Stefan Zhelev
This site documents the stefanzhelev platform — a self-hosted, GitOps-driven infrastructure stack running on Hetzner Cloud. Everything from the underlying VMs to the running applications is declared in Git and reconciled automatically.
Architecture
How the platform is layered
| Layer | What it covers | Where to look |
|---|---|---|
| Data Apps | Dagster, dlt, ClickHouse, dbt, and Lightdash — the ingest-to-dashboard analytics stack | ClickHouse |
| Coding | Claude Code — Anthropic’s terminal agent that drives the platform’s day-to-day operations and infrastructure changes | planned |
| Identity & Access | Authentik for SSO and Headscale for VPN access — the only services reachable on the public internet | Authentik |
| Observability | The Grafana family (Grafana + Loki + Tempo + Mimir + Alloy) for the operational telemetry layer, and Elementary for data-quality observability over the dbt project | Grafana |
| Infra | Kubernetes — the container orchestrator that hosts every other component | Kubernetes |
| GitOps | Flux CD reconciling the cluster from Git, with Forgejo and Harbor as the internal Git forge and container registry | Flux CD |
| Secrets | Vault as the source of truth for every credential the platform consumes | Vault |
Guiding principles
- Everything in Git. No `kubectl apply` outside of Flux. If it isn’t committed, it doesn’t exist.
- Immutable nodes. Talos has no SSH; nodes are managed entirely through its API and recreated rather than mutated in place.
- Secrets through Vault. Applications never hold credentials directly — they pull from Vault via the External Secrets Operator.
- One identity provider. Authentik provides SSO across every web UI on the platform, including Kubernetes API authentication.
- Reproducible from scratch. A complete teardown and rebuild is a `tofu apply` followed by a Flux bootstrap.
Where to start
If you’re new to the platform:
- Read Kubernetes to understand the cluster shape and how it gets provisioned.
- Read Flux CD to see how applications are organized and rolled out.
- Browse the per-app pages under Identity & Access, Secrets, Data Platform, or Observability.