My Homelab Stack in 2026

A complete tour of my single-node Kubernetes homelab: Talos Linux, Cilium, Traefik, Longhorn, Authentik, and 15+ self-hosted services.

My Homelab Stack in 2026

I run a single-node Kubernetes cluster on a Dell laptop in my home office. It hosts 15+ services, monitors itself, sends push notifications to my phone, and every change deploys through Git. Here's the full stack.

Hardware

Nothing fancy: a Dell laptop with 16 GB RAM and a 512 GB NVMe drive. It sits on a shelf, lid closed, running 24/7. Total power draw is around 15-25W. For storage-heavy workloads like audiobooks and music, I have an NFS share on a separate NAS.

Operating System: Talos Linux

The laptop runs Talos Linux, an immutable OS purpose-built for Kubernetes. There's no SSH, no shell, no package manager. Everything is managed through the talosctl API. This sounds limiting until you realize it eliminates entire categories of problems: no configuration drift, no unauthorized changes, no "someone installed something weird on the node."

Kubernetes & GitOps

Kubernetes v1.35 managed by Flux. Every manifest lives in a Git repository. Push to main, Flux reconciles within 10 minutes. No kubectl apply in production, ever.

The repo has two layers:

  • Infrastructure deploys first: Cilium (CNI), Traefik (ingress), Longhorn (storage), cert-manager (TLS), Authentik (SSO), monitoring
  • Apps deploys after infrastructure is healthy: everything else

Networking: Cilium

Cilium replaced three separate components, Flannel (CNI), kube-proxy, and MetalLB (load balancer), with a single eBPF-powered solution. It handles pod networking, L2 load balancing (Traefik gets a stable IP at 192.168.50.200), and network policy enforcement. Fewer moving parts, better observability.

Ingress: Traefik + Cloudflare Tunnel

Traefik handles all ingress at 192.168.50.200. Every service gets two hostnames:

  • app.homelab.local: for LAN access with self-signed TLS
  • app.naviauxlab.com: for external access via Cloudflare Tunnel

Cloudflare Tunnel connects the cluster to the internet with no port forwarding, no dynamic DNS, no exposed ports on my router. Traffic flows: Internet → Cloudflare edge → encrypted tunnel → Traefik → pod.

Storage: Longhorn

Longhorn provides persistent storage with daily and weekly snapshots. On a single-node cluster it's essentially a snapshot-capable local storage provider. Every PVC gets automatic backup protection.

Identity: Authentik

Authentik provides SSO across the cluster. Most services use Traefik forward-auth (one login protects everything behind it). Grafana and Miniflux use OIDC for native integration. Ghost has its own authentication, so it skips Authentik.

The Services

Here's what's running:

  • Ghost: this blog
  • Vaultwarden: password manager (Bitwarden-compatible)
  • Miniflux: RSS reader
  • Navidrome: music streaming (Subsonic API, works with iOS apps)
  • Audiobookshelf: audiobooks and podcasts
  • Mealie: recipe manager
  • Linkding: bookmarks
  • Actual Budget: personal finance
  • Homepage: dashboard
  • IT-Tools: developer utilities
  • Stirling PDF: PDF toolkit
  • Uptime Kuma: health monitoring
  • ntfy: push notifications

Monitoring

Prometheus scrapes metrics from everything. Grafana has dashboards for cluster health, ISP speed trends, GitOps status, storage, and certificates. Alertmanager fires alerts through ntfy to my phone. Uptime Kuma runs 20 declarative health checks via AutoKuma CRDs.

If a pod crashes at 3 AM, I get a push notification. If my ISP gets slow, I have the data to prove it.

Security Posture

Every namespace has default-deny network policies. Pods run as non-root with dropped capabilities. All images are pinned to specific versions. Secrets are encrypted in Git with SOPS + age. The OS is immutable. There's no SSH to compromise.

What's Next

The cluster is stable and I'm happy with it. Next priorities are offsite backups (currently only Longhorn snapshots), possibly adding a second node for real HA, and writing more about the patterns I've learned along the way.