chore: add media section with YouTube video link

Added a section for media with a YouTube video link.

.devcontainer/devcontainer.json

@@ -1,48 +0,0 @@
-{
-  "name": "Home Ops",
-  "image": "mcr.microsoft.com/devcontainers/base:bullseye",
-  "containerEnv": {
-    "KUBECONFIG": "${containerWorkspaceFolder}/kubeconfig",
-    "SOPS_AGE_KEY_FILE": "${containerWorkspaceFolder}/age.key"
-  },
-  "postCreateCommand": {
-    "deps": "task deps"
-  },
-  "features": {
-    "ghcr.io/devcontainers/features/common-utils:2": {
-      "configureZshAsDefaultShell": true
-    },
-    "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {
-      "minikube": "none"
-    },
-    "ghcr.io/devcontainers/features/python:1": {
-      "version": "3.10.13"
-    },
-    "ghcr.io/devcontainers-contrib/features/age:1": {},
-    "ghcr.io/devcontainers-contrib/features/cloudflared:1": {},
-    "ghcr.io/devcontainers-contrib/features/go-task:1": {},
-    "ghcr.io/devcontainers-contrib/features/direnv:1": {},
-    "ghcr.io/devcontainers-contrib/features/sops:1": {},
-    "ghcr.io/audacioustux/devcontainers/cilium:1": {},
-    "ghcr.io/dhoeric/features/stern:1": {},
-    "ghcr.io/eitsupi/devcontainer-features/jq-likes:2": {},
-    "ghcr.io/jsburckhardt/devcontainer-features/flux:1": {},
-    "ghcr.io/rio/features/kustomize:1": {}
-  },
-  "customizations": {
-    "vscode": {
-      "settings": {
-        "terminal.integrated.profiles.linux": {
-          "bash": {
-            "path": "/bin/zsh"
-          }
-        },
-        "terminal.integrated.defaultProfile.linux": "zsh"
-      },
-      "extensions": [
-        "redhat.ansible",
-        "redhat.vscode-yaml"
-      ]
-    }
-  }
-}

.editorconfig

@@ -1,4 +1,5 @@
-# editorconfig.org
+; https://editorconfig.org/
+
 root = true
 
 [*]
@@ -9,10 +10,13 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[Makefile]
-indent_style = space
+[*.cue]
+indent_style = tab
 indent_size = 4
 
-[*.{bash,sh}]
-indent_style = space
+[*.md]
+indent_size = 4
+trim_trailing_whitespace = false
+
+[*.sh]
 indent_size = 4

.envrc

@@ -1,10 +0,0 @@
-#shellcheck disable=SC2148,SC2155
-export KUBECONFIG="$(expand_path ./kubeconfig)"
-export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
-# ansible
-PATH_add "$(expand_path ./.venv/bin)"
-export VIRTUAL_ENV="$(expand_path ./.venv)"
-export ANSIBLE_COLLECTIONS_PATH=$(expand_path ./.venv/galaxy)
-export ANSIBLE_ROLES_PATH=$(expand_path ./.venv/galaxy/ansible_roles)
-export ANSIBLE_VARS_ENABLED="host_group_vars,community.sops.sops"
-export K8S_AUTH_KUBECONFIG="$(expand_path ./kubeconfig)"

.gitattributes

@@ -1,4 +1,10 @@
 * text=auto eol=lf
-*.yaml.j2 linguist-language=YAML
-*.sops.* diff=sopsdiffer
-*.sops.toml linguist-language=JSON
+*.env linguist-detectable linguist-language=SHELL
+*.json linguist-detectable linguist-language=JSON
+*.json5 linguist-detectable linguist-language=JSON5
+*.md linguist-detectable linguist-language=MARKDOWN
+*.sh linguist-detectable linguist-language=SHELL
+*.toml linguist-detectable linguist-language=TOML
+*.yml linguist-detectable linguist-language=YAML
+*.yaml linguist-detectable linguist-language=YAML
+*.yaml.j2 linguist-detectable linguist-language=YAML

.github/labeler.yaml

@@ -1,27 +1,43 @@
 ---
-area/addons:
-  - changed-files:
-      - any-glob-to-any-file: bootstrap/templates/addons/**/*
-      - any-glob-to-any-file: bootstrap/tasks/addons/**/*
-      - any-glob-to-any-file: bootstrap/vars/addons.sample.yaml
-area/ansible:
-  - changed-files:
-      - any-glob-to-any-file: ansible/**/*
-      - any-glob-to-any-file: bootstrap/templates/ansible/**/*
-      - any-glob-to-any-file: bootstrap/tasks/ansible/**/*
 area/bootstrap:
   - changed-files:
-      - any-glob-to-any-file: bootstrap/**/*
-      - any-glob-to-any-file: bootstrap/configure.yaml
+      - any-glob-to-any-file:
+          - bootstrap/**/*
+area/docs:
+  - changed-files:
+      - any-glob-to-any-file:
+          - README.md
 area/github:
   - changed-files:
-      - any-glob-to-any-file: .github/**/*
+      - any-glob-to-any-file:
+          - .github/**/*
 area/kubernetes:
   - changed-files:
-      - any-glob-to-any-file: kubernetes/**/*
-      - any-glob-to-any-file: bootstrap/templates/kubernetes/**/*
-      - any-glob-to-any-file: bootstrap/tasks/kubernetes/**/*
+      - any-glob-to-any-file:
+          - kubernetes/**/*
+area/mise:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .mise.toml
+area/renovate:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .renovate/**/*
+          - .renovaterc.json5
+area/scripts:
+  - changed-files:
+      - any-glob-to-any-file:
+          - scripts/**/*
+area/talos:
+  - changed-files:
+      - any-glob-to-any-file:
+          - talos/**/*
 area/taskfile:
   - changed-files:
-      - any-glob-to-any-file: .taskfiles/**/*
-      - any-glob-to-any-file: Taskfile*
+      - any-glob-to-any-file:
+          - .taskfiles/**/*
+          - Taskfile.yaml
+area/templates:
+  - changed-files:
+      - any-glob-to-any-file:
+          - templates/**/*

.github/labels.yaml

@@ -1,37 +1,47 @@
 ---
-# Area
-- name: area/addons
-  color: "0e8a16"
-- name: area/ansible
-  color: "0e8a16"
+# Areas
 - name: area/bootstrap
   color: "0e8a16"
+- name: area/docs
+  color: "0e8a16"
 - name: area/github
   color: "0e8a16"
 - name: area/kubernetes
   color: "0e8a16"
+- name: area/mise
+  color: "0e8a16"
+- name: area/renovate
+  color: "0e8a16"
+- name: area/scripts
+  color: "0e8a16"
+- name: area/talos
+  color: "0e8a16"
+- name: area/templates
+  color: "0e8a16"
 - name: area/taskfile
   color: "0e8a16"
-# Renovate
-- name: renovate/ansible
-  color: "027fa0"
+# Renovate Types
 - name: renovate/container
   color: "027fa0"
 - name: renovate/github-action
   color: "027fa0"
+- name: renovate/grafana-dashboard
+  color: "027fa0"
 - name: renovate/github-release
   color: "027fa0"
 - name: renovate/helm
   color: "027fa0"
-# Semantic Type
+# Semantic Types
+- name: type/digest
+  color: "ffeC19"
 - name: type/patch
-  color: "ffec19"
+  color: "ffeC19"
 - name: type/minor
   color: "ff9800"
 - name: type/major
   color: "f6412d"
-- name: type/break
-  color: "f6412d"
 # Uncategorized
-- name: hold/upstream
+- name: community
+  color: "370fb2"
+- name: hold
   color: "ee0701"

.github/release.yaml

@@ -1,4 +1,5 @@
 changelog:
   exclude:
     authors:
+      - github-actions
       - renovate

.github/renovate.json5

@@ -1,243 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "config:base",
-    "docker:enableMajor",
-    ":disableRateLimiting",
-    ":dependencyDashboard",
-    ":semanticCommits",
-    ":automergeBranch"
-  ],
-  "dependencyDashboard": true,
-  "dependencyDashboardTitle": "Renovate Dashboard 🤖",
-  "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
-  "rebaseWhen": "conflicted",
-  "schedule": ["on saturday"],
-  "flux": {
-    "fileMatch": [
-      "(^|/)addons/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-      "(^|/)ansible/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-      "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?(\\.j2)?$"
-    ]
-  },
-  "helm-values": {
-    "fileMatch": [
-      "(^|/)addons/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-      "(^|/)ansible/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-      "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?(\\.j2)?$"
-    ]
-  },
-  "kubernetes": {
-    "fileMatch": [
-      "(^|/)addons/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-      "(^|/)ansible/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-      "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?(\\.j2)?$"
-    ]
-  },
-  "kustomize": {
-    "fileMatch": [
-      "(^|/)kustomization\\.ya?ml(\\.j2)?$"
-    ]
-  },
-  // commit message topics
-  "commitMessageTopic": "{{depName}}",
-  "commitMessageExtra": "to {{newVersion}}",
-  "commitMessageSuffix": "",
-  // package rules
-  "packageRules": [
-    // automerge
-    {
-      "description": "Auto merge Github Actions",
-      "matchManagers": ["github-actions"],
-      "automerge": true,
-      "automergeType": "branch",
-      "ignoreTests": true,
-      "matchUpdateTypes": ["minor", "patch"]
-    },
-    // groups
-    {
-      "description": "Flux Group",
-      "groupName": "Flux",
-      "matchPackagePatterns": ["flux"],
-      "matchDatasources": ["docker", "github-tags"],
-      "versioning": "semver",
-      "group": {
-        "commitMessageTopic": "{{{groupName}}} group"
-      },
-      "separateMinorPatch": true
-    },
-    {
-      "description": "System Upgrade Controller Group",
-      "groupName": "System Upgrade Controller",
-      "matchPackagePatterns": ["rancher/system-upgrade-controller"],
-      "matchDatasources": ["docker", "github-releases"],
-      "group": {
-        "commitMessageTopic": "{{{groupName}}} group"
-      },
-      "separateMinorPatch": true
-    },
-    // custom versioning
-    {
-      "description": "Use custom versioning for k3s",
-      "matchDatasources": ["github-releases"],
-      "versioning": "regex:^v(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)(?<compatibility>\\+k3s)(?<build>\\d+)$",
-      "matchPackagePatterns": ["k3s"]
-    },
-    // commit message topics
-    {
-      "matchDatasources": ["helm"],
-      "commitMessageTopic": "chart {{depName}}"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "commitMessageTopic": "image {{depName}}"
-    },
-    // commit messages
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(container)!: "
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "container"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "container"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["digest"],
-      "semanticCommitType": "chore",
-      "semanticCommitScope": "container"
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(helm)!: "
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "helm"
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "helm"
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(ansible)!: "
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "ansible"
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "ansible"
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(github-release)!: "
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "github-release"
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "github-release"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(github-action)!: "
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "github-action"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "github-action"
-    },
-    // labels
-    {
-      "matchUpdateTypes": ["major"],
-      "labels": ["type/major"]
-    },
-    {
-      "matchUpdateTypes": ["minor"],
-      "labels": ["type/minor"]
-    },
-    {
-      "matchUpdateTypes": ["patch"],
-      "labels": ["type/patch"]
-    },
-    {
-      "matchDatasources": ["docker"],
-      "addLabels": ["renovate/container"]
-    },
-    {
-      "matchDatasources": ["helm"],
-      "addLabels": ["renovate/helm"]
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "addLabels": ["renovate/ansible"]
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "addLabels": ["renovate/github-release"]
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "addLabels": ["renovate/github-action"]
-    }
-  ],
-  // custom managers
-  "customManagers": [
-    {
-      "customType": "regex",
-      "description": "Process various other dependencies",
-      "fileMatch": [
-        "(^|/)addons/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-        "(^|/)ansible/.+\\.ya?ml(\\.j2)?(\\.j2)?$",
-        "(^|/)kubernetes/.+\\.ya?ml(\\.j2)?(\\.j2)?$"
-      ],
-      "matchStrings": [
-        // Example: `k3s_release_version: "v1.27.3+k3s1"`
-        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( versioning=(?<versioning>\\S+))?\n.*?\"(?<currentValue>.*)\"\n",
-        // Example: `- https://github.com/rancher/system-upgrade-controller/releases/download/v0.11.0/crd.yaml`
-        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( versioning=(?<versioning>\\S+))?\n.*?-\\s(.*?)\/(?<currentValue>[^/]+)\/[^/]+\n",
-        // Example: apiVersion=helm.cattle.io/v1 kind=HelmChart
-        "datasource=(?<datasource>\\S+)\n.*?repo: (?<registryUrl>\\S+)\n.*?chart: (?<depName>\\S+)\n.*?version: (?<currentValue>\\S+)\n"
-      ],
-      "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
-      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
-    }
-  ]
-}

.github/tests/nodes.yaml

@@ -0,0 +1,19 @@
+nodes:
+  - name: k8s-0
+    address: 10.10.10.100
+    controller: true
+    disk: /dev/sdfake
+    mac_addr: 00:00:00:00:00:00
+    schematic_id: "376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"
+  - name: k8s-1
+    address: 10.10.10.101
+    controller: false
+    disk: /dev/sdfake
+    mac_addr: 00:00:00:00:00:01
+    schematic_id: "376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"
+    mtu: 1500
+    secureboot: true
+    encrypt_disk: true
+    kernel_modules:
+      - nvidia
+      - nvidia_uvm

.github/tests/private.yaml

@@ -0,0 +1,22 @@
+---
+node_cidr: "10.10.10.0/24"
+# node_default_gateway: ""
+# node_vlan_tag:
+# cluster_pod_cidr: ""
+# cluster_svc_cidr: ""
+# node_dns_servers: []
+# node_ntp_servers: []
+cluster_api_addr: "10.10.10.254"
+# cluster_api_tls_sans: []
+cluster_gateway_addr: "10.10.10.252"
+cluster_dns_gateway_addr: "10.10.10.253"
+repository_name: "onedr0p/cluster-template"
+# repository_branch: ""
+repository_visibility: "private"
+cloudflare_domain: "example.com"
+cloudflare_token: "fake"
+cloudflare_gateway_addr: "10.10.10.251"
+# cilium_bgp_router_addr: ""
+# cilium_bgp_router_asn: ""
+# cilium_bgp_node_asn: ""
+# cilium_loadbalancer_mode: ""

.github/tests/public.yaml

@@ -0,0 +1,22 @@
+---
+node_cidr: "10.10.10.0/24"
+node_default_gateway: "10.10.10.1"
+node_vlan_tag: "100"
+cluster_pod_cidr: "10.42.0.0/16"
+cluster_svc_cidr: "10.43.0.0/16"
+node_dns_servers: ["1.1.1.1"]
+node_ntp_servers: ["162.159.200.123"]
+cluster_api_addr: "10.10.10.254"
+cluster_api_tls_sans: ["example.com"]
+cluster_gateway_addr: "10.10.10.252"
+cluster_dns_gateway_addr: "10.10.10.253"
+repository_name: "onedr0p/cluster-template"
+repository_branch: "main"
+repository_visibility: "public"
+cloudflare_domain: "example.com"
+cloudflare_token: "fake"
+cloudflare_gateway_addr: "10.10.10.251"
+cilium_loadbalancer_mode: "dsr"
+cilium_bgp_router_addr: "10.10.1.1"
+cilium_bgp_router_asn: "64513"
+cilium_bgp_node_asn: "64514"

.github/workflows/e2e.yaml

@@ -0,0 +1,71 @@
+---
+name: "e2e"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: ["main"]
+    paths-ignore:
+      - kubernetes/**
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  configure:
+    if: ${{ github.repository == 'onedr0p/cluster-template' }}
+    name: configure
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        config-files:
+          - public
+          - private
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup mise
+        uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          cache: false
+
+      - name: Run init task
+        run: task init
+
+      - name: Prepare files
+        run: |
+          cp ./.github/tests/${{ matrix.config-files }}.yaml cluster.yaml
+          cp ./.github/tests/nodes.yaml nodes.yaml
+          echo '{"AccountTag":"fake","TunnelSecret":"fake","TunnelID":"fake"}' > cloudflare-tunnel.json
+          touch kubeconfig
+
+      - name: Run configure task
+        run: task configure --yes
+
+      - name: Run generate talconfig task
+        run: |
+          FILENAME=talos/talsecret.sops.yaml
+          talhelper gensecret | sops --filename-override $FILENAME --encrypt /dev/stdin > $FILENAME
+          task talos:generate-config
+
+      - name: Run flux-local test
+        uses: docker://ghcr.io/allenporter/flux-local:v8.1.0@sha256:37c3c4309a351830b04f93c323adfcb0e28c368001818cd819cbce3e08828261
+        with:
+          args: test --enable-helm --all-namespaces --path /github/workspace/kubernetes/flux/cluster -v
+
+      - name: Dry run bootstrap talos task
+        run: task bootstrap:talos --dry
+
+      - name: Dry run bootstrap apps task
+        run: task bootstrap:apps --dry
+
+      - name: Run reset task
+        run: task template:reset --yes
+
+      - name: Run cleanup task
+        run: task template:tidy --yes

.github/workflows/flux-diff.yaml

@@ -1,67 +0,0 @@
----
-name: "Flux Diff"
-
-on:
-  pull_request:
-    branches: ["main"]
-    paths: ["kubernetes/**"]
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
-  cancel-in-progress: true
-
-jobs:
-  flux-diff:
-    name: Flux Diff
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-    strategy:
-      matrix:
-        paths: ["kubernetes"]
-        resources: ["helmrelease", "kustomization"]
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          path: pull
-
-      - name: Checkout Default Branch
-        uses: actions/checkout@v4
-        with:
-          ref: "${{ github.event.repository.default_branch }}"
-          path: default
-
-      - name: Diff Resources
-        uses: docker://ghcr.io/allenporter/flux-local:main
-        with:
-          args: >-
-            diff ${{ matrix.resources }}
-            --unified 6
-            --path /github/workspace/pull/${{ matrix.paths }}
-            --path-orig /github/workspace/default/${{ matrix.paths }}
-            --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart"
-            --limit-bytes 10000
-            --all-namespaces
-            --sources "home-kubernetes"
-            --output-file diff.patch
-
-      - name: Generate Diff
-        id: diff
-        run: |
-          cat diff.patch
-          echo "diff<<EOF" >> $GITHUB_OUTPUT
-          cat diff.patch >> $GITHUB_OUTPUT
-          echo "EOF" >> $GITHUB_OUTPUT
-
-      - if: ${{ steps.diff.outputs.diff != '' }}
-        name: Add comment
-        uses: mshick/add-pr-comment@v2
-        with:
-          message-id: "${{ github.event.pull_request.number }}/${{ matrix.paths }}/${{ matrix.resources }}"
-          message-failure: Diff was not successful
-          message: |
-            ```diff
-            ${{ steps.diff.outputs.diff }}
-            ```

.github/workflows/flux-local.yaml

@@ -0,0 +1,121 @@
+---
+name: "Flux Local"
+
+on:
+  pull_request:
+    branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pre-job:
+    name: Flux Local Pre-Job
+    runs-on: ubuntu-latest
+    outputs:
+      any_changed: ${{ steps.changed-files.outputs.any_changed }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Get Changed Files
+        id: changed-files
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        with:
+          files: kubernetes/**
+
+  test:
+    name: Flux Local Test
+    needs: pre-job
+    runs-on: ubuntu-latest
+    if: ${{ needs.pre-job.outputs.any_changed == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Run flux-local test
+        uses: docker://ghcr.io/allenporter/flux-local:v8.1.0
+        with:
+          args: test --enable-helm --all-namespaces --path /github/workspace/kubernetes/flux/cluster -v
+
+  diff:
+    name: Flux Local Diff
+    needs: pre-job
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    strategy:
+      matrix:
+        resources: ["helmrelease", "kustomization"]
+      max-parallel: 4
+      fail-fast: false
+    if: ${{ needs.pre-job.outputs.any_changed == 'true' }}
+    steps:
+      - name: Checkout Pull Request Branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: pull
+
+      - name: Checkout Default Branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: "${{ github.event.repository.default_branch }}"
+          path: default
+
+      - name: Run flux-local diff
+        uses: docker://ghcr.io/allenporter/flux-local:v8.1.0
+        with:
+          args: >-
+            diff ${{ matrix.resources }}
+            --unified 6
+            --path /github/workspace/pull/kubernetes/flux/cluster
+            --path-orig /github/workspace/default/kubernetes/flux/cluster
+            --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart"
+            --limit-bytes 10000
+            --all-namespaces
+            --sources "flux-system"
+            --output-file diff.patch
+
+      - name: Generate Diff
+        id: diff
+        run: |
+          cat diff.patch;
+          {
+              echo 'diff<<EOF'
+              cat diff.patch
+              echo EOF
+          } >> "$GITHUB_OUTPUT";
+          {
+              echo "### Diff"
+              echo '```diff'
+              cat diff.patch
+              echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Add Comment
+        if: ${{ steps.diff.outputs.diff != '' }}
+        continue-on-error: true
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
+        with:
+          message-id: "${{ github.event.pull_request.number }}/kubernetes/${{ matrix.resources }}"
+          message-failure: Diff was not successful
+          message: |
+            ```diff
+            ${{ steps.diff.outputs.diff }}
+            ```
+
+  flux-local-status:
+    name: Flux Local Success
+    needs: ["test", "diff"]
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    steps:
+      - name: Any jobs failed?
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1
+
+      - name: All jobs passed or skipped?
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"

.github/workflows/label-sync.yaml

@@ -11,12 +11,15 @@ jobs:
   label-sync:
     name: Label Sync
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Sync Labels
-        uses: EndBug/label-sync@v2
+        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
         with:
           config-file: .github/labels.yaml
           delete-other-labels: true

.github/workflows/labeler.yaml

@@ -13,8 +13,9 @@ jobs:
     permissions:
       contents: read
       pull-requests: write
+      issues: write
     steps:
       - name: Labeler
-        uses: actions/labeler@v5
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           configuration-path: .github/labeler.yaml

.github/workflows/lychee.yaml

@@ -1,66 +0,0 @@
----
-name: "Lychee"
-
-on:
-  workflow_dispatch:
-  push:
-    branches: ["main"]
-    paths: [".github/workflows/lychee.yaml"]
-  schedule:
-    - cron: "0 0 * * *"
-
-env:
-  WORKFLOW_ISSUE_TITLE: "Link Checker Dashboard 🔗"
-
-jobs:
-  lychee:
-    name: Lychee
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Homebrew
-        uses: Homebrew/actions/setup-homebrew@master
-
-      - name: Setup Workflow Tools
-        shell: bash
-        run: brew install lychee
-
-      - name: Scan For Broken Links
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          lychee --verbose --no-progress \
-              --format markdown \
-              --output results.md \
-              --exclude-all-private \
-              --exclude-mail \
-              ./**/*.md || true
-
-      - name: Print Output
-        run: cat results.md
-
-      - name: Find Link Checker Issue
-        id: find-issue
-        shell: bash
-        env:
-          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          issue_number=$( \
-              gh issue list \
-                  --search "in:title ${{ env.WORKFLOW_ISSUE_TITLE }}" \
-                  --state open \
-                  --json number \
-                  | jq --raw-output '.[0].number' \
-          )
-          echo "issue-number=${issue_number}" >> $GITHUB_OUTPUT
-          echo "${issue_number}"
-
-      - name: Update Issue
-        uses: peter-evans/create-issue-from-file@v4
-        with:
-          title: "${{ env.WORKFLOW_ISSUE_TITLE }}"
-          issue-number: "${{ steps.find-issue.outputs.issue-number || '' }}"
-          content-filepath: results.md

.github/workflows/release.yaml

@@ -4,39 +4,53 @@ name: "Release"
 on:
   workflow_dispatch:
   schedule:
-    - cron: "0 0 1 * *"
+    - cron: "0 0 1 * *" # 1st of every month at midnight
 
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - name: Get Previous Release Tag and Determine Next Tag
+        id: determine-next-tag
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          result-encoding: string
+          script: |
+            const { data: releases } = await github.rest.repos.listReleases({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              per_page: 1,
+            });
+
+            let previousTag = "0.0.0"; // Default if no previous release exists
+            if (releases.length > 0) {
+              previousTag = releases[0].tag_name;
+            }
+
+            const [previousMajor, previousMinor, previousPatch] = previousTag.split('.').map(Number);
+            const currentYear = new Date().getFullYear();
+            const currentMonth = new Date().getMonth() + 1; // Months are 0-indexed in JavaScript
+
+            const nextMajorMinor = `${currentYear}.${currentMonth}`;
+            let nextPatch;
+
+            if (`${previousMajor}.${previousMinor}` === nextMajorMinor) {
+              console.log("Month release already exists for the year. Incrementing patch number by 1.");
+              nextPatch = previousPatch + 1;
+            } else {
+              console.log("Month release does not exist for the year. Starting with patch number 0.");
+              nextPatch = 0;
+            }
+
+            return `${nextMajorMinor}.${nextPatch}`;
 
       - name: Create Release
-        shell: bash
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        run: |
-          # Retrieve previous release tag
-          previous_tag="$(gh release list --limit 1 | awk '{ print $1 }')"
-          previous_major="${previous_tag%%\.*}"
-          previous_minor="${previous_tag#*.}"
-          previous_minor="${previous_minor%.*}"
-          previous_patch="${previous_tag##*.}"
-          # Determine next release tag
-          next_major_minor="$(date +'%Y').$(date +'%-m')"
-          if [[ "${previous_major}.${previous_minor}" == "${next_major_minor}" ]]; then
-              echo "Month release already exists for year, incrementing patch number by 1"
-              next_patch="$((previous_patch + 1))"
-          else
-              echo "Month release does not exist for year, setting patch number to 0"
-              next_patch="0"
-          fi
-          # Create release
-          release_tag="${next_major_minor}.${next_patch}"
-          gh release create "${release_tag}" \
-              --repo="${GITHUB_REPOSITORY}" \
-              --title="${release_tag}" \
-              --generate-notes
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
+        with:
+          generateReleaseNotes: true
+          tag: "${{ steps.determine-next-tag.outputs.result }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"

.gitignore

@@ -1,14 +1,21 @@
-# Trash
-.DS_Store
-Thumbs.db
-# k8s
-kubeconfig
-.decrypted~*.yaml
-.config.env
-*.agekey
+# Secrets
 *.pub
 *.key
-# Ansible
-.venv*
-# Taskfile
-.tasks
+*.decrypted~*.yaml
+/age.key
+/cloudflare-tunnel.json
+/github-deploy.key
+/github-deploy.key.pub
+/github-push-token.txt
+# Template config files
+/cluster.yaml
+/nodes.yaml
+# Kubernetes
+kubeconfig
+talosconfig
+# Misc.
+.private/
+.task/
+.venv/
+.DS_Store
+Thumbs.db

.lycheeignore

@@ -1,2 +0,0 @@
-https://dash.cloudflare.com/profile/api-tokens
-https://www.mend.io/free-developer-tools/renovate/

.mise.toml

@@ -0,0 +1,28 @@
+[env]
+_.python.venv = { path = "{{config_root}}/.venv", create = true } # required:template
+KUBECONFIG = "{{config_root}}/kubeconfig"
+SOPS_AGE_KEY_FILE = "{{config_root}}/age.key"
+TALOSCONFIG = "{{config_root}}/talos/clusterconfig/talosconfig"
+
+[tools]
+"python" = "3.14.3" # required:template
+"uv" = "0.10.7" # required:template
+"pipx" = "1.8.0" # required:template
+"pipx:makejinja" = "2.8.2" # required:template
+"aqua:budimanjojo/talhelper" = "3.1.5"
+"aqua:cilium/cilium-cli" = "0.19.2"
+"aqua:cli/cli" = "2.87.3"
+"aqua:cloudflare/cloudflared" = "2026.2.0"
+"aqua:cue-lang/cue" = "0.15.4" # required:template
+"aqua:FiloSottile/age" = "1.3.1"
+"aqua:fluxcd/flux2" = "2.8.1"
+"aqua:getsops/sops" = "3.12.1"
+"aqua:go-task/task" = "3.48.0"
+"aqua:helm/helm" = "4.1.1"
+"aqua:helmfile/helmfile" = "1.3.2"
+"aqua:jqlang/jq" = "1.8.1"
+"aqua:kubernetes-sigs/kustomize" = "5.7.1"
+"aqua:kubernetes/kubernetes/kubectl" = "1.35.2"
+"aqua:mikefarah/yq" = "4.52.4"
+"aqua:siderolabs/talos" = "1.12.4"
+"aqua:yannh/kubeconform" = "0.7.0"

.renovaterc.json5

@@ -0,0 +1,172 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "config:recommended",
+    "docker:enableMajor",
+    "helpers:pinGitHubActionDigests",
+    ":automergeBranch",
+    ":dependencyDashboard",
+    ":disableRateLimiting",
+    ":semanticCommits",
+  ],
+  dependencyDashboard: true,
+  dependencyDashboardTitle: "Renovate Dashboard :robot:",
+  schedule: ["every weekend"],
+  ignorePaths: ["**/*.sops.*"],
+  flux: {
+    managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$/"],
+  },
+  helmfile: {
+    managerFilePatterns: [
+      "/(^|/)helmfile\\.ya?ml(?:\\.gotmpl)?(?:\\.j2)?$/",
+      "/(^|/)helmfile\\.d/.+\\.ya?ml(?:\\.gotmpl)?(?:\\.j2)?$/",
+    ],
+  },
+  kubernetes: {
+    managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$/"],
+  },
+  kustomize: {
+    managerFilePatterns: ["/^kustomization\\.ya?ml(?:\\.j2)?$/"],
+  },
+  packageRules: [
+    {
+      description: "Override Helmfile Dependency Name",
+      matchDatasources: ["docker"],
+      matchManagers: ["helmfile"],
+      overrideDepName: "{{packageName}}",
+    },
+    {
+      description: "Flux Operator Group",
+      groupName: "flux-operator",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/flux-operator/", "/flux-instance/", "/flux-operator-manifests/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+      minimumGroupSize: 3,
+    },
+    {
+      description: "Auto-merge GitHub Actions",
+      matchManagers: ["github-actions"],
+      automerge: true,
+      automergeType: "branch",
+      matchUpdateTypes: ["minor", "patch", "digest"],
+      minimumReleaseAge: "3 days",
+      ignoreTests: true,
+    },
+    {
+      matchUpdateTypes: ["major"],
+      semanticCommitType: "feat",
+      commitMessagePrefix: "{{semanticCommitType}}({{semanticCommitScope}})!:",
+      commitMessageExtra: "( {{currentVersion}} ➔ {{newVersion}} )",
+    },
+    {
+      matchUpdateTypes: ["minor"],
+      semanticCommitType: "feat",
+      commitMessageExtra: "( {{currentVersion}} ➔ {{newVersion}} )",
+    },
+    {
+      matchUpdateTypes: ["patch"],
+      semanticCommitType: "fix",
+      commitMessageExtra: "( {{currentVersion}} ➔ {{newVersion}} )",
+    },
+    {
+      matchUpdateTypes: ["digest"],
+      semanticCommitType: "chore",
+      commitMessageExtra: "( {{currentDigestShort}} ➔ {{newDigestShort}} )",
+    },
+    {
+      matchDatasources: ["docker"],
+      semanticCommitScope: "container",
+      commitMessageTopic: "image {{depName}}",
+    },
+    {
+      matchDatasources: ["helm"],
+      semanticCommitScope: "helm",
+      commitMessageTopic: "chart {{depName}}",
+    },
+    {
+      matchManagers: ["github-actions"],
+      semanticCommitType: "ci",
+      semanticCommitScope: "github-action",
+      commitMessageTopic: "action {{depName}}",
+    },
+    {
+      matchDatasources: ["github-releases"],
+      semanticCommitScope: "github-release",
+      commitMessageTopic: "release {{depName}}",
+    },
+    {
+      matchManagers: ["mise"],
+      semanticCommitScope: "mise",
+      commitMessageTopic: "tool {{depName}}",
+    },
+    {
+      matchUpdateTypes: ["major"],
+      labels: ["type/major"],
+    },
+    {
+      matchUpdateTypes: ["minor"],
+      labels: ["type/minor"],
+    },
+    {
+      matchUpdateTypes: ["patch"],
+      labels: ["type/patch"],
+    },
+    {
+      matchUpdateTypes: ["digest"],
+      labels: ["type/digest"],
+    },
+    {
+      matchDatasources: ["docker"],
+      addLabels: ["renovate/container"],
+    },
+    {
+      matchDatasources: ["helm"],
+      addLabels: ["renovate/helm"],
+    },
+    {
+      matchManagers: ["github-actions"],
+      addLabels: ["renovate/github-action"],
+    },
+    {
+      matchDatasources: ["github-releases"],
+      addLabels: ["renovate/github-release"],
+    },
+  ],
+  customManagers: [
+    {
+      description: "Process annotated dependencies",
+      customType: "regex",
+      managerFilePatterns: [
+        "/(^|/).+\\.env(?:\\.j2)?$/",
+        "/(^|/).+\\.sh(?:\\.j2)?$/",
+        "/(^|/).+\\.ya?ml(?:\\.j2)?$/",
+      ],
+      matchStrings: [
+        // # renovate: datasource=github-releases depName=k3s-io/k3s
+        // k3s_release_version: &version v1.29.0+k3s1
+        // # renovate: datasource=helm depName=cilium repository=https://helm.cilium.io
+        // version: 1.15.1
+        // # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+        // KUBERNETES_VERSION=v1.31.1
+        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( repository=(?<registryUrl>\\S+))?\\n.+(:\\s|=)(&\\S+\\s)?(?<currentValue>\\S+)",
+        // # renovate: datasource=docker depName=ghcr.io/prometheus-operator/prometheus-operator
+        // https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.80.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
+        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)\\n.+/(?<currentValue>(v|\\d)[^/]+)",
+      ],
+      datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
+    },
+    {
+      customType: "regex",
+      description: "Process OCI dependencies",
+      managerFilePatterns: [
+        "/\\.yaml(?:\\.j2)?$/",
+      ],
+      matchStrings: [
+        "oci://(?<depName>[^:]+):(?<currentValue>\\S+)",
+      ],
+      datasourceTemplate: "docker",
+    },
+  ],
+}

.shellcheckrc

@@ -0,0 +1,2 @@
+disable=SC1091
+disable=SC2155

.taskfiles/AnsibleTasks.yaml

@@ -1,54 +0,0 @@
----
-version: "3"
-
-vars:
-  ANSIBLE_PLAYBOOK_DIR: "{{.ANSIBLE_DIR}}/playbooks"
-  ANSIBLE_INVENTORY_DIR: "{{.ANSIBLE_DIR}}/inventory"
-
-tasks:
-
-  prepare:
-    desc: Prepare all the k8s nodes for running k3s
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-prepare.yaml
-
-  install:
-    desc: Install Kubernetes on the nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-installation.yaml
-
-  rollout-update:
-    desc: Preform operating system updates and rollout restart the cluster
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-rollout-update.yaml
-
-  nuke:
-    desc: Uninstall Kubernetes on the nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    interactive: true
-    cmd: ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-nuke.yaml
-
-  reboot:
-    desc: Reboot all the k8s nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-reboot.yaml
-
-  poweroff:
-    desc: Shutdown all the k8s nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible kubernetes -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml -a '/usr/bin/systemctl poweroff' --become
-
-  list:
-    desc: List all the hosts
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml --list-hosts
-
-  ping:
-    desc: Ping all the hosts
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml --one-line -m 'ping'
-
-  uptime:
-    desc: Uptime of all the hosts
-    dir: "{{.ANSIBLE_DIR}}"
-    cmd: ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yaml --one-line -a 'uptime'

.taskfiles/BrewTasks.yaml

@@ -1,27 +0,0 @@
----
-version: "3"
-
-tasks:
-
-  deps:
-    desc: Install workstation dependencies with Brew
-    cmd: brew install {{.DEPS}} {{.CLI_ARGS}}
-    preconditions:
-      - sh: command -v brew
-        msg: |
-          Homebrew is not installed. Using MacOS, Linux or WSL?
-          Head over to https://brew.sh to get up and running.
-    vars:
-      DEPS: >-
-        age
-        cilium-cli
-        cloudflared
-        fluxcd/tap/flux
-        helm
-        jq
-        k9s
-        kubernetes-cli
-        kustomize
-        sops
-        stern
-        yq

.taskfiles/ClusterTasks.yaml

@@ -1,81 +0,0 @@
----
-version: "3"
-
-tasks:
-
-  verify:
-    desc: Verify flux meets the prerequisites
-    cmd: flux check --pre
-
-  install:
-    desc: Install Flux into your cluster
-    cmds:
-      - kubectl apply --kustomize {{.KUBERNETES_DIR}}/bootstrap
-      - cat {{.SOPS_AGE_KEY_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin
-      - sops --decrypt {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml | kubectl apply -f -
-      - sops --decrypt {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets-user.sops.yaml | kubectl apply -f -
-      - kubectl apply -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml
-      - kubectl apply -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings-user.yaml
-      - kubectl apply --kustomize {{.KUBERNETES_DIR}}/flux/config
-    preconditions:
-      - sh: test -f {{.SOPS_AGE_KEY_FILE}}
-        msg: |
-          Age key file is not found. Did you forget to create it?
-    vars:
-      SOPS_AGE_KEY_FILE: "{{.ROOT_DIR}}/age.key"
-
-  reconcile:
-    desc: Force update Flux to pull in changes from your Git repository
-    cmd: flux reconcile -n flux-system kustomization cluster --with-source
-
-  hr-restart:
-    desc: Restart all failed Helm Releases
-    cmds:
-      - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -L1 bash -c 'flux suspend hr $0 -n $1'
-      - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -L1 bash -c 'flux resume hr $0 -n $1'
-
-  nodes:
-    desc: List all the nodes in your cluster
-    cmd: kubectl get nodes {{.CLI_ARGS | default "-o wide"}}
-
-  pods:
-    desc: List all the pods in your cluster
-    cmd: kubectl get pods {{.CLI_ARGS | default "-A"}}
-
-  kustomizations:
-    desc: List all the kustomizations in your cluster
-    cmd: kubectl get kustomizations {{.CLI_ARGS | default "-A"}}
-
-  helmreleases:
-    desc: List all the helmreleases in your cluster
-    cmd: kubectl get helmreleases {{.CLI_ARGS | default "-A"}}
-
-  helmrepositories:
-    desc: List all the helmrepositories in your cluster
-    cmd: kubectl get helmrepositories {{.CLI_ARGS | default "-A"}}
-
-  gitrepositories:
-    desc: List all the gitrepositories in your cluster
-    cmd: kubectl get gitrepositories {{.CLI_ARGS | default "-A"}}
-
-  certificates:
-    desc: List all the certificates in your cluster
-    cmds:
-      - kubectl get certificates {{.CLI_ARGS | default "-A"}}
-      - kubectl get certificaterequests {{.CLI_ARGS | default "-A"}}
-
-  ingresses:
-    desc: List all the ingresses in your cluster
-    cmd: kubectl get ingress {{.CLI_ARGS | default "-A"}}
-
-  resources:
-    desc: Gather common resources in your cluster, useful when asking for support
-    cmds:
-      - task: nodes
-      - task: kustomizations
-      - task: helmreleases
-      - task: helmrepositories
-      - task: gitrepositories
-      - task: certificates
-      - task: ingresses
-      - task: pods

.taskfiles/bootstrap/Taskfile.yaml

@@ -0,0 +1,30 @@
+---
+version: '3'
+
+tasks:
+
+  talos:
+    desc: Bootstrap the Talos cluster
+    dir: '{{.TALOS_DIR}}'
+    cmds:
+      - '[ -f talsecret.sops.yaml ] || talhelper gensecret | sops --filename-override talos/talsecret.sops.yaml --encrypt /dev/stdin > talsecret.sops.yaml'
+      - talhelper genconfig
+      - talhelper gencommand apply --extra-flags="--insecure" | bash
+      - until talhelper gencommand bootstrap | bash; do sleep 10; done
+      - until talhelper gencommand kubeconfig --extra-flags="{{.ROOT_DIR}} --force" | bash; do sleep 10; done
+    preconditions:
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+      - test -f {{.TALOS_DIR}}/talconfig.yaml
+      - which talhelper talosctl sops
+
+  apps:
+    desc: Bootstrap apps into the Talos cluster
+    cmd: bash {{.SCRIPTS_DIR}}/bootstrap-apps.sh
+    preconditions:
+      - msg: Unsupported bash version, run `brew install bash` to upgrade
+        sh: '{{if eq OS "darwin"}}test -f /opt/homebrew/bin/bash || test -f /usr/local/bin/bash{{end}}'
+      - test -f {{.KUBECONFIG}}
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - test -f {{.SCRIPTS_DIR}}/bootstrap-apps.sh
+      - test -f {{.SOPS_AGE_KEY_FILE}}

.taskfiles/talos/Taskfile.yaml

@@ -0,0 +1,65 @@
+---
+version: '3'
+
+tasks:
+
+  generate-config:
+    desc: Generate Talos configuration
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper genconfig
+    preconditions:
+      - test -f {{.TALOS_DIR}}/talconfig.yaml
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+      - which talhelper
+
+  apply-node:
+    desc: Apply Talos config to a node [IP=required]
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper gencommand apply --node {{.IP}} --extra-flags '--mode={{.MODE}}' | bash
+    vars:
+      MODE: '{{.MODE | default "auto"}}'
+    requires:
+      vars: [IP]
+    preconditions:
+      - talosctl --nodes {{.IP}} get machineconfig
+      - talosctl config info
+      - test -f {{.TALOSCONFIG}}
+      - which talhelper talosctl yq
+
+  upgrade-node:
+    desc: Upgrade Talos on a single node [IP=required]
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper gencommand upgrade --node {{.IP}} --extra-flags "--image='{{.TALOS_IMAGE}}:{{.TALOS_VERSION}}' --timeout=10m" | bash
+    vars:
+      TALOS_IMAGE:
+        sh: yq '.nodes[] | select(.ipAddress == "{{.IP}}") | .talosImageURL' {{.TALOS_DIR}}/talconfig.yaml
+      TALOS_VERSION:
+        sh: yq '.talosVersion' {{.TALOS_DIR}}/talenv.yaml
+    requires:
+      vars: [IP]
+    preconditions:
+      - talosctl --nodes {{.IP}} get machineconfig
+      - talosctl config info
+      - test -f {{.TALOSCONFIG}}
+      - which kubectl talhelper talosctl yq
+
+  upgrade-k8s:
+    desc: Upgrade Kubernetes
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper gencommand upgrade-k8s --extra-flags "--to '{{.KUBERNETES_VERSION}}'" | bash
+    vars:
+      KUBERNETES_VERSION:
+        sh: yq '.kubernetesVersion' {{.TALOS_DIR}}/talenv.yaml
+    preconditions:
+      - talosctl config info
+      - test -f {{.TALOSCONFIG}}
+      - which talhelper talosctl yq
+
+  reset:
+    desc: Resets nodes back to maintenance mode
+    dir: '{{.TALOS_DIR}}'
+    prompt: This will destroy your cluster and reset the nodes back to maintenance mode... continue?
+    cmd: talhelper gencommand reset --extra-flags="--reboot {{- if eq .CLI_FORCE false }} --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL{{ end }} --graceful=false --wait=false" | bash
+    preconditions:
+      - which talhelper

.taskfiles/template/Taskfile.yaml

@@ -0,0 +1,173 @@
+---
+version: '3'
+
+vars:
+  MAKEJINJA_CONFIG_FILE: '{{.ROOT_DIR}}/makejinja.toml'
+  TEMPLATE_DIR: '{{.ROOT_DIR}}/templates'
+  TEMPLATE_RESOURCES_DIR: '{{.ROOT_DIR}}/.taskfiles/template/resources'
+  TEMPLATE_CONFIG_FILE: '{{.ROOT_DIR}}/cluster.yaml'
+  TEMPLATE_NODE_CONFIG_FILE: '{{.ROOT_DIR}}/nodes.yaml'
+
+tasks:
+
+  :init:
+    desc: Initialize configuration files
+    cmds:
+      - task: generate-template-config
+      - task: generate-age-key
+      - task: generate-deploy-key
+      - task: generate-push-token
+
+  generate-template-config:
+    internal: true
+    cmds:
+      - mv {{.TEMPLATE_CONFIG_FILE | replace ".yaml" ".sample.yaml"}} {{.TEMPLATE_CONFIG_FILE}}
+      - mv {{.TEMPLATE_NODE_CONFIG_FILE | replace ".yaml" ".sample.yaml"}} {{.TEMPLATE_NODE_CONFIG_FILE}}
+    status:
+      - test -f {{.TEMPLATE_CONFIG_FILE}}
+      - test -f {{.TEMPLATE_NODE_CONFIG_FILE}}
+
+  generate-age-key:
+    internal: true
+    cmd: age-keygen --output {{.SOPS_AGE_KEY_FILE}}
+    status:
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+    preconditions:
+      - which age-keygen
+
+  generate-deploy-key:
+    internal: true
+    cmd: ssh-keygen -t ed25519 -C "deploy-key" -f {{.ROOT_DIR}}/github-deploy.key -q -P ""
+    status:
+      - test -f {{.ROOT_DIR}}/github-deploy.key
+    preconditions:
+      - which ssh-keygen
+
+  generate-push-token:
+    internal: true
+    cmd: python -c "import secrets; print(secrets.token_hex(16))" > {{.ROOT_DIR}}/github-push-token.txt
+    status:
+      - test -f {{.ROOT_DIR}}/github-push-token.txt
+
+  :configure:
+    desc: Render and validate configuration files
+    prompt: Any conflicting files in the kubernetes directory will be overwritten... continue?
+    cmds:
+      - task: validate-schemas
+      - task: render-configs
+      - task: encrypt-secrets
+      - task: validate-kubernetes-config
+      - task: validate-talos-config
+    preconditions:
+      - msg: An existing Age key interferes with the age key in this repository, rename or delete ~/.config/sops/age/keys.txt
+        sh: '! test -f ~/.config/sops/age/keys.txt'
+      - msg: File cluster.yaml not found, did you run `task init`?
+        sh: test -f {{.TEMPLATE_CONFIG_FILE}}
+      - msg: File nodes.yaml not found, did you run `task init`?
+        sh: test -f {{.TEMPLATE_NODE_CONFIG_FILE}}
+      - msg: File cloudflare-tunnel.json not found, see the README for information on creating it.
+        sh: test -f {{.ROOT_DIR}}/cloudflare-tunnel.json
+
+  validate-schemas:
+    internal: true
+    cmds:
+      - cue vet {{.TEMPLATE_CONFIG_FILE}} {{.TEMPLATE_RESOURCES_DIR}}/cluster.schema.cue
+      - cue vet {{.TEMPLATE_NODE_CONFIG_FILE}} {{.TEMPLATE_RESOURCES_DIR}}/nodes.schema.cue
+    preconditions:
+      - test -f {{.TEMPLATE_RESOURCES_DIR}}/cluster.schema.cue
+      - test -f {{.TEMPLATE_RESOURCES_DIR}}/nodes.schema.cue
+      - which cue
+
+  render-configs:
+    internal: true
+    cmd: makejinja
+    env:
+      PYTHONDONTWRITEBYTECODE: '1'
+    preconditions:
+      - test -f {{.TEMPLATE_DIR}}/scripts/plugin.py
+      - test -f {{.MAKEJINJA_CONFIG_FILE}}
+      - which makejinja
+
+  encrypt-secrets:
+    internal: true
+    cmds:
+      - for: { var: SECRET_FILES }
+        cmd: |
+          if [ $(sops filestatus "{{.ITEM}}" | jq ".encrypted") == "false" ]; then
+              sops --encrypt --in-place "{{.ITEM}}"
+          fi
+    vars:
+      SECRET_FILES:
+        sh: find "{{.BOOTSTRAP_DIR}}" "{{.KUBERNETES_DIR}}" "{{.TALOS_DIR}}" -type f -name "*.sops.*" -print
+    preconditions:
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - which jq sops
+
+  validate-kubernetes-config:
+    internal: true
+    cmd: bash {{.TEMPLATE_RESOURCES_DIR}}/kubeconform.sh {{.KUBERNETES_DIR}}
+    preconditions:
+      - test -f {{.TEMPLATE_RESOURCES_DIR}}/kubeconform.sh
+      - which kubeconform
+
+  validate-talos-config:
+    internal: true
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper validate talconfig {{.TALOS_DIR}}/talconfig.yaml
+    preconditions:
+      - test -f {{.TALOS_DIR}}/talconfig.yaml
+      - which talhelper
+
+  debug:
+    desc: Gather common resources in your cluster
+    cmds:
+      - for:
+          matrix:
+            RESOURCE: [certificates, certificaterequests, gitrepositories, helmrepositories, helmreleases, httproutes, kustomizations, nodes, pods]
+        cmd: kubectl get --all-namespaces {{.ITEM.RESOURCE}}
+    preconditions:
+      - test -f {{.KUBECONFIG}}
+      - which kubectl
+
+  tidy:
+    desc: Archive or remove all template related config
+    prompt: All template related config will be archived or removed... continue?
+    cmds:
+      - mkdir -p {{.TIDY_FOLDER}}
+      - rm -rf {{.ROOT_DIR}}/.github/tests
+      - rm -rf {{.ROOT_DIR}}/.github/workflows/e2e.yaml
+      - rm -rf {{.ROOT_DIR}}/.github/workflows/mise.yaml
+      - rm -rf {{.ROOT_DIR}}/.github/workflows/release.yaml
+      - |
+        {{.SED}} -i 's/(..\.j2)\?//g' {{.ROOT_DIR}}/.renovaterc.json5
+      - mv {{.TEMPLATE_DIR}} {{.TIDY_FOLDER}}/templates
+      - mv {{.MAKEJINJA_CONFIG_FILE}} {{.TIDY_FOLDER}}/makejinja.toml
+      - mv {{.TEMPLATE_CONFIG_FILE}} {{.TIDY_FOLDER}}/cluster.yaml
+      - mv {{.TEMPLATE_NODE_CONFIG_FILE}} {{.TIDY_FOLDER}}/nodes.yaml
+      - |
+        {{.SED}} -i '/template:/d' {{.ROOT_DIR}}/Taskfile.yaml
+      - mv {{.ROOT_DIR}}/.taskfiles/template {{.TIDY_FOLDER}}/.taskfiles/
+      - |
+        {{.SED}} -i '/required:template/d' {{.ROOT_DIR}}/.mise.toml
+      - rm -rf {{.ROOT_DIR}}/.venv
+    vars:
+      TIDY_FOLDER: '{{.PRIVATE_DIR}}/{{now | unixEpoch}}'
+      SED:
+        sh: which gsed || which sed
+    preconditions:
+      - msg: Unsupported sed version, run `brew install gsed` to upgrade
+        sh: '{{if eq OS "darwin"}}test -f /opt/homebrew/bin/gsed || test -f /usr/local/bin/gsed{{end}}'
+      - test -d {{.ROOT_DIR}}/.taskfiles/template
+      - test -d {{.TEMPLATE_DIR}}
+      - test -f {{.MAKEJINJA_CONFIG_FILE}}
+      - test -f {{.ROOT_DIR}}/.renovaterc.json5
+
+  reset:
+    desc: Remove templated files and directories
+    prompt: Remove all templated files and directories... continue?
+    cmds:
+      - rm -rf {{.BOOTSTRAP_DIR}}
+      - rm -rf {{.KUBERNETES_DIR}}
+      - rm -rf {{.TALOS_DIR}}
+      - rm -rf {{.ROOT_DIR}}/.sops.yaml

.taskfiles/template/resources/cluster.schema.cue

@@ -0,0 +1,31 @@
+package config
+
+import (
+	"net"
+)
+
+#Config: {
+	node_cidr: net.IPCIDR & !=cluster_pod_cidr & !=cluster_svc_cidr
+	node_dns_servers?: [...net.IPv4]
+	node_ntp_servers?: [...net.IPv4]
+	node_default_gateway?: net.IPv4 & !=""
+	node_vlan_tag?: string & !=""
+	cluster_pod_cidr: *"10.42.0.0/16" | net.IPCIDR & !=node_cidr & !=cluster_svc_cidr
+	cluster_svc_cidr: *"10.43.0.0/16" | net.IPCIDR & !=node_cidr & !=cluster_pod_cidr
+	cluster_api_addr: net.IPv4
+	cluster_api_tls_sans?: [...net.FQDN]
+	cluster_gateway_addr: net.IPv4 & !=cluster_api_addr & !=cluster_dns_gateway_addr & !=cloudflare_gateway_addr
+	cluster_dns_gateway_addr: net.IPv4 & !=cluster_api_addr & !=cluster_gateway_addr & !=cloudflare_gateway_addr
+	repository_name: string
+	repository_branch?: string & !=""
+	repository_visibility?: *"public" | "private"
+	cloudflare_domain: net.FQDN
+	cloudflare_token: string
+	cloudflare_gateway_addr: net.IPv4 & !=cluster_api_addr & !=cluster_gateway_addr & !=cluster_dns_gateway_addr
+	cilium_bgp_router_addr?: net.IPv4 & !=""
+	cilium_bgp_router_asn?: string & !=""
+	cilium_bgp_node_asn?: string & !=""
+	cilium_loadbalancer_mode?: *"dsr" | "snat"
+}
+
+#Config

.taskfiles/template/resources/kubeconform.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+KUBERNETES_DIR=$1
+
+[[ -z "${KUBERNETES_DIR}" ]] && echo "Kubernetes location not specified" && exit 1
+
+kustomize_args=("--load-restrictor=LoadRestrictionsNone")
+kustomize_config="kustomization.yaml"
+kubeconform_args=(
+    "-strict"
+    "-ignore-missing-schemas"
+    "-skip"
+    "Gateway,HTTPRoute,Secret"
+    "-schema-location"
+    "default"
+    "-schema-location"
+    "https://kubernetes-schemas.pages.dev/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+    "-verbose"
+)
+
+echo "=== Validating standalone manifests in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -maxdepth 1 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file;
+do
+    kubeconform "${kubeconform_args[@]}" "${file}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/apps ==="
+find "${KUBERNETES_DIR}/apps" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done

.taskfiles/template/resources/nodes.schema.cue

@@ -0,0 +1,30 @@
+package config
+
+import (
+	"net"
+	"list"
+)
+
+#Config: {
+	nodes: [...#Node]
+	_nodes_check: {
+		name: list.UniqueItems() & [for item in nodes {item.name}]
+		address: list.UniqueItems() & [for item in nodes {item.address}]
+		mac_addr: list.UniqueItems() & [for item in nodes {item.mac_addr}]
+	}
+}
+
+#Node: {
+	name:          =~"^[a-z0-9][a-z0-9\\-]{0,61}[a-z0-9]$|^[a-z0-9]$" & !="global" & !="controller" & !="worker"
+	address:       net.IPv4
+	controller:    bool
+	disk:          string
+	mac_addr:      =~"^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$"
+	schematic_id:  =~"^[a-z0-9]{64}$"
+	mtu?:            >=1450 & <=9000
+	secureboot?:     bool
+	encrypt_disk?:   bool
+	kernel_modules?: [...string]
+}
+
+#Config

.vscode/extensions.json

@@ -1,14 +1,9 @@
 {
-    "recommendations": [
-        "albert.TabOut",
-        "britesnow.vscode-toggle-quotes",
-        "fcrespo82.markdown-table-formatter",
-        "mikestead.dotenv",
-        "mitchdenny.ecdc",
-        "redhat.ansible",
-        "signageos.signageos-vscode-sops",
-        "will-stone.in-any-case",
-        "EditorConfig.editorconfig",
-        "PKief.material-icon-theme",
-    ]
+  "recommendations": [
+    "blueglassblock.better-json5",
+    "irongeek.vscode-env",
+    "redhat.vscode-yaml",
+    "signageos.signageos-vscode-sops",
+    "hverlin.mise-vscode"
+  ]
 }

.vscode/settings.json

@@ -1,27 +1,18 @@
 {
-    "ansible.ansible.path": ".venv/bin/ansible",
-    "ansible.python.activationScript": ".venv/bin/activate",
-    "ansible.python.interpreterPath": ".venv/bin/python3",
-    "ansible.validation.enabled": true,
-    "ansible.validation.lint.arguments": "-c ansible/.ansible-lint",
-    "ansible.validation.lint.enabled": true,
-    "ansible.validation.lint.path": ".venv/bin/ansible-lint",
+    "editor.bracketPairColorization.enabled": true,
     "files.associations": {
-        "*.json5": "jsonc",
-        "./ansible/**/*.yaml": "ansible",
-        "./ansible/**/*.sops.yaml": "yaml",
-        "./ansible/**/inventory/**/*.yaml": "yaml",
-        "./kubernetes/**/*.sops.toml": "plaintext"
+        "**/*.json5": "json5"
     },
+    "files.trimTrailingWhitespace": true,
     "sops.defaults.ageKeyFile": "age.key",
-    "yaml.schemas": {
-        "ansible": "./ansible/*.yaml",
-        "Kubernetes": "./kubernetes/*.yaml"
-    },
     "vs-kubernetes": {
         "vs-kubernetes.kubeconfig": "./kubeconfig",
         "vs-kubernetes.knownKubeconfigs": [
           "./kubeconfig"
       ]
+    },
+    "yaml.schemaStore.enable": true,
+    "yaml.schemas": {
+        "kubernetes": "./kubernetes/**/*.yaml"
     }
 }

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 onedr0p
+Copyright (c) 2025 onedr0p
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,602 +1,484 @@
-# Deploy a Kubernetes cluster backed by Flux
+# ⛵ Cluster Template
 
-Welcome to my highly opinionated template for deploying a single Kubernetes ([k3s](https://k3s.io)) cluster with [Ansible](https://www.ansible.com) and using [Flux](https://toolkit.fluxcd.io) to manage its state.
+Welcome to my template designed for deploying a single Kubernetes cluster. Whether you're setting up a cluster at home on bare-metal or virtual machines (VMs), this project aims to simplify the process and make Kubernetes more accessible. This template is inspired by my personal [home-ops](https://github.com/onedr0p/home-ops) repository, providing a practical starting point for anyone interested in managing their own Kubernetes environment.
 
-## 👋 Introduction
+At its core, this project leverages [makejinja](https://github.com/mirkolenz/makejinja), a powerful tool for rendering templates. By reading configuration files—such as [cluster.yaml](./cluster.sample.yaml) and [nodes.yaml](./nodes.sample.yaml)—Makejinja generates the necessary configurations to deploy a Kubernetes cluster with the following features:
 
-The goal of this project is to make it easy for people interested in learning Kubernetes to deploy a cluster at home and become familiar with the GitOps tool Flux.
+- Easy configuration through YAML files.
+- Compatibility with home setups, whether on physical hardware or VMs.
+- A modular and extensible approach to cluster deployment and management.
 
-This template implements Flux in a way that promotes legibility and ease of use for those who are new (or relatively new) to the technology and GitOps in general.
-
-If you are new to Flux and GitOps in general it is important to understand that **all changes** you want made to your Kubernetes cluster should be **commited to your Git repository** which Flux will pick up and attempt to apply. You're still free to make _dirty_ edits using `kubectl` but keep in mind that Flux might revert them once its reconcilation loop happens.
+With this approach, you'll gain a solid foundation to build and manage your Kubernetes cluster efficiently.
 
 ## ✨ Features
 
-- Automated, reproducible, customizable setup through Ansible templates and playbooks
-- Opinionated implementation of Flux with [strong community support](https://github.com/onedr0p/flux-cluster-template/tree/main#-help)
-- Encrypted secrets thanks to [SOPS](https://github.com/getsops/sops) and [Age](https://github.com/FiloSottile/age)
-- Web application firewall thanks to [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/)
-- SSL certificates thanks to [Cloudflare](https://cloudflare.com) and [cert-manager](https://cert-manager.io)
-- HA control plane capability thanks to [kube-vip](https://kube-vip.io)
-- Next-gen networking thanks to [Cilium](https://cilium.io/)
-- A [Renovate](https://www.mend.io/renovate)-ready repository with pull request diffs provided by [flux-local](https://github.com/allenporter/flux-local)
-- Integrated [GitHub Actions](https://github.com/features/actions)
-- ... and more!
+A Kubernetes cluster deployed with [Talos Linux](https://github.com/siderolabs/talos) and an opinionated implementation of [Flux](https://github.com/fluxcd/flux2) using [GitHub](https://github.com/) as the Git provider, [sops](https://github.com/getsops/sops) to manage secrets and [cloudflared](https://github.com/cloudflare/cloudflared) to access applications external to your local network.
 
-## 📝 Pre-start checklist
+- **Required:** Some knowledge of [Containers](https://opencontainers.org/), [YAML](https://noyaml.com/), [Git](https://git-scm.com/), and a **Cloudflare account** with a **domain**.
+- **Included components:** [flux](https://github.com/fluxcd/flux2), [cilium](https://github.com/cilium/cilium), [cert-manager](https://github.com/cert-manager/cert-manager), [spegel](https://github.com/spegel-org/spegel), [reloader](https://github.com/stakater/Reloader), [envoy-gateway](https://github.com/envoyproxy/gateway), [external-dns](https://github.com/kubernetes-sigs/external-dns) and [cloudflared](https://github.com/cloudflare/cloudflared).
+
+**Other features include:**
+
+- Dev env managed w/ [mise](https://mise.jdx.dev/)
+- Workflow automation w/ [GitHub Actions](https://github.com/features/actions)
+- Dependency automation w/ [Renovate](https://www.mend.io/renovate)
+- Flux `HelmRelease` and `Kustomization` diffs w/ [flux-local](https://github.com/allenporter/flux-local)
+
+Does this sound cool to you? If so, continue to read on! 👇
+
+## 🚀 Let's Go!
+
+There are **6 stages** outlined below for completing this project, make sure you follow the stages in order.
+
+### Stage 1: Hardware Configuration
+
+For a **stable** and **high-availability** production Kubernetes cluster, hardware selection is critical. NVMe/SSDs are strongly preferred over HDDs, and **Bare Metal is strongly recommended** over virtualized platforms like Proxmox.
+
+Using **enterprise NVMe or SATA SSDs on Bare Metal** (even used drives) provides the most reliable performance and rock-solid stability. Consumer **NVMe or SATA SSDs**, on the other hand, carry risks such as latency spikes, corruption, and fsync delays, particularly in multi-node setups.
+
+**Proxmox with enterprise drives can work** for testing or carefully tuned production clusters, but it introduces additional layers of potential I/O contention — especially if consumer drives are used. Any **replicated storage** (e.g., Rook-Ceph, Longhorn) should always use **dedicated disks separate from control plane and etcd nodes** to ensure reliability. Worker nodes are more flexible, but risky configurations should still be avoided for stateful workloads to maintain cluster stability.
+
+These guidelines provide a strong baseline, but there are always exceptions and nuances. The best way to ensure your hardware configuration works is to **test it thoroughly and benchmark performance** under realistic workloads.
+
+### Stage 2: Machine Preparation
 
 > [!IMPORTANT]
-> Before we get started everything below must be taken into consideration, you must...
+> If you have **3 or more nodes** it is recommended to make 3 of them controller nodes for a highly available control plane. This project configures **all nodes** to be able to run workloads. **Worker nodes** are therefore **optional**.
+>
+> **Minimum system requirements**
+> | Role    | Cores    | Memory        | System Disk               |
+> |---------|----------|---------------|---------------------------|
+> | Control/Worker | 4 | 16GB | 256GB SSD/NVMe |
 
-- [ ] have some experience with the following: Git/SCM, containers, networking and scripting.
-- [ ] bring a **positive attitude** and be ready to learn and fail a lot. _The more you fail, the more you can learn from._
-- [ ] run the cluster on bare metal machines or VMs within your home network — **this is NOT designed for cloud environments**.
-- [ ] have Debian 12 freshly installed on 1 or more AMD64/ARM64 bare metal machines or VMs. Each machine will be either a **control node** or a **worker node** in your cluster.
-- [ ] give your nodes unrestricted internet access — **air-gapped environments won't work**.
-- [ ] have a domain you can manage on Cloudflare.
-- [ ] be willing to commit encrypted secrets to a public GitHub repository.
-- [ ] have a DNS server that supports split DNS (e.g. Pi-Hole) deployed somewhere outside your cluster **ON** your home network.
+1. Head over to the [Talos Linux Image Factory](https://factory.talos.dev) and follow the instructions. Be sure to only choose the **bare-minimum system extensions** as some might require additional configuration and prevent Talos from booting without it. Depending on your CPU start with the Intel/AMD system extensions (`i915`, `intel-ucode` & `mei` **or** `amdgpu` & `amd-ucode`), you can always add system extensions after Talos is installed and working.
 
-## 💻 Machine Preparation
+2. This will eventually lead you to download a Talos Linux ISO (or for SBCs a RAW) image. Make sure to note the **schematic ID** you will need this later on.
 
-### System requirements
+3. Flash the Talos ISO or RAW image to a USB drive and boot from it on your nodes.
 
-> [!IMPORTANT]
-> 1. The default behaviour of k3s is that all nodes are able to run workloads, **including** control nodes. Worker nodes are therefore optional.
-> 2. Do you have 3 or more nodes? It is strongly recommended to make 3 of them control nodes for a highly available control plane.
-> 3. Running the cluster on Proxmox VE? My thoughts and recommendations about that are documented [here](https://onedr0p.github.io/home-ops/notes/proxmox-considerations.html).
-
-| Role    | Cores    | Memory        | System Disk               |
-|---------|----------|---------------|---------------------------|
-| Control | 4 _(6*)_ | 8GB _(24GB*)_ | 100GB _(500GB*)_ SSD/NVMe |
-| Worker  | 4 _(6*)_ | 8GB _(24GB*)_ | 100GB _(500GB*)_ SSD/NVMe |
-| _\* recommended_ |
-
-### Debian for AMD64
-
-1. Download the latest stable release of Debian from [here](https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd), then follow [this guide](https://www.linuxtechi.com/how-to-install-debian-12-step-by-step) to get it installed. Deviations from the guide:
-
-    ```txt
-    Choose "Guided - use entire disk"
-    Choose "All files in one partition"
-    Delete Swap partition
-    Uncheck all Debian desktop environment options
-    ```
-
-2. [Post install] Remove CD/DVD as apt source
+4. Verify with `nmap` that your nodes are available on the network. (Replace `192.168.1.0/24` with the network your nodes are on.)
 
     ```sh
-    su -
-    sed -i '/deb cdrom/d' /etc/apt/sources.list
-    apt update
-    exit
+    nmap -Pn -n -p 50000 192.168.1.0/24 -vv | grep 'Discovered'
     ```
 
-3. [Post install] Enable sudo for your non-root user
+### Stage 3: Local Workstation
+
+> [!TIP]
+> It is recommended to set the visibility of your repository to `Public` so you can easily request help if you get stuck.
+
+1. Create a new repository by clicking the green `Use this template` button at the top of this page, then clone the new repo you just created and `cd` into it. Alternatively you can use the [GitHub CLI](https://cli.github.com/) ...
 
     ```sh
-    su -
-    apt update
-    apt install -y sudo
-    usermod -aG sudo ${username}
-    echo "${username} ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/${username}
-    exit
-    newgrp sudo
-    sudo apt update
+    export REPONAME="home-ops"
+    gh repo create $REPONAME --template onedr0p/cluster-template --public --clone
+    cd $REPONAME
     ```
 
-4. [Post install] Add SSH keys (or use `ssh-copy-id` on the client that is connecting)
+2. **Install** the [Mise CLI](https://mise.jdx.dev/getting-started.html#installing-mise-cli) on your local workstation.
 
-    📍 _First make sure your ssh keys are up-to-date and added to your github account as [instructed](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account)._
+3. **Activate** Mise in your shell by following the [activation guide](https://mise.jdx.dev/getting-started.html#activate-mise).
+
+4. Use `mise` to install the **required** CLI tools:
 
     ```sh
-    mkdir -m 700 ~/.ssh
-    sudo apt install -y curl
-    curl https://github.com/${github_username}.keys > ~/.ssh/authorized_keys
-    chmod 600 ~/.ssh/authorized_keys
+    mise trust
+    pip install pipx
+    mise install
     ```
 
-### Debian for RasPi4
+   📍 _**Having trouble installing the tools?** Try unsetting the `GITHUB_TOKEN` env var and then run these commands again_
 
-> [!IMPORTANT]
-> 1. It is recommended to have an 8GB RasPi model. Most important is to **boot from an external SSD/NVMe** rather than an SD card. This is [supported natively](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html), however if you have an early model you may need to [update the bootloader](https://www.tomshardware.com/how-to/boot-raspberry-pi-4-usb) first.
-> 2. Check the [power requirements](https://www.raspberrypi.com/documentation/computers/raspberry-pi.html#power-supply) if using a PoE Hat and a SSD/NVMe dongle.
+   📍 _**Having trouble compiling Python?** Try running `mise settings python.compile=0` and then run these commands again_
 
-1. Download the latest stable release of Debian from [here](https://raspi.debian.net/tested-images). _**Do not** use Raspbian or DietPi or any other flavor Linux OS._
-
-2. Flash the image onto an SSD/NVMe drive.
-
-3. Re-mount the drive to your workstation and then do the following (per the [official documentation](https://raspi.debian.net/defaults-and-settings)):
-
-    ```txt
-    Open 'sysconf.txt' in a text editor and save it upon updating the information below
-      - Change 'root_authorized_key' to your desired public SSH key
-      - Change 'root_pw' to your desired root password
-      - Change 'hostname' to your desired hostname
-    ```
-
-4. Connect SSD/NVMe drive to the Raspberry Pi 4 and power it on.
-
-5. [Post install] SSH into the device with the `root` user and then create a normal user account with `adduser ${username}`
-
-6. [Post install] Follow steps 3 and 4 from [Debian for AMD64](#debian-for-amd64).
-
-7. [Post install] Install `python3` which is needed by Ansible.
+5. Logout of the GitHub Container Registry as this may cause authorization problems in future steps when using the public registry:
 
     ```sh
-    sudo apt install -y python3
+    docker logout ghcr.io
+    helm registry logout ghcr.io
     ```
 
-## 🚀 Getting Started
+### Stage 4: Cloudflare configuration
 
-Once you have installed Debian on your nodes, there are six stages to getting a Flux-managed cluster up and runnning.
+> [!WARNING]
+> If any of the commands fail with `command not found` or `unknown command` it means `mise` is either not installed, activated or it could be configured incorrectly.
 
-> [!IMPORTANT]
-> For all stages below the commands **MUST** be ran on your personal workstation within your repository directory
+1. Create a Cloudflare API token for use with cloudflared and external-dns by reviewing the official [documentation](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) and following the instructions below.
 
-### 🎉 Stage 1: Create a Git repository
+   - Click the blue `Use template` button for the `Edit zone DNS` template.
+   - Name your token `kubernetes`
+   - Under `Permissions`, click `+ Add More` and add permissions `Zone - DNS - Edit` and `Account - Cloudflare Tunnel - Read`
+   - Limit the permissions to a specific account and/or zone resources and then click `Continue to Summary` and then `Create Token`.
+   - **Save this token somewhere safe**, you will need it later on.
 
-1. Create a new **public** repository by clicking the big green "Use this template" button at the top of this page.
-
-2. Clone **your new repo** to you local workstation and `cd` into it.
-
-### 🌱 Stage 2: Setup your local workstation environment
-
-1. Install the most recent version of [task](https://taskfile.dev/), see the task [installation docs](https://taskfile.dev/installation/) for other supported platforms.
+2. Create the Cloudflare Tunnel:
 
     ```sh
-    # Brew
-    brew install go-task
+    cloudflared tunnel login
+    cloudflared tunnel create --credentials-file cloudflare-tunnel.json kubernetes
     ```
 
-2. Install the most recent version of [direnv](https://direnv.net/), see the direnv [installation docs](https://direnv.net/docs/installation.html) for other supported platforms.
+### Stage 5: Cluster configuration
 
-    📍 _After installing `direnv` be sure to **[hook it into your shell](https://direnv.net/docs/hook.html)** and after that is done run `direnv allow` while in your repos' directory._
-
-    ```sh
-    # Brew
-    brew install direnv
-    ```
-
-3. Setup a Python virual env and install Ansible by running the following task command.
-
-    📍 _This commands requires Python 3.10+ to be installed_
-
-    ```sh
-    # Platform agnostic
-    task deps
-    ```
-
-4. Install the required tools: [age](https://github.com/FiloSottile/age), [flux](https://toolkit.fluxcd.io/), [cloudflared](https://github.com/cloudflare/cloudflared), [kubectl](https://kubernetes.io/docs/tasks/tools/), [sops](https://github.com/getsops/sops)
-
-   📍 _Not using brew? Make sure to look up how to install the latest version of each of these CLI tools yourself._
-
-    ```sh
-    # Brew
-    task brew:deps
-    ```
-
-### 🔧 Stage 3: Do bootstrap configuration
-
-📍 _Both `bootstrap/vars/config.yaml` and `bootstrap/vars/addons.yaml` files contain necessary information that is **vital** to the bootstrap process._
-
-1. Generate the `bootstrap/vars/config.yaml` and `bootstrap/vars/addons.yaml` configuration files.
+1. Generate the config files from the sample files:
 
     ```sh
     task init
     ```
 
-2. Setup Age private / public key
+2. Fill out `cluster.yaml` and `nodes.yaml` configuration files using the comments in those file as a guide.
 
-    📍 _Using [SOPS](https://github.com/getsops/sops) with [Age](https://github.com/FiloSottile/age) allows us to encrypt secrets and use them in Ansible and Flux._
-
-    2a. Create a Age private / public key (this file is gitignored)
-
-      ```sh
-      age-keygen -o age.key
-      ```
-
-    2b. Fill out the appropriate vars in `bootstrap/vars/config.yaml`
-
-3. Create Cloudflare API Token
-
-    📍 _To use `cert-manager` with the Cloudflare DNS challenge you will need to create a API Token._
-
-   3a. Head over to Cloudflare and create a API Token by going [here](https://dash.cloudflare.com/profile/api-tokens).
-
-   3b. Under the `API Tokens` section click the blue `Create Token` button.
-
-   3c. Click the blue `Use template` button for the `Edit zone DNS` template.
-
-   3d. Name your token something like `home-kubernetes`
-
-   3e. Under `Permissions`, click `+ Add More` and add each permission below:
-
-    ```text
-    Zone - DNS - Edit
-    Account - Cloudflare Tunnel - Read
-    ```
-
-   3f. Limit the permissions to a specific account and zone resources.
-
-   3g. Fill out the appropriate vars in `bootstrap/vars/config.yaml`
-
-4. Create Cloudflare Tunnel
-
-    📍 _To expose services to the internet you will need to create a [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/)._
-
-    4a. Authenticate cloudflared to your domain
-
-      ```sh
-      cloudflared tunnel login
-      ```
-
-    4b. Create the tunnel
-
-      ```sh
-      cloudflared tunnel create k8s
-      ```
-
-    4c. In the `~/.cloudflared` directory there will be a json file with details you need. Ignore the `cert.pem` file.
-
-    4d. Fill out the appropriate vars in `bootstrap/vars/config.yaml`
-
-5. Complete filling out the rest of the `bootstrap/vars/config.yaml` configuration file.
-
-    5a. Ensure `bootstrap_acme_production_enabled` is set to `false`.
-
-    5b. [Optional] Update `bootstrap/vars/addons.yaml` and enable applications you would like included.
-
-6. Once done run the following command which will verify and generate all the files needed to continue.
+3. Template out the kubernetes and talos configuration files, if any issues come up be sure to read the error and adjust your config files accordingly.
 
     ```sh
     task configure
     ```
 
-> [!IMPORTANT]
-> The configure task will create a `./ansible` directory and the following directories under `./kubernetes`.
-> ```sh
-> 📁 kubernetes      # Kubernetes cluster defined as code
-> ├─📁 bootstrap     # Flux installation (not tracked by Flux)
-> ├─📁 flux          # Main Flux configuration of repository
-> └─📁 apps          # Apps deployed into the cluster grouped by namespace
-> ```
+4. Push your changes to git:
 
-### ⚡ Stage 4: Prepare your nodes for k3s
-
-📍 _Here we will be running an Ansible playbook to prepare your nodes for running a Kubernetes cluster._
-
-1. Ensure you are able to SSH into your nodes from your workstation using a private SSH key **without a passphrase** (for example using a SSH agent). This lets Ansible interact with your nodes.
-
-2. Verify Ansible can view your config
-
-    ```sh
-    task ansible:list
-    ```
-
-3. Verify Ansible can ping your nodes
-
-    ```sh
-    task ansible:ping
-    ```
-
-4. Run the Ansible prepare playbook (nodes wil reboot when done)
-
-    ```sh
-    task ansible:prepare
-    ```
-
-### ⛵ Stage 5: Use Ansible to install k3s
-
-📍 _Here we will be running a Ansible Playbook to install [k3s](https://k3s.io/) with [this](https://galaxy.ansible.com/xanmanning/k3s) Ansible galaxy role. If you run into problems, you can run `task ansible:nuke` to destroy the k3s cluster and start over from this point._
-
-1. Verify Ansible can view your config
-
-    ```sh
-    task ansible:list
-    ```
-
-2. Verify Ansible can ping your nodes
-
-    ```sh
-    task ansible:ping
-    ```
-
-3. Install k3s with Ansible
-
-    ```sh
-    task ansible:install
-    ```
-
-4. Verify the nodes are online
-
-    📍 _If this command **fails** you likely haven't configured `direnv` as mentioned previously in the guide._
-
-    ```sh
-    kubectl get nodes -o wide
-    # NAME           STATUS   ROLES                       AGE     VERSION
-    # k8s-0          Ready    control-plane,etcd,master   1h      v1.27.3+k3s1
-    # k8s-1          Ready    worker                      1h      v1.27.3+k3s1
-    ```
-
-5. The `kubeconfig` for interacting with your cluster should have been created in the root of your repository.
-
-### 🔹 Stage 6: Install Flux in your cluster
-
-📍 _Here we will be installing [flux](https://fluxcd.io/flux/) after some quick bootstrap steps._
-
-1. Verify Flux can be installed
-
-    ```sh
-    flux check --pre
-    # ► checking prerequisites
-    # ✔ kubectl 1.27.3 >=1.18.0-0
-    # ✔ Kubernetes 1.27.3+k3s1 >=1.16.0-0
-    # ✔ prerequisites checks passed
-    ```
-
-2. Push you changes to git
-
-   📍 **Verify** all the `*.sops.yaml` and `*.sops.yaml` files under the `./ansible`, and `./kubernetes` directories are **encrypted** with SOPS
+   📍 _**Verify** all the `./kubernetes/**/*.sops.*` files are **encrypted** with SOPS_
 
     ```sh
     git add -A
-    git commit -m "Initial commit :rocket:"
+    git commit -m "chore: initial commit :rocket:"
     git push
     ```
 
-3. Install Flux and sync the cluster to the Git repository
+> [!TIP]
+> Using a **private repository**? Make sure to paste the public key from `github-deploy.key.pub` into the deploy keys section of your GitHub repository settings. This will make sure Flux has read/write access to your repository.
+
+### Stage 6: Bootstrap Talos, Kubernetes, and Flux
+
+> [!WARNING]
+> It might take a while for the cluster to be setup (10+ minutes is normal). During which time you will see a variety of error messages like: "couldn't get current server API group list," "error: no matching resources found", etc. 'Ready' will remain "False" as no CNI is deployed yet. **This is normal.** If this step gets interrupted, e.g. by pressing <kbd>Ctrl</kbd> + <kbd>C</kbd>, you likely will need to [reset the cluster](#-reset) before trying again
+
+1. Install Talos:
 
     ```sh
-    task cluster:install
-    # namespace/flux-system configured
-    # customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
-    # ...
+    task bootstrap:talos
     ```
 
-4. Verify Flux components are running in the cluster
+2. Push your changes to git:
 
     ```sh
-    kubectl -n flux-system get pods -o wide
-    # NAME                                       READY   STATUS    RESTARTS   AGE
-    # helm-controller-5bbd94c75-89sb4            1/1     Running   0          1h
-    # kustomize-controller-7b67b6b77d-nqc67      1/1     Running   0          1h
-    # notification-controller-7c46575844-k4bvr   1/1     Running   0          1h
-    # source-controller-7d6875bcb4-zqw9f         1/1     Running   0          1h
+    git add -A
+    git commit -m "chore: add talhelper encrypted secret :lock:"
+    git push
     ```
 
-### 🎤 Verification Steps
-
-_Mic check, 1, 2_ - In a few moments applications should be lighting up like Christmas in July 🎄
-
-1. Output all the common resources in your cluster.
-
-    📍 _Feel free to use the provided [cluster tasks](.taskfiles/ClusterTasks.yaml) for validation of cluster resources or continue to get familiar with the `kubectl` and `flux` CLI tools._
-
+3. Install cilium, coredns, spegel, flux and sync the cluster to the repository state:
 
     ```sh
-    task cluster:resources
+    task bootstrap:apps
     ```
 
-2. ⚠️ It might take `cert-manager` awhile to generate certificates, this is normal so be patient.
+4. Watch the rollout of your cluster happen:
 
-3. 🏆 **Congratulations** if all goes smooth you will have a Kubernetes cluster managed by Flux and your Git repository is driving the state of your cluster.
-
-4. 🧠 Now it's time to pause and go get some motel motor oil ☕ and admire you made it this far!
+    ```sh
+    kubectl get pods --all-namespaces --watch
+    ```
 
 ## 📣 Post installation
 
-#### 🌐 Public DNS
+### ✅ Verifications
 
-The `external-dns` application created in the `networking` namespace will handle creating public DNS records. By default, `echo-server` and the `flux-webhook` are the only subdomains reachable from the public internet. In order to make additional applications public you must set set the correct ingress class name and ingress annotations like in the HelmRelease for `echo-server`.
-
-#### 🏠 Home DNS
-
-`k8s_gateway` will provide DNS resolution to external Kubernetes resources (i.e. points of entry to the cluster) from any device that uses your home DNS server. For this to work, your home DNS server must be configured to forward DNS queries for `${bootstrap_cloudflare_domain}` to `${bootstrap_k8s_gateway_addr}` instead of the upstream DNS server(s) it normally uses. This is a form of **split DNS** (aka split-horizon DNS / conditional forwarding).
-
-> [!TIP]
-> Below is how to configure a Pi-hole for split DNS. Other platforms should be similar.
-> 1. Apply this file on the Pihole server while substituting the variables
-> ```sh
-> # /etc/dnsmasq.d/99-k8s-gateway-forward.conf
-> server=/${bootstrap_cloudflare_domain}/${bootstrap_k8s_gateway_addr}
-> ```
-> 2. Restart dnsmasq on the server.
-> 3. Query an internal-only subdomain from your workstation (any `internal` class ingresses): `dig @${home-dns-server-ip} hubble.${bootstrap_cloudflare_domain}`. It should resolve to `${bootstrap_internal_ingress_addr}`.
-
-If you're having trouble with DNS be sure to check out these two GitHub discussions: [Internal DNS](https://github.com/onedr0p/flux-cluster-template/discussions/719) and [Pod DNS resolution broken](https://github.com/onedr0p/flux-cluster-template/discussions/635).
-
-... Nothing working? That is expected, this is DNS after all!
-
-#### 📜 Certificates
-
-By default this template will deploy a wildcard certificate using the Let's Encrypt **staging environment**, which prevents you from getting rate-limited by the Let's Encrypt production servers if your cluster doesn't deploy properly (for example due to a misconfiguration). Once you are sure you will keep the cluster up for more than a few hours be sure to switch to the production servers as outlined in `config.yaml`.
-
-📍 _You will need a production certificate to reach internet-exposed applications through `cloudflared`._
-
-#### 🪝 Github Webhook
-
-By default Flux will periodically check your git repository for changes. In order to have Flux reconcile on `git push` you must configure Github to send `push` events to Flux.
-
-> [!IMPORTANT]
-> This will only work after you have switched over certificates to the Let's Encrypt Production servers.
-
-1. Obtain the webhook path
-
-    📍 _Hook id and path should look like `/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123`_
+1. Check the status of Cilium:
 
     ```sh
-    kubectl -n flux-system get receiver github-receiver -o jsonpath='{.status.webhookPath}'
+    cilium status
     ```
 
-2. Piece together the full URL with the webhook path appended
+2. Check the status of Flux and if the Flux resources are up-to-date and in a ready state:
 
-    ```text
-    https://flux-webhook.${bootstrap_cloudflare_domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
-    ```
-
-3. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your `bootstrap_flux_github_webhook_token` secret and save.
-
-### 🤖 Renovate
-
-[Renovate](https://www.mend.io/renovate) is a tool that automates dependency management. It is designed to scan your repository around the clock and open PRs for out-of-date dependencies it finds. Common dependencies it can discover are Helm charts, container images, GitHub Actions, Ansible roles... even Flux itself! Merging a PR will cause Flux to apply the update to your cluster.
-
-To enable Renovate, click the 'Configure' button over at their [Github app page](https://github.com/apps/renovate) and select your repository. Renovate creates a "Dependency Dashboard" as an issue in your repository, giving an overview of the status of all updates. The dashboard has interactive checkboxes that let you do things like advance scheduling or reattempt update PRs you closed without merging.
-
-The base Renovate configuration in your repository can be viewed at [.github/renovate.json5](https://github.com/onedr0p/flux-cluster-template/blob/main/.github/renovate.json5). By default it is scheduled to be active with PRs every weekend, but you can [change the schedule to anything you want](https://docs.renovatebot.com/presets-schedule), or remove it if you want Renovate to open PRs right away.
-
-## 🐛 Debugging
-
-Below is a general guide on trying to debug an issue with an resource or application. For example, if a workload/resource is not showing up or a pod has started but in a `CrashLoopBackOff` or `Pending` state.
-
-1. Start by checking all Flux Kustomizations & Git Repository & OCI Repository and verify they are healthy.
+   📍 _Run `task reconcile` to force Flux to sync your Git repository state_
 
     ```sh
-    flux get sources oci -A
-    flux get sources git -A
+    flux check
+    flux get sources git flux-system
     flux get ks -A
-    ```
-
-2. Then check all the Flux Helm Releases and verify they are healthy.
-
-    ```sh
     flux get hr -A
     ```
 
-3. Then check the if the pod is present.
+3. Check TCP connectivity to both the internal and external gateways:
+
+   📍 _The variables are only placeholders, replace them with your actual values_
+
+    ```sh
+    nmap -Pn -n -p 443 ${cluster_gateway_addr} ${cloudflare_gateway_addr} -vv
+    ```
+
+4. Check you can resolve DNS for `echo`, this should resolve to `${cloudflare_gateway_addr}`:
+
+   📍 _The variables are only placeholders, replace them with your actual values_
+
+    ```sh
+    dig @${cluster_dns_gateway_addr} echo.${cloudflare_domain}
+    ```
+
+5. Check the status of your wildcard `Certificate`:
+
+    ```sh
+    kubectl -n network describe certificates
+    ```
+
+### 🌐 Public DNS
+
+> [!TIP]
+> Use the `envoy-external` gateway on `HTTPRoutes` to make applications public to the internet. These are also accessible on your private network once you set up split DNS.
+
+The `external-dns` application created in the `network` namespace will handle creating public DNS records. By default, `echo` and the `flux-webhook` are the only subdomains reachable from the public internet. In order to make additional applications public you must **set the correct gateway** like in the HelmRelease for `echo`.
+
+### 🏠 Home DNS
+
+> [!TIP]
+> Use the `envoy-internal` gateway on `HTTPRoutes` to make applications private to your network. If you're having trouble with internal DNS resolution check out [this](https://github.com/onedr0p/cluster-template/discussions/719) GitHub discussion.
+
+`k8s_gateway` will provide DNS resolution to external Kubernetes resources (i.e. points of entry to the cluster) from any device that uses your home DNS server. For this to work, your home DNS server must be configured to forward DNS queries for `${cloudflare_domain}` to `${cluster_dns_gateway_addr}` instead of the upstream DNS server(s) it normally uses. This is a form of **split DNS** (aka split-horizon DNS / conditional forwarding).
+
+_... Nothing working? That is expected, this is DNS after all!_
+
+### 🪝 GitHub Webhook
+
+By default Flux will periodically check your git repository for changes. In-order to have Flux reconcile on `git push` you must configure GitHub to send `push` events to Flux.
+
+1. Obtain the webhook path:
+
+   📍 _Hook id and path should look like `/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123`_
+
+    ```sh
+    kubectl -n flux-system get receiver github-webhook --output=jsonpath='{.status.webhookPath}'
+    ```
+
+2. Piece together the full URL with the webhook path appended:
+
+    ```text
+    https://flux-webhook.${cloudflare_domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
+    ```
+
+3. Navigate to the settings of your repository on GitHub, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook URL and your token from `github-push-token.txt`, Content type: `application/json`, Events: Choose Just the push event, and save.
+
+## 💥 Reset
+
+> [!CAUTION]
+> **Resetting** the cluster **multiple times in a short period of time** could lead to being **rate limited by DockerHub or Let's Encrypt**.
+
+There might be a situation where you want to destroy your Kubernetes cluster. The following command will reset your nodes back to maintenance mode.
+
+```sh
+task talos:reset
+```
+
+## 🛠️ Talos and Kubernetes Maintenance
+
+### ⚙️ Updating Talos node configuration
+
+> [!TIP]
+> Ensure you have updated `talconfig.yaml` and any patches with your updated configuration. In some cases you **not only need to apply the configuration but also upgrade talos** to apply new configuration.
+
+```sh
+# (Re)generate the Talos config
+task talos:generate-config
+# Apply the config to the node
+task talos:apply-node IP=? MODE=?
+# e.g. task talos:apply-node IP=10.10.10.10 MODE=auto
+```
+
+### ⬆️ Updating Talos and Kubernetes versions
+
+> [!TIP]
+> Ensure the `talosVersion` and `kubernetesVersion` in `talenv.yaml` are up-to-date with the version you wish to upgrade to.
+
+```sh
+# Upgrade node to a newer Talos version
+task talos:upgrade-node IP=?
+# e.g. task talos:upgrade-node IP=10.10.10.10
+```
+
+```sh
+# Upgrade cluster to a newer Kubernetes version
+task talos:upgrade-k8s
+# e.g. task talos:upgrade-k8s
+```
+
+### ➕ Adding a node to your cluster
+
+At some point you might want to expand your cluster to run more workloads and/or improve the reliability of your cluster. Keep in mind it is recommended to have an **odd number** of control plane nodes for quorum reasons.
+
+You don't need to re-bootstrap the cluster to add new nodes. Follow these steps:
+
+1. **Prepare the new node**: Review the [Stage 2: Machine Preparation](#stage-2-machine-preparation) section and boot your new node into maintenance mode.
+
+2. **Get the node information**: While the node is in maintenance mode, retrieve the disk and MAC address information needed for configuration:
+
+   ```sh
+   talosctl get disks -n <ip> --insecure
+   talosctl get links -n <ip> --insecure
+   ```
+
+3. **Update the configuration**: Read the documentation for [talhelper](https://budimanjojo.github.io/talhelper/latest/) and extend the `talconfig.yaml` file manually with the new node information (including the disk and MAC address from step 2).
+
+4. **Generate and apply the configuration**:
+
+   ```sh
+   # Render your talosconfig based on the talconfig.yaml file
+   task talos:generate-config
+
+   # Apply the configuration to the node
+   task talos:apply-node IP=?
+   # e.g. task talos:apply-node IP=10.10.10.10
+   ```
+
+The node should join the cluster automatically and workloads will be scheduled once they report as ready.
+
+## 🤖 Renovate
+
+[Renovate](https://www.mend.io/renovate) is a tool that automates dependency management. It is designed to scan your repository around the clock and open PRs for out-of-date dependencies it finds. Common dependencies it can discover are Helm charts, container images, GitHub Actions and more! In most cases merging a PR will cause Flux to apply the update to your cluster.
+
+To enable Renovate, click the 'Configure' button over at their [Github app page](https://github.com/apps/renovate) and select your repository. Renovate creates a "Dependency Dashboard" as an issue in your repository, giving an overview of the status of all updates. The dashboard has interactive checkboxes that let you do things like advance scheduling or reattempt update PRs you closed without merging.
+
+The base Renovate configuration in your repository can be viewed at [.renovaterc.json5](.renovaterc.json5). By default it is scheduled to be active with PRs every weekend, but you can [change the schedule to anything you want](https://docs.renovatebot.com/presets-schedule), or remove it if you want Renovate to open PRs immediately.
+
+## 🐛 Debugging
+
+Below is a general guide on trying to debug an issue with an resource or application. For example, if a workload/resource is not showing up or a pod has started but in a `CrashLoopBackOff` or `Pending` state. These steps do not include a way to fix the problem as the problem could be one of many different things.
+
+1. Check if the Flux resources are up-to-date and in a ready state:
+
+   📍 _Run `task reconcile` to force Flux to sync your Git repository state_
+
+    ```sh
+    flux get sources git -A
+    flux get ks -A
+    flux get hr -A
+    ```
+
+2. Do you see the pod of the workload you are debugging:
 
     ```sh
     kubectl -n <namespace> get pods -o wide
     ```
 
-4. Then check the logs of the pod if its there.
+3. Check the logs of the pod if it's there:
 
     ```sh
     kubectl -n <namespace> logs <pod-name> -f
-    # or
-    stern -n <namespace> <fuzzy-name>
     ```
 
-5. If a resource exists try to describe it to see what problems it might have.
+4. If a resource exists, try to describe it to see what problems it might have:
 
     ```sh
     kubectl -n <namespace> describe <resource> <name>
     ```
 
-6. Check the namespace events
+5. Check the namespace events:
 
     ```sh
     kubectl -n <namespace> get events --sort-by='.metadata.creationTimestamp'
     ```
 
-Resolving problems that you have could take some tweaking of your YAML manifests in order to get things working, other times it could be a external factor like permissions on NFS. If you are unable to figure out your problem see the help section below.
+Resolving problems that you have could take some tweaking of your YAML manifests in order to get things working, other times it could be a external factor like permissions on a NFS server. If you are unable to figure out your problem see the support sections below.
 
-## 👉 Help
+## 🧹 Tidy up
 
-- Make a post in this repository's Github [Discussions](https://github.com/onedr0p/flux-cluster-template/discussions).
-- Start a thread in the `#support` or `#flux-cluster-template` channels in the [Home Operations](https://discord.gg/home-operations) Discord server.
+Once your cluster is fully configured and you no longer need to run `task configure`, it's a good idea to clean up the repository by removing the [templates](./templates) directory and any files related to the templating process. This will help eliminate unnecessary clutter from the upstream template repository and resolve any "duplicate registry" warnings from Renovate.
+
+1. Tidy up your repository:
+
+    ```sh
+    task template:tidy
+    ```
+
+2. Push your changes to git:
+
+    ```sh
+    git add -A
+    git commit -m "chore: tidy up :broom:"
+    git push
+    ```
 
 ## ❔ What's next
 
-The cluster is your oyster (or something like that). Below are some optional considerations you might want to review.
+There's a lot to absorb here, especially if you're new to these tools. Take some time to familiarize yourself with the tooling and understand how all the components interconnect. Dive into the documentation of the various tools included — they are a valuable resource. This shouldn't be a production environment yet, so embrace the freedom to experiment. Move fast, break things intentionally, and challenge yourself to fix them.
 
-#### Ship it
+Below are some optional considerations you may want to explore.
 
-To browse or get ideas on applications people are running, community member [@whazor](https://github.com/whazor) created [Kubesearch](https://kubesearch.dev) as a creative way to search Flux HelmReleases across Github and Gitlab.
+### DNS
 
-#### Storage
+The template uses [k8s_gateway](https://github.com/k8s-gateway/k8s_gateway) to provide DNS for your applications, consider exploring [external-dns](https://github.com/kubernetes-sigs/external-dns) as an alternative.
 
-The included CSI (democratic-csi in local-hostpath mode) is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. If you need any of those features be sure to check out the projects like [rook-ceph](https://github.com/rook/rook), [longhorn](https://github.com/longhorn/longhorn), [openebs](https://github.com/openebs/openebs), [democratic-csi](https://github.com/democratic-csi/democratic-csi), [csi-driver-nfs](https://github.com/kubernetes-csi/csi-driver-nfs),
-and [synology-csi](https://github.com/SynologyOpenSource/synology-csi).
+External-DNS offers broad support for various DNS providers, including but not limited to:
 
-#### Authenticate Flux over SSH
+- [Pi-hole](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/pihole.md)
+- [UniFi](https://github.com/kashalls/external-dns-unifi-webhook)
+- [Adguard Home](https://github.com/muhlba91/external-dns-provider-adguard)
+- [Bind](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/rfc2136.md)
 
-Authenticating Flux to your git repository has a couple benefits like using a private git repository and/or using the Flux [Image Automation Controllers](https://fluxcd.io/docs/components/image/).
+This flexibility allows you to integrate seamlessly with a range of DNS solutions to suit your environment and offload DNS from your cluster to your router, or external device.
 
-By default this template only works on a public Github repository, it is advised to keep your repository public.
+### Secrets
 
-The benefits of a public repository include:
+SOPS is an excellent tool for managing secrets in a GitOps workflow. However, it can become cumbersome when rotating secrets or maintaining a single source of truth for secret items.
 
-- Debugging or asking for help, you can provide a link to a resource you are having issues with.
-- Adding a topic to your repository of `kubesearch` to be included in the [Kubesearch](https://kubesearch.dev) results. This search helps people discover different configurations of Helm charts across others Flux based repositories.
+For a more streamlined approach to those issues, consider [External Secrets](https://external-secrets.io/latest/). This tool allows you to move away from SOPs and leverage an external provider for managing your secrets. External Secrets supports a wide range of providers, from cloud-based solutions to self-hosted options.
 
-<details>
-  <summary>Expand to read guide on adding Flux SSH authentication</summary>
+### Storage
 
-1. Generate new SSH key:
+If your workloads require persistent storage with features like replication or connectivity to NFS, SMB, or iSCSI servers, there are several projects worth exploring:
 
-    ```sh
-    ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./kubernetes/bootstrap/github-deploy.key -q -P ""
-    ```
+- [rook-ceph](https://github.com/rook/rook) / [longhorn](https://github.com/longhorn/longhorn) / [openebs](https://github.com/openebs/openebs)
+- [democratic-csi](https://github.com/democratic-csi/democratic-csi)
+- [csi-driver-nfs](https://github.com/kubernetes-csi/csi-driver-nfs) / [csi-driver-smb](https://github.com/kubernetes-csi/csi-driver-smb)
+- [synology-csi](https://github.com/SynologyOpenSource/synology-csi)
+- [truenas-csi](https://github.com/truenas/truenas-csi) / [tns-csi](https://github.com/fenio/tns-csi)
 
-2. Paste public key in the deploy keys section of your repository settings
-3. Create sops secret in `./kubernetes/bootstrap/github-deploy-key.sops.yaml` with the contents of:
+These tools offer a variety of solutions to meet your persistent storage needs, whether you’re using cloud-native or self-hosted infrastructures.
 
-   ```yaml
-   apiVersion: v1
-   kind: Secret
-   metadata:
-     name: github-deploy-key
-     namespace: flux-system
-   stringData:
-     # 3a. Contents of github-deploy-key
-     identity: |
-       -----BEGIN OPENSSH PRIVATE KEY-----
-           ...
-       -----END OPENSSH PRIVATE KEY-----
-     # 3b. Output of curl --silent https://api.github.com/meta | jq --raw-output '"github.com "+.ssh_keys[]'
-     known_hosts: |
-       github.com ssh-ed25519 ...
-       github.com ecdsa-sha2-nistp256 ...
-       github.com ssh-rsa ...
-   ```
+### Community Repositories
 
-4. Encrypt secret:
+Community member [@whazor](https://github.com/whazor) created [Kubesearch](https://kubesearch.dev) to allow searching Flux HelmReleases across Github and Gitlab repositories with the `kubesearch` topic.
 
-    ```sh
-    sops --encrypt --in-place ./kubernetes/bootstrap/github-deploy-key.sops.yaml
-    ```
+## 🙋 Support
 
-5. Apply secret to cluster:
+### Community
 
-    ```sh
-    sops --decrypt ./kubernetes/bootstrap/github-deploy-key.sops.yaml | kubectl apply -f -
-    ```
+- Make a post in this repository's GitHub [Discussions](https://github.com/onedr0p/cluster-template/discussions).
+- Start a thread in the `#support` or `#cluster-template` channels in the [Home Operations](https://discord.gg/home-operations) Discord server.
 
-6. Update `./kubernetes/flux/config/cluster.yaml`:
+## 📺 Media
 
-    ```yaml
-    apiVersion: source.toolkit.fluxcd.io/v1beta2
-    kind: GitRepository
-    metadata:
-      name: home-kubernetes
-      namespace: flux-system
-    spec:
-      interval: 10m
-      # 6a: Change this to your user and repo names
-      url: ssh://git@github.com/$user/$repo
-      ref:
-        branch: main
-      secretRef:
-        name: github-deploy-key
-    ```
+Check out these videos below. If you find them helpful, a like and subscribe goes a long way!
 
-7. Commit and push changes
-8. Force flux to reconcile your changes
+<a href="https://youtube.com/watch?v=aeUKOpeoiUs">
+  <img src="https://github.com/user-attachments/assets/2dab1c6f-7b27-4b94-a7ad-a6d9c5b17c78" alt="Youtube Video" width="300">
+</a>
+&nbsp;&nbsp;
+<a href="https://youtube.com/watch?v=hoi2GzvJUXM">
+  <img src="https://github.com/user-attachments/assets/5b939b90-0019-4515-b90c-321ffe7448cf" alt="Youtube Video" width="300">
+</a>
 
-    ```sh
-    flux reconcile -n flux-system kustomization cluster --with-source
-    ```
+## 🙌 Related Projects
 
-9. Verify git repository is now using SSH:
+If this repo is too hot to handle or too cold to hold check out these following projects.
 
-    ```sh
-    flux get sources git -A
-    ```
+- [ajaykumar4/cluster-template](https://github.com/ajaykumar4/cluster-template) - _A template for deploying a Talos Kubernetes cluster including Argo for GitOps_
+- [khuedoan/homelab](https://github.com/khuedoan/homelab) - _Fully automated homelab from empty disk to running services with a single command._
+- [mitchross/k3s-argocd-starter](https://github.com/mitchross/k3s-argocd-starter) - starter kit for k3s, argocd
+- [ricsanfre/pi-cluster](https://github.com/ricsanfre/pi-cluster) - _Pi Kubernetes Cluster. Homelab kubernetes cluster automated with Ansible and FluxCD_
+- [techno-tim/k3s-ansible](https://github.com/techno-tim/k3s-ansible) - _The easiest way to bootstrap a self-hosted High Availability Kubernetes cluster. A fully automated HA k3s etcd install with kube-vip, MetalLB, and more. Build. Destroy. Repeat._
 
-10. Optionally set your repository to Private in your repository settings.
+## ⭐ Stargazers
 
-</details>
+<div align="center">
+
+<a href="https://star-history.com/#onedr0p/cluster-template&Date">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=onedr0p/cluster-template&type=Date&theme=dark" />
+    <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=onedr0p/cluster-template&type=Date" />
+    <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=onedr0p/cluster-template&type=Date" />
+  </picture>
+</a>
+
+</div>
 
 ## 🤝 Thanks
 

Taskfile.yaml

@@ -1,82 +1,34 @@
 ---
-version: "3"
+version: '3'
+
+set: [pipefail]
+shopt: [globstar]
 
 vars:
-  PYTHON_BIN: python3
-  BOOTSTRAP_DIR: "{{.ROOT_DIR}}/bootstrap"
-  ANSIBLE_DIR: "{{.ROOT_DIR}}/ansible"
-  KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes"
+  BOOTSTRAP_DIR: '{{.ROOT_DIR}}/bootstrap'
+  KUBERNETES_DIR: '{{.ROOT_DIR}}/kubernetes'
+  SCRIPTS_DIR: '{{.ROOT_DIR}}/scripts'
+  TALOS_DIR: '{{.ROOT_DIR}}/talos'
+  PRIVATE_DIR: '{{.ROOT_DIR}}/.private'
+  TALOSCONFIG: '{{.ROOT_DIR}}/talos/clusterconfig/talosconfig'
 
 env:
-  KUBECONFIG: "{{.ROOT_DIR}}/kubeconfig"
-  SOPS_AGE_KEY_FILE: "{{.ROOT_DIR}}/age.key"
-  PATH: "{{.ROOT_DIR}}/.venv/bin:$PATH"
-  VIRTUAL_ENV: "{{.ROOT_DIR}}/.venv"
-  ANSIBLE_COLLECTIONS_PATH: "{{.ROOT_DIR}}/.venv/galaxy"
-  ANSIBLE_ROLES_PATH: "{{.ROOT_DIR}}/.venv/galaxy/ansible_roles"
-  ANSIBLE_VARS_ENABLED: "host_group_vars,community.sops.sops"
-  K8S_AUTH_KUBECONFIG: "{{.ROOT_DIR}}/kubeconfig"
+  KUBECONFIG: '{{.ROOT_DIR}}/kubeconfig'
+  SOPS_AGE_KEY_FILE: '{{.ROOT_DIR}}/age.key'
+  TALOSCONFIG: '{{.TALOSCONFIG}}'
 
 includes:
-  ansible: .taskfiles/AnsibleTasks.yaml
-  brew: .taskfiles/BrewTasks.yaml
-  cluster: .taskfiles/ClusterTasks.yaml
+  bootstrap: .taskfiles/bootstrap
+  talos: .taskfiles/talos
+  template: .taskfiles/template
 
 tasks:
 
-  default: task -l
+  default: task --list
 
-  deps:
-    desc: Create a Python virtual env and install required packages
-    summary: task {{.TASK}}
-    cmds:
-      - "{{.PYTHON_BIN}} -m venv {{.ROOT_DIR}}/.venv"
-      - .venv/bin/python3 -m pip install --upgrade pip setuptools wheel
-      - .venv/bin/python3 -m pip install --upgrade --requirement "{{.ROOT_DIR}}/requirements.txt"
-      - .venv/bin/ansible-galaxy install --role-file "{{.ROOT_DIR}}/requirements.yaml" --force
-
-  init:
-    desc: Initialize configuration files
-    summary: task {{.TASK}}
-    dir: "{{.BOOTSTRAP_DIR}}"
-    cmds:
-      - cp -n vars/addons.sample.yaml vars/addons.yaml
-      - cp -n vars/config.sample.yaml vars/config.yaml
-      - cmd: echo "=== Configuration files copied ==="
-        silent: true
-      - cmd: echo "Proceed with updating the configuration files..."
-        silent: true
-      - cmd: echo "{{.BOOTSTRAP_DIR}}/vars/config.yaml"
-        silent: true
-      - cmd: echo "{{.BOOTSTRAP_DIR}}/vars/addons.yaml"
-        silent: true
-    status:
-      - test -f "{{.BOOTSTRAP_DIR}}/vars/addons.yaml"
-      - test -f "{{.BOOTSTRAP_DIR}}/vars/config.yaml"
-
-  # TODO: Only prompt when generated directories exist
-  # https://github.com/go-task/task/issues/1330
-  configure:
-    desc: Configure repository from Ansible vars
-    summary: task {{.TASK}}
-    prompt: Any conflicting config in the root kubernetes and ansible directories will be overwritten... continue?
-    dir: "{{.BOOTSTRAP_DIR}}"
-    cmd: ansible-playbook configure.yaml
-    env:
-      ANSIBLE_DISPLAY_SKIPPED_HOSTS: "false"
-
-  update-template:
-    desc: Update from the upstream flux-cluster-template repository
-    summary: task {{.TASK}}
-    cmds:
-      - mkdir -p $(dirname {{.shafile}})
-      - touch {{.shafile}}
-      - git remote get-url template >/dev/null 2>&1 || git remote add template git@github.com:onedr0p/flux-cluster-template
-      - git fetch --all
-      - git cherry-pick --no-commit --allow-empty $(cat {{.shafile}})..template/main
-      - git ls-remote template HEAD | awk '{ print $1}' > {{.shafile}}
-    vars:
-      shafile: "{{.ROOT_DIR}}/.tasks/.latest-template.sha"
+  reconcile:
+    desc: Force Flux to pull in changes from your Git repository
+    cmd: flux --namespace flux-system reconcile kustomization flux-system --with-source
     preconditions:
-      - { msg: "Git repository not up-to-date", sh: "git diff --exit-code" }
-      - { msg: "Git repository not up-to-date", sh: "git diff --cached --exit-code" }
+      - test -f {{.KUBECONFIG}}
+      - which flux

bootstrap/configure.yaml

@@ -1,39 +0,0 @@
----
-- name: Cluster Installation
-  hosts: localhost
-  connection: local
-  vars_files:
-    - vars/config.yaml
-    - vars/addons.yaml
-  tasks:
-    - name: Get absolute path to this Git repository # noqa: command-instead-of-module
-      ansible.builtin.command: git rev-parse --show-toplevel
-      changed_when: false
-      check_mode: false
-      register: repository
-      failed_when: repository.rc != 0
-
-    - name: Set facts
-      ansible.builtin.set_fact:
-        repository_path: "{{ repository.stdout }}"
-
-    - name: Override kube-vip address when there is a single master node and no address is defined
-      when: bootstrap_nodes.master | length == 1 and not bootstrap_kube_vip_addr
-      ansible.builtin.set_fact:
-        bootstrap_kube_vip_enabled: false
-        bootstrap_kube_vip_addr: "{{ bootstrap_nodes.master[0].address }}"
-
-    - name: Verify configuration
-      ansible.builtin.include_tasks: tasks/validation/main.yaml
-
-    - name: Template Sops configuration
-      ansible.builtin.include_tasks: tasks/sops/main.yaml
-
-    - name: Template Ansible configuration
-      ansible.builtin.include_tasks: tasks/ansible/main.yaml
-
-    - name: Template Kubernetes configuration
-      ansible.builtin.include_tasks: tasks/kubernetes/main.yaml
-
-    - name: Template Kubernetes addon configuration
-      ansible.builtin.include_tasks: tasks/addons/main.yaml

bootstrap/tasks/addons/csi_driver_nfs.yaml

@@ -1,34 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: csi-driver-nfs
-    addon_namespace: kube-system
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/addons/discord_template_notifier.yaml

@@ -1,34 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: discord-template-notifier
-    addon_namespace: default
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/addons/grafana.yaml

@@ -1,34 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: grafana
-    addon_namespace: monitoring
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/addons/hajimari.yaml

@@ -1,35 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: hajimari
-    addon_namespace: default
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-# https://github.com/ansible-collections/community.sops/issues/153
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/addons/kube_prometheus_stack.yaml

@@ -1,34 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: kube-prometheus-stack
-    addon_namespace: monitoring
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/addons/kubernetes_dashboard.yaml

@@ -1,34 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: kubernetes-dashboard
-    addon_namespace: monitoring
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/addons/main.yaml

@@ -1,33 +0,0 @@
----
-
-- name: Process addon csi-driver-nfs
-  when: csi_driver_nfs.enabled | default(false)
-  ansible.builtin.include_tasks: csi_driver_nfs.yaml
-
-- name: Process addon hajimari
-  when: hajimari.enabled | default(false)
-  ansible.builtin.include_tasks: hajimari.yaml
-
-- name: Process addon grafana
-  when: grafana.enabled | default(false)
-  ansible.builtin.include_tasks: grafana.yaml
-
-- name: Process addon kubernetes-dashboard
-  when: kubernetes_dashboard.enabled | default(false)
-  ansible.builtin.include_tasks: kubernetes_dashboard.yaml
-
-- name: Process addon kube-prometheus-stack
-  when: kube_prometheus_stack.enabled | default(false)
-  ansible.builtin.include_tasks: kube_prometheus_stack.yaml
-
-- name: Process addon system-upgrade-controller
-  when: system_upgrade_controller.enabled | default(false)
-  ansible.builtin.include_tasks: system_upgrade_controller.yaml
-
-- name: Process addon weave-gitops
-  when: weave_gitops.enabled | default(false)
-  ansible.builtin.include_tasks: weave_gitops.yaml
-
-- name: Process addon discord-template-notifier
-  when: discord_template_notifier.enabled | default(false)
-  ansible.builtin.include_tasks: discord_template_notifier.yaml

bootstrap/tasks/addons/system_upgrade_controller.yaml

@@ -1,34 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: system-upgrade-controller
-    addon_namespace: kube-system
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/addons/weave_gitops.yaml

@@ -1,34 +0,0 @@
----
-- name: Set addon facts
-  ansible.builtin.set_fact:
-    addon_name: weave-gitops
-    addon_namespace: flux-system
-
-- name: Ensure directories exist for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template unencrypted files for {{ addon_namespace }}/{{ addon_name }}
-  when: item.state == 'file' and 'sops' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]
-
-- name: Template encrypted files for {{ addon_namespace }}/{{ addon_name }}
-  block:
-    - name: Template encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/apps/{{ addon_namespace }}/{{ addon_name }}/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/addons/{{ addon_name }}/"]

bootstrap/tasks/ansible/main.yaml

@@ -1,39 +0,0 @@
----
-- name: Ensure Kubernetes directories exist
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/ansible/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/ansible/"]
-
-- name: Template Ansible unencrypted files
-  when: item.state == 'file' and 'sops' not in item.path and '.DS_Store' not in item.path
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/ansible/{{ item.path | regex_replace('.j2$', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/ansible/"]
-
-- name: Template Ansible encrypted files
-  block:
-    - name: Template Ansible encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/ansible/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/ansible/"]
-    - name: Template encrypted node secrets
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/ansible/inventory/host_vars/{{ item.name }}.sops.yaml"
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', 'templates/node.sops.yaml.j2', template_vars=dict(password=item.password)) | from_yaml }}"
-        mode: "0644"
-        force: true
-      loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-      loop_control:
-        label: "{{ item.address }}"

bootstrap/tasks/kubernetes/main.yaml

@@ -1,66 +0,0 @@
----
-- name: Ensure Kubernetes directories exist
-  when: item.state == 'directory'
-  ansible.builtin.file:
-    path: "{{ repository_path }}/kubernetes/{{ item.path }}"
-    state: directory
-    mode: "0755"
-  with_community.general.filetree: ["../templates/kubernetes/"]
-
-- name: Template Kubernetes unencrypted files
-  when:
-    - item.state == 'file'
-    - "'.DS_Store' not in item.path"
-    - "'sops' not in item.path"
-    - "'cluster-settings-user.yaml.j2' not in item.path"
-    - "'cluster-secrets-user.yaml.j2' not in item.path"
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/kubernetes/"]
-
-- name: Check if the cluster user settings file already exists
-  stat:
-    path: "{{ repository_path }}/kubernetes/flux/vars/cluster-settings-user.yaml"
-  register: cluster_settings_user
-
-- name: Template Kubernetes user cluster settings
-  when:
-    - item.state == 'file'
-    - "'cluster-settings-user.yaml' in item.path"
-    - not cluster_settings_user.stat.exists
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/kubernetes/"]
-
-- name: Check if the cluster user secrets file already exists
-  stat:
-    path: "{{ repository_path }}/kubernetes/flux/vars/cluster-secrets-user.yaml"
-  register: cluster_secrets_user
-
-- name: Template Kubernetes user cluster secrets
-  when:
-    - item.state == 'file'
-    - "'cluster-secrets-user.yaml' in item.path"
-    - not cluster_secrets_user.stat.exists
-  ansible.builtin.template:
-    src: "{{ item.src }}"
-    dest: "{{ repository_path }}/kubernetes/{{ item.path | regex_replace('.j2$', '') }}"
-    mode: "0644"
-  with_community.general.filetree: ["../templates/kubernetes/"]
-
-- name: Template Kubernetes encrypted files
-  block:
-    - name: Template Kubernetes encrypted files
-      when: item.state == 'file' and 'sops' in item.path
-      community.sops.sops_encrypt:
-        path: "{{ repository_path }}/kubernetes/{{ item.path | replace('.j2', '') }}"
-        encrypted_regex: ^(data|stringData)$
-        age: ["{{ bootstrap_age_public_key }}"]
-        content_yaml: "{{ lookup('ansible.builtin.template', item.src) | from_yaml }}"
-        mode: "0644"
-        force: true
-      with_community.general.filetree: ["../templates/kubernetes/"]

bootstrap/tasks/sops/main.yaml

@@ -1,6 +0,0 @@
----
-- name: Template Sops configuration file
-  ansible.builtin.template:
-    src: "templates/.sops.yaml.j2"
-    dest: "{{ repository_path }}/.sops.yaml"
-    mode: "0644"

bootstrap/tasks/validation/age.yaml

@@ -1,21 +0,0 @@
----
-- name: Query age key file
-  ansible.builtin.stat:
-    path: "{{ repository_path }}/age.key"
-  register: result
-
-- name: Check if age key file exists
-  ansible.builtin.assert:
-    that: result.stat.exists
-    success_msg: Age file {{ repository_path }}/age.key exists
-    fail_msg: Age file {{ repository_path }}/age.key does not exist
-
-- name: Query age key file contents
-  ansible.builtin.set_fact:
-    age_contents: "{{ lookup('file', repository_path + '/age.key') }}"
-
-- name: Check if age public keys match
-  ansible.builtin.assert:
-    that: bootstrap_age_public_key in age_contents
-    success_msg: Age public key {{ bootstrap_age_public_key }} exists
-    fail_msg: Age public key {{ bootstrap_age_public_key }} does not exist

bootstrap/tasks/validation/cli.yaml

@@ -1,9 +0,0 @@
----
-- name: Check for required CLI tools
-  ansible.builtin.shell: |
-    command -v {{ item }} >/dev/null 2>&1
-  loop: [age, cloudflared, flux, sops]
-  changed_when: false
-  check_mode: false
-  register: result
-  failed_when: result.rc != 0 and result.rc != 127

bootstrap/tasks/validation/cloudflare.yaml

@@ -1,34 +0,0 @@
----
-- name: Query Cloudflare zone
-  ansible.builtin.uri:
-    url: https://api.cloudflare.com/client/v4/zones?name={{ bootstrap_cloudflare_domain }}&status=active
-    headers:
-      Authorization: Bearer {{ bootstrap_cloudflare_token }}
-      Content-Type: application/json
-    timeout: 5
-    return_content: true
-    body_format: json
-  register: result
-
-- name: Check if Cloudflare zone exists
-  ansible.builtin.assert:
-    that: result.json.success is true
-    success_msg: Cloudflare zone {{ bootstrap_cloudflare_domain }} exists
-    fail_msg: Cloudflare zone {{ bootstrap_cloudflare_domain }} does not exist
-
-- name: Query Cloudflared tunnel
-  ansible.builtin.uri:
-    url: https://api.cloudflare.com/client/v4/accounts/{{ bootstrap_cloudflare_account_tag }}/cfd_tunnel/{{ bootstrap_cloudflare_tunnel_id }}
-    headers:
-      Authorization: Bearer {{ bootstrap_cloudflare_token }}
-      Content-Type: application/json
-    timeout: 5
-    return_content: true
-    body_format: json
-  register: result
-
-- name: Check if Cloudflared tunnel exists
-  ansible.builtin.assert:
-    that: result.json.success is true
-    success_msg: Cloudflared tunnel {{ bootstrap_cloudflare_tunnel_id }} exists
-    fail_msg: Cloudflared tunnel {{ bootstrap_cloudflare_tunnel_id }} does not exist

bootstrap/tasks/validation/github.yaml

@@ -1,42 +0,0 @@
----
-- name: Query Github username
-  ansible.builtin.uri:
-    url: https://api.github.com/users/{{ bootstrap_github_username }}
-    timeout: 5
-    return_content: true
-    body_format: json
-  register: result
-
-- name: Check if username exists
-  ansible.builtin.assert:
-    that: result.json.login == bootstrap_github_username
-    success_msg: Github user {{ bootstrap_github_username }} exists
-    fail_msg: Github user {{ bootstrap_github_username }} does not exist
-
-- name: Query Github repo
-  ansible.builtin.uri:
-    url: https://api.github.com/repos/{{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }}
-    timeout: 5
-    return_content: true
-    body_format: json
-  register: result
-
-- name: Check if repo exists
-  ansible.builtin.assert:
-    that: result.json.full_name == bootstrap_github_username + '/' + bootstrap_github_repository_name
-    success_msg: Github repo {{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }} exists
-    fail_msg: Github repo {{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }} does not exist
-
-- name: Query Github repo branch
-  ansible.builtin.uri:
-    url: https://api.github.com/repos/{{ bootstrap_github_username }}/{{ bootstrap_github_repository_name }}/branches/{{ bootstrap_github_repository_branch | default('main', true) }}
-    timeout: 5
-    return_content: true
-    body_format: json
-  register: result
-
-- name: Check if repo branch exists
-  ansible.builtin.assert:
-    that: result.json.name == bootstrap_github_repository_branch | default('main', true)
-    success_msg: Github repo branch {{ bootstrap_github_repository_branch | default('main', true) }} exists
-    fail_msg: Github repo branch {{ bootstrap_github_repository_branch | default('main', true) }} does not exist

bootstrap/tasks/validation/main.yaml

@@ -1,6 +0,0 @@
----
-- name: Verify configuration
-  ansible.builtin.include_tasks: "{{ task }}.yaml"
-  loop: [vars, age, cli, net, cloudflare, github]
-  loop_control:
-    loop_var: task

bootstrap/tasks/validation/net.yaml

@@ -1,205 +0,0 @@
----
-- name: Set reachable address
-  ansible.builtin.set_fact:
-    current_address: "{{ item.external_address | default(item.address) }}"
-  loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-  loop_control:
-    label: "{{ item.address }}"
-
-- name: Verify master node count
-  ansible.builtin.assert:
-    that:
-      - bootstrap_nodes.master | length > 0
-      - bootstrap_nodes.master | length is odd
-    success_msg: Master node count {{ bootstrap_nodes.master | length }} is correct.
-    fail_msg: Master node count {{ bootstrap_nodes.master | length }} is not greater than 0 or is not odd.
-
-- name: Verify node CIDR
-  ansible.builtin.assert:
-    that: bootstrap_node_cidr is ansible.utils.ipv4
-    success_msg: Node CIDR {{ bootstrap_node_cidr }} is valid.
-    fail_msg: Node CIDR {{ bootstrap_node_cidr }} is invalid.
-
-- name: Verify cluster CIDR is ipv4 OR ipv6
-  when: not bootstrap_ipv6_enabled | default(false)
-  ansible.builtin.assert:
-    that: bootstrap_cluster_cidr is ansible.utils.ipv4 or bootstrap_cluster_cidr is ansible.utils.ipv6
-    success_msg: Cluster CIDR {{ bootstrap_cluster_cidr }} is valid.
-    fail_msg: Cluster CIDR {{ bootstrap_cluster_cidr }} is invalid.
-
-- name: Verify service CIDR is ipv4 OR ipv6
-  when: not bootstrap_ipv6_enabled | default(false)
-  ansible.builtin.assert:
-    that: bootstrap_service_cidr is ansible.utils.ipv4 or bootstrap_service_cidr is ansible.utils.ipv6
-    success_msg: Service CIDR {{ bootstrap_service_cidr }} is valid.
-    fail_msg: Service CIDR {{ bootstrap_service_cidr }} is invalid.
-
-- name: Verify cluster CIDR is ipv4 AND ipv6
-  when: bootstrap_ipv6_enabled | default(false)
-  ansible.builtin.assert:
-    that: >
-      (
-        bootstrap_cluster_cidr.split(',')[0] is ansible.utils.ipv4 or
-          bootstrap_cluster_cidr.split(',')[1] is ansible.utils.ipv4
-      ) and (
-        bootstrap_cluster_cidr.split(',')[1] is ansible.utils.ipv6 or
-          bootstrap_cluster_cidr.split(',')[0] is ansible.utils.ipv6
-      )
-    success_msg: Cluster CIDR {{ bootstrap_cluster_cidr }} is valid.
-    fail_msg: Cluster CIDR {{ bootstrap_cluster_cidr }} is invalid.
-
-- name: Verify service CIDR is ipv4 AND ipv6
-  when: bootstrap_ipv6_enabled | default(false)
-  ansible.builtin.assert:
-    that: >
-      (
-        bootstrap_service_cidr.split(',')[0] is ansible.utils.ipv4 or
-          bootstrap_service_cidr.split(',')[1] is ansible.utils.ipv4
-      ) and (
-        bootstrap_service_cidr.split(',')[1] is ansible.utils.ipv6 or
-          bootstrap_service_cidr.split(',')[0] is ansible.utils.ipv6
-      )
-    success_msg: Service CIDR {{ bootstrap_service_cidr }} is valid.
-    fail_msg: Service CIDR {{ bootstrap_service_cidr }} is invalid.
-
-- name: Verify k8s_gateway
-  ansible.builtin.assert:
-    that: bootstrap_k8s_gateway_addr is ansible.utils.ipv4
-    success_msg: k8s_gateway address {{ bootstrap_k8s_gateway_addr }} is valid.
-    fail_msg: k8s_gateway address {{ bootstrap_k8s_gateway_addr }} is invalid.
-
-- name: Verify k8s_gateway in node CIDR
-  ansible.builtin.assert:
-    that: bootstrap_node_cidr | ansible.utils.network_in_usable(bootstrap_k8s_gateway_addr)
-    success_msg: k8s_gateway address {{ bootstrap_k8s_gateway_addr }} is within {{ bootstrap_node_cidr }}.
-    fail_msg: k8s_gateway address {{ bootstrap_k8s_gateway_addr }} is not within {{ bootstrap_node_cidr }}.
-
-- name: Verify internal ingress
-  ansible.builtin.assert:
-    that: bootstrap_internal_ingress_addr is ansible.utils.ipv4
-    success_msg: internal ingress address {{ bootstrap_internal_ingress_addr }} is valid.
-    fail_msg: internal ingress address {{ bootstrap_internal_ingress_addr }} is invalid.
-
-- name: Verify internal ingress in node CIDR
-  ansible.builtin.assert:
-    that: bootstrap_node_cidr | ansible.utils.network_in_usable(bootstrap_internal_ingress_addr)
-    success_msg: internal ingress address {{ bootstrap_internal_ingress_addr }} is within {{ bootstrap_node_cidr }}.
-    fail_msg: internal ingress address {{ bootstrap_internal_ingress_addr }} is not within {{ bootstrap_node_cidr }}.
-
-- name: Verify external ingress
-  ansible.builtin.assert:
-    that: bootstrap_external_ingress_addr is ansible.utils.ipv4
-    success_msg: external ingress address {{ bootstrap_external_ingress_addr }} is valid.
-    fail_msg: external ingress address {{ bootstrap_external_ingress_addr }} is invalid.
-
-- name: Verify external ingress in node CIDR
-  ansible.builtin.assert:
-    that: bootstrap_node_cidr | ansible.utils.network_in_usable(bootstrap_external_ingress_addr)
-    success_msg: external ingress address {{ bootstrap_external_ingress_addr }} is within {{ bootstrap_node_cidr }}.
-    fail_msg: external ingress address {{ bootstrap_external_ingress_addr }} is not within {{ bootstrap_node_cidr }}.
-
-- name: Verify kube-vip
-  ansible.builtin.assert:
-    that: bootstrap_kube_vip_addr is ansible.utils.ipv4
-    success_msg: kube-vip address {{ bootstrap_kube_vip_addr }} is valid.
-    fail_msg: kube-vip address {{ bootstrap_kube_vip_addr }} is invalid.
-
-- name: Verify kube-vip in node CIDR
-  ansible.builtin.assert:
-    that: bootstrap_node_cidr | ansible.utils.network_in_usable(bootstrap_kube_vip_addr)
-    success_msg: kube-vip address {{ bootstrap_kube_vip_addr }} is within {{ bootstrap_node_cidr }}.
-    fail_msg: kube-vip address {{ bootstrap_kube_vip_addr }} is not within {{ bootstrap_node_cidr }}.
-
-- name: Verify all IP addresses are unique
-  ansible.builtin.assert:
-    that: >
-      [
-        bootstrap_k8s_gateway_addr,
-        bootstrap_external_ingress_addr,
-        bootstrap_internal_ingress_addr,
-        bootstrap_kube_vip_addr
-      ] | unique | length == 4
-    success_msg: All IP addresses are unique.
-    fail_msg: All IP addresses are not unique.
-
-- name: Verify nodes are not the same IPs as k8s_gateway or ingress external/internal
-  when: not bootstrap_kube_vip_enabled | default(true)
-  ansible.builtin.assert:
-    that: item.address not in (bootstrap_k8s_gateway_addr, bootstrap_external_ingress_addr, bootstrap_internal_ingress_addr)
-    success_msg: Node address {{ item.address }} is different than k8s_gateway or ingress-nginx.
-    fail_msg: Node address {{ item.address }} is not different than k8s_gateway or ingress-nginx.
-    quiet: true
-  loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-  loop_control:
-    label: "{{ item.address }}"
-
-- name: Verify nodes are not the same IPs as k8s_gateway, ingress external/internal or kube-vip
-  when: bootstrap_kube_vip_enabled | default(true)
-  ansible.builtin.assert:
-    that: item.address not in (bootstrap_k8s_gateway_addr, bootstrap_external_ingress_addr, bootstrap_internal_ingress_addr, bootstrap_kube_vip_addr)
-    success_msg: Node address {{ item.address }} is different than k8s_gateway, ingress-nginx or kube-vip.
-    fail_msg: Node address {{ item.address }} is not different than k8s_gateway, ingress-nginx or kube-vip.
-    quiet: true
-  loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-  loop_control:
-    label: "{{ item.address }}"
-
-- name: Verify nodes are ipv4
-  ansible.builtin.assert:
-    that: item.address is ansible.utils.ipv4
-    success_msg: Node address {{ item.address }} is valid.
-    fail_msg: Node address {{ item.address }} is invalid.
-    quiet: true
-  loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-  loop_control:
-    label: "{{ item.address }}"
-
-- name: Verify nodes are in node CIDR
-  ansible.builtin.assert:
-    that: bootstrap_node_cidr | ansible.utils.network_in_usable(item.address)
-    success_msg: Node address {{ item.address }} is within {{ bootstrap_node_cidr }}.
-    fail_msg: Node address {{ item.address }} is not within {{ bootstrap_node_cidr }}.
-    quiet: true
-  loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-  when: item.external_address is not defined
-  loop_control:
-    label: "{{ item.address }}"
-
-- name: Verify node IP addresses are unique
-  ansible.builtin.assert:
-    that: >
-      (
-        (bootstrap_nodes.master + bootstrap_nodes.worker | default([])) | map(attribute='address') | list
-      ) | unique | length
-      ==
-      (
-        (bootstrap_nodes.master + bootstrap_nodes.worker | default([])) | map(attribute='address') | list
-      ) | length
-    success_msg: All node IP addresses are unique.
-    fail_msg: All node IP addresses are not unique.
-    quiet: true
-
-- name: Verify node names are unique
-  ansible.builtin.assert:
-    that: >
-      (
-        (bootstrap_nodes.master + bootstrap_nodes.worker | default([])) | map(attribute='name') | list
-      ) | unique | length
-      ==
-      (
-        (bootstrap_nodes.master + bootstrap_nodes.worker | default([])) | map(attribute='name') | list
-      ) | length
-    success_msg: All node names are unique.
-    fail_msg: All node names are not unique.
-    quiet: true
-
-- name: Verify SSH port is reachable
-  ansible.builtin.wait_for:
-    host: "{{ current_address }}"
-    port: 22
-    search_regex: OpenSSH
-    timeout: 10
-  connection: local
-  loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-  loop_control:
-    label: "{{ current_address }}"

bootstrap/tasks/validation/vars.yaml

@@ -1,40 +0,0 @@
----
-- name: Verify required bootstrap vars are set
-  ansible.builtin.assert:
-    that:
-      - item in vars
-      - vars[item] != None
-    success_msg: Required bootstrap var {{ item }} exists and is defined
-    fail_msg: Required bootstrap var {{ item }} does not exists or is not defined
-  loop:
-    - bootstrap_acme_email
-    - bootstrap_age_public_key
-    - bootstrap_cilium_loadbalancer_mode
-    - bootstrap_cloudflare_account_tag
-    - bootstrap_cloudflare_domain
-    - bootstrap_cloudflare_token
-    - bootstrap_cloudflare_tunnel_id
-    - bootstrap_cloudflare_tunnel_secret
-    - bootstrap_cluster_cidr
-    - bootstrap_flux_github_webhook_token
-    - bootstrap_github_repository_name
-    - bootstrap_github_repository_branch
-    - bootstrap_github_username
-    - bootstrap_external_ingress_addr
-    - bootstrap_internal_ingress_addr
-    - bootstrap_ipv6_enabled
-    - bootstrap_k8s_gateway_addr
-    - bootstrap_kube_vip_addr
-    - bootstrap_local_path_provisioner_path
-    - bootstrap_node_cidr
-    - bootstrap_service_cidr
-    - bootstrap_timezone
-
-- name: Verify bootstrap node names are valid
-  ansible.builtin.assert:
-    that: item.name is match('^[a-z0-9-]+$')
-    success_msg: Node name {{ item.name }} is valid
-    fail_msg: Node name {{ item.name }} is not valid
-  loop: "{{ bootstrap_nodes.master + bootstrap_nodes.worker | default([]) }}"
-  loop_control:
-    label: "{{ item.name }}"

bootstrap/templates/.sops.yaml.j2

@@ -1,16 +0,0 @@
----
-creation_rules:
-  - path_regex: kubernetes/.*\.sops\.ya?ml
-    encrypted_regex: "^(data|stringData)$"
-    key_groups:
-      - age:
-          - "{{ bootstrap_age_public_key }}"
-  - path_regex: ansible/.*\.sops\.ya?ml
-    key_groups:
-      - age:
-          - "{{ bootstrap_age_public_key }}"
-  # https://github.com/ansible-collections/community.sops/issues/153
-  - path_regex: /dev/stdin
-    key_groups:
-      - age:
-          - "{{ bootstrap_age_public_key }}"

bootstrap/templates/addons/csi-driver-nfs/app/helmrelease.yaml.j2

@@ -1,28 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: csi-driver-nfs
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: csi-driver-nfs
-      version: v4.5.0
-      sourceRef:
-        kind: HelmRepository
-        name: csi-driver-nfs
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    externalSnapshotter:
-      enabled: false

bootstrap/templates/addons/csi-driver-nfs/app/storageclass.yaml.j2

@@ -1,15 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
-{% for item in csi_driver_nfs.storage_class %}
----
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: {{ item.name }}
-provisioner: nfs.csi.k8s.io
-parameters:
-  server: {{ item.server }}
-  share: {{ item.share }}
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-mountOptions: ["hard", "noatime"]
-{% endfor %}

bootstrap/templates/addons/csi-driver-nfs/ks.yaml.j2

@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app csi-driver-nfs
-  namespace: flux-system
-spec:
-  targetNamespace: kube-system
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/kube-system/csi-driver-nfs/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: true
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/addons/discord-template-notifier/app/helmrelease.yaml.j2

@@ -1,63 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: discord-template-notifier
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 2.4.0
-      interval: 30m
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    controllers:
-      main:
-        annotations:
-          reloader.stakater.com/auto: "true"
-        containers:
-          main:
-            image:
-              repository: ghcr.io/morphy2k/rss-forwarder
-              tag: 0.6.1
-            env:
-              TZ: "${TIMEZONE}"
-            probes:
-              liveness: &disabled
-                enabled: false
-              readiness: *disabled
-              startup: *disabled
-            resources:
-              requests:
-                cpu: 5m
-                memory: 10M
-              limits:
-                memory: 64M
-    service:
-      main: *disabled
-    ingress:
-      main: *disabled
-    persistence:
-      config:
-        enabled: true
-        type: secret
-        name: discord-template-notifier-secret
-        globalMounts:
-          - path: /data/config.toml
-            subPath: config.toml
-            readOnly: true

bootstrap/templates/addons/discord-template-notifier/app/secret.sops.yaml.j2

@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: discord-template-notifier-secret
-type: Opaque
-stringData:
-  config.toml: |-
-    [feeds.github-template]
-    url = "https://github.com/onedr0p/flux-cluster-template/commits/main/.atom"
-    interval = "10m"
-    retry_limit = 5
-    sink.type = "discord"
-    sink.url = "{{ discord_template_notifier.webhook_url }}"

bootstrap/templates/addons/discord-template-notifier/ks.yaml.j2

@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app discord-template-notifier
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/default/discord-template-notifier/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/addons/grafana/app/helmrelease.yaml.j2

@@ -1,173 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: grafana
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: grafana
-      version: 7.0.19
-      sourceRef:
-        kind: HelmRepository
-        name: grafana
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  dependsOn:
-    - name: local-path-provisioner
-      namespace: kube-system
-  values:
-    deploymentStrategy:
-      type: Recreate
-    admin:
-      existingSecret: grafana-admin-secret
-    env:
-      GF_EXPLORE_ENABLED: true
-      GF_SERVER_ROOT_URL: "https://grafana.${SECRET_DOMAIN}"
-    grafana.ini:
-      analytics:
-        check_for_updates: false
-        check_for_plugin_updates: false
-        reporting_enabled: false
-    dashboardProviders:
-      dashboardproviders.yaml:
-        apiVersion: 1
-        providers:
-          - name: default
-            orgId: 1
-            folder: ""
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/default
-          - name: flux
-            orgId: 1
-            folder: Flux
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/flux
-          - name: kubernetes
-            orgId: 1
-            folder: Kubernetes
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/kubernetes
-          - name: nginx
-            orgId: 1
-            folder: Nginx
-            type: file
-            disableDeletion: false
-            editable: true
-            options:
-              path: /var/lib/grafana/dashboards/nginx
-    datasources:
-      datasources.yaml:
-        apiVersion: 1
-        deleteDatasources:
-          - { name: Prometheus, orgId: 1 }
-        datasources:
-          - name: Prometheus
-            type: prometheus
-            uid: prometheus
-            access: proxy
-            url: http://kube-prometheus-stack-prometheus.monitoring.svc.cluster.local:9090
-            jsonData:
-              prometheusType: Prometheus
-            isDefault: true
-    dashboards:
-      default:
-        cloudflared:
-          gnetId: 17457 # https://grafana.com/grafana/dashboards/17457?tab=revisions
-          revision: 6
-          datasource:
-            - { name: DS_PROMETHEUS, value: Prometheus }
-        external-dns:
-          gnetId: 15038 # https://grafana.com/grafana/dashboards/15038?tab=revisions
-          revision: 1
-          datasource: Prometheus
-        cert-manager:
-          url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
-          datasource: Prometheus
-        node-exporter-full:
-          gnetId: 1860 # https://grafana.com/grafana/dashboards/1860?tab=revisions
-          revision: 31
-          datasource: Prometheus
-      flux:
-        flux-cluster:
-          url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/cluster.json
-          datasource: Prometheus
-        flux-control-plane:
-          url: https://raw.githubusercontent.com/fluxcd/flux2-monitoring-example/main/monitoring/configs/dashboards/control-plane.json
-          datasource: Prometheus
-      kubernetes:
-        kubernetes-api-server:
-          url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-api-server.json
-          datasource: Prometheus
-        kubernetes-coredns:
-          url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-coredns.json
-          datasource: Prometheus
-        kubernetes-global:
-          url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-global.json
-          datasource: Prometheus
-        kubernetes-namespaces:
-          url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json
-          datasource: Prometheus
-        kubernetes-nodes:
-          url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-nodes.json
-          datasource: Prometheus
-        kubernetes-pods:
-          url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json
-          datasource: Prometheus
-      nginx:
-        nginx:
-          url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json
-          datasource: Prometheus
-        nginx-request-handling-performance:
-          url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json
-          datasource: Prometheus
-    sidecar:
-      dashboards:
-        enabled: true
-        searchNamespace: ALL
-        labelValue: ""
-        label: grafana_dashboard
-        folderAnnotation: grafana_folder
-        provider:
-          disableDelete: true
-          foldersFromFilesStructure: true
-      datasources:
-        enabled: true
-        searchNamespace: ALL
-        labelValue: ""
-    serviceMonitor:
-      enabled: true
-    ingress:
-      enabled: true
-      ingressClassName: internal
-      annotations:
-        hajimari.io/icon: simple-icons:grafana
-      hosts:
-        - &host "grafana.${SECRET_DOMAIN}"
-      tls:
-        - hosts:
-            - *host
-    persistence:
-      enabled: true
-      storageClassName: local-hostpath
-    testFramework:
-      enabled: false

bootstrap/templates/addons/grafana/app/secret.sops.yaml.j2

@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: grafana-admin-secret
-stringData:
-  admin-user: admin
-  admin-password: "{{ grafana.password }}"

bootstrap/templates/addons/grafana/ks.yaml.j2

@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app grafana
-  namespace: flux-system
-spec:
-  targetNamespace: monitoring
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/monitoring/grafana/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/addons/hajimari/app/helmrelease.yaml.j2

@@ -1,65 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: hajimari
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: hajimari
-      version: 2.0.2
-      sourceRef:
-        kind: HelmRepository
-        name: hajimari
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    hajimari:
-      title: Apps
-      darkTheme: espresso
-      alwaysTargetBlank: true
-      showGreeting: false
-      showAppGroups: false
-      showAppStatus: false
-      showBookmarkGroups: false
-      showGlobalBookmarks: false
-      showAppUrls: false
-      defaultEnable: true
-      namespaceSelector:
-        matchNames:
-          - default
-          - monitoring
-    ingress:
-      main:
-        enabled: true
-        ingressClassName: internal
-        annotations:
-          hajimari.io/enable: "false"
-        hosts:
-          - host: &host "hajimari.${SECRET_DOMAIN}"
-            paths:
-              - path: /
-                pathType: Prefix
-        tls:
-          - hosts:
-              - *host
-    podAnnotations:
-      configmap.reloader.stakater.com/reload: hajimari-settings
-    persistence:
-      data:
-        enabled: true
-        type: emptyDir
-    resources:
-      requests:
-        cpu: 100m
-        memory: 128M

bootstrap/templates/addons/hajimari/ks.yaml.j2

@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app hajimari
-  namespace: flux-system
-spec:
-  targetNamespace: default
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/default/hajimari/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/addons/kube-prometheus-stack/app/helmrelease.yaml.j2

@@ -1,35 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: kube-prometheus-stack
-spec:
-  interval: 30m
-  timeout: 15m
-  chart:
-    spec:
-      chart: kube-prometheus-stack
-      version: 55.5.1
-      sourceRef:
-        kind: HelmRepository
-        name: prometheus-community
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    crds: CreateReplace
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    crds: CreateReplace
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  dependsOn:
-    - name: local-path-provisioner
-      namespace: kube-system
-  valuesFrom:
-    - name: kube-prometheus-stack-values
-      kind: ConfigMap
-      valuesKey: values.yaml

bootstrap/templates/addons/kube-prometheus-stack/app/helmvalues.yaml.j2

@@ -1,128 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kube-prometheus-stack-values
-data:
-  values.yaml: |
-    crds:
-      enabled: true
-    cleanPrometheusOperatorObjectNames: true
-    alertmanager:
-      enabled: false
-    kube-state-metrics:
-      metricLabelsAllowlist:
-        - "deployments=[*]"
-        - "persistentvolumeclaims=[*]"
-        - "pods=[*]"
-      prometheus:
-        monitor:
-          enabled: true
-          relabelings:
-            - action: replace
-              sourceLabels: ["__meta_kubernetes_pod_node_name"]
-              regex: ^(.*)$
-              replacement: $1
-              targetLabel: kubernetes_node
-    kubelet:
-      enabled: true
-      serviceMonitor:
-        metricRelabelings:
-          # Remove duplicate labels provided by k3s
-          - action: keep
-            sourceLabels: ["__name__"]
-            regex: (apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|authentication_token|cadvisor_version|container_blkio|container_cpu|container_fs|container_last|container_memory|container_network|container_oom|container_processes|container|csi_operations|disabled_metric|get_token|go|hidden_metric|kubelet_certificate|kubelet_cgroup|kubelet_container|kubelet_containers|kubelet_cpu|kubelet_device|kubelet_graceful|kubelet_http|kubelet_lifecycle|kubelet_managed|kubelet_node|kubelet_pleg|kubelet_pod|kubelet_run|kubelet_running|kubelet_runtime|kubelet_server|kubelet_started|kubelet_volume|kubernetes_build|kubernetes_feature|machine_cpu|machine_memory|machine_nvm|machine_scrape|node_namespace|plugin_manager|prober_probe|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scrape_duration|scrape_samples|scrape_series|storage_operation|volume_manager|volume_operation|workqueue)_(.+)
-          - action: replace
-            sourceLabels: ["node"]
-            targetLabel: instance
-          # Drop high cardinality labels
-          - action: labeldrop
-            regex: (uid)
-          - action: labeldrop
-            regex: (id|name)
-          - action: drop
-            sourceLabels: ["__name__"]
-            regex: (rest_client_request_duration_seconds_bucket|rest_client_request_duration_seconds_sum|rest_client_request_duration_seconds_count)
-    kubeApiServer:
-      enabled: true
-      serviceMonitor:
-        metricRelabelings:
-          # Remove duplicate labels provided by k3s
-          - action: keep
-            sourceLabels: ["__name__"]
-            regex: (aggregator_openapi|aggregator_unavailable|apiextensions_openapi|apiserver_admission|apiserver_audit|apiserver_cache|apiserver_cel|apiserver_client|apiserver_crd|apiserver_current|apiserver_envelope|apiserver_flowcontrol|apiserver_init|apiserver_kube|apiserver_longrunning|apiserver_request|apiserver_requested|apiserver_response|apiserver_selfrequest|apiserver_storage|apiserver_terminated|apiserver_tls|apiserver_watch|apiserver_webhooks|authenticated_user|authentication|disabled_metric|etcd_bookmark|etcd_lease|etcd_request|field_validation|get_token|go|grpc_client|hidden_metric|kube_apiserver|kubernetes_build|kubernetes_feature|node_authorizer|pod_security|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scrape_duration|scrape_samples|scrape_series|serviceaccount_legacy|serviceaccount_stale|serviceaccount_valid|watch_cache|workqueue)_(.+)
-          # Drop high cardinality labels
-          - action: drop
-            sourceLabels: ["__name__"]
-            regex: (apiserver|etcd|rest_client)_request(|_sli|_slo)_duration_seconds_bucket
-          - action: drop
-            sourceLabels: ["__name__"]
-            regex: (apiserver_response_sizes_bucket|apiserver_watch_events_sizes_bucket)
-    kubeControllerManager:
-      enabled: true
-      endpoints: &endpoints
-      {% for item in bootstrap_nodes.master %}
-        - {{ item.address }}
-      {% endfor %}
-      serviceMonitor:
-        metricRelabelings:
-          # Remove duplicate labels provided by k3s
-          - action: keep
-            sourceLabels: ["__name__"]
-            regex: "(apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|attachdetach_controller|authenticated_user|authentication|cronjob_controller|disabled_metric|endpoint_slice|ephemeral_volume|garbagecollector_controller|get_token|go|hidden_metric|job_controller|kubernetes_build|kubernetes_feature|leader_election|node_collector|node_ipam|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|pv_collector|registered_metric|replicaset_controller|rest_client|retroactive_storageclass|root_ca|running_managed|scrape_duration|scrape_samples|scrape_series|service_controller|storage_count|storage_operation|ttl_after|volume_operation|workqueue)_(.+)"
-    kubeEtcd:
-      {% if bootstrap_nodes.master | length > 1 %}
-      enabled: true
-      {% else %}
-      enabled: false
-      {% endif %}
-      endpoints: *endpoints
-    kubeScheduler:
-      enabled: true
-      endpoints: *endpoints
-      serviceMonitor:
-        metricRelabelings:
-          # Remove duplicate labels provided by k3s
-          - action: keep
-            sourceLabels: ["__name__"]
-            regex: "(apiserver_audit|apiserver_client|apiserver_delegated|apiserver_envelope|apiserver_storage|apiserver_webhooks|authenticated_user|authentication|disabled_metric|go|hidden_metric|kubernetes_build|kubernetes_feature|leader_election|process_cpu|process_max|process_open|process_resident|process_start|process_virtual|registered_metric|rest_client|scheduler|scrape_duration|scrape_samples|scrape_series|workqueue)_(.+)"
-    kubeProxy:
-      enabled: false # Disabled due to eBPF
-    prometheus:
-      ingress:
-        enabled: true
-        ingressClassName: internal
-        annotations:
-          hajimari.io/appName: Prometheus
-          hajimari.io/icon: simple-icons:prometheus
-        pathType: Prefix
-        hosts:
-          - "prometheus.${SECRET_DOMAIN}"
-        tls:
-          - hosts:
-              - "prometheus.${SECRET_DOMAIN}"
-      prometheusSpec:
-        ruleSelectorNilUsesHelmValues: false
-        serviceMonitorSelectorNilUsesHelmValues: false
-        podMonitorSelectorNilUsesHelmValues: false
-        probeSelectorNilUsesHelmValues: false
-        scrapeConfigSelectorNilUsesHelmValues: false
-        enableAdminAPI: true
-        walCompression: true
-        retentionSize: 8GB
-        storageSpec:
-          volumeClaimTemplate:
-            spec:
-              storageClassName: local-hostpath
-              resources:
-                requests:
-                  storage: 10Gi
-    grafana:
-      enabled: false
-      forceDeployDashboards: true
-      sidecar:
-        dashboards:
-          multicluster:
-            etcd:
-              enabled: true

bootstrap/templates/addons/kube-prometheus-stack/app/kustomization.yaml.j2

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./helmvalues.yaml
-  - ./helmrelease.yaml

bootstrap/templates/addons/kube-prometheus-stack/ks.yaml.j2

@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app kube-prometheus-stack
-  namespace: flux-system
-spec:
-  targetNamespace: monitoring
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/monitoring/kube-prometheus-stack/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/addons/kubernetes-dashboard/app/helmrelease.yaml.j2

@@ -1,42 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: kubernetes-dashboard
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: kubernetes-dashboard
-      version: 6.0.8
-      sourceRef:
-        kind: HelmRepository
-        name: kubernetes-dashboard
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    extraArgs:
-      - --enable-insecure-login
-      - --enable-skip-login
-      - --disable-settings-authorizer
-    ingress:
-      enabled: true
-      className: internal
-      annotations:
-        hajimari.io/icon: mdi:kubernetes
-      hosts:
-        - &host "kubernetes.${SECRET_DOMAIN}"
-      tls:
-        - hosts:
-            - *host
-    metricsScraper:
-      enabled: true

bootstrap/templates/addons/kubernetes-dashboard/app/kustomization.yaml.j2

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./rbac.yaml
-  - ./helmrelease.yaml

bootstrap/templates/addons/kubernetes-dashboard/app/rbac.yaml.j2

@@ -1,39 +0,0 @@
-# For dashboard sign in token:
-# kubectl -n monitoring get secret kubernetes-dashboard -o jsonpath='{.data.token}' | base64 -d
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kubernetes-dashboard
-  labels:
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-    meta.helm.sh/release-name: kubernetes-dashboard
-    meta.helm.sh/release-namespace: monitoring
-secrets:
-  - name: kubernetes-dashboard
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
-  name: kubernetes-dashboard
-  labels:
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-    meta.helm.sh/release-name: kubernetes-dashboard
-    meta.helm.sh/release-namespace: monitoring
-    kubernetes.io/service-account.name: kubernetes-dashboard
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: monitoring

bootstrap/templates/addons/kubernetes-dashboard/ks.yaml.j2

@@ -1,23 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app kubernetes-dashboard
-  namespace: flux-system
-spec:
-  targetNamespace: monitoring
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: cert-manager
-    - name: metrics-server
-  path: ./kubernetes/apps/monitoring/kubernetes-dashboard/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/addons/system-upgrade-controller/app/helmrelease.yaml.j2

@@ -1,103 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: &app system-upgrade-controller
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 2.4.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    controllers:
-      main:
-        strategy: RollingUpdate
-        containers:
-          main:
-            image:
-              repository: docker.io/rancher/system-upgrade-controller
-              tag: v0.13.2
-            env:
-              SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
-              SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
-              SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
-              SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
-              SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
-              SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: docker.io/rancher/kubectl:v1.29.0
-              SYSTEM_UPGRADE_JOB_PRIVILEGED: true
-              SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
-              SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
-              SYSTEM_UPGRADE_CONTROLLER_NAME: *app
-              SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
-                valueFrom:
-                  fieldRef:
-                    fieldPath: metadata.namespace
-        pod:
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 65534
-            runAsGroup: 65534
-            allowPrivilegeEscalation: false
-            seccompProfile:
-              type: RuntimeDefault
-            capabilities:
-              drop: ["ALL"]
-          affinity:
-            nodeAffinity:
-              requiredDuringSchedulingIgnoredDuringExecution:
-                nodeSelectorTerms:
-                  - matchExpressions:
-                      - key: node-role.kubernetes.io/control-plane
-                        operator: Exists
-          tolerations:
-            - {key: CriticalAddonsOnly, operator: Exists}
-            - {key: node-role.kubernetes.io/master, operator: Exists, effect: NoSchedule}
-            - {key: node-role.kubernetes.io/controlplane, operator: Exists, effect: NoSchedule}
-            - {key: node-role.kubernetes.io/control-plane, operator: Exists, effect: NoSchedule}
-            - {key: node-role.kubernetes.io/etcd, operator: Exists, effect: NoExecute}
-    serviceAccount:
-      name: system-upgrade
-    service:
-      main:
-        enabled: false
-    persistence:
-      tmp:
-        type: emptyDir
-        globalMounts:
-          - path: /tmp
-      etc-ssl:
-        type: hostPath
-        hostPath: /etc/ssl
-        hostPathType: DirectoryOrCreate
-        globalMounts:
-          - path: /etc/ssl
-            readOnly: true
-      etc-pki:
-        type: hostPath
-        hostPath: /etc/pki
-        hostPathType: DirectoryOrCreate
-        globalMounts:
-          - path: /etc/pki
-            readOnly: true
-      etc-ca-certificates:
-        type: hostPath
-        hostPath: /etc/ca-certificates
-        hostPathType: DirectoryOrCreate
-        globalMounts:
-          - path: /etc/ca-certificates
-            readOnly: true

bootstrap/templates/addons/system-upgrade-controller/app/kustomization.yaml.j2

@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  # renovate: datasource=github-releases depName=rancher/system-upgrade-controller
-  - https://github.com/rancher/system-upgrade-controller/releases/download/v0.13.2/crd.yaml
-  - helmrelease.yaml
-  - rbac.yaml

bootstrap/templates/addons/system-upgrade-controller/app/rbac.yaml.j2

@@ -1,28 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: system-upgrade
-secrets:
-  - name: system-upgrade
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
-  name: system-upgrade
-  annotations:
-    kubernetes.io/service-account.name: system-upgrade
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name:  system-upgrade
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: system-upgrade
-    namespace: kube-system

bootstrap/templates/addons/system-upgrade-controller/ks.yaml.j2

@@ -1,42 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app system-upgrade-controller
-  namespace: flux-system
-spec:
-  targetNamespace: kube-system
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/kube-system/system-upgrade-controller/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: true
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app system-upgrade-controller-plans
-  namespace: flux-system
-spec:
-  targetNamespace: kube-system
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  dependsOn:
-    - name: system-upgrade-controller
-  path: ./kubernetes/apps/kube-system/system-upgrade-controller/plans
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/addons/system-upgrade-controller/plans/agent.yaml.j2

@@ -1,18 +0,0 @@
----
-apiVersion: upgrade.cattle.io/v1
-kind: Plan
-metadata:
-  name: agent
-spec:
-  # renovate: datasource=github-releases depName=k3s-io/k3s
-  version: "v1.29.0+k3s1"
-  serviceAccountName: system-upgrade
-  concurrency: 1
-  nodeSelector:
-    matchExpressions:
-      - {key: node-role.kubernetes.io/control-plane, operator: DoesNotExist}
-  prepare:
-    image: rancher/k3s-upgrade
-    args: ["prepare", "server"]
-  upgrade:
-    image: rancher/k3s-upgrade

bootstrap/templates/addons/system-upgrade-controller/plans/kustomization.yaml.j2

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./server.yaml
-  - ./agent.yaml

bootstrap/templates/addons/system-upgrade-controller/plans/server.yaml.j2

@@ -1,23 +0,0 @@
----
-apiVersion: upgrade.cattle.io/v1
-kind: Plan
-metadata:
-  name: server
-spec:
-  # renovate: datasource=github-releases depName=k3s-io/k3s
-  version: "v1.29.0+k3s1"
-  serviceAccountName: system-upgrade
-  concurrency: 1
-  cordon: true
-  nodeSelector:
-    matchExpressions:
-      - {key: node-role.kubernetes.io/control-plane, operator: Exists}
-  tolerations:
-    - {effect: NoSchedule, operator: Exists}
-    - {effect: NoExecute, operator: Exists}
-    - {key: node-role.kubernetes.io/control-plane, effect: NoSchedule, operator: Exists}
-    - {key: node-role.kubernetes.io/master, effect: NoSchedule, operator: Exists}
-    - {key: node-role.kubernetes.io/etcd, effect: NoExecute, operator: Exists}
-    - {key: CriticalAddonsOnly, operator: Exists}
-  upgrade:
-    image: rancher/k3s-upgrade

bootstrap/templates/addons/weave-gitops/app/helmrelease.yaml.j2

@@ -1,52 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
-  name: weave-gitops
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: weave-gitops
-      version: 4.0.36
-      sourceRef:
-        kind: HelmRepository
-        name: weave-gitops
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    adminUser:
-      create: true
-      createSecret: false
-      username: admin
-    ingress:
-      enabled: true
-      className: internal
-      annotations:
-        hajimari.io/icon: sawtooth-wave
-      hosts:
-        - host: &host "gitops.${SECRET_DOMAIN}"
-          paths:
-            - path: /
-              pathType: Prefix
-      tls:
-        - hosts:
-            - *host
-    networkPolicy:
-      create: false
-    metrics:
-      enabled: true
-    rbac:
-      create: true
-      impersonationResourceNames: ["admin"]
-    podAnnotations:
-      secret.reloader.stakater.com/reload: cluster-user-auth

bootstrap/templates/addons/weave-gitops/app/secret.sops.yaml.j2

@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: cluster-user-auth
-type: Opaque
-stringData:
-  username: admin
-  password: "{{ weave_gitops.password | password_hash('bcrypt', rounds=10) }}"

bootstrap/templates/addons/weave-gitops/ks.yaml.j2

@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app weave-gitops
-  namespace: flux-system
-spec:
-  targetNamespace: flux-system
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/flux-system/weave-gitops/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m

bootstrap/templates/ansible/.ansible-lint.j2

@@ -1,8 +0,0 @@
-skip_list:
-  - yaml[line-length]
-  - var-naming
-warn_list:
-  - command-instead-of-shell
-  - deprecated-command-syntax
-  - experimental
-  - no-changed-when

bootstrap/templates/ansible/inventory/group_vars/kubernetes/main.yaml.j2

@@ -1,44 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
----
-#
-# Below vars are for the xanmanning.k3s role
-# ...see https://github.com/PyratLabs/ansible-role-k3s
-#
-
-# renovate: datasource=github-releases depName=k3s-io/k3s
-k3s_release_version: "v1.29.0+k3s1"
-k3s_install_hard_links: true
-k3s_become: true
-{% if bootstrap_nodes.master | length > 1 %}
-k3s_etcd_datastore: true
-{% else %}
-k3s_etcd_datastore: false
-{% endif %}
-k3s_registration_address: "{% raw %}{{ kube_vip_addr }}{% endraw %}"
-k3s_server_manifests_urls:
-  {% if bootstrap_kube_vip_enabled | default(true) %}
-  # Kube-vip RBAC
-  - url: https://raw.githubusercontent.com/kube-vip/kube-vip/main/docs/manifests/rbac.yaml
-    filename: kube-vip-rbac.yaml
-  {% endif %}
-  # Essential Prometheus Operator CRDs (the rest are installed with the kube-prometheus-stack helm release)
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
-    filename: custom-prometheus-podmonitors.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
-    filename: custom-prometheus-prometheusrules.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
-    filename: custom-prometheus-scrapeconfigs.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.70.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
-    filename: custom-prometheus-servicemonitors.yaml
-# /var/lib/rancher/k3s/server/manifests
-k3s_server_manifests_templates:
-  - custom-cilium-helmchart.yaml.j2
-  {% if not bootstrap_ipv6_enabled | default(false) %}
-  - custom-cilium-l2.yaml.j2
-  {% endif %}
-  - custom-coredns-helmchart.yaml.j2
-{% if bootstrap_kube_vip_enabled | default(true) %}
-# /var/lib/rancher/k3s/agent/pod-manifests
-k3s_server_pod_manifests_templates:
-  - kube-vip-static-pod.yaml.j2
-{% endif %}

bootstrap/templates/ansible/inventory/group_vars/kubernetes/supplemental.yaml.j2

@@ -1,13 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
----
-timezone: "{{ bootstrap_timezone }}"
-github_username: "{{ bootstrap_github_username }}"
-coredns_addr: "{{ bootstrap_service_cidr.split(',')[0] | ansible.utils.nthhost(10) }}"
-kube_vip_addr: "{{ bootstrap_kube_vip_addr }}"
-cluster_cidr: "{{ bootstrap_cluster_cidr.split(',')[0] }}"
-service_cidr: "{{ bootstrap_service_cidr.split(',')[0] }}"
-node_cidr: "{{ bootstrap_node_cidr }}"
-{% if bootstrap_ipv6_enabled | default(false) %}
-cluster_cidr_v6: "{{ bootstrap_cluster_cidr.split(',')[1] }}"
-service_cidr_v6: "{{ bootstrap_service_cidr.split(',')[1] }}"
-{% endif %}

bootstrap/templates/ansible/inventory/group_vars/master/main.yaml.j2

@@ -1,43 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
----
-# https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/
-# https://github.com/PyratLabs/ansible-role-k3s
-
-k3s_control_node: true
-k3s_server:
-{% if bootstrap_ipv6_enabled | default(false) %}
-  node-ip: "{% raw %}{{ ansible_host }},{{ ansible_default_ipv6.address }}{% endraw %}"
-{% else %}
-  node-ip: "{% raw %}{{ ansible_host }}{% endraw %}"
-{% endif %}
-  tls-san:
-    - "{% raw %}{{ kube_vip_addr }}{% endraw %}"
-  docker: false
-  flannel-backend: "none"             # This needs to be in quotes
-  disable:
-    - coredns                         # Disable coredns                 - replaced with Coredns Helm Chart
-    - flannel                         # Disable flannel                 - replaced with Cilium Helm Chart
-    - local-storage                   # Disable local-path-provisioner  - replaced with democratic-csi
-    - metrics-server                  # Disable metrics-server          - installed with Flux
-    - servicelb                       # Disable servicelb               - replaced with Cilium Helm Chart
-    - traefik                         # Disable traefik                 - replaced with ingress-nginx and installed with Flux
-  disable-network-policy: true
-  disable-cloud-controller: true
-  disable-kube-proxy: true            # Cilium uses eBPF
-  write-kubeconfig-mode: "644"
-  pause-image: registry.k8s.io/pause:3.9
-  secrets-encryption: true
-{% if bootstrap_ipv6_enabled | default(false) %}
-  cluster-cidr: "{% raw %}{{ cluster_cidr }},{{ cluster_cidr_v6 }}{% endraw %}"
-  service-cidr: "{% raw %}{{ service_cidr }},{{ service_cidr_v6 }}{% endraw %}"
-{% else %}
-  cluster-cidr: "{% raw %}{{ cluster_cidr }}{% endraw %}"
-  service-cidr: "{% raw %}{{ service_cidr }}{% endraw %}"
-{% endif %}
-  etcd-expose-metrics: true           # Required to monitor etcd with kube-prometheus-stack
-  kube-controller-manager-arg:
-    - "bind-address=0.0.0.0"          # Required to monitor kube-controller-manager with kube-prometheus-stack
-  kube-scheduler-arg:
-    - "bind-address=0.0.0.0"          # Required to monitor kube-scheduler with kube-prometheus-stack
-  kube-apiserver-arg:
-    - "anonymous-auth=true"           # Required for HAProxy health-checks

bootstrap/templates/ansible/inventory/group_vars/worker/main.yaml.j2

@@ -1,13 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
----
-# https://rancher.com/docs/k3s/latest/en/installation/install-options/agent-config/
-# https://github.com/PyratLabs/ansible-role-k3s
-
-k3s_control_node: false
-k3s_agent:
-{% if bootstrap_ipv6_enabled | default(false) %}
-  node-ip: "{% raw %}{{ ansible_host }},{{ ansible_default_ipv6.address }}{% endraw %}"
-{% else %}
-  node-ip: "{% raw %}{{ ansible_host }}{% endraw %}"
-{% endif %}
-  pause-image: registry.k8s.io/pause:3.9

bootstrap/templates/ansible/inventory/hosts.yaml.j2

@@ -1,28 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
----
-kubernetes:
-  children:
-    master:
-      hosts:
-      {% for item in bootstrap_nodes.master %}
-        {{ item.name }}:
-          ansible_user: {{ item.username }}
-      {% if item.external_address is defined %}
-          ansible_host: {{ item.external_address }}
-      {% else %}
-          ansible_host: {{ item.address }}
-      {% endif %}
-      {% endfor %}
-    {% if bootstrap_nodes.worker | default([]) | length > 0 %}
-    worker:
-      hosts:
-      {% for item in bootstrap_nodes.worker %}
-        {{ item.name }}:
-          ansible_user: {{ item.username }}
-      {% if item.external_address is defined %}
-          ansible_host: {{ item.external_address }}
-      {% else %}
-          ansible_host: {{ item.address }}
-      {% endif %}
-      {% endfor %}
-    {% endif %}

bootstrap/templates/ansible/playbooks/cluster-installation.yaml.j2

@@ -1,75 +0,0 @@
-#jinja2: trim_blocks: True, lstrip_blocks: True
----
-- name: Cluster Installation
-  hosts: kubernetes
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Check if cluster is installed
-      check_mode: false
-      ansible.builtin.stat:
-        path: /etc/rancher/k3s/config.yaml
-      register: k3s_installed
-
-    - name: Ignore manifests templates and urls if the cluster is already installed
-      when: k3s_installed.stat.exists
-      ansible.builtin.set_fact:
-        k3s_server_manifests_templates: []
-        k3s_server_manifests_urls: []
-
-    - name: Install Kubernetes
-      ansible.builtin.include_role:
-        name: xanmanning.k3s
-        public: true
-      vars:
-        k3s_state: installed
-
-    - name: Kubeconfig
-      ansible.builtin.include_tasks: tasks/kubeconfig.yaml
-
-    - name: Wait for custom manifests to rollout
-      when:
-        - k3s_primary_control_node
-        - (k3s_server_manifests_templates | length > 0
-            or k3s_server_manifests_urls | length > 0)
-      kubernetes.core.k8s_info:
-        kubeconfig: /etc/rancher/k3s/k3s.yaml
-        kind: "{% raw %}{{ item.kind }}{% endraw %}"
-        name: "{% raw %}{{ item.name }}{% endraw %}"
-        namespace: "{% raw %}{{ item.namespace | default('') }}{% endraw %}"
-        wait: true
-        wait_sleep: 10
-        wait_timeout: 360
-      loop:
-        - { name: cilium, kind: HelmChart, namespace: kube-system }
-        - { name: coredns, kind: HelmChart, namespace: kube-system }
-        {% if not bootstrap_ipv6_enabled | default(false) %}
-        - { name: policy, kind: CiliumL2AnnouncementPolicy }
-        - { name: pool, kind: CiliumLoadBalancerIPPool }
-        {% endif %}
-        - { name: podmonitors.monitoring.coreos.com, kind: CustomResourceDefinition }
-        - { name: prometheusrules.monitoring.coreos.com, kind: CustomResourceDefinition }
-        - { name: scrapeconfigs.monitoring.coreos.com, kind: CustomResourceDefinition }
-        - { name: servicemonitors.monitoring.coreos.com, kind: CustomResourceDefinition }
-
-    - name: Coredns
-      when: k3s_primary_control_node
-      ansible.builtin.include_tasks: tasks/coredns.yaml
-
-    - name: Cilium
-      when: k3s_primary_control_node
-      ansible.builtin.include_tasks: tasks/cilium.yaml
-
-    - name: Cruft
-      when: k3s_primary_control_node
-      ansible.builtin.include_tasks: tasks/cruft.yaml
-
-    - name: Stale Containers
-      ansible.builtin.include_tasks: tasks/stale_containers.yaml
-      vars:
-        stale_containers_state: enabled

bootstrap/templates/ansible/playbooks/cluster-kube-vip.yaml.j2

@@ -1,24 +0,0 @@
----
-- name: Cluster kube-vip
-  hosts: master
-  serial: 1
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Ensure Kubernetes is running
-      ansible.builtin.include_role:
-        name: xanmanning.k3s
-        public: true
-      vars:
-        k3s_state: started
-
-    - name: Upgrade kube-vip
-      ansible.builtin.template:
-        src: templates/kube-vip-static-pod.yaml.j2
-        dest: "{% raw %}{{ k3s_server_pod_manifests_dir }}{% endraw %}/kube-vip-static-pod.yaml"
-        mode: preserve

bootstrap/templates/ansible/playbooks/cluster-nuke.yaml.j2

@@ -1,73 +0,0 @@
----
-- name: Cluster Nuke
-  hosts: kubernetes
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  vars_prompt:
-    - name: nuke
-      prompt: |-
-        Are you sure you want to nuke this cluster?
-        Type 'YES I WANT TO DESTROY THIS CLUSTER' to proceed
-      default: "n"
-      private: false
-  pre_tasks:
-    - name: Check for confirmation
-      ansible.builtin.fail:
-        msg: Aborted nuking the cluster
-      when: nuke != 'YES I WANT TO DESTROY THIS CLUSTER'
-
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Stop Kubernetes # noqa: ignore-errors
-      ignore_errors: true
-      block:
-        - name: Stop Kubernetes
-          ansible.builtin.include_role:
-            name: xanmanning.k3s
-            public: true
-          vars:
-            k3s_state: stopped
-
-    # https://github.com/k3s-io/docs/blob/main/docs/installation/network-options.md
-    - name: Networking
-      block:
-        - name: Networking | Delete Cilium links
-          ansible.builtin.command:
-            cmd: "ip link delete {% raw %}{{ item }}{% endraw %}"
-            removes: "/sys/class/net/{% raw %}{{ item }}{% endraw %}"
-          loop: ["cilium_host", "cilium_net", "cilium_vxlan"]
-        - name: Networking | Flush iptables
-          ansible.builtin.iptables:
-            table: "{% raw %}{{ item }}{% endraw %}"
-            flush: true
-          loop: ["filter", "nat", "mangle", "raw"]
-        - name: Networking | Flush ip6tables
-          ansible.builtin.iptables:
-            table: "{% raw %}{{ item }}{% endraw %}"
-            flush: true
-            ip_version: ipv6
-          loop: ["filter", "nat", "mangle", "raw"]
-        - name: Networking | Delete CNI directory
-          ansible.builtin.file:
-            path: /etc/cni/net.d
-            state: absent
-
-    - name: Uninstall Kubernetes
-      ansible.builtin.include_role:
-        name: xanmanning.k3s
-        public: true
-      vars:
-        k3s_state: uninstalled
-
-    - name: Stale Containers
-      ansible.builtin.include_tasks: tasks/stale_containers.yaml
-      vars:
-        stale_containers_state: disabled
-
-    - name: Reboot
-      ansible.builtin.reboot:
-        msg: Rebooting nodes
-        reboot_timeout: 3600

bootstrap/templates/ansible/playbooks/cluster-prepare.yaml.j2

@@ -1,132 +0,0 @@
----
-- name: Prepare System
-  hosts: kubernetes
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-    - name: Populate service facts
-      ansible.builtin.service_facts:
-  tasks:
-    - name: Locale
-      block:
-        - name: Locale | Set timezone
-          community.general.timezone:
-            name: "{% raw %}{{ timezone | default('Etc/UTC') }}{% endraw %}"
-
-    - name: Packages
-      block:
-        - name: Packages | Install
-          ansible.builtin.apt:
-            name: apt-transport-https,ca-certificates,conntrack,curl,dirmngr,gdisk,gnupg,hdparm,htop,
-              iptables,iputils-ping,ipvsadm,libseccomp2,lm-sensors,neofetch,net-tools,nfs-common,
-              nvme-cli,open-iscsi,parted,psmisc,python3,python3-apt,python3-kubernetes,python3-yaml,
-              smartmontools,socat,software-properties-common,unzip,util-linux
-            install_recommends: false
-
-    - name: User Configuration
-      block:
-        - name: User Configuration | SSH keys
-          ansible.posix.authorized_key:
-            user: "{% raw %}{{ ansible_user }}{% endraw %}"
-            key: "https://github.com/{% raw %}{{ github_username }}{% endraw %}.keys"
-        - name: User Configuration | Silence login
-          ansible.builtin.file:
-            dest: "{% raw %}{{ '/home/' + ansible_user if ansible_user != 'root' else '/root' }}{% endraw %}/.hushlogin"
-            state: touch
-            owner: "{% raw %}{{ ansible_user }}{% endraw %}"
-            group: "{% raw %}{{ ansible_user }}{% endraw %}"
-            mode: "0644"
-            modification_time: preserve
-            access_time: preserve
-
-    - name: Network Configuration
-      notify: Reboot
-      block:
-        - name: Network Configuration | Set hostname
-          ansible.builtin.hostname:
-            name: "{% raw %}{{ inventory_hostname }}{% endraw %}"
-        - name: Network Configuration | Update hosts
-          ansible.builtin.copy:
-            content: |
-              127.0.0.1 localhost
-              127.0.1.1 {% raw %}{{ inventory_hostname }}{% endraw %}
-
-              # The following lines are desirable for IPv6 capable hosts
-              ::1     localhost ip6-localhost ip6-loopback
-              ff02::1 ip6-allnodes
-              ff02::2 ip6-allrouters
-            dest: /etc/hosts
-            mode: preserve
-        # https://github.com/onedr0p/flux-cluster-template/discussions/635
-        - name: Network Configuration | Remove immutable flag from /etc/resolv.conf
-          ansible.builtin.file:
-            attributes: -i
-            path: /etc/resolv.conf
-        - name: Network Configuration | Remove /etc/resolv.conf
-          ansible.builtin.file:
-            attributes: -i
-            path: /etc/resolv.conf
-            state: absent
-        - name: Network Configuration | Add custom /etc/resolv.conf
-          ansible.builtin.copy:
-            attributes: +i
-            mode: '0644'
-            dest: /etc/resolv.conf
-            content: |
-              search .
-              nameserver 1.1.1.1
-
-    - name: System Configuration
-      notify: Reboot
-      block:
-        - name: System Configuration | Neofetch
-          ansible.builtin.copy:
-            dest: /etc/profile.d/neofetch.sh
-            mode: "0755"
-            content: neofetch --config none
-        - name: System Configuration | Disable apparmor
-          when: ansible_facts.services['apparmor.service'] is defined
-          ansible.builtin.systemd:
-            name: apparmor
-            state: stopped
-            masked: true
-        - name: System Configuration | Disable swap
-          ansible.posix.mount:
-            name: "{% raw %}{{ item }}{% endraw %}"
-            fstype: swap
-            state: absent
-          loop: ["none", "swap"]
-        - name: System Configuration | Create Kernel modules
-          ansible.builtin.copy:
-            dest: "/etc/modules-load.d/{% raw %}{{ item }}{% endraw %}.conf"
-            mode: "0644"
-            content: "{% raw %}{{ item }}{% endraw %}"
-          loop: ["br_netfilter", "ceph", "ip_vs", "ip_vs_rr", "nbd", "overlay", "rbd"]
-          register: modules_status
-        - name: System Configuration | Reload Kernel modules # noqa: no-changed-when no-handler
-          when: modules_status.changed
-          ansible.builtin.systemd:
-            name: systemd-modules-load
-            state: restarted
-        - name: System Configuration | Sysctl
-          ansible.posix.sysctl:
-            name: "{% raw %}{{ item.key }}{% endraw %}"
-            value: "{% raw %}{{ item.value }}{% endraw %}"
-            sysctl_file: /etc/sysctl.d/99-kubernetes.conf
-            reload: true
-          with_dict: "{% raw %}{{ sysctl_config }}{% endraw %}"
-          vars:
-            sysctl_config:
-              fs.inotify.max_queued_events: 65536
-              fs.inotify.max_user_watches: 524288
-              fs.inotify.max_user_instances: 8192
-
-  handlers:
-    - name: Reboot
-      ansible.builtin.reboot:
-        msg: Rebooting nodes
-        reboot_timeout: 3600

bootstrap/templates/ansible/playbooks/cluster-reboot.yaml.j2

@@ -1,15 +0,0 @@
----
-- name: Reboot
-  hosts: kubernetes
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Reboot
-      ansible.builtin.reboot:
-        msg: Rebooting nodes
-        reboot_timeout: 3600

bootstrap/templates/ansible/playbooks/cluster-rollout-update.yaml.j2

@@ -1,72 +0,0 @@
----
-# https://github.com/kevincoakley/ansible-role-k8s-rolling-update
-- name: Cluster rollout update
-  hosts: kubernetes
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  serial: 1
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Details
-      ansible.builtin.command: "kubectl get node {% raw %}{{ inventory_hostname }}{% endraw %} -o json"
-      register: kubectl_get_node
-      delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}"
-      failed_when: false
-      changed_when: false
-
-    - name: Update
-      when:
-        # When status.conditions[x].type == Ready then check stats.conditions[x].status for True|False
-        - kubectl_get_node['stdout'] | from_json | json_query("status.conditions[?type == 'Ready'].status")
-        # If spec.unschedulable is defined then the node is cordoned
-        - not (kubectl_get_node['stdout'] | from_json).spec.unschedulable is defined
-      block:
-        - name: Cordon
-          kubernetes.core.k8s_drain:
-            name: "{% raw %}{{ inventory_hostname }}{% endraw %}"
-            kubeconfig: /etc/rancher/k3s/k3s.yaml
-            state: cordon
-          delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}"
-
-        - name: Drain
-          kubernetes.core.k8s_drain:
-            name: "{% raw %}{{ inventory_hostname }}{% endraw %}"
-            kubeconfig: /etc/rancher/k3s/k3s.yaml
-            state: drain
-            delete_options:
-              delete_emptydir_data: true
-              ignore_daemonsets: true
-              terminate_grace_period: 600
-              wait_timeout: 900
-            pod_selectors:
-              # Rook Ceph
-              - app!=rook-ceph-osd
-          delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}"
-
-        - name: Update
-          ansible.builtin.apt:
-            upgrade: dist
-            update_cache: true
-
-        - name: Check if reboot is required
-          ansible.builtin.stat:
-            path: /var/run/reboot-required
-          register: reboot_required
-
-        - name: Reboot
-          when: reboot_required.stat.exists
-          ansible.builtin.reboot:
-            msg: Rebooting node
-            post_reboot_delay: 60
-            reboot_timeout: 3600
-
-        - name: Uncordon
-          kubernetes.core.k8s_drain:
-            name: "{% raw %}{{ inventory_hostname }}{% endraw %}"
-            kubeconfig: /etc/rancher/k3s/k3s.yaml
-            state: uncordon
-          delegate_to: "{% raw %}{{ groups['master'][0] }}{% endraw %}"