Homelab tlahcuilolli

Tlatecpanaliztli homelab CI/CD pipeline

Case-study style tlahcuilolli: quen Debian control plane, Pimox app workers, external Gitea, local registry, Kyverno policy, Argo CD, monitoring, ihuan static demo shelf omocuepque repeatable Kubernetes delivery path.

Portfolio tlamantli

Evidence quen production

Inin yeyi proof points ma quitta hiring manager achto: platform ownership, production reliability at scale, ihuan reserved MLOps path para model-serving tequitl.

Tlamantli 01

Self-hosted Kubernetes delivery platform

Git push, validation, image build, registry, GitOps sync, policy guardrails, monitoring, retained storage, ihuan VM worker provisioning ipan ce tepiton platform in quipia operational truth.

Xiquitta architecture

Tlamantli 02

Enterprise SRE ihuan incident automation

Oracle ihuan occe enterprise roles quinextia production side: 20,000+ developer users, 10,000+ external customers, Linux troubleshooting, automation, runbooks, on-call improvement, ihuan high-scale incident response.

Xiquitta CV evidence

Tlamantli 03

MLOps deployment platform placeholder

Reserved para next serious demo: FastAPI inference, Kubernetes manifests, rollout strategy, model metrics, drift signals, ihuan rollback behavior.

Xictlapo placeholder

Architecture mapa

Homelab, end to end

Current delivery path starts ika push to Gitea, runs local validation, builds arm64 images, syncs validated commit into GitOps mirror, ihuan lets Argo CD reconcile from app workers. Infrastructure path stays manual through lab.sh, including PXE/Pimox template builder, NVMe-backed worker clones, Kyverno policy placement, ihuan opt-in OpenWrt firewall VM, while OCI edge routes public traffic back through private path.

Diagram intentionally operational: quinextia app delivery loop, image flow, provisioning path, worker-placement boundary, monitoring layer, OpenWrt firewall option, ihuan public traffic path ahmo hiding practical bits in quichihua small lab behave like platform.

Xiquitta Christmas-tree version

Nehuatl mostla, judging

Melahuac: tleica niquichihua nochi inin ihuan ahmo zan ome containers quen normal person?

Nehuatl, coffee ipan noma

Pampa onciquitta "host a website" ihuan oniquilhuia: "tlein panos tla inin quipia control plane, GitOps, retained storage, image registry, ihuan miec yancuic ways para nimopinahuiz?" Melahuac goal catca practice: provision infra, quipia config ipan Git, deploy ika automation, xitlapana, xicyecana, ihuan xiquitta tla huel rebuild ahmo ika shell history ihuan vibes.

Nehuatl mostla, judging

Tleica kubeadm? Managed clusters catca too emotionally stable?

Nehuatl, coffee ipan noma

Quena. kubeadm quicahua cluster nechca metal; in polite way quitosnequi niquita nochi sharp edge. Debian node quipia control plane, Raspberry Pi joins quen arm64 worker, ihuan Pimox ipan Orange Pi 5 Plus quimaca repeatable Debian 13 arm64 VM workers. Suddenly networking, storage, container runtimes, certs, ihuan node recovery amo cloud magic: no problema.

Nehuatl mostla, judging

Canin motlatia CI/CD part?

Nehuatl, coffee ipan noma

Tepiton, zan real. OpenTofu quichihua cluster, platform, apps, ihuan edge layers. Argo CD quitta Git ipan app workers, Kyverno quimaca policy pressure, Docker Buildx quichihua linux/arm64 images, ihuan local registry quimaca cluster. Clean loop: Git mopatla, image omochiuh, cluster updated, ahmo aca monequi kubectl-edit 2 AM.

Nehuatl mostla, judging

Tleica own registry ihuan Gitea? Simple option amo oncatca?

Nehuatl, coffee ipan noma

Simple option huel oncatca, ic heroic oniquignore. Registry quitosnequi experiments amo monequi yasque public image repo, ihuan external Gitea quimaca lab own Git service ahmo quichihua Kubernetes responsible para source of truth. In ome quichihua setup ma nesi quen tepiton platform ika opinions, responsibilities, ihuan storage drama.

Nehuatl mostla, judging

Tlein achi cualani?

Nehuatl, coffee ipan noma

Storage. Nochipa storage. Kubernetes, Docker, retained volumes, ihuan build caches huel quitemitia root disk ika quiet confidence of bad decision. Moving OpenEBS local volumes ihuan Docker data ipan external SSD quicuep lab de "tleica nochi tlatla?" ica "okay, axcan huel tlatequipanoa." Growth, supposedly.

Nehuatl mostla, judging

Platform controllers finally moved off control plane?

Nehuatl, coffee ipan noma

Quena. Argo CD ihuan Kyverno axcan target homelab.dev/node-role=app workers, including Kyverno hook jobs, para Debian node ma mocahua focus ipan control-plane duties. Inin change quichihua lab ma nesi amo nochi balanced ipan achto machine in boot.

Nehuatl mostla, judging

Current cluster huel quipia nochi inin, o tiquchichinos Pi?

Nehuatl, coffee ipan noma

Pi survives pampa demos cateh intentionally local-first ihuan now ship as separate static artifact. Website pod mocahua portfolio shell, demos-static pod serves static bundles, ihuan browser quichihua expensive work. Tla later onicship real ONNX object detection, Transformers.js, o full video transcoding models, monequi lazy-load ipan browser o yasque beefier node.

Nehuatl mostla, judging

Axcan lab huel quichihua own worker nodes?

Nehuatl, coffee ipan noma

Quena, ihuan axcan ika fewer crossed fingers. Debian quipia provisioning layer ika dnsmasq, nginx, PXE boot files, GRUB, ihuan Debian 13 arm64 preseed. OpenTofu notza Pimox through qm, quichihua VM 9000 ipan local storage, quiboota from network, quinstala OS, quichihua golden-node prep, disables swap, verifies cgroups, installs containerd ihuan kubeadm tooling, then seals it as template. Worker clones cateh idempotent by VMID ihuan now land on nvme_thin_pool.

Nehuatl mostla, judging

Ihuan OpenWrt no quisa nican?

Nehuatl, coffee ipan noma

Zan simple firewall, ahmo networking science project. Pipeline huel quichihua opt-in OpenWrt ARM SystemReady VM, attach vmbr0 quen WAN ihuan vmbr1 quen LAN, ihuan configure LAN side ahmo rewriting Orange Pi host networking. DHCP stays optional, VLANs wait until onca managed switch ihuan local test window.

Nehuatl mostla, judging

Tlein omopatla ipan observability ihuan scheduling side?

Nehuatl, coffee ipan noma

Monitoring moved de "someday" to "running," ihuan scheduling moved de "whatever fits" to explicit worker placement. Prometheus Stack, Grafana, Loki, Promtail, node-exporter, ihuan kube-state-metrics quimaca useful signals; next step quitosnequi elegir few alerts in melahuac nechixitisque para right reasons.

Yancuic activity log

Tlein omopatla since first build

Lab omocuep de working Kubernetes experiment into more complete self-hosted delivery system. Latest work focused on trust, repeatability, VM-based expansion, controller placement, ihuan making deploys match exact commit in passed validation.

01 Moved Gitea out of Kubernetes ihuan onto Raspberry Pi as local Git service, while keeping public /git/ route through edge stack.
02 Installed ihuan validated Debian-hosted Gitea Actions runner para pushes to main can build, scan, ihuan deploy without laptop session.
03 Added custom checkout flow para /git/ subpath ihuan kept persistent Debian checkout para deployment scripts.
04 Added Gitleaks secret scanning ihuan Trivy scanning para app ihuan infrastructure tree.
05 Changed deployment so validated commit is pushed into local GitOps mirror before lab.sh runs, preventing Argo CD from reconciling older tree.
06 Hardened website, demos-static, ihuan registry workloads ika non-root containers, read-only root filesystems, resource limits, ihuan explicit writable volumes.
07 Split demos into dedicated demos-static image ihuan Argo CD application so PHP website stays small and boring.
08 Changed Gitea backups to dump from Raspberry Pi Docker container ihuan store archives on Debian host.
09 Validated full main-branch deployment path: fetch main, apply OpenTofu layers, build ihuan push arm64 images, refresh Argo CD, ihuan confirm runner completes successfully.
10 Built Debian 13 arm64 Pimox template end to end ika PXE, preseed, qemu-guest-agent discovery, cgroup validation, swap disabled, ihuan final seal step.
11 Added NVMe-backed Pimox worker clone automation para VM 9000 ma mocahua ipan local storage mientras worker nodes mochihuah ipan nvme_thin_pool.
12 Added opt-in OpenWrt VM path para simple firewall between vmbr0 ihuan vmbr1, ika guardrails in avoid Orange Pi host networking changes.
13 Installed monitoring stack ihuan moved platform add-ons such as Argo CD, Kyverno, ihuan prometheus-stack toward app-worker placement instead of treating control plane as spare capacity.

Tlamantli ihuan tleica nemi nican

Debian Linux quimaca steady adult in room: control plane host, deployment workstation, PXE/preseed server, ihuan canin OpenTofu, Docker, kubeadm, ihuan scripts quichihua tequitl.
Source:lab.sh cluster/main.tf provisioning/main.tf
Raspberry Pi keeps external Gitea service close to lab, while Pimox ipan Orange Pi 5 Plus provides app-worker pool. Debian template mocahua ipan local storage ihuan Kubernetes worker clones yahui ipan nvme_thin_pool.
Source:cluster/main.tf provisioning/main.tf
OpenTofu quichihua cluster, platform, apps, edge, ihuan provisioning layers repeatable, pampa "I swear I remember the command" amo disaster recovery strategy.
Source:lab.sh cluster platform apps provisioning edge
Calico handles pod networking, ihuan OpenEBS hostpath storage keeps important data after rebuilds, pampa deleting everything by accident zan funny once.
Source:platform/main.tf
Argo CD quimaca GitOps referee ihuan now runs on app workers: manifests cateh ipan Git, cluster follows along, ihuan manual drift gets side-eyed back into place.
Source:apps/main.tf
OCI edge host runs nginx, HAProxy, Varnish, ihuan Squid para TLS, routing, ihuan caching stay outside home network while Tailscale quihuica traffic back to worker node.
Source:edge/main.tf nginx template HAProxy template
Shared theme toggle quipia plain CSS ihuan JavaScript: dark mode old-console green-on-black, light mode black cursive on ivory ipan website ihuan demo catalog.
Source:theme script theme toolbar website CSS demo theme script
First demo keeps files ipan browser. Image crunching uses native Canvas APIs axcan, while fast serious path para video conversion is Rust compiled to WebAssembly ika TypeScript UI.
Source:media-cruncher.js media-cruncher page
Yancuic demos cover network jitter graphs, local JSON/JWT/log tools, architecture simulator, offline traveler converter, redactor prototype, sentiment analysis, model-drift simulation, ihuan reserved MLOps platform page.
Source:demo catalog network-quality.js dev-toolbelt.js architecture-simulator.js
Serious MLOps page intentionally zan placeholder axcan. Target design is production-shaped inference demo ika FastAPI, Kubernetes deployment, metrics, drift signals, canary o blue-green rollout, ihuan rollback notes.
Source:MLOps placeholder page sentiment-sandbox.js model-drift.js privacy-redactor.js
Demo code axcan builds into own demos-static image ihuan Argo CD app, exposed at /demo-apps/. PHP website zan owns catalog link, inin achi less cursed.
Source:demos Dockerfile demos web-app.yaml website demos.php
Pimox worker pipeline uses qm over SSH para create OVMF/virtio-scsi Debian 13 arm64 VM, wait for qemu-guest-agent, seal it, ihuan convert VM 9000 into reusable template on local storage.
Source:provisioning/main.tf lab.sh Pimox pipeline provisioning README
Golden image bakes in Kubernetes prerequisites: swap disabled, cgroup boot options checked, kernel modules loaded, containerd configured for systemd cgroups, kubeadm/kubelet/kubectl installed, ihuan qemu-guest-agent enabled.
Source:preseed.cfg golden-node prepare prepare-template
Worker clone automation is count-based ihuan idempotent: LAB_PIMOX_WORKER_COUNT=1 quitosnequi ensure VM 9010 exists, amo create fresh worker every run. New workers refused tla target storage is local.
Source:lab.sh worker storage guardrail README Pimox defaults
OpenWrt handled separately from Debian golden-node template. Lab downloads upstream ARM SystemReady EFI image, imports it as VM 9050 on nvme_thin_pool, ihuan keeps disabled unless LAB_OPENWRT_VM=true.
Source:lab.sh OpenWrt pipeline README OpenWrt notes
Monitoring layer axcan includes Prometheus Stack, Grafana, Loki, Promtail, node-exporter, ihuan kube-state-metrics, ika placement guardrails para platform add-ons ma amo default to control plane.
Source:platform/main.tf README monitoring

Improvement tlatecpanaliztli

Todo list para next homelab pass

Inin cateh improvement proposals, amo chores zan pampa chores. Each item either reduces rebuild risk, tightens supply-chain hygiene, o makes platform easier to operate quema tlein fails.

Move Gitea data from Raspberry Pi SD card to SSD-backed storage.
Keep Debian bare GitOps mirror as cluster source ihuan add object-storage backups quema OCI storage ready.
Add real OpenTofu remote state backend ika backup, locking, ihuan documented recovery path.
Replace remaining mutable latest image references ika immutable tags o digest pins para demo workloads; website image axcan uses content-hash tag.
Generate SBOMs ihuan sign images so local registry can prove tlein serving.
Add Renovate o Dependabot-style dependency updates para base images, Helm charts, ihuan GitHub/Gitea Actions.
Expand Kyverno baseline policy coverage: non-root, read-only roots, resource requests, allowed registries, ihuan documented exceptions para platform components.
Turn installed observability stack into useful operations views: few high-signal dashboards, alerts para node health, storage pressure, certificate expiry, ihuan failed app syncs.
Schedule backup restore drills para external Gitea ihuan OpenEBS volumes, then write exact restore runbook.
Tighten TLS, SSH, ihuan token rotation around OCI edge, Gitea, registry, ihuan runner credentials.
Document new storage split: local para Pimox template, nvme_thin_pool para VM workers, OpenEBS para Kubernetes app data, ihuan backup targets para tlein must survive rebuild.
Move sensitive app configuration into Sealed Secrets, External Secrets, o occe explicit secret-management path.
After new disk has breathing room, clone first Pimox worker from VM 9000, join it ika kubeadm, ihuan verify labels, taints, CNI, storage, ihuan workload scheduling.
Test OpenWrt VM ipan maintenance window before making it gateway: confirm WAN, LAN, rollback access, DHCP settings, ihuan Pimox remains reachable.
Buy o configure managed switch before VLAN work. Until then, keep OpenWrt as simple two-interface firewall ihuan avoid risky remote bridge rewrites.

Visitor tlamachiliztli

Tlein tijpatlaz next?

Xititla ce practical idea para homelab backlog. Submissions mocahua quen plain text, limited size, ihuan escaped quema rendered.