - Talos/Omni)
Purpose: Pre-production testing and validation
- Control Plane: 2x HP EliteDesk 800 G5 Mini (i5-6400T/16GB/240GB)
- Workers: 4x HP EliteDesk 800 G2 Mini (i3-6100T/8GB/240GB)
- Features: Immutable OS, declarative configuration
Data Cluster (Planned - K3s)
Purpose: Centralized databases and shared storage
- Control Plane: 2x HP EliteDesk 800 G5 Mini (i5-6400T/16GB/240GB)
- Workers: 2x HP EliteDesk 800 G2 Mini (i3-6100T/8GB/240GB)
- Storage: Synology DS224+ NAS with CSI integration
Dev Cluster (Running - K3s)
Purpose: Development, testing, and experimentation
- Control Plane: 1x HP EliteDesk 800 G5 Mini (i5-6400T/16GB/240GB)
- Workers: 2x HP EliteDesk 800 G2 Mini (i3-6100T/8GB/240GB)
- Features: Lightweight, fast iteration, disposable workloads
Each repo is managed as a separate ArgoCD project using the app-of-apps pattern, which gives full release-cycle management for the production infrastructure.
Repository | Purpose |
---|---|
homelab-gitops | ArgoCD bootstrap + cluster scripts |
homelab-platform | Core infrastructure (Istio, Vault, Keycloak) |
homelab-monitoring | Observability (Prometheus, Grafana, ELK) |
homelab-apps | End-user applications |
- Dependency Control: Platform services deploy before apps that need them
- Team Separation: Different teams can own different repositories
- Independent Releases: Update monitoring without touching applications
- Security Boundaries: Separate access controls per repository type
- Scalability: Add new app repos without touching core infrastructure
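To make the repository split concrete, here is an added example (not taken from the homelab repositories) of what the AppProject and root Application objects for the platform and apps repos could look like. The repo URLs, namespaces and the `argocd/apps` path are placeholder assumptions, and the two root Applications are assumed to be applied by the bootstrap Application in homelab-gitops, which is what gives the sync-wave annotation something to order.

```yaml
# Added example of the multi-repo app-of-apps layout. Not taken from the
# homelab repositories; the repo URLs, namespaces and the argocd/apps
# path are placeholders.

# AppProject for the platform repo: the security boundary for that repo type.
# Only homelab-platform may be a source, only the namespaces the platform
# owns (plus argocd, where the root app writes child Applications) are valid
# destinations, and cluster-scoped resources are allowed only for the kinds
# listed (Istio and Kyverno ship CRDs).
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: platform
  namespace: argocd
spec:
  description: Core infrastructure (Istio, Vault, Keycloak)
  sourceRepos:
    - https://github.com/example/homelab-platform.git   # placeholder URL
  destinations:
    - server: https://kubernetes.default.svc
      namespace: argocd          # child Application objects land here
    - server: https://kubernetes.default.svc
      namespace: istio-system
    - server: https://kubernetes.default.svc
      namespace: vault
    - server: https://kubernetes.default.svc
      namespace: keycloak
  clusterResourceWhitelist:
    - group: apiextensions.k8s.io
      kind: CustomResourceDefinition
    - group: ""
      kind: Namespace
---
# AppProject for the apps repo: tighter still. One repo, the apps namespace
# (plus argocd for the child Applications), and an empty whitelist so an app
# repo can never create CRDs, ClusterRoles or Namespaces.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: apps
  namespace: argocd
spec:
  description: End-user applications
  sourceRepos:
    - https://github.com/example/homelab-apps.git       # placeholder URL
  destinations:
    - server: https://kubernetes.default.svc
      namespace: argocd
    - server: https://kubernetes.default.svc
      namespace: apps
  clusterResourceWhitelist: []   # nothing cluster-scoped from an app repo
---
# Root "app of apps" for the platform repo. The negative sync wave makes the
# bootstrap Application that applies both roots sync this one first, which is
# what enforces "platform services deploy before apps that need them".
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: platform-root
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "-10"
  finalizers:
    - resources-finalizer.argocd.argoproj.io   # cascade-delete child apps
spec:
  project: platform
  source:
    repoURL: https://github.com/example/homelab-platform.git
    targetRevision: main
    path: argocd/apps          # directory of child Application manifests (assumed layout)
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
---
# Root app for the apps repo, default wave 0: the bootstrap app syncs it only
# after platform-root is synced and reported healthy.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: apps-root
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: apps
  source:
    repoURL: https://github.com/example/homelab-apps.git
    targetRevision: main
    path: argocd/apps
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
```

The AppProject is where the "Security Boundaries" bullet becomes enforceable: ArgoCD refuses an Application whose source repo is not in `sourceRepos` or whose destination namespace is not in `destinations`, and the empty cluster-resource whitelist stops an app repo from creating CRDs, ClusterRoles or Namespaces. Two caveats a practitioner should check. Sync waves only order resources inside one parent's sync and wait on health, so confirm that your ArgoCD version assesses the health of `Application` resources (later releases dropped the built-in check and need a custom health check in `argocd-cm`), otherwise apps-root can start before the platform is actually up. And because a root app can write `Application` objects, a commit to that repo can point a child at a different, more permissive AppProject; lock the built-in `default` project down (empty `sourceRepos` and `destinations`) so that escalation path leads nowhere, and review child manifests like any other privileged change.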
Name | Description |
---|---|
K3s | Lightweight Kubernetes - easy to install, half the memory, all in a binary < 100MB |
Cilium | eBPF-based networking, security, and observability |
ArgoCD | Declarative GitOps continuous delivery |
Name | Description |
---|---|
Istio | Service mesh for security, observability, and traffic management |
HashiCorp Vault | Secrets management and PKI |
Keycloak | Identity and access management |
External Secrets | Vault integration for K8s secrets |
Kyverno | Policy engine for security and governance |
Name | Description |
---|---|
Grafana | The open observability platform |
Prometheus | An open-source monitoring system with a dimensional data model, flexible query language, efficient time series database and modern alerting approach |
Elastic Stack | Centralized logging and analytics |
Name | Description |
---|---|
Commafeed | Bloat-free RSS feed reader |
Homepage | My customized portal to my homelab & internet |
n8n | Secure, AI-native workflow automation |
Wallabag | Save articles & posts from the web for storage & reading later |
Linkding | Bookmark manager with tagging and search |
🌟 Future Roadmap
⚙️ Version upgrades
- Use single-node clusters to test version updates of each OS provider (K3s, Talos, CRC, etc.)
🔄 Enhanced Platform
- Cert Manager + Cloudflare: Automated TLS certificate management
- External DNS: Automatic DNS record management for services
- CloudNativePG: PostgreSQL operator for database workloads
📊 Advanced Observability
- Thanos: Long-term metrics storage and global query view
- OpenTelemetry: Distributed tracing across all services
🚀 Production Operations
- Flagger: Automated canary deployments and progressive delivery
- Velero: Comprehensive backup and disaster recovery
- Renovate: Automated dependency updates with testing
🤝 Contributing
Found this helpful? Here's how you can contribute:
- ⭐ Star the repositories if this helped your learning
- 🐛 Report issues or suggest improvements
- 📖 Share your experience - write about your own homelab journey
- 🔀 Fork and adapt for your own needs
💬 Questions? Open an issue or start a discussion in any of the repository links above!