
Add most of the repo for Talos things.

+3247
+18
.idea/dataSources.xml
··· 1 + <?xml version="1.0" encoding="UTF-8"?> 2 + <project version="4"> 3 + <component name="DataSourceManagerImpl" format="xml" multifile-model="true"> 4 + <data-source source="LOCAL" name="protu_2023@10.96.69.198" uuid="b0210e00-f60a-42d7-ae9d-994d8cffdae5"> 5 + <driver-ref>postgresql</driver-ref> 6 + <synchronize>true</synchronize> 7 + <jdbc-driver>org.postgresql.Driver</jdbc-driver> 8 + <jdbc-url>jdbc:postgresql://10.96.69.198:5432/protu_2023</jdbc-url> 9 + <jdbc-additional-properties> 10 + <property name="com.intellij.clouds.kubernetes.db.host.port" /> 11 + <property name="com.intellij.clouds.kubernetes.db.enabled" value="false" /> 12 + <property name="com.intellij.clouds.kubernetes.db.resource.type" value="Deployment" /> 13 + <property name="com.intellij.clouds.kubernetes.db.container.port" /> 14 + </jdbc-additional-properties> 15 + <working-dir>$ProjectFileDir$</working-dir> 16 + </data-source> 17 + </component> 18 + </project>
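Review bot: `.idea/dataSources.xml` is a per-workstation JetBrains file, and its `<jdbc-url>` records an internal database host and database name that play no part in this repository; it (together with `.idea/material_theme_project_new.xml`) should be dropped from the commit and `.idea/` added to `.gitignore`. The visible lines carry no credentials, but they still disclose internal infrastructure addresses to anyone with read access to the repo, and IDE state files churn on every developer's machine.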
+18
.idea/material_theme_project_new.xml
··· 1 + <?xml version="1.0" encoding="UTF-8"?> 2 + <project version="4"> 3 + <component name="MaterialThemeProjectNewConfig"> 4 + <option name="metadata"> 5 + <MTProjectMetadataState> 6 + <option name="migrated" value="true" /> 7 + <option name="pristineConfig" value="false" /> 8 + <option name="userId" value="e0f5e5c:185ae4c6316:-8000" /> 9 + <option name="version" value="8.13.2" /> 10 + </MTProjectMetadataState> 11 + </option> 12 + <option name="titleBarState"> 13 + <MTProjectTitleBarConfigState> 14 + <option name="overrideColor" value="false" /> 15 + </MTProjectTitleBarConfigState> 16 + </option> 17 + </component> 18 + </project>
+43
.taskfiles/Repository/Taskfile.yaml
··· 1 + --- 2 + # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 + version: "3" 4 + 5 + tasks: 6 + 7 + clean: 8 + desc: Clean files and directories no longer needed after cluster bootstrap 9 + cmds: 10 + - mkdir -p {{.PRIVATE_DIR}} 11 + # Clean up CI 12 + - rm -rf {{.ROOT_DIR}}/.github/tests 13 + - rm -rf {{.ROOT_DIR}}/.github/workflows/e2e.yaml 14 + # Clean up devcontainer 15 + - rm -rf {{.ROOT_DIR}}/.devcontainer/ci 16 + - rm -rf {{.ROOT_DIR}}/.github/workflows/devcontainer.yaml 17 + # Move bootstrap directory to gitignored directory 18 + - mv {{.BOOTSTRAP_DIR}} {{.PRIVATE_DIR}}/bootstrap-{{now | date "150405"}} 19 + - mv {{.MAKEJINJA_CONFIG_FILE}} {{.PRIVATE_DIR}}/makejinja-{{now | date "150405"}}.toml 20 + # Update renovate.json5 21 + - sed -i {{if eq OS "darwin"}}''{{end}} 's/(..\.j2)\?//g' {{.ROOT_DIR}}/.github/renovate.json5 22 + preconditions: 23 + - msg: Missing bootstrap directory 24 + sh: test -d {{.BOOTSTRAP_DIR}} 25 + - msg: Missing Renovate config file 26 + sh: test -f {{.ROOT_DIR}}/.github/renovate.json5 27 + 28 + reset: 29 + desc: Reset templated configuration files 30 + prompt: Reset templated configuration files... continue? 31 + cmds: 32 + - task: :kubernetes:.reset 33 + - task: :sops:.reset 34 + - task: :talos:.reset 35 + 36 + force-reset: 37 + desc: Reset repo back to HEAD 38 + prompt: Reset repo back to HEAD... continue? 39 + cmds: 40 + - task: reset 41 + - git reset --hard HEAD 42 + - git clean -f -d 43 + - git pull origin main
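Review bot: In the `clean` task the destination names use `now | date "150405"` (hours, minutes and seconds only), so a second run on a different day at the same time of day hits an existing directory and `mv` nests the new bootstrap directory inside the old one instead of creating a sibling; `now | date "20060102-150405"` gives a unique, sortable suffix. `force-reset` prompts before running, but its `git clean -f -d` removes untracked content wherever `{{.PRIVATE_DIR}}` lives unless that path is ignored; the comment on `clean` implies it is, which is worth confirming since this is where the moved bootstrap secrets end up.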
+36
.taskfiles/Sops/Taskfile.yaml
··· 1 + --- 2 + # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 + version: "3" 4 + 5 + tasks: 6 + 7 + age-keygen: 8 + desc: Initialize Age Key for Sops 9 + cmd: age-keygen --output {{.AGE_FILE}} 10 + status: ["test -f {{.AGE_FILE}}"] 11 + 12 + encrypt: 13 + desc: Encrypt all Kubernetes SOPS secrets 14 + cmds: 15 + - for: { var: file } 16 + task: .encrypt-file 17 + vars: 18 + file: "{{.ITEM}}" 19 + vars: 20 + file: 21 + sh: find "{{.KUBERNETES_DIR}}" -type f -name "*.sops.*" -exec grep -L "ENC\[AES256_GCM" {} \; 22 + 23 + .encrypt-file: 24 + internal: true 25 + cmd: sops --encrypt --in-place {{.file}} 26 + requires: 27 + vars: ["file"] 28 + preconditions: 29 + - msg: Missing Sops config file 30 + sh: test -f {{.SOPS_CONFIG_FILE}} 31 + - msg: Missing Sops Age key file 32 + sh: test -f {{.AGE_FILE}} 33 + 34 + .reset: 35 + internal: true 36 + cmd: rm -rf {{.SOPS_CONFIG_FILE}}
+101
.taskfiles/Talos/Taskfile.yaml
··· 1 + --- 2 + # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 + version: "3" 4 + 5 + vars: 6 + TALHELPER_CLUSTER_DIR: "{{.KUBERNETES_DIR}}/bootstrap/talos/clusterconfig" 7 + TALHELPER_SECRET_FILE: "{{.KUBERNETES_DIR}}/bootstrap/talos/talsecret.sops.yaml" 8 + TALHELPER_CONFIG_FILE: "{{.KUBERNETES_DIR}}/bootstrap/talos/talconfig.yaml" 9 + HELMFILE_FILE: "{{.KUBERNETES_DIR}}/bootstrap/helmfile.yaml" 10 + TALOSCONFIG_FILE: "{{.TALHELPER_CLUSTER_DIR}}/talosconfig" 11 + 12 + env: 13 + TALOSCONFIG: "{{.TALOSCONFIG_FILE}}" 14 + 15 + tasks: 16 + 17 + bootstrap: 18 + desc: Bootstrap the Talos cluster 19 + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" 20 + cmds: 21 + - | 22 + if [ ! -f "{{.TALHELPER_SECRET_FILE}}" ]; then 23 + talhelper gensecret > {{.TALHELPER_SECRET_FILE}} 24 + sops --encrypt --in-place {{.TALHELPER_SECRET_FILE}} 25 + fi 26 + - talhelper genconfig --config-file {{.TALHELPER_CONFIG_FILE}} --secret-file {{.TALHELPER_SECRET_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} 27 + - talhelper gencommand apply --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="--insecure" | bash 28 + - until talhelper gencommand bootstrap --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} | bash; do sleep 10; done 29 + - task: fetch-kubeconfig 30 + - task: install-helm-apps 31 + - talosctl health --server=false 32 + preconditions: 33 + - msg: Missing talhelper config file 34 + sh: test -f {{.TALHELPER_CONFIG_FILE}} 35 + - msg: Missing Sops config file 36 + sh: test -f {{.SOPS_CONFIG_FILE}} 37 + - msg: Missing Sops Age key file 38 + sh: test -f {{.AGE_FILE}} 39 + 40 + fetch-kubeconfig: 41 + desc: Fetch kubeconfig 42 + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" 43 + cmd: until talhelper gencommand kubeconfig --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="{{.ROOT_DIR}} --force" | bash; do sleep 10; done 44 + preconditions: 45 + - msg: Missing talhelper config 
file 46 + sh: test -f {{.TALHELPER_CONFIG_FILE}} 47 + 48 + install-helm-apps: 49 + desc: Bootstrap core apps needed for Talos 50 + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" 51 + cmds: 52 + - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done 53 + - helmfile --kubeconfig {{.KUBECONFIG_FILE}} --file {{.HELMFILE_FILE}} apply --skip-diff-on-install --suppress-diff 54 + - until kubectl --kubeconfig {{.KUBECONFIG_FILE}} wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done 55 + preconditions: 56 + - msg: Missing kubeconfig 57 + sh: test -f {{.KUBECONFIG_FILE}} 58 + - msg: Missing helmfile 59 + sh: test -f {{.HELMFILE_FILE}} 60 + 61 + upgrade: 62 + desc: Upgrade Talos on a node 63 + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" 64 + cmds: 65 + - talosctl --nodes {{.node}} upgrade --image {{.image}} --wait=true --timeout=10m --preserve=true --reboot-mode={{.mode}} 66 + - talosctl --nodes {{.node}} health --wait-timeout=10m --server=false 67 + vars: 68 + mode: '{{.mode | default "default"}}' 69 + requires: 70 + vars: ["node", "image"] 71 + preconditions: 72 + - msg: Missing talosconfig 73 + sh: test -f {{.TALOSCONFIG_FILE}} 74 + - msg: Unable to retrieve Talos config 75 + sh: talosctl config info >/dev/null 2>&1 76 + - msg: Node not found 77 + sh: talosctl --nodes {{.node}} get machineconfig >/dev/null 2>&1 78 + 79 + upgrade-k8s: 80 + desc: Upgrade Kubernetes across the cluster 81 + dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" 82 + cmd: talosctl --nodes {{.controller}} upgrade-k8s --to {{.to}} 83 + requires: 84 + vars: ["controller", "to"] 85 + preconditions: 86 + - msg: Missing talosconfig 87 + sh: test -f {{.TALOSCONFIG_FILE}} 88 + - msg: Unable to retrieve Talos config 89 + sh: talosctl config info >/dev/null 2>&1 90 + - msg: Node not found 91 + sh: talosctl --nodes {{.controller}} get machineconfig >/dev/null 2>&1 92 + 93 + nuke: 94 + desc: Resets nodes back to maintenance mode 95 
+ dir: "{{.KUBERNETES_DIR}}/bootstrap/talos" 96 + prompt: This will destroy your cluster and reset the nodes back to maintenance mode... continue? 97 + cmd: talhelper gencommand reset --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="--reboot {{- if eq .CLI_FORCE false }} --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL{{ end }} --graceful=false --wait=false" | bash 98 + 99 + .reset: 100 + internal: true 101 + cmd: rm -rf {{.TALHELPER_CLUSTER_DIR}} {{.TALHELPER_SECRET_FILE}} {{.TALHELPER_CONFIG_FILE}}
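Review bot: In the `bootstrap` task's first command, a failed `sops --encrypt --in-place` leaves `talsecret.sops.yaml` on disk in plaintext, and because the guard is only `[ ! -f ... ]`, every later run skips the block, so unencrypted cluster secrets persist under a `*.sops.yaml` name that the rest of the tooling assumes is encrypted. The multi-line script does not set `-e`, so the failure probably does not abort the task either (inferred from the visible lines). Make the encryption failure fatal and clean up: `sops --encrypt --in-place {{.TALHELPER_SECRET_FILE}} || { rm -f {{.TALHELPER_SECRET_FILE}}; exit 1; }`, and consider `set -e` at the top of the block.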
+17
.taskfiles/Workstation/Archfile
··· 1 + age 2 + cloudflared-bin 3 + direnv 4 + flux-bin 5 + go-task 6 + go-yq 7 + helm 8 + helmfile 9 + jq 10 + kubeconform 11 + kubectl-bin 12 + kustomize 13 + moreutils 14 + sops 15 + stern-bin 16 + talhelper-bin 17 + talosctl
+20
.taskfiles/Workstation/Brewfile
··· 1 + tap "fluxcd/tap" 2 + tap "go-task/tap" 3 + tap "siderolabs/tap" 4 + brew "age" 5 + brew "cloudflared" 6 + brew "direnv" 7 + brew "fluxcd/tap/flux" 8 + brew "go-task/tap/go-task" 9 + brew "helm" 10 + brew "helmfile" 11 + brew "jq" 12 + brew "kubeconform" 13 + brew "kubernetes-cli" 14 + brew "kustomize" 15 + brew "moreutils" 16 + brew "sops" 17 + brew "stern" 18 + brew "talhelper" 19 + brew "talosctl" 20 + brew "yq"
+71
.taskfiles/Workstation/Taskfile.yaml
··· 1 + --- 2 + # yaml-language-server: $schema=https://taskfile.dev/schema.json 3 + version: "3" 4 + 5 + vars: 6 + ARCHFILE: "{{.ROOT_DIR}}/.taskfiles/Workstation/Archfile" 7 + BREWFILE: "{{.ROOT_DIR}}/.taskfiles/Workstation/Brewfile" 8 + GENERIC_BIN_DIR: "{{.ROOT_DIR}}/.bin" 9 + 10 + tasks: 11 + 12 + direnv: 13 + desc: Run direnv hooks 14 + cmd: direnv allow . 15 + status: 16 + - "[[ $(direnv status --json | jq '.state.foundRC.allowed') == 0 ]]" 17 + - "[[ $(direnv status --json | jq '.state.loadedRC.allowed') == 0 ]]" 18 + 19 + venv: 20 + desc: Set up virtual environment 21 + cmds: 22 + - "{{.PYTHON_BIN}} -m venv {{.VIRTUAL_ENV}}" 23 + - '{{.VIRTUAL_ENV}}/bin/python3 -m pip install --upgrade pip setuptools wheel' 24 + - '{{.VIRTUAL_ENV}}/bin/python3 -m pip install --upgrade --requirement "{{.PIP_REQUIREMENTS_FILE}}"' 25 + sources: 26 + - "{{.PIP_REQUIREMENTS_FILE}}" 27 + generates: 28 + - "{{.VIRTUAL_ENV}}/pyvenv.cfg" 29 + preconditions: 30 + - { msg: "Missing Pip requirements file", sh: "test -f {{.PIP_REQUIREMENTS_FILE}}" } 31 + 32 + brew: 33 + desc: Install workstation dependencies with Brew 34 + cmd: brew bundle --file {{.BREWFILE}} 35 + preconditions: 36 + - { msg: "Missing Homebrew", sh: "command -v brew" } 37 + - { msg: "Missing Brewfile", sh: "test -f {{.BREWFILE}}" } 38 + 39 + arch: 40 + desc: Install Arch workstation dependencies with Paru Or Yay 41 + cmd: "{{.helper}} -Syu --needed --noconfirm --noprogressbar $(cat {{.ARCHFILE}} | xargs)" 42 + vars: 43 + helper: 44 + sh: "command -v yay || command -v paru" 45 + preconditions: 46 + - { msg: "Missing Archfile", sh: "test -f {{.ARCHFILE}}" } 47 + 48 + generic-linux: 49 + desc: Install CLI tools into the projects .bin directory using curl 50 + dir: "{{.GENERIC_BIN_DIR}}" 51 + platforms: ["linux/amd64", "linux/arm64"] 52 + cmds: 53 + - for: 54 + - budimanjojo/talhelper?as=talhelper&type=script 55 + - cloudflare/cloudflared?as=cloudflared&type=script 56 + - FiloSottile/age?as=age&type=script 57 + - 
fluxcd/flux2?as=flux&type=script 58 + - getsops/sops?as=sops&type=script 59 + - helmfile/helmfile?as=helmfile&type=script 60 + - jqlang/jq?as=jq&type=script 61 + - kubernetes-sigs/kustomize?as=kustomize&type=script 62 + - siderolabs/talos?as=talosctl&type=script 63 + - yannh/kubeconform?as=kubeconform&type=script 64 + - mikefarah/yq?as=yq&type=script 65 + cmd: curl -fsSL "https://i.jpillora.com/{{.ITEM}}" | bash 66 + - cmd: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" 67 + platforms: ["linux/amd64"] 68 + - cmd: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/arm64/kubectl" 69 + platforms: ["linux/arm64"] 70 + - cmd: chmod +x kubectl 71 + - cmd: curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | USE_SUDO="false" HELM_INSTALL_DIR="." bash
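Review bot: The `generic-linux` task installs every tool by piping unauthenticated `curl` output straight into `bash` (`i.jpillora.com` and `get-helm-3`) and downloads `kubectl` without checking the published checksum; nothing is pinned, so each run executes whatever the upstream currently serves with the user's privileges. At minimum verify kubectl with `curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl.sha256"` followed by `echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check` (and the same for arm64), and pin a version for the script-based installers (the installer URL appears to accept a `@version` suffix — confirm against its docs). The helm line also lacks `-fsSL`, so an HTTP error body would be handed to `bash`.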
+5
bootstrap/overrides/readme.partial.yaml.j2
··· 1 + #| Place user jinja template overrides in this file's directory |# 2 + #| Docs: https://mirkolenz.github.io/makejinja/makejinja.html |# 3 + #| Example: https://github.com/mirkolenz/makejinja/blob/main/tests/data/makejinja.toml |# 4 + #| Example: https://github.com/mirkolenz/makejinja/blob/main/tests/data/input1/not-empty.yaml.jinja |# 5 + #| Example: https://github.com/mirkolenz/makejinja/blob/main/tests/data/input2/not-empty.yaml.jinja |#
+81
bootstrap/scripts/plugin.py
··· 1 + import importlib.util 2 + import sys 3 + from collections.abc import Callable 4 + from pathlib import Path 5 + from typing import Any 6 + 7 + from typing import Any 8 + from netaddr import IPNetwork 9 + 10 + import makejinja 11 + import validation 12 + 13 + 14 + # Return the filename of a path without the j2 extension 15 + def basename(value: str) -> str: 16 + return Path(value).stem 17 + 18 + 19 + # Return a list of files in the talos patches directory 20 + def talos_patches(value: str) -> list[str]: 21 + path = Path(f'bootstrap/templates/kubernetes/bootstrap/talos/patches/{value}') 22 + if not path.is_dir(): 23 + return [] 24 + return [str(f) for f in sorted(path.glob('*.yaml.j2')) if f.is_file()] 25 + 26 + 27 + # Return the nth host in a CIDR range 28 + def nthhost(value: str, query: int) -> str: 29 + value = IPNetwork(value) 30 + try: 31 + nth = int(query) 32 + if value.size > nth: 33 + return str(value[nth]) 34 + except ValueError: 35 + return False 36 + return value 37 + 38 + 39 + def import_filter(file: Path) -> Callable[[dict[str, Any]], bool]: 40 + module_path = file.relative_to(Path.cwd()).with_suffix("") 41 + module_name = str(module_path).replace("/", ".") 42 + spec = importlib.util.spec_from_file_location(module_name, file) 43 + assert spec is not None 44 + module = importlib.util.module_from_spec(spec) 45 + sys.modules[module_name] = module 46 + assert spec.loader is not None 47 + spec.loader.exec_module(module) 48 + return module.main 49 + 50 + 51 + class Plugin(makejinja.plugin.Plugin): 52 + def __init__(self, data: dict[str, Any], config: makejinja.config.Config): 53 + self._data = data 54 + self._config = config 55 + 56 + self._excluded_dirs: set[Path] = set() 57 + for input_path in config.inputs: 58 + for filter_file in input_path.rglob(".mjfilter.py"): 59 + filter_func = import_filter(filter_file) 60 + if filter_func(data) is False: 61 + self._excluded_dirs.add(filter_file.parent) 62 + 63 + validation.validate(data) 64 + 65 + 66 + def 
filters(self) -> makejinja.plugin.Filters: 67 + return [basename, nthhost] 68 + 69 + 70 + def functions(self) -> makejinja.plugin.Functions: 71 + return [talos_patches] 72 + 73 + 74 + def path_filters(self): 75 + return [self._mjfilter_func] 76 + 77 + 78 + def _mjfilter_func(self, path: Path) -> bool: 79 + return not any( 80 + path.is_relative_to(excluded_dir) for excluded_dir in self._excluded_dirs 81 + )
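Review bot: `nthhost` does not honour its `-> str` contract: when the index is out of range it falls through to `return value`, which is by then the `IPNetwork` object, and a non-numeric `query` returns `False`; `cilium-l3.yaml.j2` in this same commit renders `bootstrap_node_network | nthhost(1)` directly into `peerAddress`, so a bad index would template the whole CIDR instead of failing. `IPNetwork(value)` also runs outside the `try`, so an invalid CIDR raises netaddr's `AddrFormatError` rather than the `ValueError` the handler expects. Raising on both cases makes the template fail loudly; sketch below (`AddrFormatError` would need importing alongside `IPNetwork`). Unrelated nit: `from typing import Any` is imported twice at the top of the file.
```python
def nthhost(value: str, query: int) -> str:
    """Return the nth host address of CIDR ``value``; raises ValueError when out of range."""
    try:
        network = IPNetwork(value)
    except AddrFormatError as e:
        raise ValueError(f"Invalid CIDR {value}") from e
    nth = int(query)
    if not 0 <= nth < network.size:
        raise ValueError(f"Host index {nth} is out of range for {value}")
    return str(network[nth])
```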
+113
bootstrap/scripts/validation.py
··· 1 + from functools import wraps 2 + from shutil import which 3 + from typing import Callable, cast 4 + from zoneinfo import available_timezones 5 + import netaddr 6 + import re 7 + import socket 8 + import sys 9 + 10 + GLOBAL_CLI_TOOLS = ["age", "flux", "helmfile", "sops", "jq", "kubeconform", "kustomize", "talosctl", "talhelper"] 11 + CLOUDFLARE_TOOLS = ["cloudflared"] 12 + 13 + 14 + def required(*keys: str): 15 + def wrapper_outter(func: Callable): 16 + @wraps(func) 17 + def wrapper(data: dict, *_, **kwargs) -> None: 18 + for key in keys: 19 + if data.get(key) is None: 20 + raise ValueError(f"Missing required key {key}") 21 + return func(*[data[key] for key in keys], **kwargs) 22 + 23 + return wrapper 24 + 25 + return wrapper_outter 26 + 27 + 28 + def validate_python_version() -> None: 29 + required_version = (3, 11, 0) 30 + if sys.version_info < required_version: 31 + raise ValueError(f"Python {sys.version_info} is below 3.11. Please upgrade.") 32 + 33 + 34 + def validate_ip(ip: str) -> str: 35 + try: 36 + netaddr.IPAddress(ip) 37 + except netaddr.core.AddrFormatError as e: 38 + raise ValueError(f"Invalid IP address {ip}") from e 39 + return ip 40 + 41 + 42 + def validate_network(cidr: str, family: int) -> str: 43 + try: 44 + network = netaddr.IPNetwork(cidr) 45 + if network.version != family: 46 + raise ValueError(f"Invalid CIDR family {network.version}") 47 + except netaddr.core.AddrFormatError as e: 48 + raise ValueError(f"Invalid CIDR {cidr}") from e 49 + return cidr 50 + 51 + 52 + def validate_node(node: dict, node_cidr: str) -> None: 53 + if not node.get("name"): 54 + raise ValueError(f"A node is missing a name") 55 + if not re.match(r"^[a-z0-9-]+$", node.get('name')): 56 + raise ValueError(f"Node {node.get('name')} has an invalid name") 57 + if not node.get("disk"): 58 + raise ValueError(f"Node {node.get('name')} is missing disk") 59 + if not node.get("mac_addr"): 60 + raise ValueError(f"Node {node.get('name')} is missing mac_addr") 61 + if not 
re.match(r"(?:[0-9a-fA-F]:?){12}", node.get("mac_addr")): 62 + raise ValueError(f"Node {node.get('name')} has an invalid mac_addr, is this a MAC address?") 63 + if node.get("address"): 64 + ip = validate_ip(node.get("address")) 65 + if netaddr.IPAddress(ip, 4) not in netaddr.IPNetwork(node_cidr): 66 + raise ValueError(f"Node {node.get('name')} is not in the node CIDR {node_cidr}") 67 + with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: 68 + sock.settimeout(5) 69 + result = sock.connect_ex((ip, 50000)) 70 + if result != 0: 71 + raise ValueError(f"Node {node.get('name')} port 50000 is not open") 72 + 73 + 74 + @required("bootstrap_cloudflare") 75 + def validate_cli_tools(cloudflare: dict, **_) -> None: 76 + for tool in GLOBAL_CLI_TOOLS: 77 + if not which(tool): 78 + raise ValueError(f"Missing required CLI tool {tool}") 79 + for tool in CLOUDFLARE_TOOLS if cloudflare.get("enabled", False) else []: 80 + if not which(tool): 81 + raise ValueError(f"Missing required CLI tool {tool}") 82 + 83 + 84 + @required("bootstrap_sops_age_pubkey") 85 + def validate_age(key: str, **_) -> None: 86 + if not re.match(r"^age1[a-z0-9]{0,58}$", key): 87 + raise ValueError(f"Invalid Age public key {key}") 88 + 89 + 90 + @required("bootstrap_node_network", "bootstrap_node_inventory") 91 + def validate_nodes(node_cidr: str, nodes: dict[list], **_) -> None: 92 + node_cidr = validate_network(node_cidr, 4) 93 + 94 + controllers = [node for node in nodes if node.get('controller') == True] 95 + if len(controllers) < 1: 96 + raise ValueError(f"Must have at least one controller node") 97 + if len(controllers) % 2 == 0: 98 + raise ValueError(f"Must have an odd number of controller nodes") 99 + for node in controllers: 100 + validate_node(node, node_cidr) 101 + 102 + workers = [node for node in nodes if node.get('controller') == False] 103 + for node in workers: 104 + validate_node(node, node_cidr) 105 + 106 + 107 + def validate(data: dict) -> None: 108 + validate_python_version() 109 + 
validate_cli_tools(data) 110 + validate_age(data) 111 + 112 + if not data.get("skip_tests", False): 113 + validate_nodes(data)
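Review bot: In `validate_node` the MAC check `re.match(r"(?:[0-9a-fA-F]:?){12}", ...)` is neither anchored at the end nor shaped like a MAC: `re.match` only pins the start, so `aa:bb:cc:dd:ee:ff:junk` passes, and the optional colons accept `aabbccddeeff` or `a:a:b:b:c:c:d:d:e:e:f:f`; use `^(?:[0-9a-fA-F]{2}[:-]){5}[0-9a-fA-F]{2}$`. In `validate_age`, `{0,58}` admits truncated keys — an age X25519 recipient is a fixed `age1` plus 58 bech32 characters, so `^age1[a-z0-9]{58}$` is the intended check (confirm against the age spec). In `validate_nodes`, nodes are split with `== True` / `== False`, so an inventory entry that omits `controller` is validated by neither branch; filter with `node.get('controller') is True` and `not node.get('controller')`, or reject a missing key outright. The annotation `nodes: dict[list]` should also read `list[dict]`.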
+12
bootstrap/templates/.sops.yaml.j2
··· 1 + --- 2 + creation_rules: 3 + - # IMPORTANT: This rule MUST be above the others 4 + path_regex: talos/.*\.sops\.ya?ml 5 + key_groups: 6 + - age: 7 + - "#{ bootstrap_sops_age_pubkey }#" 8 + - path_regex: kubernetes/.*\.sops\.ya?ml 9 + encrypted_regex: "^(data|stringData)$" 10 + key_groups: 11 + - age: 12 + - "#{ bootstrap_sops_age_pubkey }#"
+30
bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: cert-manager 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: cert-manager 11 + version: v1.15.1 12 + sourceRef: 13 + kind: HelmRepository 14 + name: jetstack 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + values: 24 + installCRDs: true 25 + dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query 26 + dns01RecursiveNameserversOnly: true 27 + prometheus: 28 + enabled: true 29 + servicemonitor: 30 + enabled: true
+5
bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+1
bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/.mjfilter.py
··· 1 + main = lambda data: data.get("bootstrap_cloudflare", {}).get("enabled", False) == True
+39
bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml.j2
··· 1 + apiVersion: cert-manager.io/v1 2 + kind: ClusterIssuer 3 + metadata: 4 + name: letsencrypt-production 5 + spec: 6 + acme: 7 + server: https://acme-v02.api.letsencrypt.org/directory 8 + email: "${SECRET_ACME_EMAIL}" 9 + privateKeySecretRef: 10 + name: letsencrypt-production 11 + solvers: 12 + - dns01: 13 + cloudflare: 14 + apiTokenSecretRef: 15 + name: cert-manager-secret 16 + key: api-token 17 + selector: 18 + dnsZones: 19 + - "${SECRET_DOMAIN}" 20 + --- 21 + apiVersion: cert-manager.io/v1 22 + kind: ClusterIssuer 23 + metadata: 24 + name: letsencrypt-staging 25 + spec: 26 + acme: 27 + server: https://acme-staging-v02.api.letsencrypt.org/directory 28 + email: "${SECRET_ACME_EMAIL}" 29 + privateKeySecretRef: 30 + name: letsencrypt-staging 31 + solvers: 32 + - dns01: 33 + cloudflare: 34 + apiTokenSecretRef: 35 + name: cert-manager-secret 36 + key: api-token 37 + selector: 38 + dnsZones: 39 + - "${SECRET_DOMAIN}"
+6
bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./secret.sops.yaml 6 + - ./issuers.yaml
+7
bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Secret 4 + metadata: 5 + name: cert-manager-secret 6 + stringData: 7 + api-token: "#{ bootstrap_cloudflare.token }#"
+44
bootstrap/templates/kubernetes/apps/cert-manager/cert-manager/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app cert-manager 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: cert-manager 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/cert-manager/cert-manager/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: true 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m 21 + #% if bootstrap_cloudflare.enabled %# 22 + --- 23 + apiVersion: kustomize.toolkit.fluxcd.io/v1 24 + kind: Kustomization 25 + metadata: 26 + name: &app cert-manager-issuers 27 + namespace: flux-system 28 + spec: 29 + targetNamespace: cert-manager 30 + commonMetadata: 31 + labels: 32 + app.kubernetes.io/name: *app 33 + dependsOn: 34 + - name: cert-manager 35 + path: ./kubernetes/apps/cert-manager/cert-manager/issuers 36 + prune: true 37 + sourceRef: 38 + kind: GitRepository 39 + name: home-kubernetes 40 + wait: true 41 + interval: 30m 42 + retryInterval: 1m 43 + timeout: 5m 44 + #% endif %#
+6
bootstrap/templates/kubernetes/apps/cert-manager/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./namespace.yaml 6 + - ./cert-manager/ks.yaml
+7
bootstrap/templates/kubernetes/apps/cert-manager/namespace.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Namespace 4 + metadata: 5 + name: cert-manager 6 + labels: 7 + kustomize.toolkit.fluxcd.io/prune: disabled
+6
bootstrap/templates/kubernetes/apps/flux-system/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./namespace.yaml 6 + - ./webhooks/ks.yaml
+7
bootstrap/templates/kubernetes/apps/flux-system/namespace.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Namespace 4 + metadata: 5 + name: flux-system 6 + labels: 7 + kustomize.toolkit.fluxcd.io/prune: disabled
+22
bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/ingress.yaml.j2
··· 1 + #% if bootstrap_cloudflare.enabled %# 2 + --- 3 + apiVersion: networking.k8s.io/v1 4 + kind: Ingress 5 + metadata: 6 + name: flux-webhook 7 + annotations: 8 + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" 9 + spec: 10 + ingressClassName: external 11 + rules: 12 + - host: "flux-webhook.${SECRET_DOMAIN}" 13 + http: 14 + paths: 15 + - path: /hook/ 16 + pathType: Prefix 17 + backend: 18 + service: 19 + name: webhook-receiver 20 + port: 21 + number: 80 22 + #% endif %#
+9
bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./secret.sops.yaml 6 + #% if bootstrap_cloudflare.enabled %# 7 + - ./ingress.yaml 8 + #% endif %# 9 + - ./receiver.yaml
+25
bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/receiver.yaml.j2
··· 1 + --- 2 + apiVersion: notification.toolkit.fluxcd.io/v1 3 + kind: Receiver 4 + metadata: 5 + name: github-receiver 6 + spec: 7 + type: github 8 + events: 9 + - ping 10 + - push 11 + secretRef: 12 + name: github-webhook-token-secret 13 + resources: 14 + - apiVersion: source.toolkit.fluxcd.io/v1 15 + kind: GitRepository 16 + name: home-kubernetes 17 + namespace: flux-system 18 + - apiVersion: kustomize.toolkit.fluxcd.io/v1 19 + kind: Kustomization 20 + name: cluster 21 + namespace: flux-system 22 + - apiVersion: kustomize.toolkit.fluxcd.io/v1 23 + kind: Kustomization 24 + name: cluster-apps 25 + namespace: flux-system
+7
bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Secret 4 + metadata: 5 + name: github-webhook-token-secret 6 + stringData: 7 + token: "#{ bootstrap_github_webhook_token }#"
+5
bootstrap/templates/kubernetes/apps/flux-system/webhooks/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./github
+20
bootstrap/templates/kubernetes/apps/flux-system/webhooks/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app flux-webhooks 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: flux-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/flux-system/webhooks/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: true 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+68
bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helm-values.yaml.j2
··· 1 + --- 2 + autoDirectNodeRoutes: true 3 + #% if bootstrap_bgp.enabled %# 4 + bgpControlPlane: 5 + enabled: true 6 + #% endif %# 7 + bpf: 8 + masquerade: false # Required for Talos `.machine.features.hostDNS.forwardKubeDNSToHost` 9 + cgroup: 10 + automount: 11 + enabled: false 12 + hostRoot: /sys/fs/cgroup 13 + cluster: 14 + id: 1 15 + name: "#{ bootstrap_cluster_name|default('home-kubernetes', true) }#" 16 + cni: 17 + exclusive: false 18 + # NOTE: devices might need to be set if you have more than one active NIC on your hosts 19 + # devices: eno+ eth+ 20 + endpointRoutes: 21 + enabled: true 22 + hubble: 23 + enabled: false 24 + ipam: 25 + mode: kubernetes 26 + ipv4NativeRoutingCIDR: "#{ bootstrap_pod_network.split(',')[0] }#" 27 + #% if bootstrap_feature_gates.dual_stack_ipv4_first %# 28 + ipv6NativeRoutingCIDR: "#{ bootstrap_pod_network.split(',')[1] }#" 29 + ipv6: 30 + enabled: true 31 + #% endif %# 32 + k8sServiceHost: 127.0.0.1 33 + k8sServicePort: 7445 34 + kubeProxyReplacement: true 35 + kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 36 + l2announcements: 37 + #% if ((bootstrap_bgp.enabled) or (bootstrap_feature_gates.dual_stack_ipv4_first)) %# 38 + enabled: false # https://github.com/cilium/cilium/issues/28985 39 + #% else %# 40 + enabled: true 41 + #% endif %# 42 + loadBalancer: 43 + algorithm: maglev 44 + mode: snat 45 + localRedirectPolicy: true 46 + operator: 47 + replicas: 1 48 + rollOutPods: true 49 + rollOutCiliumPods: true 50 + routingMode: native 51 + securityContext: 52 + capabilities: 53 + ciliumAgent: 54 + - CHOWN 55 + - KILL 56 + - NET_ADMIN 57 + - NET_RAW 58 + - IPC_LOCK 59 + - SYS_ADMIN 60 + - SYS_RESOURCE 61 + - DAC_OVERRIDE 62 + - FOWNER 63 + - SETGID 64 + - SETUID 65 + cleanCiliumState: 66 + - NET_ADMIN 67 + - SYS_ADMIN 68 + - SYS_RESOURCE
+76
bootstrap/templates/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: cilium 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: cilium 11 + version: 1.15.6 12 + sourceRef: 13 + kind: HelmRepository 14 + name: cilium 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + valuesFrom: 24 + - kind: ConfigMap 25 + name: cilium-helm-values 26 + values: 27 + #% if bootstrap_cloudflare.enabled %# 28 + hubble: 29 + enabled: true 30 + metrics: 31 + enabled: 32 + - dns:query 33 + - drop 34 + - tcp 35 + - flow 36 + - port-distribution 37 + - icmp 38 + - http 39 + serviceMonitor: 40 + enabled: true 41 + dashboards: 42 + enabled: true 43 + annotations: 44 + grafana_folder: Cilium 45 + relay: 46 + enabled: true 47 + rollOutPods: true 48 + prometheus: 49 + serviceMonitor: 50 + enabled: true 51 + ui: 52 + enabled: true 53 + rollOutPods: true 54 + ingress: 55 + enabled: true 56 + className: internal 57 + hosts: ["hubble.${SECRET_DOMAIN}"] 58 + #% endif %# 59 + operator: 60 + prometheus: 61 + enabled: true 62 + serviceMonitor: 63 + enabled: true 64 + dashboards: 65 + enabled: true 66 + annotations: 67 + grafana_folder: Cilium 68 + prometheus: 69 + enabled: true 70 + serviceMonitor: 71 + enabled: true 72 + trustCRDsExist: true 73 + dashboards: 74 + enabled: true 75 + annotations: 76 + grafana_folder: Cilium
+11
bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml 6 + configMapGenerator: 7 + - name: cilium-helm-values 8 + files: 9 + - values.yaml=./helm-values.yaml 10 + configurations: 11 + - kustomizeconfig.yaml
+7
bootstrap/templates/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml.j2
··· 1 + --- 2 + nameReference: 3 + - kind: ConfigMap 4 + version: v1 5 + fieldSpecs: 6 + - path: spec/valuesFrom/name 7 + kind: HelmRelease
+26
bootstrap/templates/kubernetes/apps/kube-system/cilium/config/cilium-l2.yaml.j2
··· 1 + #% if ((not bootstrap_bgp.enabled) and (not bootstrap_feature_gates.dual_stack_ipv4_first)) %# 2 + --- 3 + # https://docs.cilium.io/en/latest/network/l2-announcements 4 + apiVersion: cilium.io/v2alpha1 5 + kind: CiliumL2AnnouncementPolicy 6 + metadata: 7 + name: l2-policy 8 + spec: 9 + loadBalancerIPs: true 10 + # NOTE: interfaces might need to be set if you have more than one active NIC on your hosts 11 + # interfaces: 12 + # - ^eno[0-9]+ 13 + # - ^eth[0-9]+ 14 + nodeSelector: 15 + matchLabels: 16 + kubernetes.io/os: linux 17 + --- 18 + apiVersion: cilium.io/v2alpha1 19 + kind: CiliumLoadBalancerIPPool 20 + metadata: 21 + name: l2-pool 22 + spec: 23 + allowFirstLastIPs: "Yes" 24 + blocks: 25 + - cidr: "#{ bootstrap_node_network }#" 26 + #% endif %#
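Review bot: `l2-pool` hands Cilium the whole of `bootstrap_node_network` as LoadBalancer address space, with `allowFirstLastIPs: "Yes"`, so an assigned service IP can collide with a node address, the gateway or a DHCP lease on the same segment; Cilium has no view of those and will announce the conflicting IP via ARP. A dedicated sub-range (or a separate variable for the pool) with a comment that it must be excluded from DHCP avoids that. Whether `bootstrap_node_network` is already reserved that way cannot be determined from this commit.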
+41
bootstrap/templates/kubernetes/apps/kube-system/cilium/config/cilium-l3.yaml.j2
··· 1 + #% if bootstrap_bgp.enabled %# 2 + --- 3 + # https://docs.cilium.io/en/latest/network/bgp-control-plane/ 4 + apiVersion: cilium.io/v2alpha1 5 + kind: CiliumBGPPeeringPolicy 6 + metadata: 7 + name: l3-policy 8 + spec: 9 + nodeSelector: 10 + matchLabels: 11 + kubernetes.io/os: linux 12 + virtualRouters: 13 + - localASN: #{ bootstrap_bgp.local_asn }# 14 + neighbors: 15 + #% if bootstrap_bgp.peers %# 16 + #% for item in bootstrap_bgp.peers %# 17 + - peerAddress: "#{ item }#/32" 18 + peerASN: #{ bootstrap_bgp.peer_asn }# 19 + peerPort: #{ bootstrap_bgp.peer_port | default(179) }# 20 + #% endfor %# 21 + #% else %# 22 + #% if bootstrap_node_default_gateway %# 23 + - peerAddress: "#{ bootstrap_node_default_gateway }#/32" 24 + #% else %# 25 + - peerAddress: "#{ bootstrap_node_network | nthhost(1) }#/32" 26 + #% endif %# 27 + peerASN: #{ bootstrap_bgp.peer_asn }# 28 + #% endif %# 29 + serviceSelector: 30 + matchExpressions: 31 + - {key: somekey, operator: NotIn, values: ['never-used-value']} 32 + --- 33 + apiVersion: cilium.io/v2alpha1 34 + kind: CiliumLoadBalancerIPPool 35 + metadata: 36 + name: l3-pool 37 + spec: 38 + allowFirstLastIPs: "Yes" 39 + blocks: 40 + - cidr: "#{ bootstrap_bgp.advertised_network }#" 41 + #% endif %#
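Review bot: The two neighbor branches are not parallel: the `for item in bootstrap_bgp.peers` branch emits `peerPort: #{ bootstrap_bgp.peer_port | default(179) }#`, while the fallback branch (default gateway or `nthhost(1)`) omits `peerPort`, so a configured `bootstrap_bgp.peer_port` is silently ignored whenever no explicit peers are listed. Adding the same `peerPort` line after `peerASN` in the else branch keeps both paths honouring the variable. Neither branch configures session authentication; if I recall the CRD correctly the neighbor's `authSecretRef` is where a TCP-MD5 secret goes, and if the peer does not support it a comment noting that the sessions are unauthenticated helps an operator judge the peering.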
+11
bootstrap/templates/kubernetes/apps/kube-system/cilium/config/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + #% if bootstrap_bgp.enabled %# 6 + - ./cilium-l3.yaml 7 + #% elif not bootstrap_feature_gates.dual_stack_ipv4_first %# 8 + - ./cilium-l2.yaml 9 + #% else %# 10 + [] 11 + #% endif %#
+42
bootstrap/templates/kubernetes/apps/kube-system/cilium/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app cilium 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: kube-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/kube-system/cilium/app 13 + prune: false # never should be deleted 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: true 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m 21 + --- 22 + apiVersion: kustomize.toolkit.fluxcd.io/v1 23 + kind: Kustomization 24 + metadata: 25 + name: &app cilium-config 26 + namespace: flux-system 27 + spec: 28 + targetNamespace: kube-system 29 + commonMetadata: 30 + labels: 31 + app.kubernetes.io/name: *app 32 + dependsOn: 33 + - name: cilium 34 + path: ./kubernetes/apps/kube-system/cilium/config 35 + prune: false # never should be deleted 36 + sourceRef: 37 + kind: GitRepository 38 + name: home-kubernetes 39 + wait: false 40 + interval: 30m 41 + retryInterval: 1m 42 + timeout: 5m
+50
bootstrap/templates/kubernetes/apps/kube-system/coredns/app/helm-values.yaml.j2
··· 1 + --- 2 + fullnameOverride: coredns 3 + k8sAppLabelOverride: kube-dns 4 + serviceAccount: 5 + create: true 6 + service: 7 + name: kube-dns 8 + clusterIP: "#{ bootstrap_service_network | nthhost(10) }#" 9 + servers: 10 + - zones: 11 + - zone: . 12 + scheme: dns:// 13 + use_tcp: true 14 + port: 53 15 + plugins: 16 + - name: errors 17 + - name: health 18 + configBlock: |- 19 + lameduck 5s 20 + - name: ready 21 + - name: log 22 + configBlock: |- 23 + class error 24 + - name: prometheus 25 + parameters: 0.0.0.0:9153 26 + - name: kubernetes 27 + parameters: cluster.local in-addr.arpa ip6.arpa 28 + configBlock: |- 29 + pods insecure 30 + fallthrough in-addr.arpa ip6.arpa 31 + - name: forward 32 + parameters: . /etc/resolv.conf 33 + - name: cache 34 + parameters: 30 35 + - name: loop 36 + - name: reload 37 + - name: loadbalance 38 + affinity: 39 + nodeAffinity: 40 + requiredDuringSchedulingIgnoredDuringExecution: 41 + nodeSelectorTerms: 42 + - matchExpressions: 43 + - key: node-role.kubernetes.io/control-plane 44 + operator: Exists 45 + tolerations: 46 + - key: CriticalAddonsOnly 47 + operator: Exists 48 + - key: node-role.kubernetes.io/control-plane 49 + operator: Exists 50 + effect: NoSchedule
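Review bot: The `kubernetes` plugin block uses `pods insecure`, which answers pod A/AAAA queries for any address in the pod CIDR without checking that such a pod exists; `pods verified` only returns records for pods actually present in the namespace, at the cost of CoreDNS watching Pods. `pods insecure` is the kubeadm default and may be kept deliberately for compatibility, so either switch to `pods verified` or add `# insecure kept for kubeadm compatibility; see "pods verified"` above it so the choice is recorded rather than inherited.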
+26
bootstrap/templates/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: coredns 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: coredns 11 + version: 1.31.0 12 + sourceRef: 13 + kind: HelmRepository 14 + name: coredns 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + strategy: rollback 23 + retries: 3 24 + valuesFrom: 25 + - kind: ConfigMap 26 + name: coredns-helm-values
+11
bootstrap/templates/kubernetes/apps/kube-system/coredns/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml 6 + configMapGenerator: 7 + - name: coredns-helm-values 8 + files: 9 + - values.yaml=./helm-values.yaml 10 + configurations: 11 + - kustomizeconfig.yaml
+7
bootstrap/templates/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml.j2
··· 1 + --- 2 + nameReference: 3 + - kind: ConfigMap 4 + version: v1 5 + fieldSpecs: 6 + - path: spec/valuesFrom/name 7 + kind: HelmRelease
+20
bootstrap/templates/kubernetes/apps/kube-system/coredns/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app coredns 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: kube-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/kube-system/coredns/app 13 + prune: false # never should be deleted 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+3
bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml.j2
··· 1 + --- 2 + providerRegex: ^(#{ (bootstrap_node_inventory | map(attribute='name') | join('|')) }#)$ 3 + bypassDnsResolution: true
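Review bot: `providerRegex` is built by joining the raw node names from `bootstrap_node_inventory` with `|`, and the names are not regex-escaped, so a name containing `.` (for example a FQDN-style node name) turns into a wildcard that also matches other names of the same length, widening which kubelet serving CSRs are auto-approved. Escaping in the template, e.g. `map('replace', '.', '\\.')` before the `join`, keeps the anchored alternation literal. With `bypassDnsResolution: true` the approver also skips resolving the requested hostname to the node's address, so the regex and any `providerIpPrefixes` setting are the only remaining controls; a one-line comment explaining why DNS resolution is bypassed (presumably no internal DNS for node names at bootstrap) would help the next reader.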
+30
bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: kubelet-csr-approver 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: kubelet-csr-approver 11 + version: 1.2.2 12 + sourceRef: 13 + kind: HelmRepository 14 + name: postfinance 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + valuesFrom: 24 + - kind: ConfigMap 25 + name: kubelet-csr-approver-helm-values 26 + values: 27 + metrics: 28 + enable: true 29 + serviceMonitor: 30 + enabled: true
+11
bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml 6 + configMapGenerator: 7 + - name: kubelet-csr-approver-helm-values 8 + files: 9 + - values.yaml=./helm-values.yaml 10 + configurations: 11 + - kustomizeconfig.yaml
+7
bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml.j2
··· 1 + --- 2 + nameReference: 3 + - kind: ConfigMap 4 + version: v1 5 + fieldSpecs: 6 + - path: spec/valuesFrom/name 7 + kind: HelmRelease
+20
bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app kubelet-csr-approver 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: kube-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/kube-system/kubelet-csr-approver/app 13 + prune: false # never should be deleted 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+11
bootstrap/templates/kubernetes/apps/kube-system/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./namespace.yaml 6 + - ./cilium/ks.yaml 7 + - ./coredns/ks.yaml 8 + - ./metrics-server/ks.yaml 9 + - ./reloader/ks.yaml 10 + - ./kubelet-csr-approver/ks.yaml 11 + - ./spegel/ks.yaml
+31
bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: metrics-server 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: metrics-server 11 + version: 3.12.1 12 + sourceRef: 13 + kind: HelmRepository 14 + name: metrics-server 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + values: 24 + args: 25 + - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 26 + - --kubelet-use-node-status-port 27 + - --metric-resolution=15s 28 + metrics: 29 + enabled: true 30 + serviceMonitor: 31 + enabled: true
+5
bootstrap/templates/kubernetes/apps/kube-system/metrics-server/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+20
bootstrap/templates/kubernetes/apps/kube-system/metrics-server/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app metrics-server 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: kube-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/kube-system/metrics-server/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
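Review bot: This Kustomization has no `dependsOn`, yet the metrics-server HelmRelease in this commit runs without `--kubelet-insecure-tls`, so scraping only succeeds once kubelet serving certificates have been issued, and the only component in this commit that approves those CSRs is kubelet-csr-approver. Without an ordering hint metrics-server reports failed scrapes and stays unready until the approver is running and `retryInterval: 1m` eventually recovers it; `dependsOn: [{ name: kubelet-csr-approver }]` makes the dependency explicit and avoids the noisy failed reconciles. This is inferred from the two releases together rather than from this file alone.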
+7
bootstrap/templates/kubernetes/apps/kube-system/namespace.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Namespace 4 + metadata: 5 + name: kube-system 6 + labels: 7 + kustomize.toolkit.fluxcd.io/prune: disabled
+29
bootstrap/templates/kubernetes/apps/kube-system/reloader/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: reloader 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: reloader 11 + version: 1.0.115 12 + sourceRef: 13 + kind: HelmRepository 14 + name: stakater 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + values: 24 + fullnameOverride: reloader 25 + reloader: 26 + readOnlyRootFileSystem: true 27 + podMonitor: 28 + enabled: true 29 + namespace: "{{ .Release.Namespace }}"
+5
bootstrap/templates/kubernetes/apps/kube-system/reloader/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+20
bootstrap/templates/kubernetes/apps/kube-system/reloader/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app reloader 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: kube-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/kube-system/reloader/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+7
bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helm-values.yaml.j2
··· 1 + --- 2 + spegel: 3 + containerdSock: /run/containerd/containerd.sock 4 + containerdRegistryConfigPath: /etc/cri/conf.d/hosts 5 + service: 6 + registry: 7 + hostPort: 29999
+30
bootstrap/templates/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: spegel 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: spegel 11 + version: v0.0.23 12 + sourceRef: 13 + kind: HelmRepository 14 + name: spegel 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + valuesFrom: 24 + - kind: ConfigMap 25 + name: spegel-helm-values 26 + values: 27 + grafanaDashboard: 28 + enabled: true 29 + serviceMonitor: 30 + enabled: true
+11
bootstrap/templates/kubernetes/apps/kube-system/spegel/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml 6 + configMapGenerator: 7 + - name: spegel-helm-values 8 + files: 9 + - values.yaml=./helm-values.yaml 10 + configurations: 11 + - kustomizeconfig.yaml
+7
bootstrap/templates/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml.j2
··· 1 + --- 2 + nameReference: 3 + - kind: ConfigMap 4 + version: v1 5 + fieldSpecs: 6 + - path: spec/valuesFrom/name 7 + kind: HelmRelease
+20
bootstrap/templates/kubernetes/apps/kube-system/spegel/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app spegel 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: kube-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/kube-system/spegel/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+1
bootstrap/templates/kubernetes/apps/network/.mjfilter.py
··· 1 + main = lambda data: data.get("bootstrap_cloudflare", {}).get("enabled", False) == True
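Review bot: `== True` at the end of the expression is the non-idiomatic comparison linters flag (E712); if only a literal boolean `true` is meant to enable this directory, `is True` says so, and if any truthy value should count, `bool(...)` does. The expression also assumes `bootstrap_cloudflare` is a mapping: a config with the key present but empty (`bootstrap_cloudflare:`) yields `None` and the second `.get` raises instead of disabling the directory. `main = lambda data: (data.get("bootstrap_cloudflare") or {}).get("enabled", False) is True` covers both cases.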
+10
bootstrap/templates/kubernetes/apps/network/cloudflared/app/configs/config.yaml.j2
··· 1 + --- 2 + originRequest: 3 + originServerName: "external.${SECRET_DOMAIN}" 4 + 5 + ingress: 6 + - hostname: "${SECRET_DOMAIN}" 7 + service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 8 + - hostname: "*.${SECRET_DOMAIN}" 9 + service: https://ingress-nginx-external-controller.network.svc.cluster.local:443 10 + - service: http_status:404
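Review bot: `originServerName: external.${SECRET_DOMAIN}` makes cloudflared verify the certificate presented by `ingress-nginx-external-controller` against that name, which is the right setting, but the ingress default certificate in this commit is issued by `letsencrypt-staging` unless `bootstrap_cloudflare.acme.production` is set, and the staging root is not in cloudflared's trust store, so tunnel requests will fail origin TLS verification in staging mode. Either record this here, e.g. `# staging ACME certs are not trusted by cloudflared; origin TLS errors are expected until acme.production is enabled`, or supply the staging root through `originRequest.caPool` for that mode; avoid `noTLSVerify`, which disables origin verification entirely. The certificate selection is inferred from the ingress-nginx external HelmRelease elsewhere in this commit.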
+10
bootstrap/templates/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml.j2
··· 1 + --- 2 + apiVersion: externaldns.k8s.io/v1alpha1 3 + kind: DNSEndpoint 4 + metadata: 5 + name: cloudflared 6 + spec: 7 + endpoints: 8 + - dnsName: "external.${SECRET_DOMAIN}" 9 + recordType: CNAME 10 + targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
+109
bootstrap/templates/kubernetes/apps/network/cloudflared/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: cloudflared 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: app-template 11 + version: 3.2.1 12 + sourceRef: 13 + kind: HelmRepository 14 + name: bjw-s 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + values: 24 + controllers: 25 + cloudflared: 26 + strategy: RollingUpdate 27 + annotations: 28 + reloader.stakater.com/auto: "true" 29 + containers: 30 + app: 31 + image: 32 + repository: docker.io/cloudflare/cloudflared 33 + tag: 2024.6.1 34 + env: 35 + NO_AUTOUPDATE: true 36 + TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json 37 + TUNNEL_METRICS: 0.0.0.0:8080 38 + TUNNEL_ORIGIN_ENABLE_HTTP2: true 39 + TUNNEL_TRANSPORT_PROTOCOL: quic 40 + TUNNEL_POST_QUANTUM: true 41 + TUNNEL_ID: 42 + valueFrom: 43 + secretKeyRef: 44 + name: cloudflared-secret 45 + key: TUNNEL_ID 46 + args: 47 + - tunnel 48 + - --config 49 + - /etc/cloudflared/config/config.yaml 50 + - run 51 + - "$(TUNNEL_ID)" 52 + probes: 53 + liveness: &probes 54 + enabled: true 55 + custom: true 56 + spec: 57 + httpGet: 58 + path: /ready 59 + port: &port 8080 60 + initialDelaySeconds: 0 61 + periodSeconds: 10 62 + timeoutSeconds: 1 63 + failureThreshold: 3 64 + readiness: *probes 65 + securityContext: 66 + allowPrivilegeEscalation: false 67 + readOnlyRootFilesystem: true 68 + capabilities: { drop: ["ALL"] } 69 + resources: 70 + requests: 71 + cpu: 10m 72 + limits: 73 + memory: 256Mi 74 + defaultPodOptions: 75 + securityContext: 76 + runAsNonRoot: true 77 + runAsUser: 65534 78 + runAsGroup: 65534 79 + seccompProfile: { type: RuntimeDefault } 80 + service: 81 + app: 82 + controller: cloudflared 83 + ports: 84 + http: 85 + port: *port 86 + serviceMonitor: 87 + app: 88 + serviceName: cloudflared 89 + endpoints: 90 + - port: http 91 + scheme: http 92 + path: /metrics 93 + interval: 1m 94 + 
scrapeTimeout: 10s 95 + persistence: 96 + config: 97 + type: configMap 98 + name: cloudflared-configmap 99 + globalMounts: 100 + - path: /etc/cloudflared/config/config.yaml 101 + subPath: config.yaml 102 + readOnly: true 103 + creds: 104 + type: secret 105 + name: cloudflared-secret 106 + globalMounts: 107 + - path: /etc/cloudflared/creds/credentials.json 108 + subPath: credentials.json 109 + readOnly: true
+13
bootstrap/templates/kubernetes/apps/network/cloudflared/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./dnsendpoint.yaml 6 + - ./secret.sops.yaml 7 + - ./helmrelease.yaml 8 + configMapGenerator: 9 + - name: cloudflared-configmap 10 + files: 11 + - ./configs/config.yaml 12 + generatorOptions: 13 + disableNameSuffixHash: true
+13
bootstrap/templates/kubernetes/apps/network/cloudflared/app/secret.sops.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Secret 4 + metadata: 5 + name: cloudflared-secret 6 + stringData: 7 + TUNNEL_ID: "#{ bootstrap_cloudflare.tunnel.id }#" 8 + credentials.json: | 9 + { 10 + "AccountTag": "#{ bootstrap_cloudflare.tunnel.account_id }#", 11 + "TunnelSecret": "#{ bootstrap_cloudflare.tunnel.secret }#", 12 + "TunnelID": "#{ bootstrap_cloudflare.tunnel.id }#" 13 + }
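Review bot: `credentials.json` is assembled by splicing `bootstrap_cloudflare.tunnel.secret`, `account_id` and `id` into a hand-written JSON literal, so any `"` or `\` in those values produces invalid JSON that cloudflared rejects at startup, and nothing in the template validates them. Jinja's `tojson` filter emits a correctly quoted string, e.g. `"TunnelSecret": #{ bootstrap_cloudflare.tunnel.secret | tojson }#`; the same applies to `api-token: "#{ bootstrap_cloudflare.token }#"` in the external-dns secret in this commit, where a quote in the token breaks the YAML. Both rendered files hold live credentials in plaintext until sops encrypts them; the `.sops.yaml` suffix signals the intent, but a `# must be encrypted with sops before commit` comment at the top makes the expectation visible in the rendered output.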
+22
bootstrap/templates/kubernetes/apps/network/cloudflared/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app cloudflared 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: network 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + dependsOn: 13 + - name: external-dns 14 + path: ./kubernetes/apps/network/cloudflared/app 15 + prune: true 16 + sourceRef: 17 + kind: GitRepository 18 + name: home-kubernetes 19 + wait: false 20 + interval: 30m 21 + retryInterval: 1m 22 + timeout: 5m
+91
bootstrap/templates/kubernetes/apps/network/echo-server/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: echo-server 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: app-template 11 + version: 3.2.1 12 + sourceRef: 13 + kind: HelmRepository 14 + name: bjw-s 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + values: 24 + controllers: 25 + echo-server: 26 + strategy: RollingUpdate 27 + containers: 28 + app: 29 + image: 30 + repository: ghcr.io/mendhak/http-https-echo 31 + tag: 33 32 + env: 33 + HTTP_PORT: &port 8080 34 + LOG_WITHOUT_NEWLINE: true 35 + LOG_IGNORE_PATH: /healthz 36 + PROMETHEUS_ENABLED: true 37 + probes: 38 + liveness: &probes 39 + enabled: true 40 + custom: true 41 + spec: 42 + httpGet: 43 + path: /healthz 44 + port: *port 45 + initialDelaySeconds: 0 46 + periodSeconds: 10 47 + timeoutSeconds: 1 48 + failureThreshold: 3 49 + readiness: *probes 50 + securityContext: 51 + allowPrivilegeEscalation: false 52 + readOnlyRootFilesystem: true 53 + capabilities: { drop: ["ALL"] } 54 + resources: 55 + requests: 56 + cpu: 10m 57 + limits: 58 + memory: 64Mi 59 + defaultPodOptions: 60 + securityContext: 61 + runAsNonRoot: true 62 + runAsUser: 65534 63 + runAsGroup: 65534 64 + seccompProfile: { type: RuntimeDefault } 65 + service: 66 + app: 67 + controller: echo-server 68 + ports: 69 + http: 70 + port: *port 71 + serviceMonitor: 72 + app: 73 + serviceName: echo-server 74 + endpoints: 75 + - port: http 76 + scheme: http 77 + path: /metrics 78 + interval: 1m 79 + scrapeTimeout: 10s 80 + ingress: 81 + app: 82 + className: external 83 + annotations: 84 + external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}" 85 + hosts: 86 + - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" 87 + paths: 88 + - path: / 89 + service: 90 + identifier: app 91 + port: http
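Review bot: `ingress.app.className: external` together with the `external-dns.alpha.kubernetes.io/target` annotation publishes echo-server on the internet through the Cloudflare tunnel, and http-https-echo reflects every request header back to the caller, including the `X-Forwarded-*` and `CF-*` headers the ingress adds and the pod's own view of internal addresses. That is useful as a one-time connectivity check, but the file gives no hint that it is meant to be temporary; a `# test app: remove or switch to className: internal once the tunnel is verified` comment next to `className: external` records that intent for whoever inherits the cluster.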
+5
bootstrap/templates/kubernetes/apps/network/echo-server/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+20
bootstrap/templates/kubernetes/apps/network/echo-server/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app echo-server 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: network 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/network/echo-server/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+48
bootstrap/templates/kubernetes/apps/network/external-dns/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: &app external-dns 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: external-dns 11 + version: 1.14.5 12 + sourceRef: 13 + kind: HelmRepository 14 + name: external-dns 15 + namespace: flux-system 16 + install: 17 + crds: CreateReplace 18 + remediation: 19 + retries: 3 20 + upgrade: 21 + cleanupOnFail: true 22 + crds: CreateReplace 23 + remediation: 24 + strategy: rollback 25 + retries: 3 26 + values: 27 + fullnameOverride: *app 28 + provider: cloudflare 29 + env: 30 + - name: CF_API_TOKEN 31 + valueFrom: 32 + secretKeyRef: 33 + name: external-dns-secret 34 + key: api-token 35 + extraArgs: 36 + - --ingress-class=external 37 + - --cloudflare-proxied 38 + - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 39 + - --crd-source-kind=DNSEndpoint 40 + policy: sync 41 + sources: ["crd", "ingress"] 42 + txtPrefix: k8s. 43 + txtOwnerId: default 44 + domainFilters: ["${SECRET_DOMAIN}"] 45 + serviceMonitor: 46 + enabled: true 47 + podAnnotations: 48 + secret.reloader.stakater.com/reload: external-dns-secret
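Review bot: `txtOwnerId: default` combined with `policy: sync` means this instance creates, updates and deletes records in `${SECRET_DOMAIN}` that carry the `k8s.`-prefixed TXT ownership marker with owner `default`; a second cluster, or a previous installation in the same zone, using the same owner id would treat each other's records as its own and delete them. A per-cluster value derived from the bootstrap variables, or at minimum a `# this zone must be managed by exactly one external-dns instance` comment, avoids that. The `CF_API_TOKEN` wiring via `secretKeyRef` is fine; the token's scope (single zone, DNS edit only) is what bounds the blast radius and is worth stating in a comment on the `env` entry.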
+6
bootstrap/templates/kubernetes/apps/network/external-dns/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./secret.sops.yaml 6 + - ./helmrelease.yaml
+7
bootstrap/templates/kubernetes/apps/network/external-dns/app/secret.sops.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Secret 4 + metadata: 5 + name: external-dns-secret 6 + stringData: 7 + api-token: "#{ bootstrap_cloudflare.token }#"
+20
bootstrap/templates/kubernetes/apps/network/external-dns/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app external-dns 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: network 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/network/external-dns/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: true 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+8
bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./staging.yaml 6 + #% if bootstrap_cloudflare.acme.production %# 7 + - ./production.yaml 8 + #% endif %#
+14
bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/production.yaml.j2
··· 1 + --- 2 + apiVersion: cert-manager.io/v1 3 + kind: Certificate 4 + metadata: 5 + name: "${SECRET_DOMAIN/./-}-production" 6 + spec: 7 + secretName: "${SECRET_DOMAIN/./-}-production-tls" 8 + issuerRef: 9 + name: letsencrypt-production 10 + kind: ClusterIssuer 11 + commonName: "${SECRET_DOMAIN}" 12 + dnsNames: 13 + - "${SECRET_DOMAIN}" 14 + - "*.${SECRET_DOMAIN}"
+14
bootstrap/templates/kubernetes/apps/network/ingress-nginx/certificates/staging.yaml.j2
··· 1 + --- 2 + apiVersion: cert-manager.io/v1 3 + kind: Certificate 4 + metadata: 5 + name: "${SECRET_DOMAIN/./-}-staging" 6 + spec: 7 + secretName: "${SECRET_DOMAIN/./-}-staging-tls" 8 + issuerRef: 9 + name: letsencrypt-staging 10 + kind: ClusterIssuer 11 + commonName: "${SECRET_DOMAIN}" 12 + dnsNames: 13 + - "${SECRET_DOMAIN}" 14 + - "*.${SECRET_DOMAIN}"
+79
bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: ingress-nginx-external 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: ingress-nginx 11 + version: 4.10.1 12 + sourceRef: 13 + kind: HelmRepository 14 + name: ingress-nginx 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + dependsOn: 24 + - name: cloudflared 25 + namespace: network 26 + values: 27 + fullnameOverride: ingress-nginx-external 28 + controller: 29 + service: 30 + annotations: 31 + external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_DOMAIN}" 32 + io.cilium/lb-ipam-ips: "#{ bootstrap_cloudflare.tunnel.ingress_vip }#" 33 + externalTrafficPolicy: Cluster 34 + ingressClassResource: 35 + name: external 36 + default: false 37 + controllerValue: k8s.io/external 38 + admissionWebhooks: 39 + objectSelector: 40 + matchExpressions: 41 + - key: ingress-class 42 + operator: In 43 + values: ["external"] 44 + config: 45 + client-body-buffer-size: 100M 46 + client-body-timeout: 120 47 + client-header-timeout: 120 48 + enable-brotli: "true" 49 + enable-real-ip: "true" 50 + hsts-max-age: 31449600 51 + keep-alive-requests: 10000 52 + keep-alive: 120 53 + log-format-escape-json: "true" 54 + log-format-upstream: > 55 + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", 56 + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, 57 + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", 58 + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", 59 + "http_user_agent": "$http_user_agent"} 60 + proxy-body-size: 0 61 + proxy-buffer-size: 16k 62 + ssl-protocols: TLSv1.3 TLSv1.2 63 + metrics: 64 + enabled: 
true 65 + serviceMonitor: 66 + enabled: true 67 + namespaceSelector: 68 + any: true 69 + extraArgs: 70 + #% if bootstrap_cloudflare.acme.production %# 71 + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" 72 + #% else %# 73 + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" 74 + #% endif %# 75 + resources: 76 + requests: 77 + cpu: 100m 78 + limits: 79 + memory: 500Mi
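Review bot: `log-format-upstream` records `$proxy_protocol_addr` as `remote_addr`, but nothing in this file enables `use-proxy-protocol`, so that field will be empty; with `enable-real-ip: "true"` and no `use-forwarded-headers`/`forwarded-for-header`, requests arriving through the in-cluster cloudflared pod are attributed to the pod IP and the real client address only exists in the `CF-Connecting-IP` header. If client IPs are wanted for logging or rate limiting, set `forwarded-for-header: CF-Connecting-IP` with `use-forwarded-headers: "true"` and a `proxy-real-ip-cidr` restricted to the range cloudflared connects from, so that a client cannot assert its own address by sending the header. The same `$proxy_protocol_addr` mismatch is present in the internal controller's HelmRelease in this commit.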
+5
bootstrap/templates/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+76
bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: ingress-nginx-internal 6 + namespace: network 7 + spec: 8 + interval: 30m 9 + chart: 10 + spec: 11 + chart: ingress-nginx 12 + version: 4.10.1 13 + sourceRef: 14 + kind: HelmRepository 15 + name: ingress-nginx 16 + namespace: flux-system 17 + install: 18 + remediation: 19 + retries: 3 20 + upgrade: 21 + cleanupOnFail: true 22 + remediation: 23 + retries: 3 24 + values: 25 + fullnameOverride: ingress-nginx-internal 26 + controller: 27 + service: 28 + annotations: 29 + io.cilium/lb-ipam-ips: "#{ bootstrap_cloudflare.ingress_vip }#" 30 + externalTrafficPolicy: Cluster 31 + ingressClassResource: 32 + name: internal 33 + default: true 34 + controllerValue: k8s.io/internal 35 + admissionWebhooks: 36 + objectSelector: 37 + matchExpressions: 38 + - key: ingress-class 39 + operator: In 40 + values: ["internal"] 41 + config: 42 + client-body-buffer-size: 100M 43 + client-body-timeout: 120 44 + client-header-timeout: 120 45 + enable-brotli: "true" 46 + enable-real-ip: "true" 47 + hsts-max-age: 31449600 48 + keep-alive-requests: 10000 49 + keep-alive: 120 50 + log-format-escape-json: "true" 51 + log-format-upstream: > 52 + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", 53 + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, 54 + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", 55 + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", 56 + "http_user_agent": "$http_user_agent"} 57 + proxy-body-size: 0 58 + proxy-buffer-size: 16k 59 + ssl-protocols: TLSv1.3 TLSv1.2 60 + metrics: 61 + enabled: true 62 + serviceMonitor: 63 + enabled: true 64 + namespaceSelector: 65 + any: true 66 + extraArgs: 67 + #% if 
bootstrap_cloudflare.acme.production %# 68 + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-production-tls" 69 + #% else %# 70 + default-ssl-certificate: "network/${SECRET_DOMAIN/./-}-staging-tls" 71 + #% endif %# 72 + resources: 73 + requests: 74 + cpu: 100m 75 + limits: 76 + memory: 500Mi
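Review bot: This HelmRelease carries an explicit `metadata.namespace: network` while every other HelmRelease in this commit leaves the namespace to the Flux Kustomization's `targetNamespace`; the line is redundant because the namespace transformer rewrites it anyway, and dropping it keeps the convention uniform. `ingressClassResource.default: true` makes this controller claim any Ingress that omits `ingressClassName`, which is a sensible default for the internal class; a short `# default class: Ingresses without ingressClassName land here, never on the external controller` comment prevents someone later flipping the external release to default as well.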
+5
bootstrap/templates/kubernetes/apps/network/ingress-nginx/internal/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+66
bootstrap/templates/kubernetes/apps/network/ingress-nginx/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app ingress-nginx-certificates 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: network 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + dependsOn: 13 + - name: cert-manager-issuers 14 + path: ./kubernetes/apps/network/ingress-nginx/certificates 15 + prune: true 16 + sourceRef: 17 + kind: GitRepository 18 + name: home-kubernetes 19 + wait: true 20 + interval: 30m 21 + retryInterval: 1m 22 + timeout: 5m 23 + --- 24 + apiVersion: kustomize.toolkit.fluxcd.io/v1 25 + kind: Kustomization 26 + metadata: 27 + name: &app ingress-nginx-internal 28 + namespace: flux-system 29 + spec: 30 + targetNamespace: network 31 + commonMetadata: 32 + labels: 33 + app.kubernetes.io/name: *app 34 + dependsOn: 35 + - name: ingress-nginx-certificates 36 + path: ./kubernetes/apps/network/ingress-nginx/internal 37 + prune: true 38 + sourceRef: 39 + kind: GitRepository 40 + name: home-kubernetes 41 + wait: false 42 + interval: 30m 43 + retryInterval: 1m 44 + timeout: 5m 45 + --- 46 + apiVersion: kustomize.toolkit.fluxcd.io/v1 47 + kind: Kustomization 48 + metadata: 49 + name: &app ingress-nginx-external 50 + namespace: flux-system 51 + spec: 52 + targetNamespace: network 53 + commonMetadata: 54 + labels: 55 + app.kubernetes.io/name: *app 56 + dependsOn: 57 + - name: ingress-nginx-certificates 58 + path: ./kubernetes/apps/network/ingress-nginx/external 59 + prune: true 60 + sourceRef: 61 + kind: GitRepository 62 + name: home-kubernetes 63 + wait: false 64 + interval: 30m 65 + retryInterval: 1m 66 + timeout: 5m
+33
bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: k8s-gateway 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: k8s-gateway 11 + version: 2.4.0 12 + sourceRef: 13 + kind: HelmRepository 14 + name: k8s-gateway 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + values: 24 + fullnameOverride: k8s-gateway 25 + domain: "${SECRET_DOMAIN}" 26 + ttl: 1 27 + service: 28 + type: LoadBalancer 29 + port: 53 30 + annotations: 31 + io.cilium/lb-ipam-ips: "#{ bootstrap_cloudflare.gateway_vip }#" 32 + externalTrafficPolicy: Cluster 33 + watchedResources: ["Ingress", "Service"]
+5
bootstrap/templates/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+20
bootstrap/templates/kubernetes/apps/network/k8s-gateway/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app k8s-gateway 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: network 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/network/k8s-gateway/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+10
bootstrap/templates/kubernetes/apps/network/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./namespace.yaml 6 + - ./cloudflared/ks.yaml 7 + - ./echo-server/ks.yaml 8 + - ./external-dns/ks.yaml 9 + - ./ingress-nginx/ks.yaml 10 + - ./k8s-gateway/ks.yaml
+7
bootstrap/templates/kubernetes/apps/network/namespace.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Namespace 4 + metadata: 5 + name: network 6 + labels: 7 + kustomize.toolkit.fluxcd.io/prune: disabled
+6
bootstrap/templates/kubernetes/apps/observability/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./namespace.yaml 6 + - ./prometheus-operator-crds/ks.yaml
+7
bootstrap/templates/kubernetes/apps/observability/namespace.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Namespace 4 + metadata: 5 + name: observability 6 + labels: 7 + kustomize.toolkit.fluxcd.io/prune: disabled
+22
bootstrap/templates/kubernetes/apps/observability/prometheus-operator-crds/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: prometheus-operator-crds 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: prometheus-operator-crds 11 + version: 13.0.1 12 + sourceRef: 13 + kind: HelmRepository 14 + name: prometheus-community 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3
+5
bootstrap/templates/kubernetes/apps/observability/prometheus-operator-crds/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+20
bootstrap/templates/kubernetes/apps/observability/prometheus-operator-crds/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app prometheus-operator-crds 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: observability 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/observability/prometheus-operator-crds/app 13 + prune: false # never should be deleted 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+6
bootstrap/templates/kubernetes/apps/openebs-system/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./namespace.yaml 6 + - ./openebs/ks.yaml
+7
bootstrap/templates/kubernetes/apps/openebs-system/namespace.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Namespace 4 + metadata: 5 + name: openebs-system 6 + labels: 7 + kustomize.toolkit.fluxcd.io/prune: disabled
+45
bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/helmrelease.yaml.j2
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: openebs 6 + spec: 7 + interval: 30m 8 + chart: 9 + spec: 10 + chart: openebs 11 + version: 4.0.1 12 + sourceRef: 13 + kind: HelmRepository 14 + name: openebs 15 + namespace: flux-system 16 + install: 17 + remediation: 18 + retries: 3 19 + upgrade: 20 + cleanupOnFail: true 21 + remediation: 22 + retries: 3 23 + values: 24 + engines: 25 + local: 26 + lvm: 27 + enabled: false 28 + zfs: 29 + enabled: false 30 + replicated: 31 + mayastor: 32 + enabled: false 33 + openebs-crds: 34 + csi: 35 + volumeSnapshots: 36 + enabled: false 37 + localpv-provisioner: 38 + localpv: 39 + image: 40 + registry: quay.io/ 41 + hostpathClass: 42 + enabled: true 43 + name: openebs-hostpath 44 + isDefaultClass: false 45 + basePath: /var/openebs/local
+5
bootstrap/templates/kubernetes/apps/openebs-system/openebs/app/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./helmrelease.yaml
+20
bootstrap/templates/kubernetes/apps/openebs-system/openebs/ks.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: &app openebs 6 + namespace: flux-system 7 + spec: 8 + targetNamespace: openebs-system 9 + commonMetadata: 10 + labels: 11 + app.kubernetes.io/name: *app 12 + path: ./kubernetes/apps/openebs-system/openebs/app 13 + prune: true 14 + sourceRef: 15 + kind: GitRepository 16 + name: home-kubernetes 17 + wait: false 18 + interval: 30m 19 + retryInterval: 1m 20 + timeout: 5m
+17
bootstrap/templates/kubernetes/bootstrap/flux/github-deploy-key.sops.yaml.j2
··· 1 + #% if bootstrap_github_private_key %# 2 + --- 3 + apiVersion: v1 4 + kind: Secret 5 + metadata: 6 + name: github-deploy-key 7 + namespace: flux-system 8 + stringData: 9 + identity: | 10 + #% filter indent(width=4, first=False) %# 11 + #{ bootstrap_github_private_key }# 12 + #%- endfilter %# 13 + known_hosts: | 14 + github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl 15 + github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg= 16 + github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk= 17 + #% endif %#
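Review bot: The rendered file holds the raw SSH deploy key in `stringData.identity` (lines 9–12) and nothing in this template encrypts it, so the `.sops.yaml` suffix is only a promise that the surrounding bootstrap tooling has to keep; the same applies to `bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2`. A header comment would make that contract explicit: `# Rendered output contains the plaintext deploy key; it must be sops-encrypted before it is committed or applied`. The pinned `known_hosts` entries on lines 13–16 are the right fail-closed choice and deserve a comment saying that a host-key mismatch is meant to stop source-controller rather than prompt a refresh, e.g. `# GitHub host keys pinned on purpose: rotate here deliberately, never by trusting the first connection`.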
+61
bootstrap/templates/kubernetes/bootstrap/flux/kustomization.yaml.j2
··· 1 + # IMPORTANT: This file is not tracked by flux and should never be. Its 2 + # purpose is to only install the Flux components and CRDs into your cluster. 3 + --- 4 + apiVersion: kustomize.config.k8s.io/v1beta1 5 + kind: Kustomization 6 + resources: 7 + - github.com/fluxcd/flux2/manifests/install?ref=v2.3.0 8 + patches: 9 + # Remove the default network policies 10 + - patch: |- 11 + $patch: delete 12 + apiVersion: networking.k8s.io/v1 13 + kind: NetworkPolicy 14 + metadata: 15 + name: not-used 16 + target: 17 + group: networking.k8s.io 18 + kind: NetworkPolicy 19 + # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests 20 + - target: 21 + kind: ResourceQuota 22 + name: critical-pods 23 + patch: | 24 + - op: replace 25 + path: /metadata/name 26 + value: critical-pods-flux-system 27 + - target: 28 + kind: ClusterRoleBinding 29 + name: cluster-reconciler 30 + patch: | 31 + - op: replace 32 + path: /metadata/name 33 + value: cluster-reconciler-flux-system 34 + - target: 35 + kind: ClusterRoleBinding 36 + name: crd-controller 37 + patch: | 38 + - op: replace 39 + path: /metadata/name 40 + value: crd-controller-flux-system 41 + - target: 42 + kind: ClusterRole 43 + name: crd-controller 44 + patch: | 45 + - op: replace 46 + path: /metadata/name 47 + value: crd-controller-flux-system 48 + - target: 49 + kind: ClusterRole 50 + name: flux-edit 51 + patch: | 52 + - op: replace 53 + path: /metadata/name 54 + value: flux-edit-flux-system 55 + - target: 56 + kind: ClusterRole 57 + name: flux-view 58 + patch: | 59 + - op: replace 60 + path: /metadata/name 61 + value: flux-view-flux-system
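Review bot: The `$patch: delete` entry on lines 9–18 removes every NetworkPolicy in flux-system, which presumably drops the three upstream policies (allow-egress, allow-scraping, allow-webhooks) that limit ingress to the Flux controllers, and the comment says only what is removed, not why or what replaces it. The same deletion is repeated in `bootstrap/templates/kubernetes/flux/config/flux.yaml.j2`. Narrowing the target to those names, `name: (allow-egress|allow-scraping|allow-webhooks)`, keeps the patch from silently deleting any NetworkPolicy later added to the namespace. The comment should also record the compensating control, e.g. `# Default Flux NetworkPolicies removed because <reason>; ingress to flux-system is restricted by <replacement policy> instead`.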
+59
bootstrap/templates/kubernetes/bootstrap/helmfile.yaml.j2
··· 1 + --- 2 + helmDefaults: 3 + wait: true 4 + waitForJobs: true 5 + timeout: 600 6 + recreatePods: true 7 + force: true 8 + 9 + repositories: 10 + - name: cilium 11 + url: https://helm.cilium.io 12 + - name: coredns 13 + url: https://coredns.github.io/helm 14 + - name: postfinance 15 + url: https://postfinance.github.io/kubelet-csr-approver 16 + 17 + releases: 18 + - name: prometheus-operator-crds 19 + namespace: observability 20 + chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds 21 + version: 13.0.1 22 + - name: cilium 23 + namespace: kube-system 24 + chart: cilium/cilium 25 + version: 1.15.6 26 + values: 27 + - ../apps/kube-system/cilium/app/helm-values.yaml 28 + needs: 29 + - observability/prometheus-operator-crds 30 + - name: coredns 31 + namespace: kube-system 32 + chart: coredns/coredns 33 + version: 1.31.0 34 + values: 35 + - ../apps/kube-system/coredns/app/helm-values.yaml 36 + needs: 37 + - observability/prometheus-operator-crds 38 + - kube-system/cilium 39 + - name: kubelet-csr-approver 40 + namespace: kube-system 41 + chart: postfinance/kubelet-csr-approver 42 + version: 1.2.2 43 + values: 44 + - ../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml 45 + needs: 46 + - observability/prometheus-operator-crds 47 + - kube-system/cilium 48 + - kube-system/coredns 49 + - name: spegel 50 + namespace: kube-system 51 + chart: oci://ghcr.io/spegel-org/helm-charts/spegel 52 + version: v0.0.23 53 + values: 54 + - ../apps/kube-system/spegel/app/helm-values.yaml 55 + needs: 56 + - observability/prometheus-operator-crds 57 + - kube-system/cilium 58 + - kube-system/coredns 59 + - kube-system/kubelet-csr-approver
+15
bootstrap/templates/kubernetes/bootstrap/talos/patches/README.md.j2
··· 1 + # Talos Patching 2 + 3 + This directory contains Kustomization patches that are added to the talhelper configuration file. 4 + 5 + <https://www.talos.dev/v1.7/talos-guides/configuration/patching/> 6 + 7 + ## Patch Directories 8 + 9 + Under this `patches` directory, there are several sub-directories that can contain patches that are added to the talhelper configuration file. 10 + Each directory is optional and therefore might not created by default. 11 + 12 + - `global/`: patches that are applied to both the controller and worker configurations 13 + - `controller/`: patches that are applied to the controller configurations 14 + - `worker/`: patches that are applied to the worker configurations 15 + - `${node-hostname}/`: patches that are applied to the node with the specified name
+8
bootstrap/templates/kubernetes/bootstrap/talos/patches/controller/api-access.yaml.j2
··· 1 + machine: 2 + features: 3 + kubernetesTalosAPIAccess: 4 + enabled: true 5 + allowedRoles: 6 + - os:admin 7 + allowedKubernetesNamespaces: 8 + - system-upgrade
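Review bot: `allowedRoles: [os:admin]` on lines 5–6 hands the most privileged Talos role to any service account in the `system-upgrade` namespace that requests Talos API access, which is presumably for system-upgrade-controller but is not stated anywhere in the patch. Because `os:admin` can upgrade, reboot and reset nodes, the list should stay as short as it is and be documented as such: `# os:admin grants full Talos API access (upgrade/reset/reboot); only the system-upgrade namespace may hold it — do not extend this list casually`. RBAC on who can create pods or service accounts in `system-upgrade` is now the effective boundary and is worth a sentence in the same comment.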
+12
bootstrap/templates/kubernetes/bootstrap/talos/patches/controller/cluster.yaml.j2
··· 1 + cluster: 2 + allowSchedulingOnControlPlanes: true 3 + controllerManager: 4 + extraArgs: 5 + bind-address: 0.0.0.0 6 + coreDNS: 7 + disabled: true 8 + proxy: 9 + disabled: true 10 + scheduler: 11 + extraArgs: 12 + bind-address: 0.0.0.0
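Review bot: `bind-address: 0.0.0.0` for controllerManager (line 5) and scheduler (line 12) exposes their secure ports (10257 and 10259) on every control-plane interface rather than loopback, presumably so Prometheus can scrape them. Those endpoints require a token authorised through the API server, but the change is still an exposure choice and the file does not say so; a comment like `# 0.0.0.0 so /metrics is scrapeable from the pod network; the port still requires an authorised bearer token` would make the intent reviewable. `allowSchedulingOnControlPlanes: true` on line 2 means workloads share nodes with etcd and the API server, which is a deliberate trade-off that also deserves a one-line comment.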
+2
bootstrap/templates/kubernetes/bootstrap/talos/patches/controller/disable-admission-controller.yaml.j2
··· 1 + - op: remove 2 + path: /cluster/apiServer/admissionControl
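Review bot: Removing `/cluster/apiServer/admissionControl` on lines 1–2 deletes Talos' default admission configuration, which is where the PodSecurity plugin's cluster-wide baseline enforcement lives, so after this patch no pod security standard is enforced unless a namespace carries `pod-security.kubernetes.io/enforce` labels. The two-line file carries no explanation; a comment such as `# Drops Talos' default PodSecurity config (baseline enforced cluster-wide); namespaces must now opt in with pod-security.kubernetes.io/* labels` would record the trade-off. The privileged wipe pods under `k8s/nebula/` appear to depend on this relaxation, which is a reason to prefer an exemption list or per-namespace labels over removing the configuration entirely.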
+6
bootstrap/templates/kubernetes/bootstrap/talos/patches/controller/etcd.yaml.j2
··· 1 + cluster: 2 + etcd: 3 + extraArgs: 4 + listen-metrics-urls: http://0.0.0.0:2381 5 + advertisedSubnets: 6 + - #{ bootstrap_node_network }#
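Review bot: `listen-metrics-urls: http://0.0.0.0:2381` on line 4 serves etcd's metrics and health endpoints over plaintext HTTP on every control-plane interface, with no authentication. That is the usual way to let Prometheus scrape etcd, but the exposure should be stated and bounded: `# plaintext, unauthenticated metrics/health on :2381, reachable from the node network; restrict with the Talos ingress firewall or a network policy`. `advertisedSubnets` on lines 5–6 already pins etcd peer traffic to `bootstrap_node_network`; the metrics listener should be understood as wider than that.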
+7
bootstrap/templates/kubernetes/bootstrap/talos/patches/global/cluster-discovery.yaml.j2
··· 1 + cluster: 2 + discovery: 3 + registries: 4 + kubernetes: 5 + disabled: false 6 + service: 7 + disabled: false
+12
bootstrap/templates/kubernetes/bootstrap/talos/patches/global/containerd.yaml.j2
··· 1 + machine: 2 + files: 3 + - op: create 4 + path: /etc/cri/conf.d/20-customization.part 5 + content: |- 6 + [plugins."io.containerd.grpc.v1.cri"] 7 + enable_unprivileged_ports = true 8 + enable_unprivileged_icmp = true 9 + [plugins."io.containerd.grpc.v1.cri".containerd] 10 + discard_unpacked_layers = false 11 + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] 12 + discard_unpacked_layers = false
+3
bootstrap/templates/kubernetes/bootstrap/talos/patches/global/disable-search-domain.yaml.j2
··· 1 + machine: 2 + network: 3 + disableSearchDomain: true
+6
bootstrap/templates/kubernetes/bootstrap/talos/patches/global/hostdns.yaml.j2
··· 1 + machine: 2 + features: 3 + hostDNS: 4 + enabled: true 5 + resolveMemberNames: true 6 + forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false`
+7
bootstrap/templates/kubernetes/bootstrap/talos/patches/global/kubelet.yaml.j2
··· 1 + machine: 2 + kubelet: 3 + extraArgs: 4 + rotate-server-certificates: true 5 + nodeIP: 6 + validSubnets: 7 + - #{ bootstrap_node_network }#
+10
bootstrap/templates/kubernetes/bootstrap/talos/patches/global/openebs-local.yaml.j2
··· 1 + machine: 2 + kubelet: 3 + extraMounts: 4 + - destination: /var/openebs/local 5 + type: bind 6 + source: /var/openebs/local 7 + options: 8 + - bind 9 + - rshared 10 + - rw
+7
bootstrap/templates/kubernetes/bootstrap/talos/patches/global/sysctl.yaml.j2
··· 1 + machine: 2 + sysctls: 3 + fs.inotify.max_queued_events: "65536" 4 + fs.inotify.max_user_watches: "524288" 5 + fs.inotify.max_user_instances: "8192" 6 + net.core.rmem_max: "2500000" 7 + net.core.wmem_max: "2500000"
+178
bootstrap/templates/kubernetes/bootstrap/talos/talconfig.yaml.j2
··· 1 + # yaml-language-server: $schema=https://raw.githubusercontent.com/budimanjojo/talhelper/master/pkg/config/schemas/talconfig.json 2 + --- 3 + # renovate: datasource=docker depName=ghcr.io/siderolabs/installer 4 + talosVersion: v1.7.5 5 + # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet 6 + kubernetesVersion: v1.30.2 7 + 8 + clusterName: "#{ bootstrap_cluster_name | default('home-kubernetes', true) }#" 9 + endpoint: https://#{ bootstrap_controller_vip }#:6443 10 + clusterPodNets: 11 + - "#{ bootstrap_pod_network.split(',')[0] }#" 12 + clusterSvcNets: 13 + - "#{ bootstrap_service_network.split(',')[0] }#" 14 + additionalApiServerCertSans: &sans 15 + - "#{ bootstrap_controller_vip }#" 16 + - 127.0.0.1 # KubePrism 17 + #% for item in bootstrap_tls_sans %# 18 + - "#{ item }#" 19 + #% endfor %# 20 + additionalMachineCertSans: *sans 21 + 22 + # Disable built-in Flannel to use Cilium 23 + cniConfig: 24 + name: none 25 + 26 + nodes: 27 + #% for item in bootstrap_node_inventory %# 28 + - hostname: "#{ item.name }#" 29 + ipAddress: "#{ item.address }#" 30 + #% if item.disk.startswith('/') %# 31 + installDisk: "#{ item.disk }#" 32 + #% else %# 33 + installDiskSelector: 34 + serial: "#{ item.disk }#" 35 + #% endif %# 36 + #% if bootstrap_secureboot.enabled %# 37 + machineSpec: 38 + secureboot: true 39 + talosImageURL: factory.talos.dev/installer-secureboot/#{ item.schematic_id | default(bootstrap_schematic_id) }# 40 + #% else %# 41 + talosImageURL: factory.talos.dev/installer/#{ item.schematic_id | default(bootstrap_schematic_id) }# 42 + #% endif %# 43 + controlPlane: #{ (item.controller) | string | lower }# 44 + networkInterfaces: 45 + - deviceSelector: 46 + hardwareAddr: "#{ item.mac_addr | lower }#" 47 + #% if bootstrap_vlan %# 48 + vlans: 49 + - vlanId: #{ bootstrap_vlan }# 50 + addresses: 51 + - "#{ item.address }#/#{ bootstrap_node_network.split('/') | last }#" 52 + mtu: #{ item.mtu | default(1500) }# 53 + routes: 54 + - network: 0.0.0.0/0 55 + #% 
if bootstrap_node_default_gateway %# 56 + gateway: "#{ bootstrap_node_default_gateway }#" 57 + #% else %# 58 + gateway: "#{ bootstrap_node_network | nthhost(1) }#" 59 + #% endif %# 60 + #% if item.controller %# 61 + vip: 62 + ip: "#{ bootstrap_controller_vip }#" 63 + #% endif %# 64 + #% else %# 65 + #% if item.address %# 66 + dhcp: false 67 + addresses: 68 + - "#{ item.address }#/#{ bootstrap_node_network.split('/') | last }#" 69 + routes: 70 + - network: 0.0.0.0/0 71 + #% if bootstrap_node_default_gateway %# 72 + gateway: "#{ bootstrap_node_default_gateway }#" 73 + #% else %# 74 + gateway: "#{ bootstrap_node_network | nthhost(1) }#" 75 + #% endif %# 76 + #% else %# 77 + dhcp: true 78 + #% endif %# 79 + mtu: #{ item.mtu | default(1500) }# 80 + #% if item.controller %# 81 + vip: 82 + ip: "#{ bootstrap_controller_vip }#" 83 + #% endif %# 84 + #% endif %# 85 + #% if item.manifests %# 86 + extraManifests: 87 + #% for manifest in item.manifests %# 88 + - #{ manifest }# 89 + #% endfor %# 90 + #% endif %# 91 + #% if item.extension_services %# 92 + extensionServices: 93 + #% for es in item.extension_services %# 94 + - name: #{ es.name }# 95 + configFiles: 96 + #% for cf in es.configFiles %# 97 + - content: |- 98 + #{ cf.content | indent(14, yes) }# 99 + mountPath: #{ cf.mountPath }# 100 + #% endfor %# 101 + #% if es.environment %# 102 + environment: 103 + #% for env in es.environment %# 104 + - #{ env }# 105 + #% endfor %# 106 + #% endif %# 107 + #% endfor %# 108 + #% endif %# 109 + #% for file in talos_patches('%s' % (item.name)) %# 110 + #% if loop.index == 1 %# 111 + patches: 112 + #% endif %# 113 + - "@./patches/#{ item.name }#/#{ file | basename }#" 114 + #% endfor %# 115 + #% endfor %# 116 + 117 + # Global patches 118 + patches: 119 + #% if bootstrap_dns_servers | length %# 120 + - # Force nameserver 121 + |- 122 + machine: 123 + network: 124 + nameservers: 125 + #% for item in bootstrap_dns_servers %# 126 + - #{ item }# 127 + #% endfor %# 128 + #% endif %# 129 + #% 
if bootstrap_ntp_servers | length %# 130 + - # Configure NTP 131 + |- 132 + machine: 133 + time: 134 + disabled: false 135 + servers: 136 + #% for item in bootstrap_ntp_servers %# 137 + - #{ item }# 138 + #% endfor %# 139 + #% endif %# 140 + #% if bootstrap_secureboot.enabled and bootstrap_secureboot.encrypt_disk_with_tpm %# 141 + - # Encrypt system disk with TPM 142 + |- 143 + machine: 144 + systemDiskEncryption: 145 + ephemeral: 146 + provider: luks2 147 + keys: 148 + - slot: 0 149 + tpm: {} 150 + state: 151 + provider: luks2 152 + keys: 153 + - slot: 0 154 + tpm: {} 155 + #% endif %# 156 + #% for file in talos_patches('global') %# 157 + - "@./patches/global/#{ file | basename }#" 158 + #% endfor %# 159 + 160 + #% for file in talos_patches('controller') %# 161 + #% if loop.index == 1 %# 162 + # Controller patches 163 + controlPlane: 164 + patches: 165 + #% endif %# 166 + - "@./patches/controller/#{ file | basename }#" 167 + #% endfor %# 168 + 169 + #% if (bootstrap_node_inventory | selectattr('controller', 'equalto', False) | list | length) and (talos_patches('worker') | length) %# 170 + #% for file in talos_patches('worker') %# 171 + #% if loop.index == 1 %# 172 + # Worker patches 173 + worker: 174 + patches: 175 + #% endif %# 176 + - "@./patches/worker/#{ file | basename }#" 177 + #% endfor %# 178 + #% endif %#
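Review bot: The TPM disk-encryption block (lines 140–155) puts a single `tpm: {}` key in slot 0 for both the STATE and EPHEMERAL partitions, so there is no recovery path if the TPM is cleared or the board is replaced: the state partition becomes unreadable and the node has to be wiped and re-joined. Whether that is acceptable here is a policy choice, but it should be written next to the key, e.g. `# single TPM-sealed key, no recovery slot — a TPM reset means the node must be rebuilt`, or a second slot backed by a `kms` key should be added as the documented recovery. The gating on `bootstrap_secureboot.enabled` (line 140) is correct, since a TPM-sealed key that is not bound to a verified boot chain protects much less, and a comment saying so would stop someone from relaxing the condition. The `#% if` lines 55 and 129 are split across display lines on this page; that is rendering, not a template defect.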
+56
bootstrap/templates/kubernetes/flux/apps.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 3 + kind: Kustomization 4 + metadata: 5 + name: cluster-apps 6 + namespace: flux-system 7 + spec: 8 + interval: 30m 9 + path: ./kubernetes/apps 10 + prune: true 11 + sourceRef: 12 + kind: GitRepository 13 + name: home-kubernetes 14 + decryption: 15 + provider: sops 16 + secretRef: 17 + name: sops-age 18 + postBuild: 19 + substituteFrom: 20 + - kind: ConfigMap 21 + name: cluster-settings 22 + - kind: Secret 23 + name: cluster-secrets 24 + - kind: ConfigMap 25 + name: cluster-user-settings 26 + optional: true 27 + - kind: Secret 28 + name: cluster-user-secrets 29 + optional: true 30 + patches: 31 + - patch: |- 32 + apiVersion: kustomize.toolkit.fluxcd.io/v1 33 + kind: Kustomization 34 + metadata: 35 + name: not-used 36 + spec: 37 + decryption: 38 + provider: sops 39 + secretRef: 40 + name: sops-age 41 + postBuild: 42 + substituteFrom: 43 + - kind: ConfigMap 44 + name: cluster-settings 45 + - kind: Secret 46 + name: cluster-secrets 47 + - kind: ConfigMap 48 + name: cluster-user-settings 49 + optional: true 50 + - kind: Secret 51 + name: cluster-user-secrets 52 + optional: true 53 + target: 54 + group: kustomize.toolkit.fluxcd.io 55 + kind: Kustomization 56 + labelSelector: substitution.flux.home.arpa/disabled notin (true)
+44
bootstrap/templates/kubernetes/flux/config/cluster.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: GitRepository 4 + metadata: 5 + name: home-kubernetes 6 + namespace: flux-system 7 + spec: 8 + interval: 30m 9 + url: "#{ bootstrap_github_address }#" 10 + #% if bootstrap_github_private_key %# 11 + secretRef: 12 + name: github-deploy-key 13 + #% endif %# 14 + ref: 15 + branch: "#{ bootstrap_github_branch|default('main', true) }#" 16 + ignore: | 17 + # exclude all 18 + /* 19 + # include kubernetes directory 20 + !/kubernetes 21 + --- 22 + apiVersion: kustomize.toolkit.fluxcd.io/v1 23 + kind: Kustomization 24 + metadata: 25 + name: cluster 26 + namespace: flux-system 27 + spec: 28 + interval: 30m 29 + path: ./kubernetes/flux 30 + prune: true 31 + wait: false 32 + sourceRef: 33 + kind: GitRepository 34 + name: home-kubernetes 35 + decryption: 36 + provider: sops 37 + secretRef: 38 + name: sops-age 39 + postBuild: 40 + substituteFrom: 41 + - kind: ConfigMap 42 + name: cluster-settings 43 + - kind: Secret 44 + name: cluster-secrets
+86
bootstrap/templates/kubernetes/flux/config/flux.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1beta2 3 + kind: OCIRepository 4 + metadata: 5 + name: flux-manifests 6 + namespace: flux-system 7 + spec: 8 + interval: 10m 9 + url: oci://ghcr.io/fluxcd/flux-manifests 10 + ref: 11 + tag: v2.3.0 12 + --- 13 + apiVersion: kustomize.toolkit.fluxcd.io/v1 14 + kind: Kustomization 15 + metadata: 16 + name: flux 17 + namespace: flux-system 18 + spec: 19 + interval: 10m 20 + path: ./ 21 + prune: true 22 + wait: true 23 + sourceRef: 24 + kind: OCIRepository 25 + name: flux-manifests 26 + patches: 27 + # Remove the network policies 28 + - patch: | 29 + $patch: delete 30 + apiVersion: networking.k8s.io/v1 31 + kind: NetworkPolicy 32 + metadata: 33 + name: not-used 34 + target: 35 + group: networking.k8s.io 36 + kind: NetworkPolicy 37 + # Increase the number of reconciliations that can be performed in parallel and bump the resources limits 38 + # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers 39 + - patch: | 40 + - op: add 41 + path: /spec/template/spec/containers/0/args/- 42 + value: --concurrent=8 43 + - op: add 44 + path: /spec/template/spec/containers/0/args/- 45 + value: --kube-api-qps=500 46 + - op: add 47 + path: /spec/template/spec/containers/0/args/- 48 + value: --kube-api-burst=1000 49 + - op: add 50 + path: /spec/template/spec/containers/0/args/- 51 + value: --requeue-dependency=5s 52 + target: 53 + kind: Deployment 54 + name: (kustomize-controller|helm-controller|source-controller) 55 + - patch: | 56 + apiVersion: apps/v1 57 + kind: Deployment 58 + metadata: 59 + name: not-used 60 + spec: 61 + template: 62 + spec: 63 + containers: 64 + - name: manager 65 + resources: 66 + limits: 67 + cpu: 2000m 68 + memory: 2Gi 69 + target: 70 + kind: Deployment 71 + name: (kustomize-controller|helm-controller|source-controller) 72 + # Enable Helm near OOM detection 73 + # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection 74 + - patch: | 75 + - op: add 76 + path: 
/spec/template/spec/containers/0/args/- 77 + value: --feature-gates=OOMWatch=true 78 + - op: add 79 + path: /spec/template/spec/containers/0/args/- 80 + value: --oom-watch-memory-threshold=95 81 + - op: add 82 + path: /spec/template/spec/containers/0/args/- 83 + value: --oom-watch-interval=500ms 84 + target: 85 + kind: Deployment 86 + name: helm-controller
+6
bootstrap/templates/kubernetes/flux/config/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./flux.yaml 6 + - ./cluster.yaml
+4
bootstrap/templates/kubernetes/flux/repositories/git/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: []
+10
bootstrap/templates/kubernetes/flux/repositories/helm/bjw-s.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: bjw-s 6 + namespace: flux-system 7 + spec: 8 + type: oci 9 + interval: 5m 10 + url: oci://ghcr.io/bjw-s/helm
+9
bootstrap/templates/kubernetes/flux/repositories/helm/cilium.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: cilium 6 + namespace: flux-system 7 + spec: 8 + interval: 1h 9 + url: https://helm.cilium.io
+9
bootstrap/templates/kubernetes/flux/repositories/helm/coredns.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: coredns 6 + namespace: flux-system 7 + spec: 8 + interval: 1h 9 + url: https://coredns.github.io/helm
+11
bootstrap/templates/kubernetes/flux/repositories/helm/external-dns.yaml.j2
··· 1 + #% if bootstrap_cloudflare.enabled %# 2 + --- 3 + apiVersion: source.toolkit.fluxcd.io/v1 4 + kind: HelmRepository 5 + metadata: 6 + name: external-dns 7 + namespace: flux-system 8 + spec: 9 + interval: 1h 10 + url: https://kubernetes-sigs.github.io/external-dns 11 + #% endif %#
+11
bootstrap/templates/kubernetes/flux/repositories/helm/ingress-nginx.yaml.j2
··· 1 + #% if bootstrap_cloudflare.enabled %# 2 + --- 3 + apiVersion: source.toolkit.fluxcd.io/v1 4 + kind: HelmRepository 5 + metadata: 6 + name: ingress-nginx 7 + namespace: flux-system 8 + spec: 9 + interval: 1h 10 + url: https://kubernetes.github.io/ingress-nginx 11 + #% endif %#
+9
bootstrap/templates/kubernetes/flux/repositories/helm/jetstack.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: jetstack 6 + namespace: flux-system 7 + spec: 8 + interval: 1h 9 + url: https://charts.jetstack.io
+11
bootstrap/templates/kubernetes/flux/repositories/helm/k8s-gateway.yaml.j2
··· 1 + #% if bootstrap_cloudflare.enabled %# 2 + --- 3 + apiVersion: source.toolkit.fluxcd.io/v1 4 + kind: HelmRepository 5 + metadata: 6 + name: k8s-gateway 7 + namespace: flux-system 8 + spec: 9 + interval: 1h 10 + url: https://ori-edge.github.io/k8s_gateway 11 + #% endif %#
+19
bootstrap/templates/kubernetes/flux/repositories/helm/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./bjw-s.yaml 6 + - ./cilium.yaml 7 + - ./coredns.yaml 8 + - ./jetstack.yaml 9 + - ./metrics-server.yaml 10 + - ./openebs.yaml 11 + - ./postfinance.yaml 12 + - ./prometheus-community.yaml 13 + - ./spegel.yaml 14 + - ./stakater.yaml 15 + #% if bootstrap_cloudflare.enabled %# 16 + - ./external-dns.yaml 17 + - ./ingress-nginx.yaml 18 + - ./k8s-gateway.yaml 19 + #% endif %#
+9
bootstrap/templates/kubernetes/flux/repositories/helm/metrics-server.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: metrics-server 6 + namespace: flux-system 7 + spec: 8 + interval: 1h 9 + url: https://kubernetes-sigs.github.io/metrics-server
+9
bootstrap/templates/kubernetes/flux/repositories/helm/openebs.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: openebs 6 + namespace: flux-system 7 + spec: 8 + interval: 1h 9 + url: https://openebs.github.io/openebs
+9
bootstrap/templates/kubernetes/flux/repositories/helm/postfinance.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: postfinance 6 + namespace: flux-system 7 + spec: 8 + interval: 1h 9 + url: https://postfinance.github.io/kubelet-csr-approver
+10
bootstrap/templates/kubernetes/flux/repositories/helm/prometheus-community.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: prometheus-community 6 + namespace: flux-system 7 + spec: 8 + type: oci 9 + interval: 5m 10 + url: oci://ghcr.io/prometheus-community/charts
+10
bootstrap/templates/kubernetes/flux/repositories/helm/spegel.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: spegel 6 + namespace: flux-system 7 + spec: 8 + type: oci 9 + interval: 5m 10 + url: oci://ghcr.io/spegel-org/helm-charts
+10
bootstrap/templates/kubernetes/flux/repositories/helm/stakater.yaml.j2
··· 1 + --- 2 + apiVersion: source.toolkit.fluxcd.io/v1 3 + kind: HelmRepository 4 + metadata: 5 + name: stakater 6 + namespace: flux-system 7 + spec: 8 + type: oci 9 + interval: 5m 10 + url: oci://ghcr.io/stakater/charts
+7
bootstrap/templates/kubernetes/flux/repositories/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./git 6 + - ./helm 7 + - ./oci
+4
bootstrap/templates/kubernetes/flux/repositories/oci/kustomization.yaml.j2
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: []
+14
bootstrap/templates/kubernetes/flux/vars/cluster-secrets.sops.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: Secret 4 + metadata: 5 + name: cluster-secrets 6 + namespace: flux-system 7 + stringData: 8 + #% if bootstrap_cloudflare.enabled %# 9 + SECRET_DOMAIN: "#{ bootstrap_cloudflare.domain }#" 10 + SECRET_ACME_EMAIL: "#{ bootstrap_cloudflare.acme.email }#" 11 + SECRET_CLOUDFLARE_TUNNEL_ID: "#{ bootstrap_cloudflare.tunnel.id }#" 12 + #% else %# 13 + SECRET_EXAMPLE: Global secrets for your cluster go in this file, this file is encrypted with sops 14 + #% endif %#
+8
bootstrap/templates/kubernetes/flux/vars/cluster-settings.yaml.j2
··· 1 + --- 2 + apiVersion: v1 3 + kind: ConfigMap 4 + metadata: 5 + name: cluster-settings 6 + namespace: flux-system 7 + data: 8 + SETTING_EXAMPLE: Global settings for your cluster go in this file, this file is NOT encrypted
+5
bootstrap/templates/kubernetes/flux/vars/kustomization.yaml.j2
··· 1 + apiVersion: kustomize.config.k8s.io/v1beta1 2 + kind: Kustomization 3 + resources: 4 + - ./cluster-settings.yaml 5 + - ./cluster-secrets.sops.yaml
+39
k8s/nebula/rook-wipe.yaml
··· 1 + --- 2 + apiVersion: v1 3 + kind: Pod 4 + metadata: 5 + name: disk-wipe-w-amd-1 6 + namespace: rook-ceph 7 + spec: 8 + restartPolicy: Never 9 + nodeName: w-amd-1 10 + containers: 11 + - name: disk-wipe 12 + image: alpine:3.20 13 + securityContext: 14 + privileged: true 15 + env: 16 + - name: CEPH_DISK 17 + value: /mnt/host_dev/disk/by-id/nvme-KINGSTON_SEDC1000BM8960G_50026B76860DDA63 18 + - name: ROOK_HOST_PATH 19 + value: /mnt/host_var/lib/rook 20 + command: ["/bin/sleep", "infinity"] 21 + #args: 22 + # - apk add --no-cache sgdisk util-linux parted; 23 + # sgdisk --zap-all $CEPH_DISK; 24 + # dd if=/dev/zero of=$CEPH_DISK bs=1M count=100 oflag=direct; 25 + # blkdiscard $CEPH_DISK; 26 + # partprobe $CEPH_DISK; 27 + # rm -rf $ROOK_HOST_PATH; 28 + volumeMounts: 29 + - name: host-var 30 + mountPath: /mnt/host_var 31 + - name: host-dev 32 + mountPath: /mnt/host_dev 33 + volumes: 34 + - name: host-var 35 + hostPath: 36 + path: /var 37 + - name: host-dev 38 + hostPath: 39 + path: /dev
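Review bot: This Pod runs `sleep infinity` as a privileged container with the host's `/var` and `/dev` bind-mounted (lines 13–14, 20, 33–39), so it is a standing root-equivalent foothold on `w-amd-1` for anyone with `pods/exec` in `rook-ceph`, while the actual wipe steps are commented out (lines 21–27). A one-shot maintenance task should be a Job, or a Pod whose `command` runs the steps and exits, so the privileges disappear when the work is done, and it should not live anywhere Flux reconciles — whether `k8s/nebula/` is reconciled is not visible here. Using `/dev/disk/by-id/...` for `CEPH_DISK` (line 17) is the right choice, and `wipe-rook.yaml` should follow it instead of `/dev/nvme0n1`. Note also that `disk-wipe-w-amd-1` is defined again in `wipe-rook.yaml` without a namespace, so the two manifests target the same node with different images and commands.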
+54
k8s/nebula/wipe-rook.yaml
··· 1 + --- 2 + apiVersion: v1 3 + kind: Pod 4 + metadata: 5 + name: disk-wipe-m1 6 + spec: 7 + restartPolicy: Never 8 + nodeName: m1 9 + containers: 10 + - name: disk-wipe 11 + image: ubuntu 12 + securityContext: 13 + privileged: true 14 + command: ['/bin/sh', '-c'] 15 + args: 16 + [ 17 + 'apt update; apt install fdisk gdisk parted udev -y; sgdisk --zap-all /dev/nvme0n1; dd if=/dev/zero bs=1M count=100 oflag=direct,dsync of=/dev/nvme0n1; wipefs -af /dev/nvme0n1; blkdiscard /dev/nvme0n1; partprobe /dev/nvme0n1', 18 + ] 19 + --- 20 + apiVersion: v1 21 + kind: Pod 22 + metadata: 23 + name: disk-wipe-w-amd-3 24 + spec: 25 + restartPolicy: Never 26 + nodeName: w-amd-3 27 + containers: 28 + - name: disk-wipe 29 + image: ubuntu 30 + securityContext: 31 + privileged: true 32 + command: ['/bin/sh', '-c'] 33 + args: 34 + [ 35 + 'apt update; apt install fdisk gdisk parted udev -y; sgdisk --zap-all /dev/nvme0n1; dd if=/dev/zero bs=1M count=100 oflag=direct,dsync of=/dev/nvme0n1; wipefs -af /dev/nvme0n1; blkdiscard /dev/nvme0n1; partprobe /dev/nvme0n1', 36 + ] 37 + --- 38 + apiVersion: v1 39 + kind: Pod 40 + metadata: 41 + name: disk-wipe-w-amd-1 42 + spec: 43 + restartPolicy: Never 44 + nodeName: w-amd-1 45 + containers: 46 + - name: disk-wipe 47 + image: ubuntu 48 + securityContext: 49 + privileged: true 50 + command: ['/bin/sh', '-c'] 51 + args: 52 + [ 53 + 'apt update; apt install fdisk gdisk parted udev -y; sgdisk --zap-all /dev/nvme0n1; dd if=/dev/zero bs=1M count=100 oflag=direct,dsync of=/dev/nvme0n1; wipefs -af /dev/nvme0n1; blkdiscard /dev/nvme0n1; partprobe /dev/nvme0n1', 54 + ]
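Review bot: All three pods use the floating `image: ubuntu` tag and run `apt update; apt install ... -y` inside a privileged container that then writes raw disks (lines 11–18, 29–36, 47–54), so what actually executes as root on the node depends on whatever the registry and Ubuntu mirrors serve at run time. Pin the image by digest (`image: ubuntu@sha256:<digest>`) or use a prebuilt image that already carries gdisk and parted, and give the pods an explicit `namespace` so `kubectl apply` does not depend on the current context. The target disk is hard-coded as `/dev/nvme0n1` on every node; kernel device names are not stable across boots or hardware changes, whereas `rook-wipe.yaml` already uses `/dev/disk/by-id/...`, which is the safer convention to standardise on. `disk-wipe-w-amd-1` here collides by name with the pod in `rook-wipe.yaml` if both are applied to the same namespace.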
+4
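--- /dev/null
+++ b/talos/.sops.yaml
@@ -0,0 +1,4 @@
+---
+creation_rules:
+  - age: >-
+      age13xy8slkuaz408wh5s0jgd40a8kqtj6gfnr657xxqku6vm0r0qpjqymtkmz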
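Review bot: The single creation rule names exactly one age recipient and no `path_regex`, so everything sops encrypts under `talos/` — including the cluster CA keys, bootstrap token and `secretboxencryptionsecret` in `talsecret.sops.yaml` — is recoverable only with that one private key: lose it and the cluster secrets are gone, leak it and all of them are exposed. Consider adding a second recipient held offline (a backup age key, or a hardware-backed one) to the same comma-separated `age:` list, and a `path_regex` if other secret files are to live under this directory so the rule's scope is explicit. The value here is the public half, so nothing is leaked by this file itself, but confirm the matching private key (`keys.txt`) is not committed anywhere in the repo.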
+6
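--- /dev/null
+++ b/talos/clusterconfig/.gitignore
@@ -0,0 +1,6 @@
+nebula-m1.yaml
+nebula-w-amd-3.yaml
+talosconfig
+nebula-w-amd-1.yaml
+nebula-w-amd-2.yaml
+nebula-w7.yaml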
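Review bot: The ignore list enumerates the rendered per-node machine configs by exact filename, so a config rendered for a node that is not yet listed (or renamed) is committable in plaintext — and rendered Talos machine configs normally embed the same cluster tokens and CA keys that `talsecret.sops.yaml` goes to the trouble of encrypting, which is presumably why these are ignored at all. This looks like the file talhelper regenerates, but a defensive pattern alongside the explicit names costs nothing: `nebula-*.yaml` plus `talosconfig`, or `*` with `!.gitignore`.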
+43
talos/talsecret.sops.yaml
··· 1 + cluster: 2 + id: ENC[AES256_GCM,data:4Wf/CYr9RCZPOePkcHsq5dCYhOGs1KJpQgJPYlCnnVB3wQubyrqVMt4YVoY=,iv:OYvsLmNO1aOVPc0u/Xjt8hRjri8peJtaknBNG1fBT8M=,tag:cfiBl2xst6lgLm2uT7NvJg==,type:str] 3 + secret: ENC[AES256_GCM,data:17e44RCUOowoSZUPfMmE9RkEdXapvcvNla6XJG5//EqIMKpqOIaTUoOxFMs=,iv:sFa87CbquwbevXdpJDSRdP24QU/V8xjgTSTrc/n2LRk=,tag:zgCs8D31W1JcVkalsgGPfA==,type:str] 4 + secrets: 5 + bootstraptoken: ENC[AES256_GCM,data:qPKnukLNKN/C0kWiE9BKx1nVwGz1pd8=,iv:CDo8Du9DmHS0cs+buCJ0x/DrEE8pzsFW3bmC5+snGR0=,tag:xiR3YeFlF13zV1HLkuRYKg==,type:str] 6 + secretboxencryptionsecret: ENC[AES256_GCM,data:K5UqbS2uUc0K3/fs/nqORrr50lHYxsAH/MdvxXwJ5XwFLgIUkXZWxtcJeJA=,iv:fZ977hiamySZilnC7BXd3zRg8aDw2AFaBBNqYIBsr28=,tag:CyJJtBlM+S2dYIJMt6rhIQ==,type:str] 7 + trustdinfo: 8 + token: ENC[AES256_GCM,data:imfQR9xKsiqr167/r3tygTt1vNsHHSQ=,iv:va3l/Qw6UuU9VRPDSbuSiH0AZn9Vzi/2oh5R8KyDfK0=,tag:CmSkzHTmpsseWeorLgTgRw==,type:str] 9 + certs: 10 + etcd: 11 + crt: ENC[AES256_GCM,data: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,iv:WqbM5HOwUPPtiLh4eJNquszFy2Bb4s34K8ErUIu0p6g=,tag:eehU49aKLK9x0/ahFOmh6Q==,type:str] 12 + key: ENC[AES256_GCM,data:EU+UkvZgEDpjmCZwet3OfW1QkvzK6QU1pLR+IMly7+5fbFMwkfeUn+CTrO9kF2lttIEa4n1a7qclRCJR9bboDRhxPuJIoUo4SUBBd4dodYAfCEW8dEQtaTPWsaWD4XTWjS/Zks4gh017cxmHYJJnWyMlOsY/h50CKFHN/rHBQMghrQrELuzbjggTn3/ZC5+z8M9DrMgOeFZhIbXIZdyRke+zSZ/cBlimKlhmYGzGWJotUp0yb8L/hG3vd0dSndPY/vshtrYKWBZSnhTQeQB7h912LS505S/wVM071iRKOmHHfERlhsf+DcesSkiyHihc8jN+7HgFL2DTxyCxK46rnRxl1Dd/Wt5FTzpYpZI0WHl3+SQgYo5cRFUAkHGpCWClLb6MXooZqig6pEoRV2Vl7g==,iv:mwfcSatpvRGVKDTAjgw5zeQZ6McyDRxpnWVx5rPdKg8=,tag:0D/Hab/5Kn5QQmCQYZgoCw==,type:str] 13 + k8s: 14 + crt: ENC[AES256_GCM,data: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,iv:wI+qD/DWWpC+TnFPh7IJsQmHeWSyv9Ck1Zj0cQ9byJ4=,tag:+tDQjbpYHmTaHxZHtP/Q6g==,type:str] 15 + key: 
ENC[AES256_GCM,data:Vi6mqpwO8/H0ZFDrofqzDoXKBE283TzLzRAlMs9bT+68IpCl4a10fsWXUmCAcLAcqS/D0m7mHn3yzIF8p8evz7LvHIeo3tULed8TJ7PY80XpIXjhxGGv3P41cet6shKfiaGVAV72a5EcZ7fUVPX/XIxkMDJrkHXU3gj+/G1MbHs9KYHU0VAd0GzACNFygiJSVRJFOwdest9CGZM2NQ1dQBtbp/zJMQkUcwFVghdZtbsPWuvWN6z3n+nkJJAtTXNPbmmuJ9b4IMfpdWjSWL0m8cdassF6cb64kdsQ2sNI3wXch0Ij4xLGkw03kJjS4qvN2Xa8BXYAkRqrZI2bCFdPMrGlXGG5XTuDeA0gGRykXfF95+pMvbkagSTZzXmXq2eXRMDU00dRUZCfGnKKCUybSQ==,iv:+Pfe7gmEFHQPT58mA5l8Gg8c6QX76oEI7+lFesxwd5g=,tag:2JjH3djn67EAjwgZ4evNXQ==,type:str] 16 + k8saggregator: 17 + crt: ENC[AES256_GCM,data:aJDijaYofjgyZJ/RwN5GJPNeRfJcnvIsxW2wPLaugDktkwmfvNcucAb/Uq8szVad2BgJPZ0Veubw51PRcADqhL731boSYROaoDLGWQxBMcuXcW1TFgf0ZXUI/kSuT+G/5/afElK78uLSzX3qqM/tq5cHFocGC/NjAErbAkJKVp4LLzTVR7tZjwbjSYd/P5xBJ+xcpxwYkJjRN3zjiVZYkkllXsi8cnOuVsPTUo5cTQMY/Az/sAQMbVe5YSr5qRwXW8UZp6FgyKeA1iOSlZkpKx6eLL+9LMPRmvLsR0om5fBcGhX8nRZHVlCh/Az8Tr+dIYTN4slGN9oO7UKl87EkKs+aZ/8/J1WXLB8pDzuVgFq9cLY59uBRFBKxYjhWxQu9Bq4iSUCndEhRSVMs56FT8cqdNkH6oeT8TJl4QH/svtRuKweNFkslv8cGGrAbrXPjkvmS6v1kVNJVfTc/glcGQ4EXlmRsUtq8dtzuYKb1pcrXaiggxpMIUESBORFlJIv2W9r/Oi6gEZTOxtziMpkAZIxQtBVaXaSBhKyDr/gQ0BJSGlSyr2Zl0PBA+lTSKTAxY6UjlVLH/xdXU2j0MhL6a73XKZBNSkPWhd1jDAXnrkNvEpSQJaBy7+VDD9tT/wfMJDJhMgrwoHVx/Nqxx4AXhKkX5gSBcsSxdPPN/HEMPyhGw6bwhnw4mb7y7itBby02T9NfxO7SuFybVRY9CEBPTbGf+Xn1V7SFYV4YmCSxEkhW59n/k1MlW7RcUIB3wcoSIgXgpiPvMLluHzOVobV+7wG6Ml2nL9bSNKlvI+EL73GWcjMslLc7q8OPbP0aejHqOKKcuVtjR/7Q3tmnFfVSDI+PNXyeQtjrhZmRuj/4D+yinsgjo0S8lCdmh7n1fYjtWchCPQfn3Z+UXD1JYgVjd4hZF4nqZJt4RVIGQzk+TWyP07FyCDgmeQ==,iv:3X33KRX938TwXYBuAqeShjuTvennxadan+I+dP1mJnE=,tag:j/FQwx0bWIvKASCoHDvQqQ==,type:str] 18 + key: 
ENC[AES256_GCM,data:q9GSXSGCQmsgmyz5L3P0KqtMb/juev5ZDv0if9/8kHNNzpRRCmt8zJ3u/MmNzaNY1loyZyOzLW7Lp7x1FU3rqMfhpdFHlxDQwQUZLp/7kTHyx8T+kE+dDzUdCOmqKovWl8SLiTpp+3AL5Awgs4pFMKNXgyxdKKO/6mKzy07jHuC25VlezK6VoI//BpuTl0azb6aEPc6mZOR62s3lH9ktolvtSBd31SM8770Esf7n93JfssP4IZd0cmSYUqBFhFFF1MsgpUBh73Hk5DTH+JqnD8Iy4D7qSk1g/fTMKdjfuNiFpj7TtUneM1cst/qUZ+AP0CFpvua9k2Z4iOMZ5mxrkYtwSD8RHvDtsAUtFvpSWFd6FH5rqY5LtSPYxjaGlYPI2JTt918+KKNlrFrOcfwlkw==,iv:P9V4vyGs8dK2TiThvwlMnqcJMtIJlI7LwSvNpo+t/v4=,tag:ABB54Q7j6BtEV+4K0cm0DA==,type:str] 19 + k8sserviceaccount: 20 + key: ENC[AES256_GCM,data:g74IGyNZEiilRUwpfLTMMDExOcrhB8rnd+0zfsIp3YNtH8Ozv3Z/+N332O2ERwmQAbmzIoHiHCTkHf4p/PHz1G6tsNaNx0MH539OyRy/XE8/FqJ6JsTCx86WDol0vSNN/nGaHz+najuH/S95Sy0mMzFbZzSVOAp6sxyIOiBiF/NHFr/N2i8prG29StehpS7JwS1y+UO1h6Dljh/Dxohdlo9RdRSW/q2tSXMFizLBwgf4fduLR5GlrUkKO/JppEk++tHQ9R/9S6RHIpUq7bewEKDafbVeoIXTqcmMThB9YS7ow18M75ZlGk0eOaJu9UwhV+hsqvC9Fsy8OVEo7ZlKm0MU5nGalBthS1Rkj/R2N7lu6oH7AslIJkUxldd48NCmQ3DT1ye0txu8CASSDI/XvrLBrx7eZGgXkvDr6e56q2xOyq9gMpHPuFIKF1AIMn3VCCse8njkg3Zf86ohr2NqTxLRUKxbX6sa7lHNN97bso4CE4bFpkuYu6lNcI7TFes0pizGKObmNBI0NBkjOwNAb3j02QCCrR5BLfeBHLsPyqgBVoop2ZOY5gZc3hGlj1CibsC+yHjM7j/Dq0rLiBgVzdhiz75PxtgDRBFJAz9A9DqD2zrPzo/PaUFtVz7+e/iXkXJtiQSnvtPZjcziN5lyH+k63FZL15bPPRyf9sVppEA5U07UXk4WJvNxm+3ViH5skHhypO33oG7kYWn+3wCj52BE9Q4Fn1BZuXs68aY1GsSJfYPhWqdqaPUqMSZdxXP7gsFTv4Y4AxkC2ZZAKIG5Ccg7PkifKjpade4HzEEdAkE6PzYh6YHWNzhMRaaQJ4lVP21XZqGYxN52RCAjVxY3rMRZ2uivABc230+ldUdOdHNT35zmLarOatEDbLH5yoqVhrFVjlz17SoIIjGGkcwm7w4hBjo3IElPLarWyIzRyFbKWH1kqdfY44e4aYiVfsXjrKVWjk9mYMie6W4JrSkiC5fHEvpdpk7PvBj2aHC/Rje6N9gN/4fxhlFlU7iRBgL1V1dnh7nlaSzjLAQdf1wugoUasvnx3+iRhemF3wWddWlGh9m/+w5jhfqA2cBrlJZ6EEFRjOstRZKjddgmfNhLXHSPvTFgUeZzqg46uV6PzmdEYa6SHYmo+GzYuGZbTL9h/FOjddpX8Oy/9jXEbA3XI7Avw0g9oV5K1hr9elZ9D+//AvItwF1kIgeEJi8AluAkcfy6nQ/QtDrA29caXuEeQbsMVp/LNhBpwBWetByenoMNT5b3UdHFdIzsH8H6qJSOLdWoEvCmNnpHmB8ygwZXNcP75CDetGG/7xKNVLl+mF4w9PI8U+Gx3wzKvUgq97amOCOF56s15qcWozPEWz38bDR5Lh9td8oIynBZiJ/AMQo/ZZd6LB/l5Wtv9kDYNy2wI6FJ7s+T/dYuJYlvCYQrRc
rgWVqJ9uK+pRGLjE2rQLZohe5bLYJVfxJaEKC2+7T6Xgiws738ZTb4Sm0N7if0tH/GtAsiPRg121luJ4WvVbLtdCE9gFWQJsd28EDGrhU9cv6lM3rZM+ml0BP2Gg0PGfNRDjpcwHpWXFTnbguhcam0WOK8E/z+RwwK9vY56A6ZBd3rLUgbICW/VvA61Ct/HrIf5hJaA6PnLgOYlO5R41RAJK3gBcXBcd+hFepUMuZAkPeUMZPCRpVOb4/K6rpQf+0zCIPaZ8OwkIXAyVzeRfWGAydEbwBEgMXU3qSx3noUYr4xMi6fy8JuNgUohHkQwzBf73Yj/pyzgnowjs0wr2qXPqLD5UeoJ1NeMb6pTXtey8I5tzevlvp1QldI+u/uqfvbLuERiosdQwwY9tB6cpPCWBk0KbnZ9wWGhIcO0k/I80C1Oma7d6GNlxN+qfS2MwAdbxTClgpeWkDBQvv3N36CEqkjh8wVo6gJRSZZhbXYMGBzeTE+id25dNKWxkxoLCbfLZuhFOKBSqYSvw16oe/5lT6Iw4F2D81LCPooCJchaOLr2vHPk/Oh7aG246WQosX8ldcE1ySzWapoqpUjBmYw1LJfYMgOE5jAzM6GGv3FRvqRzjW6p1I9zgS45lCAUSWOD2J41P0uoKA0RHvZfSALEoIGsbsoEtCUBaMgw4ZimkfZsLhBZd5IprMPo3y6RG8hiZFWgQ93EzJqZqkDzTRQe9JJo2gfGcLubEMvgLM8dWYtAXlbtUXQC0uaNz3tSVv6CMwBf4llT3NYxHaDaQnRlbW60ZMrC0ZDrUzpsdhfHcf4+/QszOq0Vna7ca7F7oGqJ8o2N95+TWnaEXos/LBofNimADQ9sqZtsaFGCgtEJHjIJ8fYzNL0NTnzXZQtoMAESNpO6BHuyOpcduupbHNAFSS/2jgktzGqJHYzxN7jWuOSy42/V10ug0PmLJUm0JIv7MkffrG9F+cOg70BlKiN0+bWU8UKFDWz6MoKCnF+jwKZ+8lQZzp/nu4pAfJJBf8HUC4EORTNla18Vdw4OWy+nYSUcjTakqGiyI55mcfIGEJlv5ZJT/S6FUlHgr51M7intS18cnSn9PMkJnydkeEPDqLiUPWF1DVePXlSDegesmQxJfrRVdmCEgGCPrkjT1Muv7CD0b30r6lpNr6M6wyb5fFflNQk333qFwpJnTl9tv9K1Lta49Y4rYmUOUR+mZ9nbVA97SlkgeZvmUyMyuC9G3W6Yi+6i6ek0pK2xggCdJeoGnPISQdlCFlVYq5QykfCd0V54Uzjf7Uhr2jMjfVPxvfgA63ORfE9QlL/Zs9CQfabKOAzSzRl/n2RwefiMAzZIZYntL2yQrRxICK4f8/HykBh+D1+eYMCcHrAgQD9J9pZvDZbNc5Sv3kQl+ZOOoekdSf8IuHDComRgaa/g+IaLJBjIlFoT9JImfkbvImSckwlUjYQ5aRR54ox5jR5QrMX+f7eRmRgUznACnCVEGe7zmBLyVp2RFSG1MmvNsKqQJnsxhepyqjHmSoJdOrZHlsLgfjrwG2Q14LT2x4iB0+7qNfX9bKK4g7z8WUEAQikX7DJ0GxuRDPR31CDcz41ZefPwKfmgV9gu95koVr1osqLRBX4vZFQXYhjvnkD5+vb7N0IfcnjQHFEoIipG+u/5WiGyWZE2EPty4qR/ztKzhKtAtW9STHY1AbPBF+m8OIkV4PRoeTh5/Rq+cJoeWsiBIwMib9Hv1wzAhhB5qeDmA7K5E6dsJCv51qkm7rRz7I1xoT+lQnxf8P3WplBNwb1NrCGGngJ44u7geh4FVkFTZyCyhClvZCjXDAw2DPRQ89LmNkDAjh2EHDuxcBZRJep/lxLzbu7g/Dnh/JORJUTzJ4fAWn5pX1RdyrYC2a1139KpZBSxa4XDJkly4HRrQ+AtSnJhkkB/epfVtbIMmhnB1I7aPtfMbQoo05SWiV2NSSkGIc2UagvLBEpV5uAfEMXYC7X0AwY1zoeihvsEn
l5WQbgYgm9BHn5LRgMkRaFlQHK1TGr+A8TTaMAylX5UcbrfcNyNLZVceGFOpJKDDaR+GiYKE5ZuL4I2+QHdoh+CoYTRVlQqd9OqvroZjRZiqHlZdMdBqeHfELmPwMAPObbRr1ZaeSTPYdMbLi7QQKHe6Kx+EtpiVkI88vYeXvEW0FpTKB4oBDlsE0m1fUp6p9Tp9Zp5s3UrdkVdx97uP4AQ4YNXpn6bp9uD1vRnHBY1uHeygIuLHShWCMGNd9fRiG8Zu+o69ybVt6B+0omeMUGCfIltYmyjYphv6Ol6wkC01wmJA0J/5sgMoWIOfWyEZRgcCUmEmDebYB8J9/yw3C59Xa7v1pmj5Ge0KDhdnpY5foJRnmAbOYwvc1fJ1xZoWwgwSIzCZWLod/sPysQlJVcMhDa5zl7H0oIEbFalVdfUEG9IVeB/P8zkLiV5eUwrJk1dyLW8g7mz6HRf+Gw++OiHeszgpOQQ3bzaItof6+VbimeYD4+b3PRxYgBZ6N30AulYNiJDOmGN2ZCesjWXFSTwncNS8boEzyuhnsni96CWzURR75Q59b2mrjrUW83Bvh7MEBMEw4f3ATbtSGcB0KlSl84zPlytm+sQX8WFbBUOy4dLoeA+0vu8PsvuvHWuYvNyASk/PMI0IQSYmTNpFkFmg1UfFhFSjgkRznZ7OveuuircfVCoWpyq4gz+twLyFqt5nVnBV+N4EYvdmFfH4C/XPwzp4sLd9JTaazB2GU3FRd/eE0zJc5S/y4U1ZoO9MMeiiBUgnPgMbQUDnj8/aZIDmL9qLw+xgPoBkRzP4+9Ks/PeEPkmUJFB3m/kUu1tGjJbCC2JDhL4mhWhDg+rz4w4PNp/dOsLIG+iKNL7CwrSFtmwFUqfNl6odlfs/eQ2KfVCHOI64wUL1NS6TJTB19Id2kg2g00TYzQe6v6m40AlnfkbsJct/wrTiuCUgS22+IoG0R4I3hfZdIxrNgEQxgTRQshPVhQeuQzD4OjIH9bX1xgkkww3PkvtE1sKm2Q8tS41EpmaTEDlqR9MrHvX41V5841hpkXFA7GboySuZFZzvEcE6l2lcNa9CMDJET5b9XSSQ/0FfbJ9Bo80q3QpOxt2BUFByg7yu3LOhMdS3+SyzCIGkb3VbVk+lZmyDAIpq2O4w8+YkrNn6CVRXjoBsn9sG/d634c074QTjw4ty0IoX9A5LXCbqAsJtfxEWxloQnCUG4X19bmF3qM54oG5Sv84yfTNv/Jo5aIDnt/Ujv22h75kASXYRCnszGuqTpt7u6N8ePc/lf6oHNcpS0WZxmcEUNi1jsgBXXpQsHtH20SAAOUjzQPpXCFTy/Fa5YCZ4ihp5vSiNzuwrMM4/QcQ8RfspKIs8SlKmuS+tOK9gBn6hBatKfht5BElQFyq1xnMdIkLyrqMwvuMCOoyr8kJx/K6pOjn/O9ZFlKEM2AaZxg7FTMUl7OtyY9yKahzpsHk/9XQK3F2Ra8vy0L2wjWmIE94m5MKALmpgOEETAv5q0oATNs84I37OcMftgG8kIPMkgHdswfjLYq3h6VZWB4k7sOYcZpOC8UvrikZjboFNphNJaIRAnIB4/F5XCO+kZgtvXKsRrdt/VZR/bCQzXhogtCG5KRfR4v4G52bWQ7jZti0Pc29eA+u0YQzo+TezHjUniWYHRFmkdvG+A+qDEB5YfzN6U4ReG5SP/EkmX1NOF7XmT9+CMcKaPtPJU8WdelT5udzf/S3TUSj7AJgevMQi3IYxufkCkdnUaBXisW93klwlE5LgPl/lPIPX5bhzE2K6bCIX3c93vJQUWMYWhNWDAZ3BYMEPbwfRmbMh0Nq0o2IdJjXOUhpmLDD1T4QuUYGshSD6VB5stfeFd7/cjSQFWgpUxgwLCNG1v46s3Ou0nRhiDtpb8CNvrVOdFKhefuDijVXufKoipbPtZNuQPfCSK4q6s/AP4qO6lD4OzC8tkmbYz/mZlofHNTvVKhAwF2OcFAxGrM3ik8iXvtXd
C+7pUkjQ8ZJuU+nsoOON7MxSXWb3oawgGy5EiDLdKd6Rxju5CiiMYoc9v0Ybx6aCo7LWLzHwoaoqnq0a43X1RPPRtuOyCfZbKh5O7QLvAAImlb9fUR976iFvow9T1LxoZJT7Ugc3cusSaO67+Bi+PpGNNY2obluIlnMHF/aS8J/wvUcxxstZ02ay+2fWHIDAyoO/aXhL57Q5MoaP14bBKEz6VaooUIBxs3SCJe7oNC7lsWlNNmMM+Bn1/6kgNh2TRR3uqEKS4G7awCbyM1TnosKbtZJ1sk1nUkPHuOrDJVbXqgXPRY76t7+me73Wuta6FegOZscq9P+BxeKFS3eQ7GJZuC,iv:jwxuHubgJElX8jAq3vz1J3qUyDFBeBq9y/FW4Q+HC5U=,tag:uTwTU7RVYy2pHMMNw80uzw==,type:str] 21 + os: 22 + crt: ENC[AES256_GCM,data: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,iv:oPgPUgSuPwZE7u+1BxsiaQK/cdETy6kFSGejKdtjvls=,tag:6vr+qRIbHkCZnczIgLjUnQ==,type:str] 23 + key: ENC[AES256_GCM,data:BFndLOEMoO5p4K2rW5JERPQYTdkQjpH5FiFpRV5xwatqvICek08dUCeM0Xgew0hhr78Hn7SfEneiqnya2V8FzDkrQD+r0mxgvQXcMzX8flJAvn2Da1TocAKNWYzmp7sUQMI5MflS9Jmax1H6m/lRlkvoilaLt97cWYx5VyqEEXs6Ul15JSnhTwevq404rWCthHUqlBrGuPAz7/0tTPTpKqO6tKR9EcoiZSqsywCL9oT3P8J2,iv:BesIaGsYoQqEuwZJUHnYDH13dTwMGBD8nnKD3+E5eWE=,tag:IYmJ/ISr/8wLkmRElEucJw==,type:str] 24 + sops: 25 + kms: [] 26 + gcp_kms: [] 27 + azure_kv: [] 28 + hc_vault: [] 29 + age: 30 + - recipient: age13xy8slkuaz408wh5s0jgd40a8kqtj6gfnr657xxqku6vm0r0qpjqymtkmz 31 + enc: | 32 + -----BEGIN AGE ENCRYPTED FILE----- 33 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzMzZjay9Fa3QvUEhWTkJR 34 + U2tScThGNTNEZHhZK05kMkhRRThLVVNDcFZNCjFtbTRuSTJDUzdNSE91VlU1MXhG 35 + LzJkbWxvZWNFMm9WaWtUT1VTbWRvSTQKLS0tIERTN1krMk9LVlpTZGFPVm5PSkpk 36 + a3lNZ3FxQ3hBTWRZemNyNW5QMER0a28KA9eTZgqfYR+uf6yQoSSZ9xYgO06kvFUc 37 + NvUIMVbvufxQRxIDAVDOopqPvDfD8fD1Box9sddcpiWeEKrkLsqQug== 38 + -----END AGE ENCRYPTED FILE----- 39 + lastmodified: "2024-07-12T04:18:17Z" 40 + mac: ENC[AES256_GCM,data:0WYsE5B4lenYFD5v3tmXCfFnIjNuhaQ7ooqxg3UJg0hl8FrnOIJ2l8I7evVdO2k2uvd3uq7o20v5JZQPe+lf9ovEE5iE3RsK8FMBreq+Cd9DuDDo87Q1ODhlMXXZ83RuZux9lJaKHbmhD53dPCwbnBf2ATfzcwJXBkkNSWuoS7s=,iv:CDtnSScEZ1t8HJD8W9qxL8jY68giDKbktEv/VfOTnso=,tag:14uuvuG1UeIN8NgkFObSkw==,type:str] 41 + pgp: [] 42 + unencrypted_suffix: _unencrypted 43 + version: 3.9.0