Provision once with OpenTofu, configure with Ansible, run forever.
The infrastructure layer is OpenTofu-managed — the terraform-* repo names are legacy; the engine inside is tofu (see IaC tooling). Every module is opinionated about deployment shape: LXC for production homelab workloads, Docker on a dedicated VM only when vendor-locked, AWS for disaster recovery and managed services.

The Proxmox stack

In the stack diagram, OpenTofu builds the VMs and LXCs (coral). Ansible then takes the resulting inventory, configures the hosts (green), and deploys the app stack on top.

AWS module map

Repo           | Purpose
tofu-aws       | Splunk DR footprint — cold capacity for failover
tofu-runs-on   | Self-hosted GitHub Actions runners on AWS spot instances
tf-splunk-aws  | Cost-optimised Splunk deployment on AWS

Repos in this section

tofu-proxmox

VMs and LXC containers on the Proxmox cluster.

tofu-unifi

UniFi networks, VLANs, port profiles, firewall rules — network-as-code.

ansible-proxmox

Host config — ZFS, networking, users, hardening.

ansible-proxmox-apps

App deploy — HAProxy, Cribl Edge, Cribl Stream.

tofu-aws

AWS DR footprint for Splunk failover. Cold infra, ready to go warm.

CI/CD

GitHub Actions strategy: self-hosted RunsOn AWS spot, OIDC, plan/apply pattern.

orbstack-kubernetes

Local Kubernetes cluster on macOS — monitoring stack + AI gateway.

tf-splunk-aws

Cost-optimized Splunk deployment on AWS.

Cross-cutting topics

Terraform on AWS

Per-project IAM role, GitHub OIDC, S3 native locking, SSE-S3 — the standard for any new AWS-backed Terraform repo.

Kubernetes overview

OrbStack as the local control plane; what runs on K8s vs LXC vs Docker.

LXC vs Docker

The four-question decision tree for every new workload.

SOPS for IaC

Encrypted-at-rest secrets across OpenTofu and Ansible repos.

Self-hosted Netflix

Media library on a dedicated VLAN.

What runs where

Workload                | Where                                               | Why
Proxmox host            | Bare metal                                          | Hypervisor
HAProxy                 | LXC                                                 | Lightweight, native systemd unit
Cribl Edge              | LXC                                                 | Native package, network-heavy
Splunk Enterprise       | Bare-metal-ish VM                                   | Vendor-only Docker option ruled out for network volume
Home Assistant          | LXC                                                 | Native install via supervised path
Self-hosted Netflix     | LXC chain on a dedicated VLAN                       | Governed by the same UniFi policy + Proxmox placement patterns as the rest of the homelab
docker-host             | VM                                                  | Isolated landing pad for vendor Docker images
GitHub Actions runners  | Docker on docker-host VM + dedicated runner on LLM box | Ephemeral container-per-job, isolated ci_runners network; the LLM-box runner handles workflows that need live access to homelab infrastructure
Qdrant (vector DB)      | LXC (nesting)                                       | Vendor Docker image, lightweight, RAG workload
Local LLM inference     | Bare-metal NixOS                                    | GPU-bound; kept off Proxmox to avoid passthrough overhead and to run whatever OS gives the fastest ROCm path

Deployment philosophy

LXC is the default for production homelab services, with native packages used wherever possible. Docker is used only when a vendor ships Docker-only images and there is no native path, and then only on the dedicated docker-host VM, so that high-volume network traffic never crosses Docker’s virtualized network stack.
For configuration of provisioned hosts, see Configuration.