
🥼 Automated eXperimental Infrastructure System 🧪 a.k.a. my k8s homelab

scottmckendry/axis

AXIS

Automated eXperimental Infrastructure System

Mono-repo for my GitOps-driven K8s homelab 🏠

🧭 Overview

AXIS is my GitOps Kubernetes cluster home lab. The repository contains all cluster manifests, Helm repositories and releases, Talos OS configuration, backup policies, and secrets management tooling via SOPS.

  • GitOps: Flux v2 manages state from this repo
  • Manifests: Kustomize overlays per app/namespace under kubernetes/
  • OS: Talos for immutable Kubernetes nodes (see talos/)
  • Control plane: 3 Talos control-plane nodes in HA behind a VIP (MetalLB)
  • Ingress: Traefik + cert-manager (Let’s Encrypt via Cloudflare)
  • Storage: democratic-csi (TrueNAS) and local-path-provisioner
  • Monitoring: kube-prometheus-stack, Grafana, Loki/Promtail, Alertmanager
  • Backups: VolSync (restic) with Backblaze B2
  • Secrets: SOPS with age

🔐 Secrets management (SOPS + age)

Common operations:

# Decrypt secrets
just decrypt

# Re-encrypt all secrets
just encrypt

# Low-level helper (used by the recipes)
scripts/sops.sh encrypt|decrypt

Secret file conventions:

  • Secrets end with .secret.sops.yaml
  • Decrypted secrets end with .secret.yaml (wildcard in .gitignore)
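As an added example (not the repo's scripts/sops.sh), a POSIX sh guard that enforces the conventions above before a commit: every *.secret.sops.yaml must actually carry SOPS metadata, and the plaintext wildcard must be present in .gitignore. It assumes only the sops output format (a top-level sops: block and ENC[...] values); the directory it scans is whatever you pass in.

```shell
#!/usr/bin/env sh
# Added example, not part of the axis repository.
# Assumes sops-encrypted YAML has a top-level "sops:" block and ENC[...] values.

# app.secret.yaml -> app.secret.sops.yaml
sops_name() {
    printf '%s\n' "$1" | sed 's/\.secret\.yaml$/.secret.sops.yaml/'
}

# app.secret.sops.yaml -> app.secret.yaml
plain_name() {
    printf '%s\n' "$1" | sed 's/\.secret\.sops\.yaml$/.secret.yaml/'
}

# 0 if the file looks sops-encrypted (metadata block plus at least one
# ENC[...] value), non-zero if it is plaintext despite its name.
is_encrypted() {
    grep -q '^sops:' "$1" && grep -q 'ENC\[' "$1"
}

# Scan a tree for convention violations. Prints each offender and returns
# the number found (0 = clean). Paths are assumed to contain no whitespace.
check_tree() {
    dir="$1"
    bad=0
    for f in $(find "$dir" -type f -name '*.secret.sops.yaml'); do
        if ! is_encrypted "$f"; then
            echo "plaintext in encrypted-named file: $f"
            bad=$((bad + 1))
        fi
    done
    # Decrypted *.secret.yaml files must be ignored so they never get committed.
    if ! grep -Fxq '*.secret.yaml' "$dir/.gitignore" 2>/dev/null; then
        echo "missing '*.secret.yaml' in $dir/.gitignore"
        bad=$((bad + 1))
    fi
    return "$bad"
}
```

Run `check_tree kubernetes` from a pre-commit hook and refuse the commit on a non-zero return.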

🐘 CloudNative Postgres

CloudNative Postgres (CNPG) is used wherever I possibly can for persistent databases.

Backup and restore

All backups are configured through the CNPG Barman Cloud plugin, targeting Backblaze B2. WAL archiving enables point-in-time recovery with a small RPO/RTO.

♻️ Backups and restores (VolSync)

VolSync is used to snapshot and synchronize PVCs to object storage (Backblaze B2). Each app declares its backup policy under its directory, typically backup/ with a backblaze.secret.sops.yaml for credentials and a backup.yaml defining ReplicationSource/ReplicationDestination.

  • Configure credentials in the corresponding backblaze.secret.sops.yaml (encrypted with SOPS)
  • Validate VolSync resources with kustomize/kubeconform as usual

Operational tasks:

# Interactive restore workflow
just restore

Notes:

  • Restores will temporarily scale down workloads and restore PVC contents
  • Ensure network egress for B2 and that credentials are valid

🛡️ Talos/Kubernetes cluster management

Talos is configured under talos/ with patches in talos/patches/. Use justfile recipes for generating machine configs and applying them to the cluster.

Common operations:

# Generate Talos machine configs from image schematic and patches
just generate

# Apply generated configs to the cluster
just apply

Upgrades

Managed via tuppr 🩵
