feat: start with talos

2025-05-06 00:56:54 +02:00 · 2025-05-06 00:56:54 +02:00 · ace89ded66
commit ace89ded66
7 changed files with 175 additions and 0 deletions
--- a/README.md
+++ b/README.md
--- a/talos/.sops.yaml
+++ b/talos/.sops.yaml
@ -0,0 +1,4 @@
+---
+creation_rules:
+  - age: >-
+      age1yqc8cmp2x5w4n7w4y7375wt7j6cudm0czan6x3yt2l442hmufqzsrf20ud
--- a/talos/README.md
+++ b/talos/README.md
@ -0,0 +1,60 @@
+Change into the directory `$HOME/Documents/home-cluster/talos`
+
+# Required packages
+```bash
+brew install talosctl talhelper sops age
+```
+## Helpful vscode extension
+```bash
+vscode extension @signageos/vscode-sops
+```
+
+# Configure sops and age
+```bash
+# When decrypting a file with the corresponding identity, SOPS will look for a text 
+# file named keys.txt located in a sops subdirectory of your user configuration directory.
+mkdir -p $HOME/Library/Application\ Support/sops/age
+
+# Generate the key pair
+age-keygen -o  $HOME/Library/Application\ Support/sops/age/keys.txt
+```
+
+# talhelper
+## Encryption setup
+Create and copy the following content into your `.sops.yaml`. Replace `YOUR_PULBIC_AGE_KEY` with the public key that you can find in your previously genereted keys.txt.
+
+> [!NOTE]
+> Do not change the indentation!
+
+```yaml
+---
+creation_rules:
+  - age: >-
+      YOUR_PULBIC_AGE_KEY
+```
+
+## talos secret
+Generate and encrypt your new talos secret.
+```bash
+talhelper gensecret > talsecret.sops.yaml
+
+sops -e -i talsecret.sops.yaml
+```
+
+> [!CAUTION]
+> Do not update or change `talsecret.sops.yaml`.
+
+## talhelper environment vars
+Create and encrypt the talenv.yaml to store sensitive data used during `talhelper genconfig`
+```bash
+vi talenv.yaml
+
+sops -e -i talenv.yaml
+```
+
+## talhelper genconfig
+The command `talhelper genconfig` will create a `.gitignore`, `talosconfig` and `CLUSTERNAME_HOSTNAMEs.yaml` under clusterconfig. 
+
+> [!CAUTION]
+> The `.gitignore` contains all genereted files from `talhelper genconfig` because those files contain unencrypted secrets.
+
--- a/talos/clusterconfig/.gitignore
+++ b/talos/clusterconfig/.gitignore
@ -0,0 +1,2 @@
+home-cluster-talos-01.yaml
+talosconfig
--- a/talos/talconfig.yaml
+++ b/talos/talconfig.yaml
@ -0,0 +1,55 @@
+clusterName: home-cluster
+
+talosVersion: 1.10.0
+kubernetesVersion: 1.33.0
+
+endpoint: https://10.10.10.4:6443
+domain: ${myDomainName}
+
+additionalMachineCertSans:
+  - 10.10.10.3
+additionalApiServerCertSans:
+  - 10.10.10.3
+
+nodes:
+  # control plane nodes
+  - hostname: talos-01
+    controlPlane: true
+    ipAddress: 10.10.10.3
+    networkInterfaces:
+      - interface: eno1
+        addresses:
+          - 10.10.10.3/24
+        routes:
+          - network: 0.0.0.0/0
+            gateway: 10.10.10.1
+        dhcp: false
+    nameservers:
+      - 10.10.10.1
+    installDisk: /dev/nvme0n1
+    time:
+      servers:
+        - 10.10.10.1
+    userVolumes:
+      - name: local-storage
+        provisioning:
+          diskSelector:
+            match: disk.transport == "nvme"
+          maxSize: 500GiB
+        filesystem:
+          type: xfs
+    machineSpec:
+      mode: metal
+      arch: amd64
+    nodeAnnotations:
+      installerImage: '{{ .MachineConfig.MachineInstall.InstallImage }}'
+
+patches:
+  - |-
+    cluster:
+      network:
+        cni:
+          name: none
+      proxy:
+        disabled: true
+      allowSchedulingOnControlPlanes: true
--- a/talos/talenv.yaml
+++ b/talos/talenv.yaml
@ -0,0 +1,16 @@
+myDomainName: ENC[AES256_GCM,data:L0VE7SjZvwp/XjKnz2METyKvrw==,iv:VuyScOczqO9To6lb9+ses+twAs3kjbXOMt3o9taHJsU=,tag:w+Z2Sv4ePCaxFlDBn8cGSA==,type:str]
+sops:
+    age:
+        - recipient: age1yqc8cmp2x5w4n7w4y7375wt7j6cudm0czan6x3yt2l442hmufqzsrf20ud
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSTB6TjNNQ1BIQm1sZVNn
+            aXJCZ3hnSnF5ZE9pcWMyRG5EK3ZPZ1lUSDFZCllPWmNzUGZzRjkzRkQrckZrL0pG
+            WktrQWZlV1F4ejh5QmVIRjg4akNLR0UKLS0tIDA4Yi9rMFI5N3M1R1d1Ym1iQzli
+            WUdzaSttVUN0QmhmdGVxaDVSV1FBbmcKz6D+BNy9KidIDfe4lwC4INx++z96P1PV
+            TRidxe+Ug78lgzU5twdZTT5udXuvfZ8dJ0Z22NqzykUZbb/Nuj3SQA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-05T22:27:33Z"
+    mac: ENC[AES256_GCM,data:KDcfQWYZ/RdUgTX2+30Ey+RQRbX+YG1btJR5jZgd7ueD8GtGtFNXK0GseCKMdbc96vhCqZ7+8UQWX/xymltEKcwZfuOWtoRCr45ZG15A99nazj065BTtOE8SDLd3naEHilgUU00pLKt9YjhOUx7w7lKvxmB+2Ov///iHJzTGMSI=,iv:GK1/DffoRua5DhzSwXrpZlLv3b0V/MY9XoVEHFvrWC0=,tag:qQrO88jeEkTHg36Okzd4zA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.2
--- a/talos/talsecret.sops.yaml
+++ b/talos/talsecret.sops.yaml