vicke-flux
Flux GitOps configuration for the home server.
Repository structure
.
├── flux-system/ # Flux controllers and CRDs (managed by flux bootstrap)
├── infrastructure/
│ ├── controllers/ # Cluster infrastructure controllers (cert-manager, ingress-nginx, etc.)
│ └── configs/ # Cluster-wide config (ClusterIssuers, IngressClasses, namespaces, etc.)
└── apps/ # Application workloads
Flux applies resources in this order: flux-system → infrastructure/controllers → infrastructure/configs → apps.
Adding a new service
- Create a directory under apps/ named after the service:

      apps/
      └── my-service/
          ├── kustomization.yaml
          ├── namespace.yaml
          ├── deployment.yaml
          └── service.yaml

- Write a kustomization.yaml inside the service directory that lists its manifests:

      apiVersion: kustomize.config.k8s.io/v1beta1
      kind: Kustomization
      resources:
        - namespace.yaml
        - deployment.yaml
        - service.yaml

- Register the service by adding it to apps/kustomization.yaml:

      resources:
        - my-service # add this line

- Commit and push. Flux will reconcile the change automatically.
Adding infrastructure controllers
Place HelmRelease / HelmRepository manifests (or plain manifests) under infrastructure/controllers/ and register them in infrastructure/controllers/kustomization.yaml. Anything that apps depend on (CRDs, admission webhooks) belongs here so it is applied before apps/.
Adding cluster-wide config
Place ClusterIssuers, default StorageClasses, shared namespaces, etc. under infrastructure/configs/ and register them in infrastructure/configs/kustomization.yaml.
Secrets
Secrets should not be committed in plain text. Options:
- Sealed Secrets — encrypt with kubeseal, commit the SealedSecret manifest.
- SOPS — encrypt secrets files; Flux decrypts them at apply time.
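
A pre-commit or CI check for the rule above, as an added example that is not part of this repository: it flags core Secret manifests that carry data or stringData without SOPS metadata, and ignores SealedSecret objects. The regex heuristics (a top-level sops: block marks an encrypted document), the function names and the sample manifests are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

DOC_SPLIT = re.compile(r"^---\s*$", re.M)
KIND_SECRET = re.compile(r"^kind:\s*[\"']?Secret[\"']?\s*(#.*)?$", re.M)
PAYLOAD = re.compile(r"^(data|stringData):", re.M)
SOPS_META = re.compile(r"^sops:\s*$", re.M)    # SOPS adds a top-level "sops:" block
NAME = re.compile(r"^\s+name:\s*(\S+)", re.M)  # heuristic: first indented "name:" key

def plaintext_secrets(text):
    """Names of core Secret documents that carry a payload but no SOPS metadata."""
    found = []
    for doc in DOC_SPLIT.split(text):
        if KIND_SECRET.search(doc) and PAYLOAD.search(doc) and not SOPS_META.search(doc):
            m = NAME.search(doc)
            found.append(m.group(1) if m else "<unnamed>")
    return found

def scan(root):
    """Map each *.yaml file under root to the plaintext Secret names found in it."""
    files = sorted(Path(root).rglob("*.yaml"))
    hits = {str(p): plaintext_secrets(p.read_text(errors="replace")) for p in files}
    return {p: names for p, names in hits.items() if names}

# Constructed sample stream (not from the repository): plaintext, SOPS, SealedSecret.
SAMPLE = """\
kind: Secret
metadata:
  name: db-plain
stringData:
  password: constructed-value
---
kind: Secret
metadata:
  name: db-sops
stringData:
  password: ENC[AES256_GCM,data:CONSTRUCTED,type:str]
sops:
  version: CONSTRUCTED
---
kind: SealedSecret
metadata: {name: db-sealed}
spec: {encryptedData: {password: CONSTRUCTED}}
"""

if __name__ == "__main__":
    report = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    sys.exit("\n".join(f"{p}: plaintext Secret {n}" for p, n in report.items()) or 0)
```

Run from the repository root, the script exits non-zero and lists the offending files when a plaintext Secret is found, so it can gate a commit hook or CI job before Flux ever sees the manifest.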