# Overview
The homelab is split across two systems: a Synology NAS running Docker containers, and a Kubernetes cluster running the majority of self-hosted applications.
## Architecture
```mermaid
graph TD
    Internet --> Traefik
    subgraph NAS["NAS (Synology)"]
        Traefik["Traefik (edge proxy)"]
        Gitea["Gitea (source code)"]
        Vault["Vault (secrets)"]
        PostgreSQL["PostgreSQL (shared DB)"]
        MinIO["MinIO (S3 storage)"]
        PiHole["Pi-hole (DNS)"]
        CouchDB["CouchDB (Obsidian sync)"]
        NFS["NFS storage"]
    end
    subgraph K8s["Kubernetes Cluster (noah)"]
        Apps["Applications"]
        Monitoring["Monitoring"]
    end
    Traefik --> K8s
    Gitea -- GitOps --> K8s
    Vault -- secrets --> K8s
    PostgreSQL -- shared DB --> K8s
    MinIO -- S3 buckets --> K8s
    PiHole -- DNS --> K8s
    NFS -- volumes --> K8s
```
## NAS
The NAS hosts services that must remain available independently of the cluster.
**Bootstrap dependencies**
Many NAS services are prerequisites for the cluster itself. If they ran inside Kubernetes, a cluster failure would create a circular problem: the cluster needs Vault to start, Gitea to reconcile, and Pi-hole for DNS — none of which would be available during recovery.
| Service | Purpose |
|---|---|
| Traefik | Edge proxy and main entry point for all homelab traffic |
| Gitea | Git hosting; Flux CD watches it to reconcile the cluster |
| Vault | Secret management; ExternalSecrets syncs secrets into k8s |
| PostgreSQL | Centralized database shared by multiple applications |
| MinIO | S3-compatible object storage |
| Pi-hole | DNS for the home network and the cluster |
| CouchDB | Database backend for Obsidian LiveSync |
| NFS | Network storage volumes for the cluster |
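A pre-flight check that refuses to bootstrap the cluster until the NAS services it depends on (Pi-hole for DNS, Vault for secrets, Gitea for Flux to reconcile) answer. This is an added example, not code from the homelab repository: the NAS hostnames and the Pi-hole address are placeholders, and while `/v1/sys/health` and `/api/v1/version` are Vault's and Gitea's real health and version endpoints, the subdomains in front of them are assumed.

```python
"""Pre-flight check for the NAS services the cluster needs at bootstrap.

Added example; hostnames and addresses below are placeholders (assumptions),
not values from the homelab documentation.
"""
import socket
import urllib.request
from typing import Callable

NAS_HOST = "nas.example.lan"  # placeholder for the Synology NAS
PIHOLE_IP = "192.0.2.10"      # placeholder (TEST-NET-1 address)


def http_ok(url: str, timeout: float = 3.0) -> bool:
    """True only on HTTP 200. Vault answers /v1/sys/health with 200 when
    initialized, unsealed and active; sealed/standby/uninitialized return
    non-200, which urllib raises as HTTPError (an OSError subclass).
    A homelab CA must be trusted by this host for the HTTPS calls to pass."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (OSError, ValueError):
        return False


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Reachability check for a TCP service (Pi-hole's DNS listener on 53)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# The prerequisites named in the overview, each with its probe.
PREREQS: dict[str, Callable[[], bool]] = {
    "Pi-hole (DNS)": lambda: tcp_open(PIHOLE_IP, 53),
    "Vault (secrets)": lambda: http_ok(f"https://vault.{NAS_HOST}/v1/sys/health"),
    "Gitea (GitOps source)": lambda: http_ok(f"https://git.{NAS_HOST}/api/v1/version"),
}


def preflight(probes: dict[str, Callable[[], bool]]) -> list[str]:
    """Return the names of prerequisites whose probe failed or raised."""
    failed = []
    for name, probe in probes.items():
        try:
            ok = probe()
        except OSError:
            ok = False
        if not ok:
            failed.append(name)
    return failed


if __name__ == "__main__":
    missing = preflight(PREREQS)
    if missing:
        print("Do not bootstrap the cluster; unavailable:", ", ".join(missing))
        raise SystemExit(1)
    print("All NAS bootstrap dependencies are reachable.")
```

Run it before `tofu apply` or before re-bootstrapping Flux after a cluster rebuild; a non-zero exit means one of the circular-dependency services from the note above is down.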
## Kubernetes Cluster
The cluster (noah) runs Talos Linux on Proxmox VMs and is managed via OpenTofu (provisioning) and Flux CD (continuous deployment). Most self-hosted applications run here.
See Cluster for topology and provisioning details.