Myrenic/Orbit

Homelab - Orbit


Repository for managing a Kubernetes cluster through GitOps workflows.

Powered by Proxmox VE, Terraform, Talos, Argo CD, and Sealed Secrets. Kept up to date with Renovate. Includes a healthy dose of automation and the occasional 3-letter commit message.


📖 Overview

This repository hosts the IaC (Infrastructure as Code) configuration for my homelab.

The homelab runs on Proxmox VE hypervisor nodes, with VMs provisioned using Terraform.

  • helios: a Talos Kubernetes cluster (control plane + workers)
  • atlas: an Ubuntu VM used as a file server for media storage and Longhorn backups

All cluster workloads are managed via GitOps with Argo CD and an ApplicationSet that auto-syncs from this repository. Secrets are encrypted in-repo using Sealed Secrets.

🚀 Getting Started

  1. Create Terraform variables in terraform/helios (and optionally terraform/atlas). Use the provided .example files as a reference.

  2. Deploy the Talos cluster using Terraform:

         cd terraform/helios
         terraform init
         terraform apply

  3. Bootstrap the cluster (creates namespaces, restores sealed-secret keys, installs ArgoCD and ArgoCD-Apps):

         .\scripts\new-Cluster.ps1

     ArgoCD will automatically sync all remaining applications from the repository. Retrieve the initial admin password with:

         .\scripts\get-ArgoPassword.ps1

  4. Create a sealed value for a specific secret key:

         .\scripts\new-SealedSecret.ps1 -password <value> -namespace <ns> -secretName <name> -key <secretKey>

  5. Edit a SealedSecret file using your default editor (sops-like flow):

         .\scripts\edit-SealedSecret.ps1 -FilePath <path-to-sealed-secret.yaml>

     This decrypts the file to a temporary manifest, opens it in $VISUAL/$EDITOR (falling back to vi), and reseals it back to the original file when the editor exits. The script preserves the secret's name, namespace, and scope (strict, namespace-wide, or cluster-wide) from the existing manifest, so the resealed value stays bound exactly as it was before.

  6. Back up the Sealed Secrets keys:

         .\scripts\backup-SealedSecret.ps1

  7. Configure Velero Azure credentials: create a velero-credentials secret in the velero namespace with a cloud key that includes your Azure subscription ID, then update kubernetes/velero/velero/values.yaml with your Azure storage account and resource group.

  8. Restore Velero backups during onboarding (optional):

         .\scripts\new-Cluster.ps1 -RestoreVelero -VeleroSchedule daily
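The edit round-trip described in the SealedSecret editing step, as an added example that is not the repository's own edit-SealedSecret.ps1: it reads the scope annotation off the existing SealedSecret, unseals with a backed-up private key, opens the editor, and only overwrites the file once the resealed output is a real SealedSecret with no plaintext left in it. The key-backup and certificate paths, the parameter names, and the assumption that $VISUAL/$EDITOR is a single executable are mine, not something the repository defines.

```powershell
# Added example, not the repository's own edit-SealedSecret.ps1.
# Assumes: kubeseal on PATH, the cluster's sealing public cert, and the private-key
# backup (the Secret YAML exported by a key backup). Both default paths are assumptions.
param(
    [Parameter(Mandatory)][string]$FilePath,
    [string]$PrivateKeyBackup = "$HOME\.sealed-secrets\master-key.yaml",
    [string]$PublicCert       = "$HOME\.sealed-secrets\pub-cert.pem"
)
$ErrorActionPreference = 'Stop'

# 1. Derive the scope from the annotations already on the SealedSecret.
#    No annotation means strict: the ciphertext is bound to this name and namespace,
#    and a resealed value must keep that binding or the controller will refuse to unseal it.
$original = Get-Content -Raw -Path $FilePath
$scope = 'strict'
if     ($original -match 'sealedsecrets\.bitnami\.com/cluster-wide:\s*"?true"?')   { $scope = 'cluster-wide' }
elseif ($original -match 'sealedsecrets\.bitnami\.com/namespace-wide:\s*"?true"?') { $scope = 'namespace-wide' }

# 2. Unseal into a temporary manifest using the backed-up private key.
#    The plaintext never touches the repository; it lives only in $tmp.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) ("sealed-edit-" + [guid]::NewGuid() + ".yaml")
try {
    $original | kubeseal --recovery-unseal --recovery-private-key $PrivateKeyBackup --format yaml |
        Set-Content -Path $tmp
    if ($LASTEXITCODE -ne 0) { throw "kubeseal --recovery-unseal failed for $FilePath" }

    # 3. Open the plaintext in $VISUAL, then $EDITOR, then vi (assumed to be a single executable).
    $editor = $env:VISUAL
    if (-not $editor) { $editor = $env:EDITOR }
    if (-not $editor) { $editor = 'vi' }
    & $editor $tmp

    # 4. Reseal with the same scope. Name and namespace come from the edited manifest itself.
    $resealed = Get-Content -Raw -Path $tmp | kubeseal --cert $PublicCert --format yaml --scope $scope
    if ($LASTEXITCODE -ne 0) { throw 'kubeseal failed; original SealedSecret left untouched' }
    $text = ($resealed -join "`n")

    # 5. Refuse to overwrite unless the output really is a SealedSecret and carries no
    #    top-level data/stringData, which is what a still-decrypted Secret would contain.
    if ($text -notmatch '(?m)^kind:\s*SealedSecret') { throw 'output is not a SealedSecret' }
    if ($text -match '(?m)^(data|stringData):')      { throw 'plaintext Secret fields found in output' }
    Set-Content -Path $FilePath -Value $text
}
finally {
    # Always remove the plaintext, even if the editor or kubeseal failed.
    if (Test-Path $tmp) { Remove-Item -Path $tmp -Force }
}
```

Passing `--scope` explicitly rather than relying on annotations surviving the unseal step is deliberate: if the scope silently widened to cluster-wide, the ciphertext could be unsealed under any name in any namespace, and if it silently narrowed, the controller would reject it after the commit landed.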
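The Velero credentials step above, as an added example that is not part of the repository: it builds the cloud file Velero's Azure plugin reads, seals it for the velero namespace with strict scope, and checks that no plaintext survives before anything is written under kubernetes/. The cert path and output path are my assumptions; the variable names besides the subscription ID the README mentions are the Velero Azure plugin's documented credentials keys, and every value is a placeholder.

```powershell
# Added example, not the repository's own script. Assumes kubectl and kubeseal on PATH
# and the cluster's sealing public cert at the path below (an assumed location).
$ErrorActionPreference = 'Stop'
$PublicCert = "$HOME\.sealed-secrets\pub-cert.pem"                               # assumed
$OutFile    = "kubernetes\velero\velero\velero-credentials.sealedsecret.yaml"  # assumed

# Contents of the 'cloud' key, in the format the Velero Azure plugin expects.
# All values are placeholders; fill them from your own subscription.
$cloud = @"
AZURE_SUBSCRIPTION_ID=<subscription-id>
AZURE_TENANT_ID=<tenant-id>
AZURE_CLIENT_ID=<client-id>
AZURE_CLIENT_SECRET=<client-secret>
AZURE_RESOURCE_GROUP=<resource-group>
AZURE_CLOUD_NAME=AzurePublicCloud
"@

$cloudFile = New-TemporaryFile
try {
    Set-Content -Path $cloudFile -Value $cloud -NoNewline

    # Build the plain Secret client-side only (--dry-run=client never talks to the API server),
    # then seal it. Strict scope ties the ciphertext to name "velero-credentials" in "velero".
    $sealed = kubectl create secret generic velero-credentials --namespace velero `
                  "--from-file=cloud=$cloudFile" --dry-run=client -o yaml |
              kubeseal --cert $PublicCert --format yaml --scope strict
    if ($LASTEXITCODE -ne 0) { throw 'kubeseal failed; nothing written' }
    $text = ($sealed -join "`n")

    # Sanity checks before the file can ever reach a commit.
    if ($text -notmatch '(?m)^kind:\s*SealedSecret')    { throw 'output is not a SealedSecret' }
    if ($text -notmatch '(?m)^\s*namespace:\s*velero')  { throw 'unexpected namespace in output' }
    if ($text -match 'AZURE_CLIENT_SECRET')             { throw 'plaintext credential found in output' }
    Set-Content -Path $OutFile -Value $text
}
finally {
    # The plaintext cloud file is removed whether or not sealing succeeded.
    Remove-Item -Path $cloudFile -Force -ErrorAction SilentlyContinue
}
```

After Argo CD syncs the resulting SealedSecret, the controller recreates the velero-credentials Secret in-cluster; the storage account and resource group still go into values.yaml as the README says, since only the credentials belong in the sealed object.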

Apps

Services

End-user facing applications

| Name | Description |
| --- | --- |
| Hello-World | Example and template application for the repository. |
| Home Assistant | Open-source home automation platform (proxied via nginx). |
| Memos | Lightweight, self-hosted note-taking service. |
| AIOStreams | All-in-one Stremio addon aggregator and proxy. |
| Nexus3 | Universal artifact repository manager. |
| Obsidian Sync | Self-hosted sync backend for Obsidian (proxied via nginx). |
| RoomCtrlScraper | Custom service to scrape and manage room control data. |

Network

Ingress, DNS, and identity services

| Name | Description |
| --- | --- |
| authentik | Identity provider enabling single sign-on (SSO) and centralized user management. |
| Cert Manager | Manages TLS certificates for secure communication within Kubernetes. |
| MetalLB | Load-balancer implementation for bare metal Kubernetes clusters. |
| Traefik | Cloud-native reverse proxy and ingress controller for Kubernetes. |
| Traefik CRDs | Custom Resource Definitions required by Traefik. |

Storage

Persistent storage services

| Name | Description |
| --- | --- |
| Longhorn | Cloud-native distributed block storage for Kubernetes. |
| Velero | Scheduled backups with retention and Azure off-site storage. |
| Syncthing | Continuous file synchronization between devices. |

Secrets

Secret management

| Name | Description |
| --- | --- |
| Sealed Secrets | Encrypts Kubernetes secrets for safe storage in Git. |

Platform

Foundation components for running and deploying applications in my cluster

| Name | Description |
| --- | --- |
| Argo CD | GitOps tool for continuous delivery and Kubernetes application management. |
| Renovate | Automates dependency and container image updates via pull requests. |
| Intel QuickSync | Intel GPU device plugin enabling hardware-accelerated video transcoding in Kubernetes. |

💻 Hardware

| Name | Device | CPU | RAM | Storage | Purpose |
| --- | --- | --- | --- | --- | --- |
| pve1 | Aoostar R7 | AMD Ryzen 7 5825U | 48 GB DDR4 SO-DIMM | 8 TB HDD + 2 TB SSD | Compute/General |

About

Homelab infrastructure for managing a Kubernetes cluster via GitOps, powered by Proxmox, Talos, Terraform, Ansible, and Argo CD.
