☸️ Platform Template
A GitHub template that provisions a complete, batteries-included Kubernetes platform for you — managed end-to-end with Flux GitOps, KSail, and Talos Linux. It runs locally on Docker for development and in production on Hetzner Cloud, and every change is validated in CI before it reaches the cluster. It is a genericized, fully-automated-bootstrap version of the devantler-tech platform, from which it is derived.
Repository: devantler-tech/platform-template
Use it as a starting point for your own homelab or small-team platform — instantiate it, point it at your accounts, and you get a production-grade cluster with networking, certificates, secrets management, SSO, policy/runtime security, storage, databases, observability, backups, and autoscaling already wired together.
What’s Inside
A high-level inventory of what Flux reconciles onto the cluster. The exact set is overlay-dependent — local/CI (Docker) deploys the full base set, while the Hetzner/prod overlay opts out of a few controllers to save resources.
- GitOps & config — Flux Operator, Reloader
- Networking — Cilium (CNI + Gateway API), CoreDNS, external-dns (Cloudflare), Hetzner CCM (prod)
- Certificates — cert-manager, trust-manager, Cloudflare Origin CA issuer
- Secrets — OpenBao + External Secrets Operator (runtime), SOPS + Age (at-rest seeds)
- Identity / SSO — Dex (OIDC) with oauth2-proxy / auth-proxy
- Policy & runtime security — Kyverno (admission policy), Kubescape (posture + runtime detection), Tetragon (runtime enforcement)
- Storage — Longhorn (replicated block / RWX), CloudNativePG (PostgreSQL operator)
- Autoscaling — Cluster Autoscaler, Vertical Pod Autoscaler, KEDA + KEDA HTTP add-on
- Observability — kube-prometheus-stack (Prometheus, Grafana, Alertmanager), Loki (logs), Grafana Alloy (collection), OpenCost (cost)
- Backup / DR — Velero with CloudNativePG backups to S3-compatible storage (Cloudflare R2 in prod)
- Demo apps — Homepage (dashboard), Headlamp (Kubernetes web UI), and whoami, so the platform stands up with something to look at
To run your own application on the platform, add it as a GitOps tenant from its own repository — see the GitOps Tenant Template.
Getting Started
The headline feature is the Bootstrap workflow: it takes a fresh instance from “Use this template + GitHub config” all the way to a running Hetzner cluster, fully unattended.
```sh
# Create a new repo from the template
gh repo create my-platform --template devantler-tech/platform-template --private --clone
```

Then, in your new repository:
- Install a GitHub App (or fine-grained PAT) granted Contents: write, Secrets: write, Environments: write, Actions: write — the bootstrap writes cluster-derived credentials back as `prod` environment secrets, which the default `GITHUB_TOKEN` cannot do.
- Set the Variables + Secrets (`DOMAIN`, `CLOUDFLARE_ZONE`, `ADMIN_EMAIL`, `HETZNER_LOCATION`, `HCLOUD_TOKEN`, `CLOUDFLARE_API_TOKEN`, …). A few cluster secrets (`SOPS_AGE_KEY`, `KUBE_CONFIG`, `TALOS_CONFIG`) are auto-generated — you never set those.
- Run the Bootstrap workflow (Actions → 🌱 Bootstrap → Run workflow, choose `prod`, type `yes`). It provisions the Talos cluster via `ksail cluster create`, persists credentials back as `prod` secrets, points Cloudflare DNS at the new load balancer, and commits the rendered + encrypted tree back to your repo.
The authoritative, step-by-step guide — prerequisites, configuration tables, verification, teardown, and troubleshooting — lives in the template’s docs/BOOTSTRAP.md.
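A preflight check for the inputs above, added here as an example (it is not part of the template): it parses the output of `gh variable list` and `gh secret list`, reports required names that are still missing, and flags any of the auto-generated secrets that were set by hand before the bootstrap ran. Which of the listed names are variables and which are secrets is an assumption, and the sample `gh` output is constructed.

```sh
#!/usr/bin/env sh
# Preflight for the Bootstrap workflow (added example, not template code).
# Compares the first column of `gh variable list` / `gh secret list` output
# against the names the README asks you to set. The variable/secret split
# below is an assumption; the README lists the names together.
REQUIRED_VARS="DOMAIN CLOUDFLARE_ZONE ADMIN_EMAIL HETZNER_LOCATION"
REQUIRED_SECRETS="HCLOUD_TOKEN CLOUDFLARE_API_TOKEN"
# The bootstrap generates these itself and writes them back as prod
# environment secrets; a hand-set copy would be stale or mismatched.
AUTOGEN_SECRETS="SOPS_AGE_KEY KUBE_CONFIG TALOS_CONFIG"

# has_name LIST_TEXT NAME -> 0 when NAME is the first column of some line
has_name() {
  printf '%s\n' "$1" | awk '{ print $1 }' | grep -qx -- "$2"
}

# names_where LIST_TEXT "N1 N2 ..." present|missing -> matching subset
names_where() {
  _out=""
  for _n in $2; do
    if has_name "$1" "$_n"; then _hit=present; else _hit=missing; fi
    if [ "$_hit" = "$3" ]; then _out="$_out $_n"; fi
  done
  printf '%s' "${_out# }"
}

# preflight VARS_TEXT SECRETS_TEXT -> prints findings; returns 0 only when
# every required name is set and no auto-generated secret was pre-set.
preflight() {
  _rc=0
  _m=$(names_where "$1" "$REQUIRED_VARS" missing)
  [ -z "$_m" ] || { echo "missing variables: $_m"; _rc=1; }
  _m=$(names_where "$2" "$REQUIRED_SECRETS" missing)
  [ -z "$_m" ] || { echo "missing secrets: $_m"; _rc=1; }
  _p=$(names_where "$2" "$AUTOGEN_SECRETS" present)
  [ -z "$_p" ] || { echo "remove hand-set auto-generated secrets: $_p"; _rc=1; }
  return $_rc
}

# Constructed sample output shaped like `gh variable list` / `gh secret list`.
# Live use: preflight "$(gh variable list)" "$(gh secret list)"
SAMPLE_VARS="DOMAIN           example.test         2024-01-01
CLOUDFLARE_ZONE  example.test         2024-01-01
ADMIN_EMAIL      admin@example.test   2024-01-01"
SAMPLE_SECRETS="HCLOUD_TOKEN  Updated 2024-01-01
KUBE_CONFIG   Updated 2024-01-01"

preflight "$SAMPLE_VARS" "$SAMPLE_SECRETS" || echo "not ready for bootstrap"
```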
Local development
You don’t need Hetzner or the Bootstrap workflow to develop locally — the local cluster runs entirely on Docker via KSail, using Talos with the Docker provider. With Docker and KSail installed:
```sh
ksail cluster create
ksail workload push
ksail workload reconcile
```

- 📦 Template on GitHub
- 🚀 Bootstrap guide
- 🛰️ The devantler-tech platform (the upstream this template is derived from)
- 🚀 GitOps Tenant Template (run your own app on the platform)