Private Kubernetes Platform on Hetzner (OpenTofu + Flux GitOps)
An AI-cofounder / autonomous-startup-builder SaaS
Overview
The self-hosted platform infrastructure for an AI-cofounder / autonomous-startup-builder SaaS: a single private Kubernetes cluster on Hetzner Cloud, provisioned with OpenTofu and managed by Flux GitOps, running the internal services the product depends on with zero public exposure.
Why It Exists
The platform needs reliable, private homes for git (agent repos), an LLM gateway, analytics and error tracking, without exposing any of it to the public internet. A GitOps-driven cluster makes that infrastructure declarative, reproducible and auditable, while Cloudflare Zero Trust keeps inbound ports closed.
What We Built
An OpenTofu configuration (opentofu/) that provisions a Hetzner cluster, network, firewall, and six servers (3 control-plane cx33, 3 workers cx43, all in hel1), running k3s on openSUSE MicroOS via the kube-hetzner module, with state in Hetzner Object Storage (S3 backend with native locking). A flux/ tree installs Flux via the Flux Operator (a single FluxInstance CR, not legacy flux bootstrap) and reconciles everything under flux/clusters/production/ on every push. The cluster runs Forgejo, Umami, LiteLLM and Sentry, with their PostgreSQL databases managed by CloudNative-PG. A firm convention pins cluster operators to control-plane nodes and reserves workers for application pods. Nothing is publicly exposed: there is no ingress controller, no load balancer and no public DNS; selected services are to be reached through Cloudflare Tunnel + Access, which is egress-only.
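As an added illustration (not the project's own flux/ tree), this is the shape of the single FluxInstance CR the Flux Operator consumes: it installs the Flux controllers, points them at flux/clusters/production/, and uses a kustomize patch to apply the operators-on-control-plane convention to the Flux controllers themselves. The repository URL, branch, pull-secret name and Flux version are assumptions, as is the node label/taint that k3s and kube-hetzner put on control-plane nodes.

```yaml
# Added example, not the project's manifest. Assumed: Forgejo URL, branch,
# Secret name "flux-system" holding a read-only deploy token, Flux 2.x.
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    version: "2.x"                 # assumption: track the latest 2.x release
    registry: ghcr.io/fluxcd
  components:
    - source-controller
    - kustomize-controller
    - helm-controller
    - notification-controller
  cluster:
    type: kubernetes
    multitenant: false
    networkPolicy: true            # deny ingress into flux-system except from Flux
    domain: cluster.local
  sync:
    kind: GitRepository
    url: "https://git.internal.example/platform/infra.git"   # assumption
    ref: "refs/heads/main"                                    # assumption
    path: "flux/clusters/production"
    pullSecret: "flux-system"                                 # assumed Secret name
  kustomize:
    patches:
      # Convention from the text: cluster operators run on control-plane nodes.
      # Assumes k3s labels those nodes node-role.kubernetes.io/control-plane=true
      # and that kube-hetzner taints them NoSchedule (default when scheduling
      # on the control plane is not allowed); adjust if configured otherwise.
      - target:
          kind: Deployment
        patch: |
          - op: add
            path: /spec/template/spec/nodeSelector
            value:
              node-role.kubernetes.io/control-plane: "true"
          - op: add
            path: /spec/template/spec/tolerations
            value:
              - key: node-role.kubernetes.io/control-plane
                operator: Exists
                effect: NoSchedule
```

The Flux Operator itself is installed once (Helm or OCI) and then only this CR is edited; changing the sync path or Flux version is a git commit, not a re-bootstrap. One design caveat worth deciding deliberately: if the GitOps repository were hosted in the same cluster's Forgejo, the cluster could not reconcile itself while Forgejo was down, so the sync source should live on a git host that does not depend on the workloads it deploys.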
Technologies & Approach
HCL/OpenTofu for provisioning and YAML/Flux for continuous reconciliation, deliberately split so infrastructure and workloads each have a clear source of truth. The security posture is zero open inbound ports with Cloudflare Zero Trust brokering access, and the operator-on-control-plane / workloads-on-workers rule keeps scheduling predictable as the platform grows.
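An added example, not the project's manifests, of the egress-only access pattern described above: a cloudflared connector that dials out to Cloudflare and proxies Access-protected hostnames to in-cluster Services, with no Service, Ingress or LoadBalancer of its own. It also shows the application side of the scheduling rule (keep off control-plane nodes). The namespace, Secret name and image tag are assumptions; the tunnel token and hostname-to-service routing are configured on the Cloudflare side.

```yaml
# Added example, not the project's manifest. Assumed: namespace "cloudflare",
# Secret "cloudflared-token", token-based (remotely managed) tunnel config.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflared-token
  namespace: cloudflare
type: Opaque
stringData:
  # Placeholder: the real token comes from Cloudflare Zero Trust and should be
  # committed encrypted (e.g. SOPS), never in clear text.
  TUNNEL_TOKEN: "<TUNNEL_TOKEN_PLACEHOLDER>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cloudflared
  namespace: cloudflare
spec:
  replicas: 2
  selector:
    matchLabels:
      app: cloudflared
  template:
    metadata:
      labels:
        app: cloudflared
    spec:
      # Application-side workload: require a node without the control-plane
      # label rather than relying only on the taint (assumed k3s label).
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: node-role.kubernetes.io/control-plane
                    operator: DoesNotExist
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532                 # distroless "nonroot" uid used by the image
      containers:
        - name: cloudflared
          image: cloudflare/cloudflared:PINNED_VERSION   # placeholder: pin a release
          # Outbound-only: the connector opens the tunnel to Cloudflare; nothing
          # listens for external traffic. Metrics stay on the pod network.
          args: ["tunnel", "--no-autoupdate", "--metrics", "0.0.0.0:2000", "run"]
          env:
            - name: TUNNEL_TOKEN
              valueFrom:
                secretKeyRef:
                  name: cloudflared-token
                  key: TUNNEL_TOKEN
          ports:
            - name: metrics
              containerPort: 2000
          livenessProbe:
            httpGet:
              path: /ready           # 200 only while the tunnel is connected
              port: metrics
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```

With a token-based tunnel, which internal hostnames map to which in-cluster Service is set in the Cloudflare dashboard, and Access policies there decide who may reach them; the Hetzner firewall can therefore stay closed to all inbound traffic, and the only thing to monitor on the cluster side is the connector's /ready state and replica count.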
Outcome / Impact
Establishes a private, GitOps-managed application platform that hosts the project’s core internal services reproducibly and securely, with no public attack surface and declarative, push-to-deploy operations.
Capabilities Demonstrated
- GitOps-managed private Kubernetes on Hetzner (k3s + Flux Operator)
- OpenTofu provisioning with S3-backed remote state and locking
- Zero-public-exposure networking via Cloudflare Tunnel + Access
- Self-hosted Forgejo, LiteLLM, Umami and Sentry with CloudNative-PG
- Disciplined node-role scheduling conventions