Accessing Restricted Directory

THE VAULT

A curated archive of production infrastructure, AI-powered operations tooling, and platform engineering built on real hardware, not cloud credits.

VAULT_ADDR: 192.168.0.52
AUTH: VAULT_JWT
Managed Services
25+ ACTIVE

VMs, LXCs, K8s workloads

Terraform Workspaces
17 SCOPED

Function-isolated state

Kubernetes Apps
11+ FLUX CD

GitOps-deployed workloads

Core Repositories

The two pillars of the homelab: declarative infrastructure and AI-powered operations.

/archive/projects_01
[PROXMOX] [TERRAFORM] [TALOS]
nodes: homelab-pve, homelab-pve-nas
network: 192.168.0.0/24
k8s: 4-node Talos cluster
ci/cd: GitLab 8-stage pipeline

homelab-iac

Production-grade IaC monorepo managing 25+ services across a dual-node Proxmox VE 8.x cluster. 17 function-scoped Terraform workspaces, Ansible configuration management, 4-node Talos Kubernetes cluster with Flux GitOps, Vault-centric secrets, Authentik SSO, split-horizon DNS, and auto-generated MkDocs documentation.

Terraform, Ansible, Talos, K8s, Flux CD, Vault, Packer

[PYTHON] [MCP SDK] [FASTAPI]
tools: query_homelab, execute_command
workers: 5 ingestion pipelines
search: semantic + keyword
ssh: pooled, safety-gated

homelab-mcp-app

Model Context Protocol server that gives AI agents (GitHub Copilot, Claude) live access to infrastructure state. 5 concurrent ingestion workers (Proxmox, Terraform, Ansible, Git, Markdown), semantic search via OpenViking, SSH connection pooling with safety-gated command execution, and HTTP connection reuse for sub-100ms queries.

Python 3.11, MCP SDK, FastAPI, Proxmoxer, Fabric, httpx

Deep Dives

Specialized Architecture

Vault-Centric Secrets

HashiCorp Vault as the single source of truth for every credential in the infrastructure. CI pipelines authenticate via JWT, Kubernetes workloads use the K8s auth method with External Secrets Operator. No hardcoded credentials anywhere.

Auth Methods: JWT + K8s
Policy Model: Least Privilege
Rotation: Quarterly
VAULT_SECRET_ENGINES
infrastructure/kv-v2
applications/kv-v2
ci-cd/jwt
kubernetes/k8s-auth
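As an added example (not code from the homelab-iac repo), the auth layout above declared with the Terraform Vault provider: a JWT role on the ci-cd/jwt mount bound to one GitLab project and protected ref, a Kubernetes auth role bound to the External Secrets Operator service account, and a separate read-only policy for each. The mount paths are taken from the list above; the GitLab URL, Vault audience, project path, namespace and kv subpaths are assumptions.

```hcl
# Least privilege: the CI role can only read one subtree of the infrastructure kv-v2 mount.
resource "vault_policy" "iac_deploy" {
  name   = "iac-deploy"
  policy = <<-EOT
    path "infrastructure/data/proxmox/*" { capabilities = ["read"] }
  EOT
}

# JWT auth at ci-cd/jwt that trusts only the GitLab CE instance as issuer (URL assumed).
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "ci-cd/jwt"
  type         = "jwt"
  jwks_url     = "https://gitlab.homelab.lan/-/jwks"
  bound_issuer = "https://gitlab.homelab.lan"
}

# One role per project: a job token from another project, branch, or unprotected
# ref fails the bound_claims check and never receives a Vault token.
resource "vault_jwt_auth_backend_role" "homelab_iac" {
  backend         = vault_jwt_auth_backend.gitlab.path
  role_name       = "homelab-iac-deploy"
  role_type       = "jwt"
  user_claim      = "user_email"
  bound_audiences = ["https://vault.homelab.lan"] # aud set via id_tokens in the CI job
  bound_claims = {
    project_path  = "homelab/homelab-iac" # assumed project path
    ref           = "main"
    ref_protected = "true"
  }
  token_policies         = [vault_policy.iac_deploy.name]
  token_ttl              = 900  # 15 min: covers a stage, limits replay of a leaked token
  token_explicit_max_ttl = 1800
}

# Kubernetes auth for External Secrets Operator: only the ESO service account in its own
# namespace can log in, with its own read-only policy (mount kubernetes/k8s-auth assumed enabled).
resource "vault_policy" "eso_read" {
  name   = "eso-read"
  policy = <<-EOT
    path "applications/data/*" { capabilities = ["read"] }
  EOT
}
resource "vault_kubernetes_auth_backend_role" "eso" {
  backend                          = "kubernetes/k8s-auth"
  role_name                        = "external-secrets"
  bound_service_account_names      = ["external-secrets"]
  bound_service_account_namespaces = ["external-secrets"]
  token_policies                   = [vault_policy.eso_read.name]
  token_ttl                        = 3600
}
```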
OIDC_FEDERATION
→ GitLab CE
→ Grafana
→ Nextcloud
→ Jellyfin

Authentik SSO

Centralized OIDC identity provider federating authentication across GitLab, Grafana, Nextcloud, and Jellyfin. A single credential store that removes per-service password management, with a full audit trail.

Protocol: OIDC
Federated Apps: 4 Services
Model: Zero-Trust

zsh — vault_explorer
jason@homelab:~$ terraform workspace list
security-vault
security-identity
platform-cicd
platform-database
platform-automation
networking
observability
k8s-cluster
apps-media
apps-personal
apps-ai
apps-games
jason@homelab:~$ kubectl get nodes
NAME          STATUS   ROLES              AGE
k8s-cp-01     Ready    control-plane      90d
k8s-cp-02     Ready    control-plane      90d
k8s-worker-01 Ready    <none>             90d
k8s-worker-02 Ready    <none>             90d
All systems nominal. Infrastructure is code.