Automated eXperimental Infrastructure System
Mono-repo for my GitOps-driven K8s homelab 🏠
AXIS is my GitOps Kubernetes cluster home lab. The repository contains all cluster manifests, Helm repositories and releases, Talos OS configuration, backup policies, and secrets management tooling via SOPS.
- GitOps: Flux v2 manages state from this repo
- Manifests: Kustomize overlays per app/namespace under
kubernetes/ - OS: Talos for immutable Kubernetes nodes (see
talos/) - Control plane: 3 Talos control-plane nodes in HA behind a VIP (MetalLB)
- Ingress: Traefik + cert-manager (Let’s Encrypt via Cloudflare)
- Storage: democratic-csi (TrueNAS) and local-path-provisioner
- Monitoring: kube-prometheus-stack, Grafana, Loki/Promtail, Alertmanager
- Backups: VolSync (restic) with Backblaze B2
- Secrets: SOPS with age
Common operations:
# Decrypt secrets
task sops:decrypt
# Re-encrypt all secrets
task sops:encrypt
# Low-level helper (used by the tasks)
scripts/sops.sh encrypt|decryptSecret file conventions:
- Secrets end with
.secret.sops.yaml - Decrypted secrets end with
.secret.yaml(wildcard in.gitignore)
VolSync is used to snapshot and synchronize PVCs to object storage (Backblaze B2). Each app declares its backup policy under its directory, typically backup/ with a backblaze.secret.sops.yaml for credentials and a backup.yaml defining ReplicationSource/ReplicationDestination.
- Configure credentials in the corresponding
backblaze.secret.sops.yaml(encrypted with SOPS) - Validate VolSync resources with kustomize/kubeconform as usual
Operational tasks:
# Interactive restore workflow
task volsync:interactive-restore
# App-specific restore shortcuts (if defined)
task volsync:restore-<name>Example backup locations in this repo:
kubernetes/home-assistant/backup/kubernetes/media/*/backup/kubernetes/actual/backup/andkubernetes/ccinvoice/backup/
Notes:
- Restores will temporarily scale down workloads and restore PVC contents
- Ensure network egress for B2 and that credentials are valid
Talos is configured under talos/ with patches in talos/patches/. Use Taskfile helpers for generating machine configs, applying changes, and upgrading node images.
Common operations:
# Generate Talos machine configs from image schematic and patches
task talos:generate
# Apply generated configs to the cluster
task talos:apply
# Upgrade Talos across control plane and workers
task talos:upgradePatches of interest in talos/patches/ include networking (VIP, DHCP), storage mounts for local-path-provisioner, and permissions for running certain workloads on control-plane nodes.