nickvigilante/homelab

homelab

Kubernetes manifests, Helm values, and host-level system configs for my home lab — a single-node k3s cluster running on gandalf (a ThinkCentre on Ubuntu Server 26.04 LTS).

This repo is the source of truth. The working copy lives at ~/git/nickvigilante/homelab/ on gandalf and tracks main.

Layout

| Path | What's in it |
| --- | --- |
| system/ | Host-level systemd units, apt drop-ins, and config templates (rclone Storj mount; unattended-upgrades auto-reboot override) |
| k8s/jellyfin/ | Jellyfin (jellyfin/jellyfin Helm chart) — values.yaml + PV/PVC for config persistence |
| k8s/pihole/ | Pi-hole (mojo2600/pihole Helm chart) — values.yaml + PV/PVC for /etc/pihole persistence |
| k8s/backup/ | Restic backup CronJob → Storj. See k8s/backup/README.md for setup + restore. |
| k8s/uptime-kuma/ | Uptime Kuma (dirsigler/uptime-kuma-helm Helm chart) — status board + push-monitor sink for restic. See k8s/uptime-kuma/README.md. |
| k8s/authentik/ | Authentik (authentik/authentik Helm chart) — identity provider for future SSO across services. Bundled PostgreSQL. See k8s/authentik/README.md. |
| k8s/homeassistant/ (planned) | Home Assistant |
| ansible/ | Host-level config for future Pi workers (Stage 2). One playbook today — provision-pi.yml — that joins a fresh Pi as a k3s agent + Tailscale node. See ansible/README.md. |

How changes land in the cluster

Manual, single-node, no GitOps controller (yet). Edit in this repo, then on gandalf:

# k8s manifests / PVs
kubectl apply -f k8s/<service>/pv-pvc.yaml

# Helm releases — upgrade an existing release with new values
helm -n <namespace> upgrade <release> <chart> -f k8s/<service>/values.yaml
kubectl -n <namespace> rollout status deployment/<release>

# Host-level systemd units
sudo install -m 644 -o root -g root system/<unit>.service /etc/systemd/system/
sudo systemctl daemon-reload && sudo systemctl restart <unit>.service

# Host-level apt / unattended-upgrades drop-ins
sudo install -m 644 -o root -g root system/<file>.conf /etc/apt/apt.conf.d/

Secrets

No secrets live in this repo. Where they live instead:

  • pihole-admin k8s Secret — created by kubectl create secret generic sourced from Bitwarden ("Pi-Hole" item).
  • rclone.conf: /etc/rclone/rclone.conf on gandalf (root, 0600), populated by hand from the Storj S3 access grant. Template in system/rclone.conf.template.

Pre-commit secret scan

Same pattern as nickvigilante/infrastructure. After cloning:

brew install gitleaks
git config core.hooksPath .githooks

gitleaks then scans every staged change before each commit, blocking commits that contain detected secrets. See .gitleaks.toml.
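
A sketch of what a `.githooks/pre-commit` hook for this setup can look like, added here as an example and not taken from this repo (the actual hook is not shown on the page). It blocks the commit when the scanner or `.gitleaks.toml` is missing instead of skipping the check; `GITLEAKS_BIN` and `GITLEAKS_CONFIG` are hypothetical override variables introduced for the example.

```shell
#!/bin/sh
# Example pre-commit hook (hypothetical contents, not the repo's own file).
# GITLEAKS_BIN / GITLEAKS_CONFIG are assumed overrides, useful for testing.

secret_scan() {
    bin="${GITLEAKS_BIN:-gitleaks}"
    config="${GITLEAKS_CONFIG:-.gitleaks.toml}"

    # Fail closed: a missing scanner must block the commit, not skip the scan.
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "pre-commit: $bin not found (brew install gitleaks)" >&2
        return 2
    fi

    # Without the repo config, gitleaks would fall back to its default rules
    # and ignore any allowlist or custom rule the repo defines.
    if [ ! -f "$config" ]; then
        echo "pre-commit: $config not found in $(pwd)" >&2
        return 2
    fi

    # Scan staged changes only; --redact keeps matched values off the terminal.
    # 'protect --staged' is the gitleaks v8 form; newer releases also accept
    # 'gitleaks git --pre-commit --staged'.
    if ! "$bin" protect --staged --redact --config "$config"; then
        echo "pre-commit: possible secret in staged changes, commit blocked" >&2
        return 1
    fi
    return 0
}

# Run the scan only when git invokes this file as the hook, so the file can
# also be sourced without side effects. Git runs hooks from the repo root.
case "${0##*/}" in
    pre-commit) secret_scan || exit $? ;;
esac
```

Because `core.hooksPath` is a per-clone setting, a fresh clone commits unscanned until `git config core.hooksPath .githooks` has been run, and `git commit --no-verify` bypasses the hook entirely.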

Related

  • nickvigilante/infrastructure — OpenTofu for cluster-external resources (Tailscale tailnet DNS, GitHub repo settings, future Storj buckets).
