Talos production cluster
The production cluster is the primary Kubernetes cluster of the homelab. It runs the bulk of workloads: media (Jellyfin, Immich, Tube Archivist), productivity (Nextcloud, Outline, Paperless), DevOps (Gitea, n8n, Keycloak), and observability.
This page is a top-down overview that links into every layer.
Stack
```
┌──────────────────────────────┐
│ Apps (45+)                   │ ← docs/apps
└──────────────┬───────────────┘
               │ scheduled by
┌──────────────▼───────────────┐
│ Platform controllers         │ ← docs/platform
│ Cilium · Longhorn · CNPG     │
│ Envoy · k8up · Kyverno · …   │
└──────────────┬───────────────┘
               │ runs on
┌──────────────▼───────────────┐
│ Kubernetes (kubeadm-less)    │
│ provided by Talos            │
└──────────────┬───────────────┘
               │ runs on
┌──────────────▼───────────────┐
│ Talos Linux (OS)             │ ← docs/foundation/talos
└──────────────┬───────────────┘
               │ inside VMs on
┌──────────────▼───────────────┐
│ Proxmox VE (3 nodes)         │ ← docs/foundation/proxmox
└──────────────┬───────────────┘
               │ on
┌──────────────▼───────────────┐
│ Intel NUC 13 Pro × 3         │ ← docs/hardware/talos
└──────────────────────────────┘
```
Layers at a glance
| Layer | What | Doc |
|---|---|---|
| Hardware | Intel NUC 13 Pro × 3 (i5-1340P, 64 GB RAM, 2 TB NVMe each) | hardware/talos |
| Hypervisor | Proxmox VE (3-node cluster proxmox1/2/3); 3 control-plane VMs + 3 worker VMs + 3 NetBird LXCs | foundation/proxmox |
| Cluster OS | Talos Linux, configured by Talhelper | foundation/talos |
| GitOps | Flux pulling from Gitea, decrypting secrets via SOPS | foundation/flux |
| Network | Cilium (kube-proxy replacement, WireGuard, L2 announcements) | platform/cilium |
| Storage | Longhorn (cluster-native block) + NFS to TrueNAS (bulk media) | platform/longhorn · hardware/nas |
| Ingress | Envoy Gateway with PROXY-protocol-v2 from the edge cluster | platform/envoy-gateway · topics/envoy-gateway-proxy-protocol-v2 |
| Secrets | External Secrets + SOPS | platform/external-secrets · operations/sops |
| Backups | k8up Schedule → Restic → Hetzner S3 (warm) → Synology NAS (hot) → encrypted WD drives (cold) | operations/ |
Cluster machines
| Role | Name | Host | Notes |
|---|---|---|---|
| Control plane | talos-cp-01 | proxmox1 | etcd member |
| Control plane | talos-cp-02 | proxmox2 | etcd member |
| Control plane | talos-cp-03 | proxmox3 | etcd member |
| Worker | talos-worker-01 | proxmox1 | extra NICs into VLAN 104+105, GPU passthrough |
| Worker | talos-worker-02 | proxmox2 | extra NICs into VLAN 104+105, GPU passthrough |
| Worker | talos-worker-03 | proxmox3 | extra NICs into VLAN 104+105, GPU passthrough |
Networking summary
| Plane | What |
|---|---|
| Pod CIDR | 10.100.0.0/16 |
| Service CIDR | default (10.96.0.0/12) |
| Node mgmt | VLAN 100 (192.168.100.0/24) — control planes + workers |
| Storage | VLAN 104 (192.168.104.0/24) — workers only, for NFS to TrueNAS |
| Public | VLAN 105 (192.168.105.0/24) — workers only, for ingress |
| Inter-site | NetBird mesh — production network exposes those VLANs to peers |
Full network map: Fabric overview · NetBird · UniFi.
What runs here
- All persistent apps with stateful PVCs (Longhorn-backed).
- Anything GPU-accelerated — the worker nodes carry the Intel iGPU passthrough.
- The control plane for Flux's primary `GitRepository` and the SOPS keys.
The edge cluster handles only public-facing ingress + sidecar workloads; everything stateful lives here.
Lifecycle commands
```bash
# Render & apply Talos config
talhelper genconfig
talhelper gencommand apply | sh

# Upgrade
talhelper gencommand upgrade --extra-flags "--preserve" | sh

# Reconcile Flux
flux reconcile kustomization flux-system

# Inspect
kubectl get nodes -o wide
kubectl get pods -A | grep -v Running | grep -v Completed
flux get all -A
```
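A stricter form of the inspect step, added here as an example and not part of the original page: it filters on the READY and STATUS columns of `kubectl get pods -A --no-headers` instead of grepping for words, so a Running pod with 0/1 containers ready or a cordoned node is reported rather than silently passing. The `cluster_check` function and the sample pod table are assumptions; pod names in the sample are constructed.

```shell
#!/usr/bin/env bash
# Stricter form of the "Inspect" step. `grep -v Running | grep -v Completed`
# lets through a Running pod whose containers are not all ready (READY 0/1)
# and drops any line that merely contains those words. This filters on the
# READY and STATUS columns instead. Assumes the default column order of
# `kubectl get pods -A --no-headers`: NAMESPACE NAME READY STATUS RESTARTS AGE.

# Reads the pod table on stdin; prints "ns/name STATUS READY" per unhealthy pod.
unhealthy_pods() {
  awk '
    NF >= 4 {
      split($3, r, "/")
      healthy = ($4 == "Completed") || ($4 == "Running" && r[1] == r[2])
      if (!healthy) printf "%s/%s %s %s\n", $1, $2, $4, $3
    }'
}

# Reads `kubectl get nodes --no-headers` on stdin; prints nodes whose STATUS is
# not exactly "Ready". Cordoned nodes show "Ready,SchedulingDisabled" and are
# reported too, which is wanted outside a talhelper upgrade window.
not_ready_nodes() {
  awk 'NF >= 2 && $2 != "Ready" { print $1, $2 }'
}

# Live check against the current kubeconfig context; returns 1 if anything is off.
cluster_check() {
  bad=0
  nodes=$(kubectl get nodes --no-headers | not_ready_nodes)
  pods=$(kubectl get pods -A --no-headers | unhealthy_pods)
  if [ -n "$nodes" ]; then printf 'nodes not Ready:\n%s\n' "$nodes"; bad=1; fi
  if [ -n "$pods" ]; then printf 'unhealthy pods:\n%s\n' "$pods"; bad=1; fi
  return $bad
}

# Constructed sample (made-up pod names, not real cluster output) so the filter
# can be exercised offline. Expected: immich, cilium and the Terminating pod.
SAMPLE_PODS='media        jellyfin-7d9f6        1/1   Running            0   3d
media        immich-server-5c4b   0/1   Running            4   2m
k8up         backup-nextcloud-x   0/1   Completed          0   1h
kube-system  cilium-q2w8z         0/1   CrashLoopBackOff   7   10m
longhorn     engine-image-abc     1/1   Terminating        0   5s'

if [ "${1:-}" = "--live" ]; then
  cluster_check
else
  printf '%s\n' "$SAMPLE_PODS" | unhealthy_pods
fi
```

Run with `--live` against the production kubeconfig to check real nodes and pods; without arguments it only runs the filter over the constructed sample.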
See also
- Hardware → Talos — physical specs
- Foundation → Proxmox — hypervisor running the VMs
- Foundation → Talos — the OS configuration workflow
- Foundation → Flux — GitOps loop
- Cluster — edge — the smaller sister cluster