Skip to content

ThePhaseless/Interstellar

BranchesTags

Repository files navigation

Interstellar Homelab

A GitOps-managed Kubernetes homelab running TalosOS on Proxmox, with secure public access via Tailscale mesh networking and an Oracle VPS entry point.

🌐 Architecture Overview

flowchart TB
    subgraph Internet["🌐 Public Internet"]
        Users(["Users"])
    end

    subgraph Private["🏠 Private Network"]
        Devices(["Private Devices"])
    end

    subgraph Oracle["☁️ Oracle Cloud"]
        HAProxy["HAProxy<br/>Entry Point"]
    end

    subgraph Tailscale["🔐 Tailscale Mesh"]
        TS(("Encrypted<br/>Overlay"))
    end

    subgraph Proxmox["🖥️ Proxmox Host"]
        subgraph Cluster["TalosOS Cluster"]
            T1["talos-1<br/>GPU"]
            T2["talos-2"]
            T3["talos-3"]
        end
        iSCSI[("ZFS<br/>iSCSI<br/>15TB")]
    end

    Users -->|HTTPS| HAProxy
    Devices -->|Tailscale| TS
    HAProxy -->|Tailscale| TS
    TS <-->|Encrypted| T1 & T2 & T3
    T1 & T2 & T3 <-->|LongHorn| iSCSI

    style Internet fill:#e1f5fe
    style Private fill:#f3e5f5
    style Oracle fill:#fff3e0
    style Tailscale fill:#e8f5e9
    style Proxmox fill:#fce4ec
    style Cluster fill:#fff8e1
Loading

🛠️ Technology Stack

Layer Technology
OS TalosOS (immutable Linux)
Orchestration Kubernetes
GitOps ArgoCD (app-of-apps pattern)
Networking Flannel CNI, MetalLB L2, Tailscale
Ingress Traefik v3.3 with PROXY protocol + CrowdSec plugin
Storage LongHorn CSI → iSCSI → ZFS zvol
Secrets Bitwarden Secrets Manager + External Secrets Operator
Security CrowdSec WAF (Traefik plugin), ClamAV malware scanning
Observability Grafana, Loki, Mimir, Promtail, Alloy
IaC Terraform, Ansible, GitHub Actions

🖥️ Hardware

Proxmox Host

Component Specification
CPU Intel Core i5-12600K (6P + 4E cores)
RAM 32GB DDR4
Storage 1TB NVMe + 15TB ZFS pool (5x3TB, iSCSI target)
GPU Intel Arc B580 (passed to talos-1)
Network 1Gbps + Tailscale mesh

TalosOS Cluster (3 nodes)

Node vCPU RAM Role Special
talos-1 8 16GB Control Plane + Worker GPU passthrough
talos-2 8 16GB Control Plane + Worker
talos-3 8 16GB Control Plane + Worker

Oracle VPS (Entry Point)

Component Specification
Instance VM.Standard.A1.Flex (ARM)
CPU 4 Ampere cores
RAM 24GB
Network 4Gbps + public IP
Role HAProxy → Tailscale → Traefik

📦 Services

Media Stack

Service Access Description
Jellyfin Public Media streaming (GPU transcoding)
Seerr Public Media request management
Sonarr Tailscale TV show automation
Radarr Tailscale Movie automation
Prowlarr Tailscale Indexer management
Bazarr Tailscale Subtitle management
qBittorrent Tailscale Download client
Recyclarr Internal TRaSH guide sync
Decluttarr Internal Auto-cleanup

Utilities

Service Access Description
Copyparty Tailscale + OAuth File sharing (GPU processing)
Immich Tailscale Photo management (ML on GPU)
AdGuard Home Tailscale DNS + ad blocking
MCPJungle Internal MCP server aggregator

Infrastructure

Component Description
ArgoCD GitOps continuous deployment
Traefik Ingress controller
CrowdSec WAF + threat detection
MetalLB Load balancer (L2 mode)
LongHorn Distributed block storage
External Secrets Bitwarden integration
Tailscale Operator Service mesh + auth
Reloader Auto-reload on config changes
ClamAV Malware scanning for downloads

📂 Repository Structure

Interstellar/
├── .github/workflows/       # CI/CD pipelines
│   ├── terraform.yaml       # Infrastructure deployment
│   ├── ansible.yaml         # Host configuration
│   ├── kubernetes-lint.yaml # Manifest linting
│   └── tailscale-acl.yaml   # ACL policy sync
├── .kube-linter.yaml        # Kube-linter configuration
├── Ansible/                 # Host configuration playbooks
│   └── setup-oracle.yaml    # HAProxy, Tailscale
├── Kubernetes/
│   ├── bootstrap/           # Core infrastructure
│   │   ├── argocd/
│   │   ├── metallb/
│   │   ├── longhorn/
│   │   ├── traefik/
│   │   ├── crowdsec/
│   │   ├── external-secrets/
│   │   ├── tailscale-operator/
│   │   ├── observability/
│   │   └── clamav/
│   └── apps/                # Application manifests
├── scripts/
│   └── lint-kubernetes.sh   # Local linting script
├── Tailscale/
│   └── policy.hujson        # ACL policy
├── Terraform/               # Infrastructure as Code
│   ├── proxmox.tf           # VM provisioning
│   ├── talos.tf             # Cluster configuration
│   ├── cloudflare.tf        # DNS records
│   ├── tailscale.tf         # Auth keys
│   ├── oracle.tf            # VPS infrastructure
│   └── bitwarden.tf         # Secret references
├── haproxy.cfg              # Oracle HAProxy config
└── compose.proxy.yaml       # HAProxy Docker Compose

🚀 Getting Started

All setup and bootstrap instructions live in SETUP.md. Use that file as the single source of truth.

💾 Storage Configuration

NFS endpoint values are configured once in Kubernetes/nfs-storage-config.yaml.

  • data.server: NFS server IP/hostname
  • data.path: NFS export path

Top-level Kustomize replacements apply these values to both the static media PV and the nfs-csi StorageClass.

🔒 Security Model

  • Network Topology: Talos VMs are bridged directly to the home LAN (vmbr0)
  • Zero Trust: All inter-service communication via Tailscale
  • Public Access: Only through Oracle VPS → Tailscale → Traefik
  • Private Services: Require Tailscale authentication
  • Malware Scanning: ClamAV scans all downloaded files
  • WAF Protection: CrowdSec with community threat feeds

📝 License

This project is for personal use and educational purposes.

About

Homelab stack

nerine.dev

Topics

docker zsh docker-compose

Resources

Readme
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Contributors 2

  •  
  •  

Languages