feat: start with talos

2025-05-06 00:56:54 +02:00 · 2025-05-06 00:56:54 +02:00 · ace89ded66
commit ace89ded66
7 changed files with 175 additions and 0 deletions
--- a/README.md
+++ b/README.md
--- a/talos/.sops.yaml
+++ b/talos/.sops.yaml
@ -0,0 +1,4 @@
 ---
 creation_rules:
  - age: >-
      age1yqc8cmp2x5w4n7w4y7375wt7j6cudm0czan6x3yt2l442hmufqzsrf20ud
--- a/talos/README.md
+++ b/talos/README.md
@ -0,0 +1,60 @@
 Change into the directory `$HOME/Documents/home-cluster/talos`
 # Required packages
 ```bash
 brew install talosctl talhelper sops age
 ```
 ## Helpful vscode extension
 ```bash
 vscode extension @signageos/vscode-sops
 ```
 # Configure sops and age
 ```bash
 # When decrypting a file with the corresponding identity, SOPS will look for a text 
 # file named keys.txt located in a sops subdirectory of your user configuration directory.
 mkdir -p $HOME/Library/Application\ Support/sops/age
 # Generate the key pair
 age-keygen -o  $HOME/Library/Application\ Support/sops/age/keys.txt
 ```
 # talhelper
 ## Encryption setup
 Create and copy the following content into your `.sops.yaml`. Replace `YOUR_PULBIC_AGE_KEY` with the public key that you can find in your previously genereted keys.txt.
 > [!NOTE]
 > Do not change the indentation!
 ```yaml
 ---
 creation_rules:
  - age: >-
      YOUR_PULBIC_AGE_KEY
 ```
 ## talos secret
 Generate and encrypt your new talos secret.
 ```bash
 talhelper gensecret > talsecret.sops.yaml
 sops -e -i talsecret.sops.yaml
 ```
 > [!CAUTION]
 > Do not update or change `talsecret.sops.yaml`.
 ## talhelper environment vars
 Create and encrypt the talenv.yaml to store sensitive data used during `talhelper genconfig`
 ```bash
 vi talenv.yaml
 sops -e -i talenv.yaml
 ```
 ## talhelper genconfig
 The command `talhelper genconfig` will create a `.gitignore`, `talosconfig` and `CLUSTERNAME_HOSTNAMEs.yaml` under clusterconfig. 
 > [!CAUTION]
 > The `.gitignore` contains all genereted files from `talhelper genconfig` because those files contain unencrypted secrets.
--- a/talos/clusterconfig/.gitignore
+++ b/talos/clusterconfig/.gitignore
@ -0,0 +1,2 @@
 home-cluster-talos-01.yaml
 talosconfig
--- a/talos/talconfig.yaml
+++ b/talos/talconfig.yaml
@ -0,0 +1,55 @@
 clusterName: home-cluster
 talosVersion: 1.10.0
 kubernetesVersion: 1.33.0
 endpoint: https://10.10.10.4:6443
 domain: ${myDomainName}
 additionalMachineCertSans:
  - 10.10.10.3
 additionalApiServerCertSans:
  - 10.10.10.3
 nodes:
  # control plane nodes
  - hostname: talos-01
    controlPlane: true
    ipAddress: 10.10.10.3
    networkInterfaces:
      - interface: eno1
        addresses:
          - 10.10.10.3/24
        routes:
          - network: 0.0.0.0/0
            gateway: 10.10.10.1
        dhcp: false
    nameservers:
      - 10.10.10.1
    installDisk: /dev/nvme0n1
    time:
      servers:
        - 10.10.10.1
    userVolumes:
      - name: local-storage
        provisioning:
          diskSelector:
            match: disk.transport == "nvme"
          maxSize: 500GiB
        filesystem:
          type: xfs
    machineSpec:
      mode: metal
      arch: amd64
    nodeAnnotations:
      installerImage: '{{ .MachineConfig.MachineInstall.InstallImage }}'
 patches:
  - |-
    cluster:
      network:
        cni:
          name: none
      proxy:
        disabled: true
      allowSchedulingOnControlPlanes: true
--- a/talos/talenv.yaml
+++ b/talos/talenv.yaml
@ -0,0 +1,16 @@
 myDomainName: ENC[AES256_GCM,data:L0VE7SjZvwp/XjKnz2METyKvrw==,iv:VuyScOczqO9To6lb9+ses+twAs3kjbXOMt3o9taHJsU=,tag:w+Z2Sv4ePCaxFlDBn8cGSA==,type:str]
 sops:
    age:
        - recipient: age1yqc8cmp2x5w4n7w4y7375wt7j6cudm0czan6x3yt2l442hmufqzsrf20ud
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSTB6TjNNQ1BIQm1sZVNn
            aXJCZ3hnSnF5ZE9pcWMyRG5EK3ZPZ1lUSDFZCllPWmNzUGZzRjkzRkQrckZrL0pG
            WktrQWZlV1F4ejh5QmVIRjg4akNLR0UKLS0tIDA4Yi9rMFI5N3M1R1d1Ym1iQzli
            WUdzaSttVUN0QmhmdGVxaDVSV1FBbmcKz6D+BNy9KidIDfe4lwC4INx++z96P1PV
            TRidxe+Ug78lgzU5twdZTT5udXuvfZ8dJ0Z22NqzykUZbb/Nuj3SQA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-05-05T22:27:33Z"
    mac: ENC[AES256_GCM,data:KDcfQWYZ/RdUgTX2+30Ey+RQRbX+YG1btJR5jZgd7ueD8GtGtFNXK0GseCKMdbc96vhCqZ7+8UQWX/xymltEKcwZfuOWtoRCr45ZG15A99nazj065BTtOE8SDLd3naEHilgUU00pLKt9YjhOUx7w7lKvxmB+2Ov///iHJzTGMSI=,iv:GK1/DffoRua5DhzSwXrpZlLv3b0V/MY9XoVEHFvrWC0=,tag:qQrO88jeEkTHg36Okzd4zA==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/talos/talsecret.sops.yaml
+++ b/talos/talsecret.sops.yaml