diff --git a/.github/labeler.yaml b/.github/labeler.yaml index 1d12c4da8..d4e12942b 100644 --- a/.github/labeler.yaml +++ b/.github/labeler.yaml @@ -1,7 +1,7 @@ --- area/ansible: - changed-files: - - any-glob-to-any-file: "infrastructure/ansible/**/*" + - any-glob-to-any-file: "ansible/**/*" area/ci: - changed-files: - any-glob-to-any-file: ".github/**/*" @@ -14,6 +14,3 @@ area/docker: area/kubernetes: - changed-files: - any-glob-to-any-file: "kubernetes/**/*" -area/terraform: - - changed-files: - - any-glob-to-any-file: "infrastructure/terraform/**/*" diff --git a/.github/linters/.ansible-lint b/.github/linters/.ansible-lint deleted file mode 100644 index 34b9144d5..000000000 --- a/.github/linters/.ansible-lint +++ /dev/null @@ -1,9 +0,0 @@ -# .ansible-lint -skip_list: - - yaml[line-length] - - no-changed-when - - deprecated-command-syntax - -warn_list: - - command-instead-of-shell - - template-instead-of-copy diff --git a/.github/scripts/cloudflareNetworks.mjs b/.github/scripts/cloudflareNetworks.mjs deleted file mode 100644 index 894fdf675..000000000 --- a/.github/scripts/cloudflareNetworks.mjs +++ /dev/null @@ -1,6 +0,0 @@ -#!/usr/bin/env zx -$.verbose = false -const response = await fetch('https://api.cloudflare.com/client/v4/ips') -const body = await response.json() -const ips = body.result.ipv4_cidrs.concat(body.result.ipv6_cidrs); -echo(ips.join("\\,")) diff --git a/.github/scripts/extract-images.mjs b/.github/scripts/extract-images.mjs deleted file mode 100644 index d7ab061d3..000000000 --- a/.github/scripts/extract-images.mjs +++ /dev/null 
@@ -1,127 +0,0 @@ -#!/usr/bin/env zx -$.verbose = false - -/** - * * extract-images.mjs - * * Extracts all container images from a HelmRelease and renders them as a JSON object - * @param --helmrelease : The source Flux HelmRelease to compare against the target - * @param --kubernetes-dir : The directory containing your Flux manifests including the HelmRepository manifests - */ -const HelmRelease = argv["helmrelease"] -const KubernetesDir = argv["kubernetes-dir"] - -const helm = await which("helm") -const kustomize = await which("kustomize") - -function extractImageValues(data) { - const imageValues = [] - function extractValues(obj) { - for (const key in obj) { - if (typeof obj[key] === "object") { - extractValues(obj[key]) - } else if (key === "image") { - imageValues.push(obj[key]) - } - } - } - extractValues(data) - return imageValues -} - -async function parseHelmRelease(releaseFile) { - const helmRelease = await fs.readFile(releaseFile, "utf8") - const doc = YAML.parseAllDocuments(helmRelease).map((item) => item.toJS()) - const release = doc.filter( - (item) => - item.apiVersion === "helm.toolkit.fluxcd.io/v2" && - item.kind === "HelmRelease" - ) - return release[0] -} - -async function parseHelmRepository(kubernetesDir, releaseName) { - const files = await globby([`${kubernetesDir}/**/*.yaml`]) - for await (const file of files) { - const contents = await fs.readFile(file, "utf8") - const repository = YAML.parseAllDocuments(contents).map((item) => - item.toJS() - ) - if ( - repository[0] && - "apiVersion" in repository[0] && - repository[0].apiVersion === "source.toolkit.fluxcd.io/v1beta2" && - "kind" in repository[0] && - repository[0].kind === "HelmRepository" && - "metadata" in repository[0] && - "name" in repository[0].metadata && - repository[0].metadata.name === releaseName - ) { - return repository[0] - } - } -} - -async function renderKustomize(releaseBaseDir, releaseName) { - const build = - await $`${kustomize} build 
--load-restrictor=LoadRestrictionsNone ${releaseBaseDir}` - const docs = YAML.parseAllDocuments(build.stdout).map((item) => item.toJS()) - const release = docs.filter( - (item) => - item.apiVersion === "helm.toolkit.fluxcd.io/v2" && - item.kind === "HelmRelease" && - item.metadata.name === releaseName - ) - return release[0] -} - -async function helmTemplate(release, repository) { - const values = new YAML.Document() - values.contents = release.spec.values - const valuesFile = await $`mktemp` - await fs.writeFile(valuesFile.stdout.trim(), values.toString()) - - // Template out helm values into Kubernetes manifests - let manifests - if ("type" in repository.spec && repository.spec.type == "oci") { - manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${ - release.metadata.name - } --include-crds=false ${repository.spec.url}/${ - release.spec.chart.spec.chart - } --version ${ - release.spec.chart.spec.version - } --values ${valuesFile.stdout.trim()}` - } else { - await $`${helm} repo add ${release.spec.chart.spec.sourceRef.name} ${repository.spec.url}` - manifests = await $`${helm} template --kube-version 1.28.0 --release-name ${ - release.metadata.name - } --include-crds=false ${release.spec.chart.spec.sourceRef.name}/${ - release.spec.chart.spec.chart - } --version ${ - release.spec.chart.spec.version - } --values ${valuesFile.stdout.trim()}` - } - - let documents = YAML.parseAllDocuments(manifests.stdout.trim()).map((item) => - item.toJS() - ) - - const images = [] - documents.forEach((doc) => { - const docImageValues = extractImageValues(doc) - images.push(...docImageValues) - }) - return images -} - -const helmRelease = await parseHelmRelease(HelmRelease) -const kustomizeBuild = await renderKustomize( - path.dirname(HelmRelease), - helmRelease.metadata.name -) -const helmRepository = await parseHelmRepository( - KubernetesDir, - kustomizeBuild.spec.chart.spec.sourceRef.name -) -const images = await helmTemplate(kustomizeBuild, 
helmRepository) - -echo(JSON.stringify(images)) diff --git a/.github/scripts/kubernetes-version.sh b/.github/scripts/kubernetes-version.sh index 04c479c78..4bc0b634e 100755 --- a/.github/scripts/kubernetes-version.sh +++ b/.github/scripts/kubernetes-version.sh @@ -1,7 +1,7 @@ #!/bin/bash # Find current Talos version .taskfiles/sidero.yaml -TALOS_VERSION="$(sed -n 's/.*talosVersion: \([v0-9.]*\)/\1/p' infrastructure/talos/talconfig.yaml)" +TALOS_VERSION="$(sed -n 's/.*talosVersion: \([v0-9.]*\)/\1/p' kubernetes/talos/talconfig.yaml)" # Get file from Talos repo that includes default Kubernetes version SOURCE_CONSTANTS=$(curl -s https://raw.githubusercontent.com/siderolabs/talos/$TALOS_VERSION/pkg/machinery/constants/constants.go) diff --git a/.github/workflows/create-issue-on-kubernetes-update.yaml b/.github/workflows/create-issue-on-kubernetes-update.yaml index c24cbd050..680cd1bf6 100644 --- a/.github/workflows/create-issue-on-kubernetes-update.yaml +++ b/.github/workflows/create-issue-on-kubernetes-update.yaml @@ -6,7 +6,7 @@ on: branches: - main paths: - - "infrastructure/talos/talconfig.yaml" + - "kubernetes/talos/talconfig.yaml" concurrency: group: ${{ github.ref }}-${{ github.workflow }} diff --git a/.github/workflows/create-issue-on-talos-update.yaml b/.github/workflows/create-issue-on-talos-update.yaml index ad48ae867..e9e9c20c2 100644 --- a/.github/workflows/create-issue-on-talos-update.yaml +++ b/.github/workflows/create-issue-on-talos-update.yaml @@ -6,7 +6,7 @@ on: branches: - main paths: - - "infrastructure/talos/talconfig.yaml" + - "kubernetes/talos/talconfig.yaml" concurrency: group: ${{ github.ref }}-${{ github.workflow }} diff --git a/.github/workflows/scan-supported-k8s-version.yaml b/.github/workflows/scan-supported-k8s-version.yaml index ecc94dbaa..aa81b4248 100644 --- a/.github/workflows/scan-supported-k8s-version.yaml +++ b/.github/workflows/scan-supported-k8s-version.yaml 
@@ -7,7 +7,7 @@ on: # yamllint disable-line rule:truthy branches: - main paths: - - "infrastructure/talos/talconfig.yaml" + - "kubernetes/talos/talconfig.yaml" concurrency: group: ${{ github.ref }}-${{ github.workflow }} diff --git a/.gitignore b/.gitignore index ef96799e4..d85c30e6f 100644 --- a/.gitignore +++ b/.gitignore @@ -14,4 +14,3 @@ talosconfig* *.iso .task/checksum **/Brewfile.lock.json -docker/**/*.env diff --git a/.github/linters/.markdownlint.yaml b/.markdownlint.yaml similarity index 100% rename from .github/linters/.markdownlint.yaml rename to .markdownlint.yaml diff --git a/.minijinja.toml b/.minijinja.toml new file mode 100644 index 000000000..05c2a7b6a --- /dev/null +++ b/.minijinja.toml @@ -0,0 +1,5 @@ +autoescape = "none" +newline = true +trim-blocks = true +lstrip-blocks = true +env = true diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml deleted file mode 100644 index 1e738125c..000000000 --- a/.pre-commit-config.yaml +++ /dev/null @@ -1,46 +0,0 @@ ---- -fail_fast: false -repos: - - repo: https://github.com/adrienverge/yamllint.git - rev: v1.37.1 - hooks: - - id: yamllint - args: - - -c - - ".github/linters/.yamllint.yaml" - - - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v6.0.0 - hooks: - - id: trailing-whitespace - - id: end-of-file-fixer - - id: mixed-line-ending - - id: check-executables-have-shebangs - - id: fix-byte-order-marker - - id: check-added-large-files - args: [--maxkb=2048] - - id: check-merge-conflict - - - repo: https://github.com/Lucas-C/pre-commit-hooks - rev: v1.5.5 - hooks: - - id: remove-crlf - - id: remove-tabs - - - repo: https://github.com/sirosen/fix-smartquotes - rev: 0.2.0 - hooks: - - id: fix-smartquotes - - - repo: https://github.com/zricethezav/gitleaks - rev: v8.28.0 - hooks: - - id: gitleaks - - - repo: https://github.com/jumanjihouse/pre-commit-hooks - rev: 3.0.0 - hooks: - - id: shellcheck - language: script - args: [--severity=error] - additional_dependencies: [] 
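Review bot: The new `.minijinja.toml` switches on `env = true` and `autoescape = "none"` for every `minijinja-cli` run that picks up `MINIJINJA_CONFIG_FILE`, replacing the `--env --autoescape=none` flags the deleted `bootstrap-core-apps` task passed per invocation, but the file records nothing about why. A short header comment would capture the trade-off, e.g. `# Templates render Kubernetes YAML, not HTML: autoescaping is off. env = true exposes the whole process environment (including values injected by op run) to every template rendered with this config.` Because the environment is exposed wholesale, the set of templates rendered under this config is worth keeping limited to the bootstrap directory that actually needs those injected values.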
diff --git a/.github/linters/.prettierignore b/.prettierignore similarity index 100% rename from .github/linters/.prettierignore rename to .prettierignore diff --git a/.github/linters/.prettierrc.yaml b/.prettierrc.yaml similarity index 100% rename from .github/linters/.prettierrc.yaml rename to .prettierrc.yaml diff --git a/.renovate/regexManagers.json5 b/.renovate/regexManagers.json5 index 04331c57d..00a6fd032 100644 --- a/.renovate/regexManagers.json5 +++ b/.renovate/regexManagers.json5 @@ -13,7 +13,7 @@ { customType: "regex", description: "Process Kubernetes versions", - fileMatch: ["infrastructure/talos/talconfig.yaml"], + fileMatch: ["kubernetes/talos/talconfig.yaml"], matchStrings: ["kubernetesVersion: (?.*)"], depNameTemplate: "ghcr.io/siderolabs/kubelet", datasourceTemplate: "docker", @@ -22,7 +22,7 @@ customType: "regex", description: "Process Talos versions", fileMatch: [ - "infrastructure/talos/talconfig.yaml", + "kubernetes/talos/talconfig.yaml", ".taskfiles/talos/taskfile.yaml", ], matchStrings: [ @@ -46,8 +46,7 @@ customType: "regex", description: "Process GitHub release URLs", fileMatch: [ - "kubernetes/.+\\.ya?ml(?:\\.j2)?$", - "infrastructure/.+\\.ya?ml(?:\\.j2)?$" + "kubernetes/.+\\.ya?ml(?:\\.j2)?$" ], matchStrings: [ "https:\\/\\/github.com\\/(?[\\w\\d\\-_]+\\/[\\w\\d\\-_]+)\\/releases\\/download\\/v(?[\\w\\d\\.\\-_]+)\\/.*", diff --git a/.sourceignore b/.sourceignore index 98eac7053..318e185af 100644 --- a/.sourceignore +++ b/.sourceignore @@ -2,12 +2,11 @@ /.github/ /.taskfiles/ /.vscode/ -/infrastructure/ +/ansible/ /docs/ /.env /.gitattributes /.gitignore -/.pre-commit-config.yaml /LICENSE /README.md /Taskfile.yaml diff --git a/.taskfiles/bootstrap/taskfile.yaml b/.taskfiles/bootstrap/taskfile.yaml index 9bbef3780..9b93d0a89 100644 --- a/.taskfiles/bootstrap/taskfile.yaml +++ b/.taskfiles/bootstrap/taskfile.yaml 
@@ -2,12 +2,48 @@ # yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" +vars: + CONTEXT: + sh: talosctl config info --output json | jq --raw-output '.context' + CONTROLLER: + sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1 + tasks: - cluster: - desc: Bootstrap Talos and K8s cluster + talos: + desc: Bootstrap Talos + preconditions: + - talosctl config info + - talosctl --nodes {{.CONTROLLER}} get machineconfig + - which jq talosctl cmds: - - task: :tools:brew - - task: :tools:krew - - task: :talos:bootstrap - - task: :rook:wipe - - task: :flux:bootstrap + - until talosctl --nodes {{.CONTROLLER}} bootstrap; do sleep 5; done + - task: kubeconfig + + kubeconfig: + desc: Generate kubeconfig + cmds: + - talosctl kubeconfig --nodes {{.CONTROLLER}} --force --force-context-name {{.CONTEXT}} {{.KUBECONFIG}} + - kubectl config set-cluster {{.CONTEXT}} --server https://{{.CONTROLLER}}:6443 + vars: + CONTROLLER: + sh: talosctl config info --output yaml | yq --exit-status '.endpoints[0]' + preconditions: + - talosctl --nodes {{.CONTROLLER}} get machineconfig + - which talosctl yq + + apps: + desc: Bootstrap Kubernetes Apps + preconditions: + - which helmfile yq jq kubectl op talosctl + - test -f {{.K8S_DIR}}/bootstrap/helmfile.d/00-crds.yaml + - test -f {{.K8S_DIR}}/bootstrap/helmfile.d/01-apps.yaml + - test -f {{.K8S_DIR}}/bootstrap/resources.yaml.j2 + - op user get --me + - talosctl config info + - talosctl --nodes {{.CONTROLLER}} get machineconfig + cmds: + - task: kubeconfig + - op run --env-file {{.K8S_DIR}}/bootstrap/resources.env --no-masking -- + minijinja-cli {{.K8S_DIR}}/bootstrap/resources.yaml.j2 | kubectl apply --server-side --filename - + - helmfile --quiet --file {{.K8S_DIR}}/bootstrap/helmfile.d/00-crds.yaml template | kubectl apply --server-side --filename - + - helmfile --file {{.K8S_DIR}}/bootstrap/helmfile.d/01-apps.yaml sync --hide-notes 
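Review bot: The `apps` task's preconditions test for the two helmfiles and `resources.yaml.j2` but not for `{{.K8S_DIR}}/bootstrap/resources.env`, which the first `cmds` step hands to `op run --env-file`; adding `- test -f {{.K8S_DIR}}/bootstrap/resources.env` fails fast instead of failing after `kubeconfig` has already rewritten the user's kubeconfig. In `talos`, `until talosctl --nodes {{.CONTROLLER}} bootstrap; do sleep 5; done` retries forever, so a wrong endpoint or bad certificate hangs the task silently rather than failing; bounding the loop (a retry counter or a `timeout` wrapper) keeps the retry while making the failure visible. `kubeconfig` overrides `CONTROLLER` with `.endpoints[0]` while the file-level var picks a shuffled endpoint, and a one-line comment stating why the kubeconfig must point at a fixed endpoint would save the next reader from treating that as an oversight.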
diff --git a/.taskfiles/kubernetes/resources/buoy-pod.tmpl.yaml b/.taskfiles/kubernetes/resources/buoy-pod.tmpl.yaml deleted file mode 100644 index 7d8bcde07..000000000 --- a/.taskfiles/kubernetes/resources/buoy-pod.tmpl.yaml +++ /dev/null @@ -1,45 +0,0 @@ ---- -apiVersion: v1 -spec: - containers: - - name: buoy - image: ghcr.io/ahinko/buoy:1.4.14 - command: ["/bin/sh"] - stdin: true - stdinOnce: true - tty: true - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - ALL - privileged: true - fsGroup: 0 - volumeMounts: - - mountPath: /rootfs - name: rootfs - - name: dev - mountPath: /dev - - mountPath: /sys/firmware/efi/efivars - name: efivars - - mountPath: /run/containerd - name: containerd - dnsPolicy: ClusterFirstWithHostNet - hostIPC: true - hostNetwork: true - hostPID: true - nodeName: ${node} - restartPolicy: Never - volumes: - - name: dev - hostPath: - path: /dev - - name: rootfs - hostPath: - path: / - - name: efivars - hostPath: - path: /sys/firmware/efi/efivars - - name: containerd - hostPath: - path: /run/containerd diff --git a/.taskfiles/kubernetes/taskfile.yaml b/.taskfiles/kubernetes/taskfile.yaml index 1c97131fd..7050efb66 100644 --- a/.taskfiles/kubernetes/taskfile.yaml +++ b/.taskfiles/kubernetes/taskfile.yaml 
@@ -2,15 +2,16 @@ # yaml-language-server: $schema=https://taskfile.dev/schema.json version: 3 -vars: - KUBERNETES_RESOURCES_DIR: "{{.ROOT_DIR}}/.taskfiles/kubernetes/resources" - tasks: - delete-failed-succeeded-pods: - desc: Deletes pods with Failed and Succeeded phase + delete-pods: + desc: Cleanse pods with a Failed/Pending/Succeeded phase cmds: - - kubectl delete pods --field-selector status.phase=Failed -A --ignore-not-found=true - - kubectl delete pods --field-selector status.phase=Succeeded -A --ignore-not-found=true + - for: + matrix: + PHASE: [Failed, Pending, Succeeded] + cmd: kubectl delete pods --all-namespaces --field-selector status.phase={{.ITEM.PHASE}} --ignore-not-found=true + preconditions: + - which kubectl list-not-running-pods: desc: Lists pods that are not running @@ -28,12 +29,13 @@ tasks: - kubectl node-shell --version - which kubectl - buoy: - desc: Run a buoy shell (privileged pod) - cmd: | - kubectl run buoy-{{.node}} -i --rm --image=null \ - --overrides="$(yq {{.KUBERNETES_RESOURCES_DIR}}/buoy-pod.tmpl.yaml -o=json | envsubst)" - env: - node: "{{.node}}" + upgrade-arc: + desc: Upgrade the ARC + cmds: + - helm -n actions-runner-system uninstall arc-homelab + - helm -n actions-runner-system uninstall actions-runner-controller + - sleep 30 + - flux -n actions-runner-system reconcile hr actions-runner-controller + - flux -n actions-runner-system reconcile hr arc-homelab preconditions: - - test -f {{.KUBERNETES_RESOURCES_DIR}}/buoy-pod.tmpl.yaml + - which flux helm diff --git a/.taskfiles/rook/taskfile.yaml b/.taskfiles/rook/taskfile.yaml deleted file mode 100644 index bf0cf6a4d..000000000 --- a/.taskfiles/rook/taskfile.yaml +++ /dev/null 
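Review bot: `delete-pods` now also deletes every `Pending` pod across all namespaces, which the old `delete-failed-succeeded-pods` task did not do; a Pending pod is frequently just waiting on scheduling, an image pull or a PVC rather than being stuck, so this is a destructive action against live workloads with no confirmation. Consider a `prompt: This will delete every Failed/Pending/Succeeded pod in the cluster... continue?` on the task, as the removed rook `wipe` task had, or leave `Pending` out of the matrix by default.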
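Review bot: `upgrade-arc` runs `helm uninstall` on two releases and then waits a fixed `sleep 30` before asking Flux to reconcile them; if teardown takes longer than 30 s the reconcile races it, and if it is quicker the task idles for nothing. Waiting on the actual deletion (a `kubectl wait --for=delete` on the controller's workload, whose resource names are not visible in this hunk) makes the step deterministic, and since the task removes the runner controller a `prompt:` like the one on the old `wipe` task would be appropriate. A one-line comment on why an upgrade is done by uninstall-and-reconcile rather than by bumping the HelmRelease would also help the next reader.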
@@ -1,15 +0,0 @@ ---- -version: "3" - -tasks: - dashboard-password: - desc: Get password for Rook/Ceph dashboard - cmds: - - kubectl -n rook-ceph get secret rook-ceph-dashboard-password -o jsonpath="{['data']['password']}" | base64 --decode && echo - silent: true - - wipe: - desc: Wipe rook disks - prompt: This will wipe all disks used by Rook/Ceph... continue? - cmds: - - kubectl apply -f kubernetes/tools/rook/wipe-job.yaml diff --git a/.taskfiles/talos/taskfile.yaml b/.taskfiles/talos/taskfile.yaml index 66df51ffa..09f1ad0bb 100644 --- a/.taskfiles/talos/taskfile.yaml +++ b/.taskfiles/talos/taskfile.yaml @@ -3,56 +3,10 @@ version: "3" vars: - TALOS_CONTROLLER: + CONTROLLER: sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1 tasks: - generate: - desc: Generate Talos machine configurations - dir: "{{.TALOS_DIR}}" - env: - VAULT: "Homelab" - cmds: - - op run --env-file="./op.env" -- talhelper genconfig - sources: - - talconfig.yaml - - talsecret.yaml - generates: - - clusterconfig/*.yaml - - clusterconfig/talosconfig - - apply-config: - desc: Apply Talos config on a node - dir: "{{.TALOS_DIR}}" - cmds: - - task: generate - - task: wait_for_health - vars: { TIMEOUT: 30s } - - talhelper gencommand apply -n {{.node}} | bash - requires: - vars: ["node"] - - upgrade-talos: - desc: Upgrade Talos on a node - dir: "{{.TALOS_DIR}}" - cmds: - - task: generate - - task: wait_for_health - vars: { TIMEOUT: 30s } - - talhelper gencommand upgrade -n {{.node}} --extra-flags=--stage | bash - requires: - vars: ["node"] - - upgrade-k8s: - desc: Upgrade Kubernetes - dir: "{{.TALOS_DIR}}" - cmds: - - task: generate - - task: wait_for_health - vars: { TIMEOUT: 30s } - - talosctl -n {{.TALOS_CONTROLLER}} etcd snapshot etcd.backup - - talhelper gencommand upgrade-k8s | bash - wait_for_health: internal: True desc: Wait for services in cluster to be healthy 
@@ -62,60 +16,72 @@ tasks: # Ensure CloudNative-PG cluster has 3 ready instances - kubectl -n databases wait --for jsonpath='{.status.readyInstances}'='3' --timeout {{ .TIMEOUT | default "30s" }} cluster postgres17 - bootstrap: - desc: Bootstrap Talos - - cmds: - - task: :talos:generate - - task: :talos:bootstrap-apply-config - - task: :talos:bootstrap-etcd - - task: :talos:kubeconfig - - task: :talos:bootstrap-core-apps - - bootstrap-apply-config: - desc: Apply Talos config on all nodes - dir: "{{.TALOS_DIR}}" - cmds: - - talhelper gencommand apply --extra-flags=--insecure | bash - - bootstrap-etcd: - desc: Bootstrap etcd - cmds: - - until talosctl --nodes {{.TALOS_CONTROLLER}} bootstrap; do sleep 10; done - talosconfig: desc: Get an updated version of talosconfig cmds: - - cp infrastructure/talos/clusterconfig/talosconfig ~/.talos/config + - cp {{ .TALOS_DIR }}/clusterconfig/talosconfig {{ .TALOSCONFIG }} - kubeconfig: - desc: Get an updated version of kubeconfig with updated/rotated certificates + generate: + desc: Generate Talos machine configurations + dir: "{{.TALOS_DIR}}" cmds: - - talosctl kubeconfig ~/.kube/configs/mainframe -n {{.TALOS_CONTROLLER}} - - kubectl config rename-context admin@mainframe mainframe + - op run --env-file="./talsecret.env" -- talhelper genconfig + sources: + - talconfig.yaml + - talsecret.yaml + generates: + - clusterconfig/*.yaml + - clusterconfig/talosconfig - bootstrap-core-apps: - desc: Bootstrap core helm apps + apply: + desc: Apply Talos config on a node, NODE=required + requires: + vars: + - NODE + dir: "{{.TALOS_DIR}}" + cmds: + - task: generate + - task: wait_for_health + vars: { TIMEOUT: 30s } + - talhelper gencommand apply -n {{.NODE}} | bash + + upgrade: + desc: Upgrade Talos on a node, NODE=required + requires: + vars: + - NODE + dir: "{{.TALOS_DIR}}" + cmds: + - task: generate + - task: wait_for_health + vars: { TIMEOUT: 30s } + - talhelper gencommand upgrade -n {{.NODE}} --extra-flags=--stage | bash + preconditions: 
+ - talosctl --nodes {{.NODE}} get machineconfig + - which talosctl yq + + upgrade:k8s: + desc: Upgrade Kubernetes + dir: "{{.TALOS_DIR}}" + cmds: + - task: generate + - task: wait_for_health + vars: { TIMEOUT: 30s } + - talosctl -n {{.CONTROLLER}} etcd snapshot etcd.backup + - talhelper gencommand upgrade-k8s | bash + + write-to-usb: + desc: Write Talos image to USB drive, use configuration to determine architecture and schematic, NODE=required + dir: "{{.TALOS_DIR}}" + requires: + vars: + - NODE vars: - BOOTSTRAP_TEMPLATES: - sh: ls {{.CLUSTER_DIR}}/bootstrap/secrets/*.j2 - env: - VAULT: "Homelab" + IMAGE_URL: + sh: talhelper genurl image -n {{.NODE}} -c {{.TALOS_DIR}}/talconfig.yaml cmds: - - until kubectl wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done - - for: { var: BOOTSTRAP_TEMPLATES } - cmd: > - op run --env-file {{.CLUSTER_DIR}}/bootstrap/op.env --no-masking -- - minijinja-cli --env --trim-blocks --lstrip-blocks --autoescape=none {{.ITEM}} - | kubectl apply --server-side --filename - - - helmfile --file {{.CLUSTER_DIR}}/bootstrap/helmfile.yaml apply --skip-diff-on-install --suppress-diff - - until kubectl wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done - - write-talos-amd64-to-usb: - desc: Write Talos image to USB drive to be used with amd64 machines - silent: true - cmds: - - "curl -LOC - https://factory.talos.dev/image/07fc545562cc6c5d76cf282c30a95d10b86286cd345bac2fa963c786397475cd/v1.10.7/metal-amd64.raw.xz && xz -d metal-amd64.raw.xz" + - echo "Downloading image from {{.IMAGE_URL}}" + - curl -L -o {{.ROOT_DIR}}/talos-{{.NODE}}.raw.xz {{.IMAGE_URL}} && xz -d {{.ROOT_DIR}}/talos-{{.NODE}}.raw.xz - "diskutil list" - | echo "Path to USB drive:" 
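Review bot: In `write-to-usb`, `curl -L -o {{.ROOT_DIR}}/talos-{{.NODE}}.raw.xz {{.IMAGE_URL}}` runs without `--fail`, so an HTTP error page from the image factory is saved as the image and the following `xz -d` fails with a misleading message; `curl -fL -o ...` makes a bad download fail at the download. The image is then written to a disk with `sudo dd` with no integrity check, and where the old tasks pinned a schematic hash and version in the URL this one trusts whatever `talhelper genurl` returns, so if the factory publishes a checksum for the image the task should fetch and verify it before `dd`. The task also has `requires` for `NODE` but, unlike the other tasks in this file, no `preconditions` such as `- which curl xz talhelper diskutil`. The task's `cmds` continue in the next hunk.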
@@ -123,20 +89,5 @@ tasks: diskutil unmount ${path} || true diskutil unmountDisk ${path} || true echo "Writing image to: ${path}"; - sudo dd if=metal-amd64.raw of=${path} bs=4m && sync - - "rm metal-amd64.raw" - - write-talos-arm64-to-usb: - desc: Write Talos image to USB drive to be used with Raspberry Pi 4 - silent: true - cmds: - - "curl -LO https://factory.talos.dev/image/7688f6b5647f1a548661fc91e8bec62277dc0e3028bbace8547a21998563b4b0/v1.10.7/metal-arm64.raw.xz && xz -d metal-arm64.raw.xz" - - "diskutil list" - - | - echo "Path to USB drive:" - read path; - diskutil unmount ${path} || true - diskutil unmountDisk ${path} || true - echo "Writing image to: ${path}"; - sudo dd if=metal-arm64.raw of=${path} conv=fsync bs=4M - - "rm metal-arm64.raw" + sudo dd if={{.ROOT_DIR}}/talos-{{.NODE}}.raw of=${path} conv=fsync bs=4M + - "rm {{.ROOT_DIR}}/talos-{{.NODE}}.raw" diff --git a/.taskfiles/tools/taskfile.yaml b/.taskfiles/tools/taskfile.yaml deleted file mode 100644 index 25433f830..000000000 --- a/.taskfiles/tools/taskfile.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# yaml-language-server: $schema=https://taskfile.dev/schema.json ---- -version: 3 - -env: - BREWFILE: "{{.ROOT_DIR}}/.taskfiles/tools/resources/Brewfile" - KREW: |- - cnpg rook-ceph browse-pvc view-secret node-shell - -tasks: - brew: - desc: Set up Homebrew tools - cmd: brew bundle --file {{.BREWFILE}} - generates: - - "{{.BREWFILE}}.lock.json" - preconditions: - - command -v brew - - test -f {{.BREWFILE}} - - pre-commit: - desc: Set up pre-commit hooks - cmd: pre-commit install-hooks - - krew: - desc: Install/update all required dependencies - silent: true - cmds: - # Install krew plugins - - kubectl krew install {{.KREW}} - - kubectl krew update - - kubectl krew upgrade - - ansible: - desc: Intall/update Ansible roles - silent: true - cmds: - - ansible-galaxy install -r {{.ROOT_DIR}}/infrastructure/ansible/requirements.yaml --force - - ansible-galaxy collection install -r {{.ROOT_DIR}}/infrastructure/ansible/requirements.yaml --force diff --git a/.taskfiles/tools/resources/Brewfile b/.taskfiles/workstation/resources/Brewfile similarity index 90% rename from .taskfiles/tools/resources/Brewfile rename to .taskfiles/workstation/resources/Brewfile index 5d7d89f83..e69c404f2 100644 --- a/.taskfiles/tools/resources/Brewfile +++ b/.taskfiles/workstation/resources/Brewfile @@ -2,7 +2,6 @@ tap "fluxcd/tap" tap "go-task/tap" tap "siderolabs/tap" -tap "controlplaneio-fluxcd/tap" # Terminal brew "fish" @@ -11,7 +10,6 @@ brew "viddy" # Command line tools brew "bash" brew "ansible" -brew "pre-commit" brew "go-task/tap/go-task" brew "git" brew "nano" @@ -33,7 +31,7 @@ brew "talhelper" brew "siderolabs/tap/talosctl" brew "helmfile" brew "krew" -brew "controlplaneio-fluxcd/tap/flux-operator-mcp" +brew "minijinja-cli" # git signed commit brew "gpg2" diff --git a/.taskfiles/workstation/taskfile.yaml b/.taskfiles/workstation/taskfile.yaml new file mode 100644 index 000000000..03c6819dc --- /dev/null +++ b/.taskfiles/workstation/taskfile.yaml 
@@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://taskfile.dev/schema.json +--- +version: 3 + +env: + WORKSTATION_RESOURCES_DIR: "{{.ROOT_DIR}}/.taskfiles/workstation/resources" + +tasks: + brew: + desc: Set up Homebrew tools + cmd: brew bundle --file {{.WORKSTATION_RESOURCES_DIR}}/Brewfile + generates: + - "{{.WORKSTATION_RESOURCES_DIR}}/Brewfile.lock.json" + preconditions: + - command -v brew + - test -f {{.WORKSTATION_RESOURCES_DIR}}/Brewfile + + krew: + desc: Install/update all required dependencies + silent: true + cmds: + - kubectl krew install cnpg rook-ceph browse-pvc view-secret node-shell + preconditions: + - kubectl krew version + - which kubectl diff --git a/.vscode/settings.json b/.vscode/settings.json index 3e5c2f887..b7bbc07db 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -1,17 +1,18 @@ { "files.associations": { "*.json5": "json5", - "**/infrastructure/ansible/**/*.yaml": "ansible", - "**/infrastructure/**/inventory/**/*.yaml": "yaml", + "**/ansible/**/*.yaml": "ansible", + "**/**/inventory/**/*.yaml": "yaml", }, "material-icon-theme.folders.associations": { - // top level + "*.gotmpl": "smarty", ".github/workflows": "ci", ".private": "archive", ".renovate": "robot", "bootstrap": "seeders", "flux": "pipe", "talos": "linux", + "bootstrap/helmfile.d": "helm", // namespaces "actions-runner-system": "github", "cert-manager": "guard", diff --git a/.github/linters/.yamllint.yaml b/.yamllint.yaml similarity index 94% rename from .github/linters/.yamllint.yaml rename to .yamllint.yaml index 4ba716d4c..3b9640537 100644 --- a/.github/linters/.yamllint.yaml +++ b/.yamllint.yaml @@ -2,7 +2,7 @@ ignore: | .github/ crds.yaml - infrastructure/talos/ + kubernetes/talos/ extends: default diff --git a/Taskfile.yml b/Taskfile.yml index edb6f768c..d94dce44c 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
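Review bot: The `pre-commit` task from the deleted `.taskfiles/tools/taskfile.yaml` has no counterpart in this new workstation taskfile, and with `.pre-commit-config.yaml` also deleted in this commit the gitleaks secret scan, yamllint and shellcheck hooks no longer run anywhere that this diff shows. If the hooks are dropped on purpose, a replacement task (for example one that runs `gitleaks detect` locally or in CI) would keep the secret scan, which matters more now that `docker/**/*.env` is removed from `.gitignore` in the same commit. Also, `krew`'s `desc: Install/update all required dependencies` no longer matches its body: the old task ran `kubectl krew update` and `kubectl krew upgrade` after the install, the new one only installs.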
@@ -2,20 +2,30 @@ # yaml-language-server: $schema=https://taskfile.dev/schema.json version: "3" +set: + - pipefail +shopt: + - globstar + vars: - TALOS_DIR: "{{.ROOT_DIR}}/infrastructure/talos" - CLUSTER_DIR: "{{.ROOT_DIR}}/kubernetes" + K8S_DIR: "{{.ROOT_DIR}}/kubernetes" + MINIJINJA_CONFIG_FILE: "{{.ROOT_DIR}}/.minijinja.toml" + TALOS_DIR: "{{.K8S_DIR}}/talos" + +env: + KUBECONFIG: "~/.kube/configs/mainframe" + MINIJINJA_CONFIG_FILE: "{{.ROOT_DIR}}/.minijinja.toml" + TALOSCONFIG: "~/.talos/config" + +includes: + bootstrap: .taskfiles/bootstrap/taskfile.yaml + flux: .taskfiles/flux/taskfile.yaml + k8s: .taskfiles/kubernetes/taskfile.yaml + talos: .taskfiles/talos/taskfile.yaml + workstation: .taskfiles/workstation/taskfile.yaml tasks: default: silent: true cmds: - task --list - -includes: - bootstrap: .taskfiles/bootstrap/taskfile.yaml - flux: .taskfiles/flux/taskfile.yaml - k8s: .taskfiles/kubernetes/taskfile.yaml - rook: .taskfiles/rook/taskfile.yaml - talos: .taskfiles/talos/taskfile.yaml - tools: .taskfiles/tools/taskfile.yaml diff --git a/infrastructure/ansible/.envrc b/ansible/.envrc similarity index 100% rename from infrastructure/ansible/.envrc rename to ansible/.envrc diff --git a/infrastructure/ansible/ansible.cfg b/ansible/ansible.cfg similarity index 100% rename from infrastructure/ansible/ansible.cfg rename to ansible/ansible.cfg diff --git a/infrastructure/ansible/inventory/group_vars/metal/ansible.yml b/ansible/inventory/group_vars/metal/ansible.yml similarity index 100% rename from infrastructure/ansible/inventory/group_vars/metal/ansible.yml rename to ansible/inventory/group_vars/metal/ansible.yml diff --git a/infrastructure/ansible/inventory/group_vars/metal/apt.yaml b/ansible/inventory/group_vars/metal/apt.yaml similarity index 100% rename from infrastructure/ansible/inventory/group_vars/metal/apt.yaml rename to ansible/inventory/group_vars/metal/apt.yaml 
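Review bot: The new `env` block exports `KUBECONFIG: "~/.kube/configs/mainframe"` and `TALOSCONFIG: "~/.talos/config"` with a literal tilde; Task templates the value but does not apply shell tilde expansion, and `kubectl`/`talosctl` consume these variables as file paths, so unless the tools expand `~` themselves they will look for a file literally named `~/...`. If host environment variables are available to the template engine as the Task docs describe, `KUBECONFIG: "{{.HOME}}/.kube/configs/mainframe"` is the safer spelling. `MINIJINJA_CONFIG_FILE` is also declared twice with the same literal, once under `vars` and once under `env`; deriving the env entry from the var (`MINIJINJA_CONFIG_FILE: "{{.MINIJINJA_CONFIG_FILE}}"`) should keep a single source of truth.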
diff --git a/infrastructure/ansible/inventory/group_vars/metal/fish_users.yaml b/ansible/inventory/group_vars/metal/fish_users.yaml similarity index 100% rename from infrastructure/ansible/inventory/group_vars/metal/fish_users.yaml rename to ansible/inventory/group_vars/metal/fish_users.yaml diff --git a/infrastructure/ansible/inventory/group_vars/metal/hostname.yaml b/ansible/inventory/group_vars/metal/hostname.yaml similarity index 100% rename from infrastructure/ansible/inventory/group_vars/metal/hostname.yaml rename to ansible/inventory/group_vars/metal/hostname.yaml diff --git a/infrastructure/ansible/inventory/group_vars/metal/sshkeys.yaml b/ansible/inventory/group_vars/metal/sshkeys.yaml similarity index 100% rename from infrastructure/ansible/inventory/group_vars/metal/sshkeys.yaml rename to ansible/inventory/group_vars/metal/sshkeys.yaml diff --git a/infrastructure/ansible/inventory/group_vars/metal/sudoers.yaml b/ansible/inventory/group_vars/metal/sudoers.yaml similarity index 100% rename from infrastructure/ansible/inventory/group_vars/metal/sudoers.yaml rename to ansible/inventory/group_vars/metal/sudoers.yaml diff --git a/infrastructure/ansible/inventory/group_vars/metal/users.yaml b/ansible/inventory/group_vars/metal/users.yaml similarity index 100% rename from infrastructure/ansible/inventory/group_vars/metal/users.yaml rename to ansible/inventory/group_vars/metal/users.yaml diff --git a/infrastructure/ansible/inventory/host_vars/.gitignore b/ansible/inventory/host_vars/.gitignore similarity index 100% rename from infrastructure/ansible/inventory/host_vars/.gitignore rename to ansible/inventory/host_vars/.gitignore diff --git a/infrastructure/ansible/inventory/hosts.yaml b/ansible/inventory/hosts.yaml similarity index 100% rename from infrastructure/ansible/inventory/hosts.yaml rename to ansible/inventory/hosts.yaml 
diff --git a/infrastructure/ansible/provision_iot.yaml b/ansible/provision_iot.yaml similarity index 100% rename from infrastructure/ansible/provision_iot.yaml rename to ansible/provision_iot.yaml diff --git a/infrastructure/ansible/provision_metal.yaml b/ansible/provision_metal.yaml similarity index 100% rename from infrastructure/ansible/provision_metal.yaml rename to ansible/provision_metal.yaml diff --git a/infrastructure/ansible/provision_pikvm.yaml b/ansible/provision_pikvm.yaml similarity index 100% rename from infrastructure/ansible/provision_pikvm.yaml rename to ansible/provision_pikvm.yaml diff --git a/infrastructure/ansible/requirements.yaml b/ansible/requirements.yaml similarity index 100% rename from infrastructure/ansible/requirements.yaml rename to ansible/requirements.yaml diff --git a/infrastructure/ansible/roles/apt/defaults/main.yaml b/ansible/roles/apt/defaults/main.yaml similarity index 100% rename from infrastructure/ansible/roles/apt/defaults/main.yaml rename to ansible/roles/apt/defaults/main.yaml diff --git a/infrastructure/ansible/roles/apt/tasks/configure.yaml b/ansible/roles/apt/tasks/configure.yaml similarity index 100% rename from infrastructure/ansible/roles/apt/tasks/configure.yaml rename to ansible/roles/apt/tasks/configure.yaml diff --git a/infrastructure/ansible/roles/apt/tasks/install.yaml b/ansible/roles/apt/tasks/install.yaml similarity index 100% rename from infrastructure/ansible/roles/apt/tasks/install.yaml rename to ansible/roles/apt/tasks/install.yaml diff --git a/infrastructure/ansible/roles/apt/tasks/main.yaml b/ansible/roles/apt/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/apt/tasks/main.yaml rename to ansible/roles/apt/tasks/main.yaml diff --git a/infrastructure/ansible/roles/apt/tasks/remove.yaml b/ansible/roles/apt/tasks/remove.yaml similarity index 100% rename from infrastructure/ansible/roles/apt/tasks/remove.yaml rename to ansible/roles/apt/tasks/remove.yaml 
diff --git a/infrastructure/ansible/roles/apt/tasks/unattended-upgrades.yaml b/ansible/roles/apt/tasks/unattended-upgrades.yaml similarity index 100% rename from infrastructure/ansible/roles/apt/tasks/unattended-upgrades.yaml rename to ansible/roles/apt/tasks/unattended-upgrades.yaml diff --git a/infrastructure/ansible/roles/apt/tasks/upgrade.yaml b/ansible/roles/apt/tasks/upgrade.yaml similarity index 100% rename from infrastructure/ansible/roles/apt/tasks/upgrade.yaml rename to ansible/roles/apt/tasks/upgrade.yaml diff --git a/infrastructure/ansible/roles/fish/tasks/configure.yaml b/ansible/roles/fish/tasks/configure.yaml similarity index 100% rename from infrastructure/ansible/roles/fish/tasks/configure.yaml rename to ansible/roles/fish/tasks/configure.yaml diff --git a/infrastructure/ansible/roles/fish/tasks/install.yaml b/ansible/roles/fish/tasks/install.yaml similarity index 100% rename from infrastructure/ansible/roles/fish/tasks/install.yaml rename to ansible/roles/fish/tasks/install.yaml diff --git a/infrastructure/ansible/roles/fish/tasks/main.yaml b/ansible/roles/fish/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/fish/tasks/main.yaml rename to ansible/roles/fish/tasks/main.yaml diff --git a/infrastructure/ansible/roles/fish/templates/starship.toml.j2 b/ansible/roles/fish/templates/starship.toml.j2 similarity index 100% rename from infrastructure/ansible/roles/fish/templates/starship.toml.j2 rename to ansible/roles/fish/templates/starship.toml.j2 diff --git a/infrastructure/ansible/roles/hostname/tasks/main.yaml b/ansible/roles/hostname/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/hostname/tasks/main.yaml rename to ansible/roles/hostname/tasks/main.yaml 
diff --git a/infrastructure/ansible/roles/pikvm_os/defaults/main.yaml b/ansible/roles/pikvm_os/defaults/main.yaml similarity index 100% rename from infrastructure/ansible/roles/pikvm_os/defaults/main.yaml rename to ansible/roles/pikvm_os/defaults/main.yaml diff --git a/infrastructure/ansible/roles/pikvm_os/handlers/main.yaml b/ansible/roles/pikvm_os/handlers/main.yaml similarity index 100% rename from infrastructure/ansible/roles/pikvm_os/handlers/main.yaml rename to ansible/roles/pikvm_os/handlers/main.yaml diff --git a/infrastructure/ansible/roles/pikvm_os/tasks/main.yaml b/ansible/roles/pikvm_os/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/pikvm_os/tasks/main.yaml rename to ansible/roles/pikvm_os/tasks/main.yaml diff --git a/infrastructure/ansible/roles/pikvm_os/templates/override.yaml.j2 b/ansible/roles/pikvm_os/templates/override.yaml.j2 similarity index 100% rename from infrastructure/ansible/roles/pikvm_os/templates/override.yaml.j2 rename to ansible/roles/pikvm_os/templates/override.yaml.j2 diff --git a/infrastructure/ansible/roles/pikvm_os/templates/tc358743-edid.hex.j2 b/ansible/roles/pikvm_os/templates/tc358743-edid.hex.j2 similarity index 100% rename from infrastructure/ansible/roles/pikvm_os/templates/tc358743-edid.hex.j2 rename to ansible/roles/pikvm_os/templates/tc358743-edid.hex.j2 diff --git a/infrastructure/ansible/roles/pikvm_os/vars/main.yaml b/ansible/roles/pikvm_os/vars/main.yaml similarity index 100% rename from infrastructure/ansible/roles/pikvm_os/vars/main.yaml rename to ansible/roles/pikvm_os/vars/main.yaml diff --git a/infrastructure/ansible/roles/readonly/tasks/main.yaml b/ansible/roles/readonly/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/readonly/tasks/main.yaml rename to ansible/roles/readonly/tasks/main.yaml 
diff --git a/infrastructure/ansible/roles/ser2net/handlers/main.yaml b/ansible/roles/ser2net/handlers/main.yaml similarity index 100% rename from infrastructure/ansible/roles/ser2net/handlers/main.yaml rename to ansible/roles/ser2net/handlers/main.yaml diff --git a/infrastructure/ansible/roles/ser2net/tasks/main.yaml b/ansible/roles/ser2net/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/ser2net/tasks/main.yaml rename to ansible/roles/ser2net/tasks/main.yaml diff --git a/infrastructure/ansible/roles/ser2net/templates/ser2net.yaml.j2 b/ansible/roles/ser2net/templates/ser2net.yaml.j2 similarity index 100% rename from infrastructure/ansible/roles/ser2net/templates/ser2net.yaml.j2 rename to ansible/roles/ser2net/templates/ser2net.yaml.j2 diff --git a/infrastructure/ansible/roles/ser2net/vars/main.yaml b/ansible/roles/ser2net/vars/main.yaml similarity index 100% rename from infrastructure/ansible/roles/ser2net/vars/main.yaml rename to ansible/roles/ser2net/vars/main.yaml diff --git a/infrastructure/ansible/roles/sshkeys/tasks/main.yml b/ansible/roles/sshkeys/tasks/main.yml similarity index 100% rename from infrastructure/ansible/roles/sshkeys/tasks/main.yml rename to ansible/roles/sshkeys/tasks/main.yml diff --git a/infrastructure/ansible/roles/sudoers/tasks/main.yaml b/ansible/roles/sudoers/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/sudoers/tasks/main.yaml rename to ansible/roles/sudoers/tasks/main.yaml diff --git a/infrastructure/ansible/roles/timezone/tasks/main.yaml b/ansible/roles/timezone/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/timezone/tasks/main.yaml rename to ansible/roles/timezone/tasks/main.yaml diff --git a/infrastructure/ansible/roles/udev/handlers/main.yaml b/ansible/roles/udev/handlers/main.yaml similarity index 100% rename from infrastructure/ansible/roles/udev/handlers/main.yaml rename to ansible/roles/udev/handlers/main.yaml 
diff --git a/infrastructure/ansible/roles/udev/tasks/main.yaml b/ansible/roles/udev/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/udev/tasks/main.yaml rename to ansible/roles/udev/tasks/main.yaml diff --git a/infrastructure/ansible/roles/users/tasks/groups.yaml b/ansible/roles/users/tasks/groups.yaml similarity index 100% rename from infrastructure/ansible/roles/users/tasks/groups.yaml rename to ansible/roles/users/tasks/groups.yaml diff --git a/infrastructure/ansible/roles/users/tasks/main.yaml b/ansible/roles/users/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/users/tasks/main.yaml rename to ansible/roles/users/tasks/main.yaml diff --git a/infrastructure/ansible/roles/users/tasks/users.yaml b/ansible/roles/users/tasks/users.yaml similarity index 100% rename from infrastructure/ansible/roles/users/tasks/users.yaml rename to ansible/roles/users/tasks/users.yaml diff --git a/infrastructure/ansible/roles/wmbusmeters/defaults/main.yaml b/ansible/roles/wmbusmeters/defaults/main.yaml similarity index 100% rename from infrastructure/ansible/roles/wmbusmeters/defaults/main.yaml rename to ansible/roles/wmbusmeters/defaults/main.yaml diff --git a/infrastructure/ansible/roles/wmbusmeters/handlers/main.yaml b/ansible/roles/wmbusmeters/handlers/main.yaml similarity index 100% rename from infrastructure/ansible/roles/wmbusmeters/handlers/main.yaml rename to ansible/roles/wmbusmeters/handlers/main.yaml diff --git a/infrastructure/ansible/roles/wmbusmeters/tasks/main.yaml b/ansible/roles/wmbusmeters/tasks/main.yaml similarity index 100% rename from infrastructure/ansible/roles/wmbusmeters/tasks/main.yaml rename to ansible/roles/wmbusmeters/tasks/main.yaml 
diff --git a/infrastructure/ansible/roles/wmbusmeters/templates/meter.conf.j2 b/ansible/roles/wmbusmeters/templates/meter.conf.j2 similarity index 100% rename from infrastructure/ansible/roles/wmbusmeters/templates/meter.conf.j2 rename to ansible/roles/wmbusmeters/templates/meter.conf.j2 diff --git a/infrastructure/ansible/roles/wmbusmeters/templates/send_ha_discovery.sh.j2 b/ansible/roles/wmbusmeters/templates/send_ha_discovery.sh.j2 similarity index 100% rename from infrastructure/ansible/roles/wmbusmeters/templates/send_ha_discovery.sh.j2 rename to ansible/roles/wmbusmeters/templates/send_ha_discovery.sh.j2 diff --git a/infrastructure/ansible/roles/wmbusmeters/templates/wmbusmeters.conf.j2 b/ansible/roles/wmbusmeters/templates/wmbusmeters.conf.j2 similarity index 100% rename from infrastructure/ansible/roles/wmbusmeters/templates/wmbusmeters.conf.j2 rename to ansible/roles/wmbusmeters/templates/wmbusmeters.conf.j2 diff --git a/infrastructure/ansible/roles/wmbusmeters/templates/wmbusmeters.service.j2 b/ansible/roles/wmbusmeters/templates/wmbusmeters.service.j2 similarity index 100% rename from infrastructure/ansible/roles/wmbusmeters/templates/wmbusmeters.service.j2 rename to ansible/roles/wmbusmeters/templates/wmbusmeters.service.j2 diff --git a/docs/snippets.md b/docs/snippets.md index e5a3d4487..e95629aac 100644 --- a/docs/snippets.md +++ b/docs/snippets.md @@ -46,7 +46,7 @@ I ran in to an issue where I had to reset the Rook-Ceph cluster due to restructu * Delete all CRDs that starts with ceph* * Wipe disks: `kubectl apply -f kubernetes/tools/rook/wipe-job.yaml` * Reset nodes and reboot: `talosctl reset --system-labels-to-wipe=STATE,EPHEMERAL --reboot --graceful=true -n ` - * Apply config again: `talosctl apply-config -n -f infrastructure/talos/clusterconfig/.yaml --insecure` + * Apply config again: `talosctl apply-config -n -f kubernetes/talos/clusterconfig/.yaml --insecure` ## Upgrade Tube's Zigbee Gateway firmware 
diff --git a/infrastructure/ansible/inventory/host_vars/kronos/sshkeys.yaml b/infrastructure/ansible/inventory/host_vars/kronos/sshkeys.yaml deleted file mode 100644 index b94a074cf..000000000 --- a/infrastructure/ansible/inventory/host_vars/kronos/sshkeys.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -ssh_authorized_keys: - - owner: peter - key: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Yw1MlnY1gs9/fX9zz8qgTjTcdJfjXFXg58Icb7KLE/CPc86qYSg3j+3Fy/5FNDj31KhPHL0JenEWaLPMruGwwn4or2By5GQZGOJggx9qjyyZcgQCPuGO7V4GPlDKRX+SyZ+FAY4/aZPUL2Ig2vZz0bt/nnovg1EOwaXvnTaYAAXspgn/6YoLj4SOeIz1p7VVFxQNmiyNrjfq0cK8YFfL1Z2+kTsa0jJxyFjTD22IBX7aUIbhjSGeFpwLYo52/WKhVOycNaHu0Evz6C9pu9DzSADTCsw5TdQxcsGQDtZ8M1tvDpGLPFABTmflMznYmYlXvCWSn+KTUolSsiEbFQEt john@localhost.dev" - - owner: root - key: "ssh-rsa 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 peter@localhost" diff --git a/infrastructure/talos/op.env b/infrastructure/talos/op.env deleted file mode 100644 index f891d3b78..000000000 --- a/infrastructure/talos/op.env +++ /dev/null 
@@ -1,14 +0,0 @@ -TALOS_CLUSTER_ID="op://$VAULT/talos/TALOS_CLUSTER_ID" -TALOS_CLUSTER_SECRET="op://$VAULT/talos/TALOS_CLUSTER_SECRET" -TALOS_SECRETS_BOOTSTRAP_TOKEN="op://$VAULT/talos/TALOS_SECRETS_BOOTSTRAP_TOKEN" -TALOS_SECRETS_SECRETBOX_ENCRYPTION_SECRET="op://$VAULT/talos/TALOS_SECRETS_SECRETBOX_ENCRYPTION_SECRET" -TALOS_TRUSTD_INFO_TOKEN="op://$VAULT/talos/TALOS_TRUSTD_INFO_TOKEN" -TALOS_CERTS_ETCD_CRT="op://$VAULT/talos/TALOS_CERTS_ETCD_CRT" -TALOS_CERTS_ETCD_KEY="op://$VAULT/talos/TALOS_CERTS_ETCD_KEY" -TALOS_CERTS_K8S_CRT="op://$VAULT/talos/TALOS_CERTS_K8S_CRT" -TALOS_CERTS_K8S_KEY="op://$VAULT/talos/TALOS_CERTS_K8S_KEY" -TALOS_CERTS_K8SAGGREGATOR_CRT="op://$VAULT/talos/TALOS_CERTS_K8SAGGREGATOR_CRT" -TALOS_CERTS_K8SAGGREGATOR_KEY="op://$VAULT/talos/TALOS_CERTS_K8SAGGREGATOR_KEY" -TALOS_CERTS_K8SSERVICEACCOUNT_KEY="op://$VAULT/talos/TALOS_CERTS_K8SSERVICEACCOUNT_KEY" -TALOS_CERTS_OS_CRT="op://$VAULT/talos/TALOS_CERTS_OS_CRT" -TALOS_CERTS_OS_KEY="op://$VAULT/talos/TALOS_CERTS_OS_KEY" diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helm-release.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helm-release.yaml index 5bb5ff8f8..4153fe8fb 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/helm-release.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/helm-release.yaml @@ -16,6 +16,13 @@ spec: remediation: strategy: rollback retries: 3 - valuesFrom: - - kind: ConfigMap - name: cert-manager-helm-values + values: + crds: + enabled: true + replicaCount: 2 + dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query + dns01RecursiveNameserversOnly: true + prometheus: + enabled: true + servicemonitor: + enabled: true diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helm-values.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helm-values.yaml deleted file mode 100644 index 5e796114c..000000000 --- a/kubernetes/apps/cert-manager/cert-manager/app/helm-values.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -crds: - enabled: true -replicaCount: 2 -dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query -dns01RecursiveNameserversOnly: true -prometheus: - enabled: true - servicemonitor: - enabled: true diff --git a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml index e331b75c7..dffaa0675 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml @@ -5,9 +5,3 @@ resources: - ./oci-repository.yaml - ./helm-release.yaml - ./prometheus-rules.yaml -configMapGenerator: - - name: cert-manager-helm-values - files: - - values.yaml=./helm-values.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/flux-system/flux-instance/app/helm-release.yaml b/kubernetes/apps/flux-system/flux-instance/app/helm-release.yaml new file mode 100644 index 000000000..131aaeb1f --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/app/helm-release.yaml 
@@ -0,0 +1,126 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: flux-instance +spec: + interval: 1h + chartRef: + kind: OCIRepository + name: flux-instance + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + instance: + distribution: + # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution + version: 2.6.4 + cluster: + networkPolicy: false + components: + - source-controller + - kustomize-controller + - helm-controller + - notification-controller + sync: + kind: GitRepository + url: ssh://git@github.com/ahinko/homelab + ref: refs/heads/main + path: kubernetes/flux/cluster + pullSecret: homelab-flux-secret + commonMetadata: + labels: + app.kubernetes.io/name: flux + kustomize: + patches: + # Allow flux components to run on control plane nodes + - patch: | + apiVersion: apps/v1 + kind: Deployment + metadata: + name: not-used + spec: + template: + spec: + tolerations: + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + target: + kind: Deployment + - # Increase the number of workers + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --requeue-dependency=5s + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - # Increase the memory limits + patch: | + apiVersion: apps/v1 + kind: Deployment + metadata: + name: all + spec: + template: + spec: + containers: + - name: manager + resources: + limits: + memory: 2Gi + target: + kind: Deployment + name: (kustomize-controller|helm-controller|source-controller) + - # Enable in-memory kustomize builds + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --concurrent=20 + - op: replace + path: /spec/template/spec/volumes/0 + value: + name: temp + emptyDir: + medium: Memory 
+ target: + kind: Deployment + name: kustomize-controller + - # Enable Helm repositories caching + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-max-size=10 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-ttl=60m + - op: add + path: /spec/template/spec/containers/0/args/- + value: --helm-cache-purge-interval=5m + target: + kind: Deployment + name: source-controller + - # Flux near OOM detection for Helm + patch: | + - op: add + path: /spec/template/spec/containers/0/args/- + value: --feature-gates=OOMWatch=true + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-memory-threshold=95 + - op: add + path: /spec/template/spec/containers/0/args/- + value: --oom-watch-interval=500ms + target: + kind: Deployment + name: helm-controller diff --git a/kubernetes/apps/flux-system/operator/instance/kustomization.yaml b/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml similarity index 52% rename from kubernetes/apps/flux-system/operator/instance/kustomization.yaml rename to kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml index 9074b9996..7ec68be6f 100644 --- a/kubernetes/apps/flux-system/operator/instance/kustomization.yaml +++ b/kubernetes/apps/flux-system/flux-instance/app/kustomization.yaml @@ -6,9 +6,3 @@ resources: - ./helm-release.yaml - ./prometheus-rule.yaml - ./webhook -configMapGenerator: - - name: flux-instance-helm-values - files: - - values.yaml=./helm/values.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/flux-system/operator/instance/oci-repository.yaml b/kubernetes/apps/flux-system/flux-instance/app/oci-repository.yaml similarity index 100% rename from kubernetes/apps/flux-system/operator/instance/oci-repository.yaml rename to kubernetes/apps/flux-system/flux-instance/app/oci-repository.yaml 
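Review bot: `networkPolicy: false` under `instance.cluster` turns off the NetworkPolicies the Flux distribution otherwise installs to restrict ingress to the controllers in `flux-system`, and the file gives no reason; a comment such as `# NetworkPolicies disabled: <reason, e.g. CNI does not enforce them / policies managed elsewhere>` would record the decision for the next reader. Separately, kustomize-controller receives `--concurrent=10` from the shared worker patch and `--concurrent=20` from the in-memory-builds patch, so two `--concurrent` flags end up on its args and the effective value depends on the controller's flag parsing (presumably last wins, i.e. 20); stating the intended value once, or excluding kustomize-controller from the first target regex, removes the ambiguity. The same duplication existed in the deleted `operator/instance/helm/values.yaml`, so this is a pre-existing pattern rather than something this commit introduced.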
diff --git a/kubernetes/apps/flux-system/operator/instance/prometheus-rule.yaml b/kubernetes/apps/flux-system/flux-instance/app/prometheus-rule.yaml similarity index 100% rename from kubernetes/apps/flux-system/operator/instance/prometheus-rule.yaml rename to kubernetes/apps/flux-system/flux-instance/app/prometheus-rule.yaml diff --git a/kubernetes/apps/flux-system/operator/instance/webhook/external-secret.yaml b/kubernetes/apps/flux-system/flux-instance/app/webhook/external-secret.yaml similarity index 100% rename from kubernetes/apps/flux-system/operator/instance/webhook/external-secret.yaml rename to kubernetes/apps/flux-system/flux-instance/app/webhook/external-secret.yaml diff --git a/kubernetes/apps/flux-system/operator/instance/webhook/httproute.yaml b/kubernetes/apps/flux-system/flux-instance/app/webhook/httproute.yaml similarity index 100% rename from kubernetes/apps/flux-system/operator/instance/webhook/httproute.yaml rename to kubernetes/apps/flux-system/flux-instance/app/webhook/httproute.yaml diff --git a/kubernetes/apps/flux-system/operator/instance/webhook/kustomization.yaml b/kubernetes/apps/flux-system/flux-instance/app/webhook/kustomization.yaml similarity index 100% rename from kubernetes/apps/flux-system/operator/instance/webhook/kustomization.yaml rename to kubernetes/apps/flux-system/flux-instance/app/webhook/kustomization.yaml diff --git a/kubernetes/apps/flux-system/operator/instance/webhook/receiver.yaml b/kubernetes/apps/flux-system/flux-instance/app/webhook/receiver.yaml similarity index 100% rename from kubernetes/apps/flux-system/operator/instance/webhook/receiver.yaml rename to kubernetes/apps/flux-system/flux-instance/app/webhook/receiver.yaml diff --git a/kubernetes/apps/flux-system/flux-instance/install.yaml b/kubernetes/apps/flux-system/flux-instance/install.yaml new file mode 100644 index 000000000..685d10475 --- /dev/null +++ b/kubernetes/apps/flux-system/flux-instance/install.yaml 
@@ -0,0 +1,23 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app flux-instance + namespace: &namespace flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: flux-operator + namespace: *namespace + interval: 1h + path: ./kubernetes/apps/flux-system/flux-instance/app + prune: false + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: *namespace + timeout: 5m + wait: true diff --git a/kubernetes/apps/flux-system/operator/app/helm-release.yaml b/kubernetes/apps/flux-system/flux-operator/app/helm-release.yaml similarity index 50% rename from kubernetes/apps/flux-system/operator/app/helm-release.yaml rename to kubernetes/apps/flux-system/flux-operator/app/helm-release.yaml index aed8cb89f..b592cf3b8 100644 --- a/kubernetes/apps/flux-system/operator/app/helm-release.yaml +++ b/kubernetes/apps/flux-system/flux-operator/app/helm-release.yaml @@ -8,6 +8,10 @@ spec: chartRef: kind: OCIRepository name: flux-operator - valuesFrom: - - kind: ConfigMap - name: flux-operator-helm-values + values: + tolerations: + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + serviceMonitor: + create: true diff --git a/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml b/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml new file mode 100644 index 000000000..9da9afb94 --- /dev/null +++ b/kubernetes/apps/flux-system/flux-operator/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./oci-repository.yaml + - ./helm-release.yaml 
diff --git a/kubernetes/apps/flux-system/operator/app/oci-repository.yaml b/kubernetes/apps/flux-system/flux-operator/app/oci-repository.yaml similarity index 100% rename from kubernetes/apps/flux-system/operator/app/oci-repository.yaml rename to kubernetes/apps/flux-system/flux-operator/app/oci-repository.yaml diff --git a/kubernetes/apps/flux-system/flux-operator/install.yaml b/kubernetes/apps/flux-system/flux-operator/install.yaml new file mode 100644 index 000000000..dcc10ac2a --- /dev/null +++ b/kubernetes/apps/flux-system/flux-operator/install.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app flux-operator + namespace: &namespace flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 1h + path: ./kubernetes/apps/flux-system/flux-operator/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: *namespace + timeout: 5m + wait: true diff --git a/kubernetes/apps/flux-system/kustomization.yaml b/kubernetes/apps/flux-system/kustomization.yaml index 67e5ba3ec..2e3eee103 100644 --- a/kubernetes/apps/flux-system/kustomization.yaml +++ b/kubernetes/apps/flux-system/kustomization.yaml @@ -3,7 +3,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: flux-system resources: - - ./operator/install.yaml + - ./flux-operator/install.yaml + - ./flux-instance/install.yaml components: - ../../components/namespace - ../../components/alerts diff --git a/kubernetes/apps/flux-system/operator/app/helm-values.yaml b/kubernetes/apps/flux-system/operator/app/helm-values.yaml deleted file mode 100644 index e226b8af9..000000000 --- a/kubernetes/apps/flux-system/operator/app/helm-values.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule -serviceMonitor: - create: true 
diff --git a/kubernetes/apps/flux-system/operator/app/kustomization.yaml b/kubernetes/apps/flux-system/operator/app/kustomization.yaml deleted file mode 100644 index 754216e18..000000000 --- a/kubernetes/apps/flux-system/operator/app/kustomization.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./oci-repository.yaml - - ./helm-release.yaml -configMapGenerator: - - name: flux-operator-helm-values - files: - - values.yaml=./helm-values.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/flux-system/operator/install.yaml b/kubernetes/apps/flux-system/operator/install.yaml deleted file mode 100644 index aa8b4229c..000000000 --- a/kubernetes/apps/flux-system/operator/install.yaml +++ /dev/null @@ -1,43 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app flux-operator - namespace: &namespace flux-system -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 1h - path: ./kubernetes/apps/flux-system/operator/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: true ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app flux-instance - namespace: &namespace flux-system -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: flux-operator - namespace: *namespace - interval: 1h - path: ./kubernetes/apps/flux-system/operator/instance - prune: false - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: true diff --git a/kubernetes/apps/flux-system/operator/instance/helm-release.yaml b/kubernetes/apps/flux-system/operator/instance/helm-release.yaml deleted file mode 100644 index 7edfb42cb..000000000 
--- a/kubernetes/apps/flux-system/operator/instance/helm-release.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: flux-instance -spec: - interval: 1h - chartRef: - kind: OCIRepository - name: flux-instance - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - valuesFrom: - - kind: ConfigMap - name: flux-instance-helm-values diff --git a/kubernetes/apps/flux-system/operator/instance/helm/values.yaml b/kubernetes/apps/flux-system/operator/instance/helm/values.yaml deleted file mode 100644 index cba45c114..000000000 --- a/kubernetes/apps/flux-system/operator/instance/helm/values.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ ---- -instance: - distribution: - # renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution - version: 2.6.4 - cluster: - networkPolicy: false - components: - - source-controller - - kustomize-controller - - helm-controller - - notification-controller - sync: - kind: GitRepository - url: ssh://git@github.com/ahinko/home-ops - ref: refs/heads/main - path: kubernetes/flux/cluster - pullSecret: homelab-flux-secret - commonMetadata: - labels: - app.kubernetes.io/name: flux - kustomize: - patches: - # Allow flux components to run on control plane nodes - - patch: | - apiVersion: apps/v1 - kind: Deployment - metadata: - name: not-used - spec: - template: - spec: - tolerations: - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule - target: - kind: Deployment - - # Increase the number of workers - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --concurrent=10 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --requeue-dependency=5s - target: - kind: Deployment - name: (kustomize-controller|helm-controller|source-controller) - - # Increase the memory limits - patch: | - apiVersion: apps/v1 - kind: Deployment - metadata: - name: all - spec: - template: - spec: - containers: - - name: manager - resources: - limits: - memory: 2Gi - target: - kind: Deployment - name: (kustomize-controller|helm-controller|source-controller) - - # Enable in-memory kustomize builds - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --concurrent=20 - - op: replace - path: /spec/template/spec/volumes/0 - value: - name: temp - emptyDir: - medium: Memory - target: - kind: Deployment - name: kustomize-controller - - # Enable Helm repositories caching - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --helm-cache-max-size=10 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --helm-cache-ttl=60m - - op: 
add - path: /spec/template/spec/containers/0/args/- - value: --helm-cache-purge-interval=5m - target: - kind: Deployment - name: source-controller - - # Flux near OOM detection for Helm - patch: | - - op: add - path: /spec/template/spec/containers/0/args/- - value: --feature-gates=OOMWatch=true - - op: add - path: /spec/template/spec/containers/0/args/- - value: --oom-watch-memory-threshold=95 - - op: add - path: /spec/template/spec/containers/0/args/- - value: --oom-watch-interval=500ms - target: - kind: Deployment - name: helm-controller diff --git a/kubernetes/apps/kube-system/cilium/app/helm-release.yaml b/kubernetes/apps/kube-system/cilium/app/helm-release.yaml index 729f42ee4..2e3f7d3d1 100644 --- a/kubernetes/apps/kube-system/cilium/app/helm-release.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helm-release.yaml 
@@ -26,6 +26,89 @@ spec: retries: 3 uninstall: keepHistory: false - valuesFrom: - - kind: ConfigMap - name: cilium-values + values: + autoDirectNodeRoutes: true + bandwidthManager: + bbr: true + enabled: true + bgpControlPlane: + enabled: true + bpf: + datapathMode: netkit + masquerade: true + preallocateMaps: true + cgroup: + automount: + enabled: false + hostRoot: /sys/fs/cgroup + cluster: + id: 1 + name: mainframe + cni: + exclusive: false + dashboards: + enabled: true + enableIPv4BIGTCP: true + endpointRoutes: + enabled: true + envoy: + enabled: true + rollOutPods: true + prometheus: + serviceMonitor: + enabled: true + gatewayAPI: + enableAlpn: true + enabled: true + xffNumTrustedHops: 1 + hubble: + enabled: false + ipam: + mode: "kubernetes" + ipv4NativeRoutingCIDR: 10.244.0.0/16 + k8sServiceHost: 127.0.0.1 + k8sServicePort: 7445 + kubeProxyReplacement: true + kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 + l2announcements: + enabled: false + loadBalancer: + algorithm: maglev + mode: dsr + localRedirectPolicy: true + operator: + dashboards: + enabled: true + prometheus: + enabled: true + serviceMonitor: + enabled: true + replicas: 2 + rollOutPods: true + prometheus: + enabled: true + serviceMonitor: + enabled: true + trustCRDsExist: true + rollOutCiliumPods: true + routingMode: native + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - PERFMON + - BPF + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml index 80219f846..bfe61558b 100644 --- a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml 
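Review bot: `gatewayAPI.xffNumTrustedHops: 1` tells the Cilium/Envoy Gateway to take the client address from the last X-Forwarded-For hop, which is only correct when exactly one trusted proxy sits in front of it; nothing in the hunk records which proxy that is, and a client reaching the Gateway directly could present a forged header and spoof its source address in access logs and any IP-based policy. Since the values now live in the HelmRelease itself, document the assumption inline, e.g. `xffNumTrustedHops: 1 # exactly one trusted proxy in front of the Gateway; use 0 if the Gateway is exposed directly`. `hubble.enabled: false` also means no flow visibility from the CNI, which deserves a comment if it is a deliberate resource trade-off. The values match the deleted values.yaml, so this hunk changes how they are delivered, not what is deployed.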
@@ -3,9 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helm-release.yaml -configMapGenerator: - - name: cilium-values - files: - - values.yaml=./values.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/kube-system/cilium/app/values.yaml b/kubernetes/apps/kube-system/cilium/app/values.yaml deleted file mode 100644 index d34656427..000000000 --- a/kubernetes/apps/kube-system/cilium/app/values.yaml +++ /dev/null @@ -1,86 +0,0 @@ ---- -autoDirectNodeRoutes: true -bandwidthManager: - bbr: true - enabled: true -bgpControlPlane: - enabled: true -bpf: - datapathMode: netkit - masquerade: true - preallocateMaps: true -cgroup: - automount: - enabled: false - hostRoot: /sys/fs/cgroup -cluster: - id: 1 - name: mainframe -cni: - exclusive: false -dashboards: - enabled: true -enableIPv4BIGTCP: true -endpointRoutes: - enabled: true -envoy: - enabled: true - rollOutPods: true - prometheus: - serviceMonitor: - enabled: true -gatewayAPI: - enableAlpn: true - enabled: true - xffNumTrustedHops: 1 -hubble: - enabled: false -ipam: - mode: "kubernetes" -ipv4NativeRoutingCIDR: 10.244.0.0/16 -k8sServiceHost: 127.0.0.1 -k8sServicePort: 7445 -kubeProxyReplacement: true -kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 -l2announcements: - enabled: false -loadBalancer: - algorithm: maglev - mode: dsr -localRedirectPolicy: true -operator: - dashboards: - enabled: true - prometheus: - enabled: true - serviceMonitor: - enabled: true - replicas: 2 - rollOutPods: true -prometheus: - enabled: true - serviceMonitor: - enabled: true - trustCRDsExist: true -rollOutCiliumPods: true -routingMode: native -securityContext: - capabilities: - ciliumAgent: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - PERFMON - - BPF - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - cleanCiliumState: - - NET_ADMIN - - SYS_ADMIN - - SYS_RESOURCE 
diff --git a/kubernetes/apps/kube-system/coredns/app/helm-release.yaml b/kubernetes/apps/kube-system/coredns/app/helm-release.yaml index 0396b9441..33e4d82f7 100644 --- a/kubernetes/apps/kube-system/coredns/app/helm-release.yaml +++ b/kubernetes/apps/kube-system/coredns/app/helm-release.yaml @@ -8,7 +8,75 @@ spec: kind: OCIRepository name: coredns interval: 1h - - valuesFrom: - - kind: ConfigMap - name: coredns-values + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + fullnameOverride: coredns + image: + repository: mirror.gcr.io/coredns/coredns + replicaCount: 2 + k8sAppLabelOverride: kube-dns + serviceAccount: + create: true + service: + name: kube-dns + clusterIP: 10.96.0.10 + servers: + - zones: + - zone: . + scheme: dns:// + use_tcp: true + port: 53 + plugins: + - name: errors + - name: health + configBlock: |- + lameduck 5s + - name: ready + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods verified + fallthrough in-addr.arpa ip6.arpa + - name: autopath + parameters: "@kubernetes" + - name: forward + parameters: . /etc/resolv.conf + - name: cache + configBlock: |- + prefetch 20 + serve_stale + - name: loop + - name: reload + - name: loadbalance + - name: prometheus + parameters: 0.0.0.0:9153 + - name: log + configBlock: |- + class error + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: coredns 
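Review bot: `forward . /etc/resolv.conf` sends every non-cluster query in cleartext to whatever resolvers the node learned, and the talconfig hunks in this same diff leave the nodes on `dhcp: true`, so the upstream resolver is effectively chosen by the DHCP server. If a trusted local resolver is the intended upstream, say so next to the plugin, e.g. `# upstream = node resolvers from DHCP; switch to tls://<resolver> if an external resolver is intended`; otherwise pin it explicitly with `parameters: . tls://<resolver>` and a `tls_servername` line in `configBlock`. The plugin chain is otherwise a verbatim move from the deleted helm-values.yaml, and the added `remediation` block is a sound addition.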
diff --git a/kubernetes/apps/kube-system/coredns/app/helm-values.yaml b/kubernetes/apps/kube-system/coredns/app/helm-values.yaml deleted file mode 100644 index f2798b092..000000000 --- a/kubernetes/apps/kube-system/coredns/app/helm-values.yaml +++ /dev/null @@ -1,64 +0,0 @@ ---- -fullnameOverride: coredns -image: - repository: mirror.gcr.io/coredns/coredns -replicaCount: 2 -k8sAppLabelOverride: kube-dns -serviceAccount: - create: true -service: - name: kube-dns - clusterIP: 10.96.0.10 -servers: - - zones: - - zone: . - scheme: dns:// - use_tcp: true - port: 53 - plugins: - - name: errors - - name: health - configBlock: |- - lameduck 5s - - name: ready - - name: kubernetes - parameters: cluster.local in-addr.arpa ip6.arpa - configBlock: |- - pods verified - fallthrough in-addr.arpa ip6.arpa - - name: autopath - parameters: "@kubernetes" - - name: forward - parameters: . /etc/resolv.conf - - name: cache - configBlock: |- - prefetch 20 - serve_stale - - name: loop - - name: reload - - name: loadbalance - - name: prometheus - parameters: 0.0.0.0:9153 - - name: log - configBlock: |- - class error -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: node-role.kubernetes.io/control-plane - operator: Exists -tolerations: - - key: CriticalAddonsOnly - operator: Exists - - key: node-role.kubernetes.io/control-plane - operator: Exists - effect: NoSchedule -topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/instance: coredns diff --git a/kubernetes/apps/kube-system/coredns/app/kustomization.yaml b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml index 76834c4cc..9da9afb94 100644 --- a/kubernetes/apps/kube-system/coredns/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml 
@@ -4,9 +4,3 @@ kind: Kustomization resources: - ./oci-repository.yaml - ./helm-release.yaml -configMapGenerator: - - name: coredns-values - files: - - values.yaml=./helm-values.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/observability/grafana/app/helm-release.yaml b/kubernetes/apps/observability/grafana/app/helm-release.yaml index 93cc960ff..cf156aaee 100644 --- a/kubernetes/apps/observability/grafana/app/helm-release.yaml +++ b/kubernetes/apps/observability/grafana/app/helm-release.yaml @@ -12,7 +12,7 @@ spec: kind: HelmRepository name: grafana-charts namespace: flux-system - version: 9.3.6 + version: 9.4.0 interval: 60m timeout: 20m maxHistory: 2 diff --git a/kubernetes/apps/selfhosted/mastodon/app/helm-release.yaml b/kubernetes/apps/selfhosted/mastodon/app/helm-release.yaml index 816ea4099..ab302a16b 100644 --- a/kubernetes/apps/selfhosted/mastodon/app/helm-release.yaml +++ b/kubernetes/apps/selfhosted/mastodon/app/helm-release.yaml @@ -180,7 +180,7 @@ spec: persistence: data: type: persistentVolumeClaim - existingClaim: mastodon + existingClaim: mastodon-data advancedMounts: sidekiq: main: diff --git a/kubernetes/apps/selfhosted/mastodon/app/pvc.yaml b/kubernetes/apps/selfhosted/mastodon/app/pvc.yaml index 87c0d4159..45b327f16 100644 --- a/kubernetes/apps/selfhosted/mastodon/app/pvc.yaml +++ b/kubernetes/apps/selfhosted/mastodon/app/pvc.yaml @@ -1,11 +1,12 @@ +--- apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: mastodon + name: mastodon-data spec: accessModes: - - ReadWriteMany + - ReadWriteOnce resources: requests: storage: 100Gi - storageClassName: ceph-filesystem + storageClassName: ceph-block diff --git a/kubernetes/apps/storage/openebs/app/helm-release.yaml b/kubernetes/apps/storage/openebs/app/helm-release.yaml index 963497230..5d9c292d0 100644 --- a/kubernetes/apps/storage/openebs/app/helm-release.yaml +++ b/kubernetes/apps/storage/openebs/app/helm-release.yaml 
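Review bot: Renaming the claim to `mastodon-data` while switching from `ceph-filesystem`/ReadWriteMany to `ceph-block`/ReadWriteOnce provisions a fresh, empty volume; the hunk carries no data migration, and if the Kustomization that owns this directory is reconciled with `prune: true` (not visible here) Flux will garbage-collect the old `mastodon` claim, which under a `Delete` reclaim policy destroys the data. Keep the old PVC manifest until the copy is done, or annotate it `kustomize.toolkit.fluxcd.io/prune: disabled` so it survives the rename. ReadWriteOnce also restricts the volume to a single node; the `advancedMounts` in helm-release.yaml appear to mount it only in sidekiq, which is consistent, but a comment on the PVC such as `# RWO: mounted by the sidekiq pod only` would stop someone later adding it to web or streaming.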
@@ -8,7 +8,7 @@ spec: chart: spec: chart: openebs - version: 4.3.2 + version: 4.3.3 interval: 1h sourceRef: kind: HelmRepository diff --git a/kubernetes/apps/system/spegel/app/helm-release.yaml b/kubernetes/apps/system/spegel/app/helm-release.yaml index 544b39313..2221db0ee 100644 --- a/kubernetes/apps/system/spegel/app/helm-release.yaml +++ b/kubernetes/apps/system/spegel/app/helm-release.yaml @@ -8,6 +8,15 @@ spec: chartRef: kind: OCIRepository name: spegel - valuesFrom: - - kind: ConfigMap - name: spegel-helm-values + values: + spegel: + appendMirrors: true + containerdSock: /run/containerd/containerd.sock + containerdRegistryConfigPath: /etc/cri/conf.d/hosts + service: + registry: + hostPort: 29999 + grafanaDashboard: + enabled: true + serviceMonitor: + enabled: true diff --git a/kubernetes/apps/system/spegel/app/kustomization.yaml b/kubernetes/apps/system/spegel/app/kustomization.yaml index 27df3aea1..9da9afb94 100644 --- a/kubernetes/apps/system/spegel/app/kustomization.yaml +++ b/kubernetes/apps/system/spegel/app/kustomization.yaml @@ -4,9 +4,3 @@ kind: Kustomization resources: - ./oci-repository.yaml - ./helm-release.yaml -configMapGenerator: - - name: spegel-helm-values - files: - - values.yaml=./values.yaml -generatorOptions: - disableNameSuffixHash: true diff --git a/kubernetes/apps/system/spegel/app/values.yaml b/kubernetes/apps/system/spegel/app/values.yaml deleted file mode 100644 index a034098f3..000000000 --- a/kubernetes/apps/system/spegel/app/values.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -spegel: - appendMirrors: true - containerdSock: /run/containerd/containerd.sock - containerdRegistryConfigPath: /etc/cri/conf.d/hosts -service: - registry: - hostPort: 29999 -grafanaDashboard: - enabled: true -serviceMonitor: - enabled: true diff --git a/kubernetes/bootstrap/helmfile.d/00-crds.yaml b/kubernetes/bootstrap/helmfile.d/00-crds.yaml new file mode 100644 index 000000000..b36bd2527 --- /dev/null +++ b/kubernetes/bootstrap/helmfile.d/00-crds.yaml 
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/helmfile
+
+# This helmfile is for installing Custom Resource Definitions (CRDs) from Helm charts.
+# It is not intended to be used with helmfile apply or sync.
+
+helmDefaults:
+ args: ["--include-crds", "--no-hooks"] # Prevent helmfile apply or sync
+
+releases:
+ - name: cloudflare-dns
+ namespace: network
+ chart: oci://ghcr.io/home-operations/charts-mirror/external-dns
+ version: 1.18.0
+
+ - name: external-secrets
+ namespace: external-secrets
+ chart: oci://ghcr.io/external-secrets/charts/external-secrets
+ version: 0.19.2
+
+ - name: gateway-api-crds
+ namespace: kube-system
+ chart: oci://ghcr.io/wiremind/wiremind-helm-charts/gateway-api-crds
+ version: 1.3.0
+
+ - name: kube-prometheus-stack
+ namespace: observability
+ chart: oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack
+ version: 77.0.2
diff --git a/kubernetes/bootstrap/helmfile.yaml b/kubernetes/bootstrap/helmfile.d/01-apps.yaml similarity index 51% rename from kubernetes/bootstrap/helmfile.yaml rename to kubernetes/bootstrap/helmfile.d/01-apps.yaml
index 793b6fdf1..588928f79
--- a/kubernetes/bootstrap/helmfile.yaml
+++ b/kubernetes/bootstrap/helmfile.d/01-apps.yaml
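Review bot: The comment `# Prevent helmfile apply or sync` on the `args` line overstates what `--include-crds --no-hooks` do: they are `helm template` flags, so an accidental `helmfile apply` only fails because `helm upgrade` rejects `--include-crds` as an unknown flag, not because anything deliberately blocks it. I would replace the comment with the intended invocation, e.g. `# template-only: helmfile -f 00-crds.yaml template | kubectl apply --server-side -f -`. The talconfig hunk later in this diff removes the Gateway API `experimental-install.yaml`; whether `wiremind/gateway-api-crds` 1.3.0 ships the experimental channel is not visible here, and any experimental-channel resource (TLSRoute, for instance) that the Cilium Gateway integration is expected to serve would silently lose its CRD. All four charts are fetched by mutable tag from ghcr.io with no digest or signature verification, which is acceptable for a bootstrap path but deserves a one-line note so it is a known trade-off.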
@@ -1,63 +1,65 @@ --- # yaml-language-server: $schema=https://json.schemastore.org/helmfile -# renovate: depName=ghcr.io/siderolabs/kubelet datasource=docker -kubeVersion: v1.32.0 - helmDefaults: + cleanupOnFail: true wait: true waitForJobs: true - timeout: 600 - recreatePods: true - force: true - -repositories: - - name: cilium - url: https://helm.cilium.io - - name: jetstack - url: https://charts.jetstack.io releases: - name: cilium namespace: kube-system - chart: cilium/cilium + chart: oci://ghcr.io/home-operations/charts-mirror/cilium version: 1.18.1 values: - - "../apps/kube-system/cilium/app/values.yaml" + - ../templates/values.yaml.gotmpl + hooks: + # Apply cilium network configuration + - events: + - postsync + command: kubectl + args: + - apply + - --namespace=kube-system + - --server-side + - --field-manager=kustomize-controller + - --kustomize + - ../../apps/kube-system/cilium/config/ + showlogs: true - name: coredns namespace: kube-system chart: oci://ghcr.io/coredns/charts/coredns version: 1.43.2 values: - - ../apps/kube-system/coredns/app/helm-values.yaml + - ../templates/values.yaml.gotmpl needs: - kube-system/cilium - - name: cert-manager - namespace: cert-manager - chart: jetstack/cert-manager - version: v1.18.2 + - name: spegel + namespace: system + chart: oci://ghcr.io/spegel-org/helm-charts/spegel + version: 0.3.0 values: - - ../apps/cert-manager/cert-manager/app/helm-values.yaml + - ../templates/values.yaml.gotmpl needs: - kube-system/coredns - - name: external-secrets - namespace: security - chart: oci://ghcr.io/external-secrets/charts/external-secrets - version: 0.19.2 + - name: cert-manager + namespace: cert-manager + chart: oci://quay.io/jetstack/charts/cert-manager + version: v1.18.2 values: - - ../apps/security/external-secrets/app/helm-values.yaml + - ../templates/values.yaml.gotmpl needs: - - cert-manager/cert-manager + - kube-system/coredns - name: flux-operator namespace: flux-system chart: 
oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator version: 0.28.0 values: - - ../apps/flux-system/operator/app/helm-values.yaml + - ../templates/values.yaml.gotmpl needs: - "security/external-secrets" @@ -67,6 +69,6 @@ releases: version: 0.28.0 wait: false values: - - ../apps/flux-system/operator/instance/helm/values.yaml + - ../templates/values.yaml.gotmpl needs: - flux-system/flux-operator diff --git a/kubernetes/bootstrap/op.env b/kubernetes/bootstrap/resources.env similarity index 82% rename from kubernetes/bootstrap/op.env rename to kubernetes/bootstrap/resources.env index 8a4c7757f..6865ff55c 100644 --- a/kubernetes/bootstrap/op.env +++ b/kubernetes/bootstrap/resources.env @@ -1,4 +1,5 @@ FLUX_GITHUB_DEPLOY_KEY="op://$VAULT/flux/FLUX_GITHUB_DEPLOY_KEY" FLUX_IDENTITY_PUB="op://$VAULT/flux/FLUX_IDENTITY_PUB" +FLUX_KNOWN_HOSTS="op://$VAULT/flux/FLUX_KNOWN_HOSTS" ONEPASSWORD_CONNECT_CREDENTIALS="op://$VAULT/op-connect/CREDENTIALS" ONEPASSWORD_CONNECT_TOKEN="op://$VAULT/op-connect/TOKEN" diff --git a/kubernetes/bootstrap/resources.yaml.j2 b/kubernetes/bootstrap/resources.yaml.j2 new file mode 100644 index 000000000..8d5cd9d53 --- /dev/null +++ b/kubernetes/bootstrap/resources.yaml.j2 @@ -0,0 +1,30 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: security +--- +apiVersion: v1 +kind: Secret +metadata: + name: onepassword-connect-secret + namespace: dev #security +stringData: + 1password-credentials.json: { { ENV.ONEPASSWORD_CONNECT_CREDENTIALS } } + token: { { ENV.ONEPASSWORD_CONNECT_TOKEN } } +--- +apiVersion: v1 +kind: Namespace +metadata: + name: flux-system +--- +apiVersion: v1 +kind: Secret +metadata: + name: homelab-flux-secret + namespace: dev #flux-system +stringData: + identity.pub: { { ENV.FLUX_IDENTITY_PUB } } + known_hosts: { { ENV.FLUX_KNOWN_HOSTS } } + identity: | + {{ ENV.FLUX_GITHUB_DEPLOY_KEY | indent(4) }} 
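Review bot: `needs: - "security/external-secrets"` on the flux-operator release survives as context while this hunk removes the `external-secrets` release from the file (it now lives in 00-crds.yaml under namespace `external-secrets`), so the dependency points at a release that no longer exists; I believe helmfile refuses to run when a `needs` entry names a release not defined in the same state, and it certainly no longer orders flux-operator after anything useful. Either drop the line or point it at the real prerequisite in this file, e.g. `needs: - cert-manager/cert-manager`. Separately, `../templates/values.yaml.gotmpl` derives its path from namespace and name, which for this release is `apps/flux-system/flux-operator/app/helm-release.yaml`; the diff deletes `apps/flux-system/operator/` and does not visibly create that directory, so unless it exists elsewhere the chart would install with default values. The helmfile release list continues past this hunk.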
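Review bot: Both secrets are written to `namespace: dev #security` and `namespace: dev #flux-system`, so the 1Password Connect credentials and the Flux deploy key land in a `dev` namespace this file never creates while the `security` and `flux-system` namespaces it does create stay empty; this reads as a debugging leftover and should be `namespace: security` and `namespace: flux-system` respectively. The expressions `{ { ENV.ONEPASSWORD_CONNECT_CREDENTIALS } }`, `{ { ENV.ONEPASSWORD_CONNECT_TOKEN } }`, `{ { ENV.FLUX_IDENTITY_PUB } }` and `{ { ENV.FLUX_KNOWN_HOSTS } }` have a space between the braces, which a Jinja renderer does not treat as an expression (the deleted templates used `{{ … }}`, and the block-scalar `identity` line in this file still does), so the rendered Secrets would carry a literal YAML flow mapping instead of the credential. That pattern is what a YAML formatter produces from `{{ … }}`, so exclude `*.j2` from the formatter and restore `{{ ENV.X }}`. A cheap guard for the bootstrap task is to fail if the rendered output still contains the string `ENV.` before it is applied.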
diff --git a/kubernetes/bootstrap/secrets/github-deploy-key.secret.yaml.j2 b/kubernetes/bootstrap/secrets/github-deploy-key.secret.yaml.j2 deleted file mode 100644 index d93ce0fa9..000000000 --- a/kubernetes/bootstrap/secrets/github-deploy-key.secret.yaml.j2 +++ /dev/null @@ -1,11 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: homelab-flux-secret - namespace: flux-system -stringData: - identity: | - {{ ENV.FLUX_GITHUB_DEPLOY_KEY | indent(4) }} - identity.pub: {{ ENV.FLUX_IDENTITY_PUB }} - known_hosts: github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= diff --git a/kubernetes/bootstrap/secrets/onepassword-connect.secret.yaml.j2 b/kubernetes/bootstrap/secrets/onepassword-connect.secret.yaml.j2 deleted file mode 100644 index 5b50b8296..000000000 --- a/kubernetes/bootstrap/secrets/onepassword-connect.secret.yaml.j2 +++ /dev/null @@ -1,16 +0,0 @@ - ---- -apiVersion: v1 -kind: Namespace -metadata: - name: security - ---- -apiVersion: v1 -kind: Secret -metadata: - name: onepassword-connect-secret - namespace: security -stringData: - 1password-credentials.json: {{ ENV.ONEPASSWORD_CONNECT_CREDENTIALS }} - token: {{ ENV.ONEPASSWORD_CONNECT_TOKEN }} diff --git a/kubernetes/bootstrap/templates/values.yaml.gotmpl b/kubernetes/bootstrap/templates/values.yaml.gotmpl new file mode 100644 index 000000000..d340fb92d --- /dev/null +++ b/kubernetes/bootstrap/templates/values.yaml.gotmpl @@ -0,0 +1 @@ +{{ exec "yq" (list "select(.kind == \"HelmRelease\").spec.values" (printf "../../apps/%s/%s/app/helm-release.yaml" .Release.Namespace .Release.Name)) }} diff --git a/infrastructure/talos/talconfig.yaml b/kubernetes/talos/talconfig.yaml similarity index 81% rename from infrastructure/talos/talconfig.yaml rename to kubernetes/talos/talconfig.yaml index e5509c5bc..b1356785c 100644 --- a/infrastructure/talos/talconfig.yaml 
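Review bot: The `yq` call returns `null` when the selected helm-release.yaml has no inline `spec.values` (a release still on `valuesFrom`, or one whose name does not follow the `apps/<namespace>/<release>/app` convention), and helmfile then installs the chart with upstream defaults instead of failing. Adding yq's exit-status flag turns that into a hard bootstrap error: `{{ exec "yq" (list "--exit-status" "select(.kind == \"HelmRelease\").spec.values" (printf "../../apps/%s/%s/app/helm-release.yaml" .Release.Namespace .Release.Name)) }}`. A leading `{{/* requires mikefarah yq on PATH; values path is derived from release namespace and name */}}` would also make the implicit tool dependency explicit. The flux-operator release in 01-apps.yaml resolves through this template to `apps/flux-system/flux-operator/app/helm-release.yaml`, a path this diff does not create while deleting `apps/flux-system/operator/`; if that directory is added elsewhere, disregard that part.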
+++ b/kubernetes/talos/talconfig.yaml @@ -28,6 +28,11 @@ nodes: dhcp: true vip: ip: *clusterEndpointIp + machineSpec: &rpi-spec + mode: metal + arch: arm64 + bootMethod: disk-image + imageSuffix: raw.xz schematic: &rpi-schematic overlay: image: siderolabs/sbc-raspberrypi @@ -57,6 +62,7 @@ nodes: dhcp: true vip: ip: *clusterEndpointIp + machineSpec: *rpi-spec schematic: *rpi-schematic - hostname: cp03 @@ -71,6 +77,7 @@ nodes: dhcp: true vip: ip: *clusterEndpointIp + machineSpec: *rpi-spec schematic: *rpi-schematic - hostname: w01 
@@ -84,28 +91,33 @@ nodes: addresses: - 192.168.20.34/24 dhcp: true - schematic: &nuc-schematic + machineSpec: &nuc8-spec + mode: metal + arch: amd64 + bootMethod: disk-image + imageSuffix: raw.xz + schematic: &nuc8-schematic customization: extraKernelArgs: - - -selinux # Less security, faster puter - - -init_on_alloc # Less security, faster puter - - -init_on_free # Less security, faster puter - - apparmor=0 # Less security, faster puter - - init_on_alloc=0 # Less security, faster puter - - init_on_free=0 # Less security, faster puter - - intel_iommu=on # PCI Passthrough - - iommu=pt # PCI Passthrough - - mitigations=off # Less security, faster puter - - security=none # Less security, faster puter - - talos.auditd.disabled=1 # Less security, faster puter - - net.ifnames=1 # Enable predictable NIC naming + - -selinux # Less security, faster puter + - -init_on_alloc # Less security, faster puter + - -init_on_free # Less security, faster puter + - apparmor=0 # Less security, faster puter + - init_on_alloc=0 # Less security, faster puter + - init_on_free=0 # Less security, faster puter + - intel_iommu=on # PCI Passthrough + - iommu=pt # PCI Passthrough + - mitigations=off # Less security, faster puter + - security=none # Less security, faster puter + - talos.auditd.disabled=1 # Less security, faster puter + - net.ifnames=1 # Enable predictable NIC naming systemExtensions: officialExtensions: - siderolabs/usb-modem-drivers - siderolabs/i915 - siderolabs/intel-ucode patches: - - &nuc-patches |- + - &nuc8-patches |- machine: kernel: modules: @@ -132,9 +144,10 @@ nodes: addresses: - 192.168.20.36/24 dhcp: true - schematic: *nuc-schematic + machineSpec: *nuc8-spec + schematic: *nuc8-schematic patches: - - *nuc-patches + - *nuc8-patches - hostname: w04 ipAddress: 192.168.20.33 
@@ -147,9 +160,10 @@ nodes: addresses: - 192.168.20.33/24 dhcp: true - schematic: *nuc-schematic + machineSpec: *nuc8-spec + schematic: *nuc8-schematic patches: - - *nuc-patches + - *nuc8-patches - hostname: s01 ipAddress: 192.168.20.37 @@ -164,23 +178,28 @@ nodes: dhcp: true nodeLabels: openebs.io/nodeid: s01 + machineSpec: + mode: metal + arch: amd64 + bootMethod: disk-image + imageSuffix: raw.xz kernelModules: - name: zfs schematic: customization: extraKernelArgs: - - -selinux # Less security, faster puter - - -init_on_alloc # Less security, faster puter - - -init_on_free # Less security, faster puter - - apparmor=0 # Less security, faster puter - - init_on_alloc=0 # Less security, faster puter - - init_on_free=0 # Less security, faster puter - - intel_iommu=on # PCI Passthrough - - iommu=pt # PCI Passthrough - - mitigations=off # Less security, faster puter - - security=none # Less security, faster puter - - talos.auditd.disabled=1 # Less security, faster puter - - net.ifnames=1 # Enable predictable NIC naming + - -selinux # Less security, faster puter + - -init_on_alloc # Less security, faster puter + - -init_on_free # Less security, faster puter + - apparmor=0 # Less security, faster puter + - init_on_alloc=0 # Less security, faster puter + - init_on_free=0 # Less security, faster puter + - intel_iommu=on # PCI Passthrough + - iommu=pt # PCI Passthrough + - mitigations=off # Less security, faster puter + - security=none # Less security, faster puter + - talos.auditd.disabled=1 # Less security, faster puter + - net.ifnames=1 # Enable predictable NIC naming systemExtensions: officialExtensions: - siderolabs/i915 @@ -221,6 +240,11 @@ nodes: addresses: - 192.168.20.21/24 dhcp: true + machineSpec: &nuc14-spec + mode: metal + arch: amd64 + bootMethod: disk-image + imageSuffix: raw.xz schematic: &nuc14-schematic customization: extraKernelArgs: 
@@ -299,15 +323,6 @@ controlPlane: runtime-config: admissionregistration.k8s.io/v1alpha1=true feature-gates: MutatingAdmissionPolicy=true - # Bootstrap manifests - - |- - cluster: - extraManifests: - - # renovate: datasource=github-releases depName=kubernetes-sigs/gateway-api - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml - - # renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator - https://github.com/prometheus-operator/prometheus-operator/releases/download/v0.85.0/stripped-down-crds.yaml - # Cluster configuration - |- cluster: diff --git a/kubernetes/talos/talsecret.env b/kubernetes/talos/talsecret.env new file mode 100644 index 000000000..1d68c063a --- /dev/null +++ b/kubernetes/talos/talsecret.env @@ -0,0 +1,14 @@ +TALOS_CLUSTER_ID="op://Homelab/talos/TALOS_CLUSTER_ID" +TALOS_CLUSTER_SECRET="op://Homelab/talos/TALOS_CLUSTER_SECRET" +TALOS_SECRETS_BOOTSTRAP_TOKEN="op://Homelab/talos/TALOS_SECRETS_BOOTSTRAP_TOKEN" +TALOS_SECRETS_SECRETBOX_ENCRYPTION_SECRET="op://Homelab/talos/TALOS_SECRETS_SECRETBOX_ENCRYPTION_SECRET" +TALOS_TRUSTD_INFO_TOKEN="op://Homelab/talos/TALOS_TRUSTD_INFO_TOKEN" +TALOS_CERTS_ETCD_CRT="op://Homelab/talos/TALOS_CERTS_ETCD_CRT" +TALOS_CERTS_ETCD_KEY="op://Homelab/talos/TALOS_CERTS_ETCD_KEY" +TALOS_CERTS_K8S_CRT="op://Homelab/talos/TALOS_CERTS_K8S_CRT" +TALOS_CERTS_K8S_KEY="op://Homelab/talos/TALOS_CERTS_K8S_KEY" +TALOS_CERTS_K8SAGGREGATOR_CRT="op://Homelab/talos/TALOS_CERTS_K8SAGGREGATOR_CRT" +TALOS_CERTS_K8SAGGREGATOR_KEY="op://Homelab/talos/TALOS_CERTS_K8SAGGREGATOR_KEY" +TALOS_CERTS_K8SSERVICEACCOUNT_KEY="op://Homelab/talos/TALOS_CERTS_K8SSERVICEACCOUNT_KEY" +TALOS_CERTS_OS_CRT="op://Homelab/talos/TALOS_CERTS_OS_CRT" +TALOS_CERTS_OS_KEY="op://Homelab/talos/TALOS_CERTS_OS_KEY" 
diff --git a/infrastructure/talos/talsecret.yaml b/kubernetes/talos/talsecret.yaml similarity index 100% rename from infrastructure/talos/talsecret.yaml rename to kubernetes/talos/talsecret.yaml