$ khalisio .io
$ ls -la ~/homelab/

Homelab portfolio

Three intertwined projects, each solving a different layer of the same problem: how do you actually run AI agents in production-grade infrastructure without paying a hyperscaler for the privilege?

ORION

active

The brain. A multi-agent orchestration platform that runs the homelab itself.

ORION is a Next.js + Prisma web app paired with a Node worker that drives agents through real work. Agents can be Claude (via MCP), Ollama, or any OpenAI-compatible endpoint. They share a chat-room model with @mentions, ring leader routing, and explicit room goals.

Tools are exposed through a central registry with tiered authorization (read / create / modify / destructive) and audit attribution on every write. The same agents that talk to humans can call gitops_propose to open PRs that the cluster auto-applies.
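A sketch of how a tiered registry with write attribution can be enforced, added here as an illustration and not taken from ORION's code. Everything except the four tier labels and the `gitops_propose` tool name is hypothetical, including the tier assigned to each tool.

```typescript
// Added illustration: every name except the four tier labels and gitops_propose is hypothetical.
const TIERS = ["read", "create", "modify", "destructive"] as const;
type Tier = (typeof TIERS)[number];
type Outcome = "ok" | "denied" | "failed";
type Args = Record<string, unknown>;
interface Tool { name: string; tier: Tier; run: (args: Args) => unknown }
interface AuditEntry { at: string; actor: string; tool: string; tier: Tier; outcome: Outcome }

class ToolRegistry {
  private tools = new Map<string, Tool>();
  private grants = new Map<string, Tier>(); // actor -> highest tier it may use
  readonly audit: AuditEntry[] = [];
  register(tool: Tool): void { this.tools.set(tool.name, tool); }
  grant(actor: string, maxTier: Tier): void { this.grants.set(actor, maxTier); }
  call(actor: string, name: string, args: Args = {}): unknown {
    const tool = this.tools.get(name);
    if (!tool) throw new Error(`unknown tool: ${name}`);
    // Default deny: an actor without a grant can call nothing, not even reads.
    const granted = this.grants.get(actor);
    const allowed = granted !== undefined && TIERS.indexOf(tool.tier) <= TIERS.indexOf(granted);
    const record = (outcome: Outcome): void => {
      // Every write attempt is attributed to its actor; so is every denial.
      if (tool.tier === "read" && outcome !== "denied") return;
      this.audit.push({ at: new Date().toISOString(), actor, tool: name, tier: tool.tier, outcome });
    };
    if (!allowed) {
      record("denied");
      throw new Error(`${actor} may not call ${name} (tier ${tool.tier})`);
    }
    try {
      const result = tool.run(args);
      record("ok");
      return result;
    } catch (err) {
      record("failed"); // a write that failed partway still leaves a trail
      throw err;
    }
  }
}

// Constructed sample setup: the tier given to each tool is an assumption.
function demoRegistry(): ToolRegistry {
  const reg = new ToolRegistry();
  reg.register({ name: "cluster_status", tier: "read", run: () => "healthy" });
  reg.register({ name: "gitops_propose", tier: "create", run: (a) => `PR opened: ${String(a["title"])}` });
  reg.register({ name: "volume_delete", tier: "destructive", run: () => "deleted" });
  reg.grant("agent:planner", "create");
  return reg;
}
```

The audit entry is written before the error propagates, so a denied or failed call is recorded even when the caller swallows the exception.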

Notable bits — a Claude sidecar that writes per-request MCP configs so Claude calls ORION tools natively; an Ollama path that routes through OpenAI-compat endpoints because Ollama's native chat API doesn't support structured tool calls; a retry pipeline with transient-error detection and exponential backoff on the worker.

Next.js 14, Prisma, PostgreSQL, Redis, Talos K8s, MCP, Claude Code SDK, Gitea, TypeScript

Orion's Belt

active

The local twin. Flask app you can hand someone as a single executable.

Same agent model as ORION, but designed to run entirely on a laptop. PyInstaller-packaged so you can hand a non-technical user a single file, and they get an LLM agent with tool calling, memory, and a chat UI.

Notable layers — a three-stage PII guard (Presidio rules → GLiNER zero-shot NER → DeBERTa zero-shot classifier) that runs before any prompt leaves the machine. LanceDB vector store for memory recall. MCP-style tool registry with file ops, SQL queries, and email search (Windows + Outlook MAPI).

Where ORION optimizes for shared infrastructure, Belt optimizes for single-user data sovereignty — nothing leaves the machine unless the user picks an external model.

Flask, SQLAlchemy, LanceDB, transformers, Presidio, GLiNER, MCP, PyInstaller

Homelab platform

online

The substrate. Talos cluster + GitOps + auth + ingress. This site is served from it.

A Talos Linux Kubernetes cluster (no SSH, immutable, declarative) running on bare metal. Workloads land via GitOps PRs into a Gitea repo — the cluster watches the repo and reconciles itself. Agents in ORION open PRs through the gitops_propose tool, with policy gates deciding what auto-merges.

Public ingress sits behind Authentik (SSO + OIDC) and CrowdSec (behavioral intrusion detection). Internal services route through the same chain so there's exactly one auth surface to harden.

Observability — Prometheus + Grafana + Loki. Every agent action, every tool call, every PR is auditable. SOC2-aligned controls implemented end-to-end (encryption at rest, retention policies, audit trail, backup/recovery).

Talos Linux, Kubernetes, Gitea, Authentik, CrowdSec, Prometheus, Grafana, Loki
$ curl --head https://khalisio.com

This site is itself a homelab demo — served from the Talos cluster described above, behind the same Authentik + CrowdSec ingress, deployed through the same GitOps PR pipeline as everything else.