With Talos, Cilium, Linstor, and cert-manager in place, the cluster has infrastructure but no principled way to operate it. This post adds GitOps: FluxCD for the foundation layer where ordering and simplicity matter, ArgoCD for the application layer where a UI and per-project scoping matter more. It covers the bootstrap sequence that hands control from a script to a Git repo, the self-management property that follows from it, and what GitOps does not tell you about developing against it.
A cluster with networking and storage still serves most of its TLS endpoints with self-signed certificates. This post wires up the trust layer: cert-manager with a bootstrapped internal CA, trust-manager to distribute the bundle to every namespace, Let’s Encrypt over Gateway API for the public edge, and a CSR approver so the kubelet finally gets a serving cert that something can verify.
Linstor with DRBD is the simplest path to replicated block storage on a homelab cluster. This post covers partitioning Talos disks, getting Piraeus running on an immutable OS, configuring StorageClasses with sensible DRBD quorum defaults, and wiring up snapshots through external-snapshotter.
Cilium replaces Flannel and kube-proxy on Talos. You get identity-based policies, kernel-level enforcement, packet-level observability through Hubble, the Gateway API for HTTP routing, and L2 announcement so you can expose Services on a bare-metal home network.
Talos Linux is a Kubernetes-only OS — minimal core, system extensions for the rest, and an API for everything. This post covers why I picked it, how I bootstrap a 3-node cluster with PXE, and the configuration files you need to follow along.