chore: add media section with YouTube video link

Added a section for media with a YouTube video link.

.config.sample.env

@@ -1,94 +0,0 @@
-#
-# Cluster related variables
-#
-
-# The repo you created from this template
-# e.g. https://github.com/onedr0p/home-cluster
-export BOOTSTRAP_GIT_REPOSITORY=""
-
-# To enable Flux to update your cluster on `git push` set the following to one of:
-# `generated` - this will generate a token and print it in the logs
-# Set this to any other string and it will be used for the secret
-export BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET="generated" # NOTE: Must only contain alphanumeric characters and dashes
-
-# The Weave GitOps dashboard admin password
-# `generated` - this will generate a token and print it in the logs
-# Set this to any other string and it will be used for the secret
-export BOOTSTRAP_WEAVE_GITOPS_ADMIN_PASSWORD="generated" # NOTE: Must only contain alphanumeric characters and dashes
-
-# Choose one of your cloudflare domains
-# e.g. onedr0p.com
-export BOOTSTRAP_CLOUDFLARE_DOMAIN=""
-# The email you use to sign into Cloudflare with
-export BOOTSTRAP_CLOUDFLARE_EMAIL=""
-# Your global Cloudflare API Key
-export BOOTSTRAP_CLOUDFLARE_APIKEY=""
-
-# Pick a range of unused IPs that are on the same network as your nodes
-# You don't need many IPs, just choose 10 IPs to start with
-# e.g. 192.168.1.220-192.168.1.230
-export BOOTSTRAP_METALLB_LB_RANGE=""
-# The load balancer IP for k8s_gateway, choose from one of the available IPs above
-# e.g. 192.168.1.220
-export BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR=""
-# The load balancer IP for the ingress controller, choose from one of the available IPs above
-# that doesn't conflict with any other IP addresses here
-# e.g. 192.168.1.221
-export BOOTSTRAP_METALLB_INGRESS_ADDR=""
-
-# Age Public Key - string should start with age
-# e.g. age15uzrw396e67z9wdzsxzdk7ka0g2gr3l460e0slaea563zll3hdfqwqxdta
-export BOOTSTRAP_AGE_PUBLIC_KEY=""
-
-# The IP Address to use with kube-vip
-# Pick a unused IP that is on the same network as your nodes
-# and outside the ${BOOTSTRAP_METALLB_LB_RANGE} range
-# and doesn't conflict with any other IP addresses here
-# e.g. 192.168.1.254
-export BOOTSTRAP_KUBE_VIP_ADDR=""
-
-# Choose your timezone
-# e.g. America/New_York
-export BOOTSTRAP_TIMEZONE="Etc/UTC"
-
-#
-# Ansible related variables
-#
-
-#
-# Default prefixes for hostnames assigned by Ansible
-# These are unused on nodes where BOOTSTRAP_ANSIBLE_HOSTNAME_ is provided
-#
-
-export BOOTSTRAP_ANSIBLE_DEFAULT_CONTROL_NODE_HOSTNAME_PREFIX="k8s-" # NOTE: Must only contain alphanumeric characters and dashes
-export BOOTSTRAP_ANSIBLE_DEFAULT_NODE_HOSTNAME_PREFIX="k8s-" # NOTE: Must only contain alphanumeric characters and dashes
-
-#
-# Ansible hosts - repeat this block as many times as you need,
-# incrementing the last digit on the variable name for each node
-#
-
-# Host IP Address to the control plane node
-# That doesn't conflict with any other IP addresses here
-# e.g. 192.168.1.200
-export BOOTSTRAP_ANSIBLE_HOST_ADDR_0=""
-# User Ansible will log into the nodes
-export BOOTSTRAP_ANSIBLE_SSH_USERNAME_0="" # NOTE: Must only contain alphanumeric characters and dashes
-# Password Ansible will use to escalate to sudo
-export BOOTSTRAP_ANSIBLE_SUDO_PASSWORD_0="" # NOTE: Must only contain alphanumeric characters and dashes
-# Set this node as a control node (true/false)
-export BOOTSTRAP_ANSIBLE_CONTROL_NODE_0=""
-# Optional: Set the hostname of the node, if set this will override the *_HOSTNAME_PREFIX vars above
-export BOOTSTRAP_ANSIBLE_HOSTNAME_0=""
-
-# export BOOTSTRAP_ANSIBLE_HOST_ADDR_1=""
-# export BOOTSTRAP_ANSIBLE_SSH_USERNAME_1="" # NOTE: Must only contain alphanumeric characters and dashes
-# export BOOTSTRAP_ANSIBLE_SUDO_PASSWORD_1="" # NOTE: Must only contain alphanumeric characters and dashes
-# export BOOTSTRAP_ANSIBLE_CONTROL_NODE_1=""
-# export BOOTSTRAP_ANSIBLE_HOSTNAME_1=""
-
-# export BOOTSTRAP_ANSIBLE_HOST_ADDR_2=""
-# export BOOTSTRAP_ANSIBLE_SSH_USERNAME_2="" # NOTE: Must only contain alphanumeric characters and dashes
-# export BOOTSTRAP_ANSIBLE_SUDO_PASSWORD_2="" # NOTE: Must only contain alphanumeric characters and dashes
-# export BOOTSTRAP_ANSIBLE_CONTROL_NODE_2=""
-# export BOOTSTRAP_ANSIBLE_HOSTNAME_2=""

.editorconfig

@@ -1,4 +1,5 @@
-# editorconfig.org
+; https://editorconfig.org/
+
 root = true
 
 [*]
@@ -9,10 +10,13 @@ charset = utf-8
 trim_trailing_whitespace = true
 insert_final_newline = true
 
-[Makefile]
-indent_style = space
+[*.cue]
+indent_style = tab
 indent_size = 4
 
-[*.{bash,sh}]
-indent_style = space
+[*.md]
+indent_size = 4
+trim_trailing_whitespace = false
+
+[*.sh]
 indent_size = 4

.envrc

@@ -1,6 +0,0 @@
-#shellcheck disable=SC2148,SC2155
-export KUBECONFIG=$(expand_path ./kubeconfig)
-export ANSIBLE_CONFIG=$(expand_path ./ansible.cfg)
-export ANSIBLE_HOST_KEY_CHECKING="False"
-export K8S_AUTH_KUBECONFIG=$(expand_path ./kubeconfig)
-export SOPS_AGE_KEY_FILE=$(expand_path ~/.config/sops/age/keys.txt)

.gitattributes

@@ -1,3 +1,10 @@
 * text=auto eol=lf
-*.sops.* diff=sopsdiffer
-*.sops.toml linguist-language=JSON
+*.env linguist-detectable linguist-language=SHELL
+*.json linguist-detectable linguist-language=JSON
+*.json5 linguist-detectable linguist-language=JSON5
+*.md linguist-detectable linguist-language=MARKDOWN
+*.sh linguist-detectable linguist-language=SHELL
+*.toml linguist-detectable linguist-language=TOML
+*.yml linguist-detectable linguist-language=YAML
+*.yaml linguist-detectable linguist-language=YAML
+*.yaml.j2 linguist-detectable linguist-language=YAML

.github/labeler.yaml

@@ -1,11 +1,43 @@
 ---
-area/ansible:
-  - "ansible/**/*"
+area/bootstrap:
+  - changed-files:
+      - any-glob-to-any-file:
+          - bootstrap/**/*
+area/docs:
+  - changed-files:
+      - any-glob-to-any-file:
+          - README.md
 area/github:
-  - ".github/**/*"
+  - changed-files:
+      - any-glob-to-any-file:
+          - .github/**/*
 area/kubernetes:
-  - "kubernetes/**/*"
-area/terraform:
-  - "terraform/**/*"
+  - changed-files:
+      - any-glob-to-any-file:
+          - kubernetes/**/*
+area/mise:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .mise.toml
+area/renovate:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .renovate/**/*
+          - .renovaterc.json5
+area/scripts:
+  - changed-files:
+      - any-glob-to-any-file:
+          - scripts/**/*
+area/talos:
+  - changed-files:
+      - any-glob-to-any-file:
+          - talos/**/*
+area/taskfile:
+  - changed-files:
+      - any-glob-to-any-file:
+          - .taskfiles/**/*
+          - Taskfile.yaml
 area/templates:
-  - "tmpl/**/*"
+  - changed-files:
+      - any-glob-to-any-file:
+          - templates/**/*

.github/labels.yaml

@@ -1,59 +1,47 @@
 ---
-# Area
-- name: area/ansible
-  color: "72ccf3"
-  description: >-
-    Changes made in the ansible directory
-- name: area/github
-  color: "72ccf3"
-  description: >-
-    Changes made in the github directory
-- name: area/kubernetes
-  color: "72ccf3"
-  description: >-
-    Changes made in the kubernetes directory
-- name: area/template
-  color: "72ccf3"
-  description: >-
-    Changes made in the tmpl directory
-- name: area/terraform
-  color: "72ccf3"
-  description: >-
-    Changes made in the terraform directory
-# Renovate
-- name: renovate/ansible
-  color: "ffc300"
-- name: renovate/container
-  color: "ffc300"
-- name: renovate/github-action
-  color: "ffc300"
-- name: renovate/github-release
-  color: "ffc300"
-- name: renovate/helm
-  color: "ffc300"
-- name: renovate/terraform
-  color: "ffc300"
-# Semantic Type
-- name: type/patch
-  color: "FFEC19"
-- name: type/minor
-  color: "FF9800"
-- name: type/major
-  color: "F6412D"
-- name: type/break
-  color: "F6412D"
-# Uncategorized
-- name: bug
-  color: "ee0701"
-- name: do-not-merge
-  color: "ee0701"
-- name: docs
-  color: "F4D1B7"
-- name: enhancement
-  color: "84b6eb"
-- name: broken-links
-  color: "7B55D7"
-- name: question
-  color: "cc317c"
-- name: community
+# Areas
+- name: area/bootstrap
   color: "0e8a16"
+- name: area/docs
+  color: "0e8a16"
+- name: area/github
+  color: "0e8a16"
+- name: area/kubernetes
+  color: "0e8a16"
+- name: area/mise
+  color: "0e8a16"
+- name: area/renovate
+  color: "0e8a16"
+- name: area/scripts
+  color: "0e8a16"
+- name: area/talos
+  color: "0e8a16"
+- name: area/templates
+  color: "0e8a16"
+- name: area/taskfile
+  color: "0e8a16"
+# Renovate Types
+- name: renovate/container
+  color: "027fa0"
+- name: renovate/github-action
+  color: "027fa0"
+- name: renovate/grafana-dashboard
+  color: "027fa0"
+- name: renovate/github-release
+  color: "027fa0"
+- name: renovate/helm
+  color: "027fa0"
+# Semantic Types
+- name: type/digest
+  color: "ffeC19"
+- name: type/patch
+  color: "ffeC19"
+- name: type/minor
+  color: "ff9800"
+- name: type/major
+  color: "f6412d"
+# Uncategorized
+- name: community
+  color: "370fb2"
+- name: hold
+  color: "ee0701"

.github/release-drafter.yaml

@@ -1,32 +0,0 @@
----
-name-template: "Release v$RESOLVED_VERSION"
-tag-template: "v$RESOLVED_VERSION"
-change-template: "- $TITLE @$AUTHOR (#$NUMBER)"
-change-title-escapes: '\<*_&'
-categories:
-  - title: "Community Contributions"
-    labels: ["community"]
-  - title: "Kubernetes"
-    labels: ["area/kubernetes"]
-  - title: "Github"
-    labels: ["area/github"]
-  - title: "Ansible"
-    labels: ["area/ansible"]
-  - title: "Terraform"
-    labels: ["area/terraform"]
-  - title: "Maintenance"
-    labels: ["docs"]
-version-resolver:
-  major:
-    labels: ["type/break"]
-  minor:
-    labels: ["type/major", "type/minor"]
-  patch:
-    labels: ["type/patch"]
-  default: patch
-template: |
-  ## What's Changed
-
-  $CHANGES
-
-  **Full Changelog**: https://github.com/$OWNER/$REPOSITORY/compare/$PREVIOUS_TAG...v$RESOLVED_VERSION

.github/release.yaml

@@ -0,0 +1,5 @@
+changelog:
+  exclude:
+    authors:
+      - github-actions
+      - renovate

.github/renovate.json5

@@ -1,51 +0,0 @@
-{
-  "extends": [
-    "config:base",
-    "docker:enableMajor",
-    ":disableRateLimiting",
-    ":dependencyDashboard",
-    ":semanticCommits",
-    ":enablePreCommit",
-    ":automergeDigest",
-    ":automergeBranch",
-    "github>onedr0p/flux-cluster-template//.github/renovate/autoMerge.json5",
-    "github>onedr0p/flux-cluster-template//.github/renovate/commitMessage.json5",
-    "github>onedr0p/flux-cluster-template//.github/renovate/labels.json5",
-    "github>onedr0p/flux-cluster-template//.github/renovate/semanticCommits.json5",
-    "helpers:pinGitHubActionDigests"
-  ],
-  "dependencyDashboard": true,
-  "dependencyDashboardTitle": "Renovate Dashboard 🤖",
-  "suppressNotifications": ["prIgnoreNotification"],
-  "rebaseWhen": "conflicted",
-  "schedule": ["every saturday"],
-  "pre-commit": {
-    "enabled": true
-  },
-  "flux": {
-    "fileMatch": ["kubernetes/.+\\.ya?ml$"]
-  },
-  "helm-values": {
-    "fileMatch": ["kubernetes/.+\\.ya?ml$"]
-  },
-  "kubernetes": {
-    "fileMatch": [
-      "ansible/.+\\.ya?ml.j2$",
-      "kubernetes/.+\\.ya?ml$"
-    ]
-  },
-  "regexManagers": [
-    {
-      "description": "Process various other dependencies",
-      "fileMatch": [
-        "ansible/.+\\.ya?ml$",
-        "kubernetes/.+\\.ya?ml$"
-      ],
-      "matchStrings": [
-        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( versioning=(?<versioning>\\S+))?\n.*?\"(?<currentValue>.*)\"\n"
-      ],
-      "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
-      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}"
-    }
-  ]
-}

.github/renovate/autoMerge.json5

@@ -1,13 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "packageRules": [
-    {
-      "description": "Auto merge GitHub Actions",
-      "matchManagers": ["github-actions"],
-      "automerge": true,
-      "automergeType": "branch",
-      "ignoreTests": true,
-      "matchUpdateTypes": ["minor", "patch", "digest"]
-    }
-  ]
-}

.github/renovate/commitMessage.json5

@@ -1,15 +0,0 @@
-{
-  "commitMessageTopic": "{{depName}}",
-  "commitMessageExtra": "to {{newVersion}}",
-  "commitMessageSuffix": "",
-  "packageRules": [
-    {
-      "matchDatasources": ["helm"],
-      "commitMessageTopic": "chart {{depName}}"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "commitMessageTopic": "image {{depName}}"
-    }
-  ]
-}

.github/renovate/labels.json5

@@ -1,40 +0,0 @@
-{
-  "packageRules": [
-    {
-      "matchUpdateTypes": ["major"],
-      "labels": ["type/major"]
-    },
-    {
-      "matchUpdateTypes": ["minor"],
-      "labels": ["type/minor"]
-    },
-    {
-      "matchUpdateTypes": ["patch"],
-      "labels": ["type/patch"]
-    },
-    {
-      "matchDatasources": ["docker"],
-      "addLabels": ["renovate/container"]
-    },
-    {
-      "matchDatasources": ["helm"],
-      "addLabels": ["renovate/helm"]
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "addLabels": ["renovate/ansible"]
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "addLabels": ["renovate/terraform"]
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "addLabels": ["renovate/github-release"]
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "addLabels": ["renovate/github-action"]
-    }
-  ]
-}

.github/renovate/semanticCommits.json5

@@ -1,114 +0,0 @@
-{
-  "packageRules": [
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(container)!: "
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "container"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "container"
-    },
-    {
-      "matchDatasources": ["docker"],
-      "matchUpdateTypes": ["digest"],
-      "semanticCommitType": "chore",
-      "semanticCommitScope": "container"
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(helm)!: "
-    },
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "helm"
-    },
-
-    {
-      "matchDatasources": ["helm"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "helm"
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(ansible)!: "
-    },
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "ansible"
-    },
-
-    {
-      "matchDatasources": ["galaxy", "galaxy-collection"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "ansible"
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(terraform)!: "
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "terraform"
-    },
-    {
-      "matchDatasources": ["terraform-provider"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "terraform"
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(github-release)!: "
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "github-release"
-    },
-    {
-      "matchDatasources": ["github-releases", "github-tags"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "github-release"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["major"],
-      "commitMessagePrefix": "feat(github-action)!: "
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor"],
-      "semanticCommitType": "feat",
-      "semanticCommitScope": "github-action"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["patch"],
-      "semanticCommitType": "fix",
-      "semanticCommitScope": "github-action"
-    }
-  ]
-}

.github/tests/nodes.yaml

@@ -0,0 +1,19 @@
+nodes:
+  - name: k8s-0
+    address: 10.10.10.100
+    controller: true
+    disk: /dev/sdfake
+    mac_addr: 00:00:00:00:00:00
+    schematic_id: "376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"
+  - name: k8s-1
+    address: 10.10.10.101
+    controller: false
+    disk: /dev/sdfake
+    mac_addr: 00:00:00:00:00:01
+    schematic_id: "376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"
+    mtu: 1500
+    secureboot: true
+    encrypt_disk: true
+    kernel_modules:
+      - nvidia
+      - nvidia_uvm

.github/tests/private.yaml

@@ -0,0 +1,22 @@
+---
+node_cidr: "10.10.10.0/24"
+# node_default_gateway: ""
+# node_vlan_tag:
+# cluster_pod_cidr: ""
+# cluster_svc_cidr: ""
+# node_dns_servers: []
+# node_ntp_servers: []
+cluster_api_addr: "10.10.10.254"
+# cluster_api_tls_sans: []
+cluster_gateway_addr: "10.10.10.252"
+cluster_dns_gateway_addr: "10.10.10.253"
+repository_name: "onedr0p/cluster-template"
+# repository_branch: ""
+repository_visibility: "private"
+cloudflare_domain: "example.com"
+cloudflare_token: "fake"
+cloudflare_gateway_addr: "10.10.10.251"
+# cilium_bgp_router_addr: ""
+# cilium_bgp_router_asn: ""
+# cilium_bgp_node_asn: ""
+# cilium_loadbalancer_mode: ""

.github/tests/public.yaml

@@ -0,0 +1,22 @@
+---
+node_cidr: "10.10.10.0/24"
+node_default_gateway: "10.10.10.1"
+node_vlan_tag: "100"
+cluster_pod_cidr: "10.42.0.0/16"
+cluster_svc_cidr: "10.43.0.0/16"
+node_dns_servers: ["1.1.1.1"]
+node_ntp_servers: ["162.159.200.123"]
+cluster_api_addr: "10.10.10.254"
+cluster_api_tls_sans: ["example.com"]
+cluster_gateway_addr: "10.10.10.252"
+cluster_dns_gateway_addr: "10.10.10.253"
+repository_name: "onedr0p/cluster-template"
+repository_branch: "main"
+repository_visibility: "public"
+cloudflare_domain: "example.com"
+cloudflare_token: "fake"
+cloudflare_gateway_addr: "10.10.10.251"
+cilium_loadbalancer_mode: "dsr"
+cilium_bgp_router_addr: "10.10.1.1"
+cilium_bgp_router_asn: "64513"
+cilium_bgp_node_asn: "64514"

.github/workflows/e2e.yaml

@@ -0,0 +1,71 @@
+---
+name: "e2e"
+
+on:
+  workflow_dispatch:
+  pull_request:
+    branches: ["main"]
+    paths-ignore:
+      - kubernetes/**
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  configure:
+    if: ${{ github.repository == 'onedr0p/cluster-template' }}
+    name: configure
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        config-files:
+          - public
+          - private
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup mise
+        uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        with:
+          cache: false
+
+      - name: Run init task
+        run: task init
+
+      - name: Prepare files
+        run: |
+          cp ./.github/tests/${{ matrix.config-files }}.yaml cluster.yaml
+          cp ./.github/tests/nodes.yaml nodes.yaml
+          echo '{"AccountTag":"fake","TunnelSecret":"fake","TunnelID":"fake"}' > cloudflare-tunnel.json
+          touch kubeconfig
+
+      - name: Run configure task
+        run: task configure --yes
+
+      - name: Run generate talconfig task
+        run: |
+          FILENAME=talos/talsecret.sops.yaml
+          talhelper gensecret | sops --filename-override $FILENAME --encrypt /dev/stdin > $FILENAME
+          task talos:generate-config
+
+      - name: Run flux-local test
+        uses: docker://ghcr.io/allenporter/flux-local:v8.1.0@sha256:37c3c4309a351830b04f93c323adfcb0e28c368001818cd819cbce3e08828261
+        with:
+          args: test --enable-helm --all-namespaces --path /github/workspace/kubernetes/flux/cluster -v
+
+      - name: Dry run bootstrap talos task
+        run: task bootstrap:talos --dry
+
+      - name: Dry run bootstrap apps task
+        run: task bootstrap:apps --dry
+
+      - name: Run reset task
+        run: task template:reset --yes
+
+      - name: Run cleanup task
+        run: task template:tidy --yes

.github/workflows/flux-local.yaml

@@ -0,0 +1,121 @@
+---
+name: "Flux Local"
+
+on:
+  pull_request:
+    branches: ["main"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pre-job:
+    name: Flux Local Pre-Job
+    runs-on: ubuntu-latest
+    outputs:
+      any_changed: ${{ steps.changed-files.outputs.any_changed }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Get Changed Files
+        id: changed-files
+        uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
+        with:
+          files: kubernetes/**
+
+  test:
+    name: Flux Local Test
+    needs: pre-job
+    runs-on: ubuntu-latest
+    if: ${{ needs.pre-job.outputs.any_changed == 'true' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Run flux-local test
+        uses: docker://ghcr.io/allenporter/flux-local:v8.1.0
+        with:
+          args: test --enable-helm --all-namespaces --path /github/workspace/kubernetes/flux/cluster -v
+
+  diff:
+    name: Flux Local Diff
+    needs: pre-job
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    strategy:
+      matrix:
+        resources: ["helmrelease", "kustomization"]
+      max-parallel: 4
+      fail-fast: false
+    if: ${{ needs.pre-job.outputs.any_changed == 'true' }}
+    steps:
+      - name: Checkout Pull Request Branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: pull
+
+      - name: Checkout Default Branch
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: "${{ github.event.repository.default_branch }}"
+          path: default
+
+      - name: Run flux-local diff
+        uses: docker://ghcr.io/allenporter/flux-local:v8.1.0
+        with:
+          args: >-
+            diff ${{ matrix.resources }}
+            --unified 6
+            --path /github/workspace/pull/kubernetes/flux/cluster
+            --path-orig /github/workspace/default/kubernetes/flux/cluster
+            --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart"
+            --limit-bytes 10000
+            --all-namespaces
+            --sources "flux-system"
+            --output-file diff.patch
+
+      - name: Generate Diff
+        id: diff
+        run: |
+          cat diff.patch;
+          {
+              echo 'diff<<EOF'
+              cat diff.patch
+              echo EOF
+          } >> "$GITHUB_OUTPUT";
+          {
+              echo "### Diff"
+              echo '```diff'
+              cat diff.patch
+              echo '```'
+          } >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Add Comment
+        if: ${{ steps.diff.outputs.diff != '' }}
+        continue-on-error: true
+        uses: mshick/add-pr-comment@b8f338c590a895d50bcbfa6c5859251edc8952fc # v2.8.2
+        with:
+          message-id: "${{ github.event.pull_request.number }}/kubernetes/${{ matrix.resources }}"
+          message-failure: Diff was not successful
+          message: |
+            ```diff
+            ${{ steps.diff.outputs.diff }}
+            ```
+
+  flux-local-status:
+    name: Flux Local Success
+    needs: ["test", "diff"]
+    runs-on: ubuntu-latest
+    if: ${{ always() }}
+    steps:
+      - name: Any jobs failed?
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1
+
+      - name: All jobs passed or skipped?
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"

.github/workflows/label-sync.yaml

@@ -1,5 +1,5 @@
 ---
-name: "Meta Sync labels"
+name: "Label Sync"
 
 on:
   workflow_dispatch:
@@ -8,16 +8,18 @@ on:
     paths: [".github/labels.yaml"]
 
 jobs:
-  labels:
-    name: Sync Labels
+  label-sync:
+    name: Label Sync
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Sync Labels
-        uses: EndBug/label-sync@da00f2c11fdb78e4fae44adac2fdd713778ea3e8 # renovate: tag=v2.3.2
+        uses: EndBug/label-sync@52074158190acb45f3077f9099fea818aa43f97a # v2.3.3
         with:
           config-file: .github/labels.yaml
-          token: "${{ secrets.GITHUB_TOKEN }}"
           delete-other-labels: true

.github/workflows/labeler.yaml

@@ -1,18 +1,21 @@
 ---
-name: "Meta Labeler"
+name: "Labeler"
 
 on:
   workflow_dispatch:
-  pull_request:
+  pull_request_target:
     branches: ["main"]
 
 jobs:
   labeler:
     name: Labeler
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     steps:
       - name: Labeler
-        uses: actions/labeler@5c7539237e04b714afd8ad9b4aed733815b9fab4 # renovate: tag=v4.0.2
+        uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           configuration-path: .github/labeler.yaml
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/link-check.yaml

@@ -1,54 +0,0 @@
----
-name: "Link Check"
-
-on:
-  workflow_dispatch:
-  schedule:
-    - cron: "0 * * * *"
-
-jobs:
-  link-check:
-    name: Link Check
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
-
-      - name: Restore lychee cache
-        uses: actions/cache@58c146cc91c5b9e778e71775dfe9bf1442ad9a12 # v3.2.3
-        with:
-          path: .lycheecache
-          key: cache-lychee-${{ github.sha }}
-          restore-keys: cache-lychee-
-
-      - name: Link Checker
-        uses: lycheeverse/lychee-action@4dcb8bee2a0a4531cba1a1f392c54e8375d6dd81 # renovate: tag=v1.5.4
-        id: lychee
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-        with:
-          args: >
-            --cache
-            --max-cache-age 1d
-            --verbose
-            --no-progress
-            --exclude-mail
-            './**/*.md'
-
-      - name: Find Link Checker Issue
-        id: link-checker-issue
-        uses: micalevisk/last-issue-action@044e1cb7e9a4dde20e22969cb67818bfca0797be # renovate: tag=2.0.0
-        with:
-          state: open
-          labels: |
-            broken-links
-
-      - name: Update Issue
-        uses: peter-evans/create-issue-from-file@433e51abf769039ee20ba1293a088ca19d573b7f # renovate: tag=v4.0.1
-        with:
-          title: Broken links detected 🔗
-          issue-number: "${{ steps.link-checker-issue.outputs.issue-number }}"
-          content-filepath: ./lychee/out.md
-          token: "${{ secrets.GITHUB_TOKEN }}"
-          labels: |
-            broken-links

.github/workflows/release-drafter.yaml

@@ -1,17 +0,0 @@
----
-name: "Draft Release"
-
-on:
-  workflow_dispatch:
-  push:
-    branches: ["main"]
-
-jobs:
-  update:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: release-drafter/release-drafter@cfc5540ebc9d65a8731f02032e3d44db5e449fb6 # v5.22.0
-        with:
-          config-name: release-drafter.yaml
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/release.yaml

@@ -4,13 +4,53 @@ name: "Release"
 on:
   workflow_dispatch:
   schedule:
-    - cron: "0 0 * * 0"
+    - cron: "0 0 1 * *" # 1st of every month at midnight
 
 jobs:
   release:
+    name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
-      - name: Publish Latest Release
-        uses: ivangabriele/publish-latest-release@df1a4afd8aea9d1f0ba5ebeb89452aeac7bca0a9 # renovate: tag=v3
-        env:
-          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+      - name: Get Previous Release Tag and Determine Next Tag
+        id: determine-next-tag
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          result-encoding: string
+          script: |
+            const { data: releases } = await github.rest.repos.listReleases({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              per_page: 1,
+            });
+
+            let previousTag = "0.0.0"; // Default if no previous release exists
+            if (releases.length > 0) {
+              previousTag = releases[0].tag_name;
+            }
+
+            const [previousMajor, previousMinor, previousPatch] = previousTag.split('.').map(Number);
+            const currentYear = new Date().getFullYear();
+            const currentMonth = new Date().getMonth() + 1; // Months are 0-indexed in JavaScript
+
+            const nextMajorMinor = `${currentYear}.${currentMonth}`;
+            let nextPatch;
+
+            if (`${previousMajor}.${previousMinor}` === nextMajorMinor) {
+              console.log("Month release already exists for the year. Incrementing patch number by 1.");
+              nextPatch = previousPatch + 1;
+            } else {
+              console.log("Month release does not exist for the year. Starting with patch number 0.");
+              nextPatch = 0;
+            }
+
+            return `${nextMajorMinor}.${nextPatch}`;
+
+      - name: Create Release
+        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
+        with:
+          generateReleaseNotes: true
+          tag: "${{ steps.determine-next-tag.outputs.result }}"
+          token: "${{ secrets.GITHUB_TOKEN }}"

.gitignore

@@ -1,17 +1,21 @@
-# Trash
-.DS_Store
-Thumbs.db
-# k8s
-kubeconfig
-# vscode-sops
-.decrypted~*.yaml
-.config.env
-*.agekey
+# Secrets
 *.pub
 *.key
-# Ansible
-xanmanning.k3s*
-# Terraform
-.terraform
-.terraform.tfstate*
-terraform.tfstate*
+*.decrypted~*.yaml
+/age.key
+/cloudflare-tunnel.json
+/github-deploy.key
+/github-deploy.key.pub
+/github-push-token.txt
+# Template config files
+/cluster.yaml
+/nodes.yaml
+# Kubernetes
+kubeconfig
+talosconfig
+# Misc.
+.private/
+.task/
+.venv/
+.DS_Store
+Thumbs.db

.lycheeignore

@@ -1,2 +0,0 @@
-https://dash.cloudflare.com/profile/api-tokens
-https://www.mend.io/free-developer-tools/renovate/

.mise.toml

@@ -0,0 +1,28 @@
+[env]
+_.python.venv = { path = "{{config_root}}/.venv", create = true } # required:template
+KUBECONFIG = "{{config_root}}/kubeconfig"
+SOPS_AGE_KEY_FILE = "{{config_root}}/age.key"
+TALOSCONFIG = "{{config_root}}/talos/clusterconfig/talosconfig"
+
+[tools]
+"python" = "3.14.3" # required:template
+"uv" = "0.10.7" # required:template
+"pipx" = "1.8.0" # required:template
+"pipx:makejinja" = "2.8.2" # required:template
+"aqua:budimanjojo/talhelper" = "3.1.5"
+"aqua:cilium/cilium-cli" = "0.19.2"
+"aqua:cli/cli" = "2.87.3"
+"aqua:cloudflare/cloudflared" = "2026.2.0"
+"aqua:cue-lang/cue" = "0.15.4" # required:template
+"aqua:FiloSottile/age" = "1.3.1"
+"aqua:fluxcd/flux2" = "2.8.1"
+"aqua:getsops/sops" = "3.12.1"
+"aqua:go-task/task" = "3.48.0"
+"aqua:helm/helm" = "4.1.1"
+"aqua:helmfile/helmfile" = "1.3.2"
+"aqua:jqlang/jq" = "1.8.1"
+"aqua:kubernetes-sigs/kustomize" = "5.7.1"
+"aqua:kubernetes/kubernetes/kubectl" = "1.35.2"
+"aqua:mikefarah/yq" = "4.52.4"
+"aqua:siderolabs/talos" = "1.12.4"
+"aqua:yannh/kubeconform" = "0.7.0"

.pre-commit-config.yaml

@@ -1,14 +0,0 @@
----
-fail_fast: false
-repos:
-  - repo: https://github.com/adrienverge/yamllint
-    rev: v1.29.0
-    hooks:
-      - args:
-          - --config-file
-          - .yamllint.yaml
-        id: yamllint
-  - repo: https://github.com/gruntwork-io/pre-commit
-    rev: v0.1.17
-    hooks:
-      - id: terraform-fmt

.renovaterc.json5

@@ -0,0 +1,172 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  extends: [
+    "config:recommended",
+    "docker:enableMajor",
+    "helpers:pinGitHubActionDigests",
+    ":automergeBranch",
+    ":dependencyDashboard",
+    ":disableRateLimiting",
+    ":semanticCommits",
+  ],
+  dependencyDashboard: true,
+  dependencyDashboardTitle: "Renovate Dashboard :robot:",
+  schedule: ["every weekend"],
+  ignorePaths: ["**/*.sops.*"],
+  flux: {
+    managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$/"],
+  },
+  helmfile: {
+    managerFilePatterns: [
+      "/(^|/)helmfile\\.ya?ml(?:\\.gotmpl)?(?:\\.j2)?$/",
+      "/(^|/)helmfile\\.d/.+\\.ya?ml(?:\\.gotmpl)?(?:\\.j2)?$/",
+    ],
+  },
+  kubernetes: {
+    managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$/"],
+  },
+  kustomize: {
+    managerFilePatterns: ["/^kustomization\\.ya?ml(?:\\.j2)?$/"],
+  },
+  packageRules: [
+    {
+      description: "Override Helmfile Dependency Name",
+      matchDatasources: ["docker"],
+      matchManagers: ["helmfile"],
+      overrideDepName: "{{packageName}}",
+    },
+    {
+      description: "Flux Operator Group",
+      groupName: "flux-operator",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/flux-operator/", "/flux-instance/", "/flux-operator-manifests/"],
+      group: {
+        commitMessageTopic: "{{{groupName}}} group",
+      },
+      minimumGroupSize: 3,
+    },
+    {
+      description: "Auto-merge GitHub Actions",
+      matchManagers: ["github-actions"],
+      automerge: true,
+      automergeType: "branch",
+      matchUpdateTypes: ["minor", "patch", "digest"],
+      minimumReleaseAge: "3 days",
+      ignoreTests: true,
+    },
+    {
+      matchUpdateTypes: ["major"],
+      semanticCommitType: "feat",
+      commitMessagePrefix: "{{semanticCommitType}}({{semanticCommitScope}})!:",
+      commitMessageExtra: "( {{currentVersion}} ➔ {{newVersion}} )",
+    },
+    {
+      matchUpdateTypes: ["minor"],
+      semanticCommitType: "feat",
+      commitMessageExtra: "( {{currentVersion}} ➔ {{newVersion}} )",
+    },
+    {
+      matchUpdateTypes: ["patch"],
+      semanticCommitType: "fix",
+      commitMessageExtra: "( {{currentVersion}} ➔ {{newVersion}} )",
+    },
+    {
+      matchUpdateTypes: ["digest"],
+      semanticCommitType: "chore",
+      commitMessageExtra: "( {{currentDigestShort}} ➔ {{newDigestShort}} )",
+    },
+    {
+      matchDatasources: ["docker"],
+      semanticCommitScope: "container",
+      commitMessageTopic: "image {{depName}}",
+    },
+    {
+      matchDatasources: ["helm"],
+      semanticCommitScope: "helm",
+      commitMessageTopic: "chart {{depName}}",
+    },
+    {
+      matchManagers: ["github-actions"],
+      semanticCommitType: "ci",
+      semanticCommitScope: "github-action",
+      commitMessageTopic: "action {{depName}}",
+    },
+    {
+      matchDatasources: ["github-releases"],
+      semanticCommitScope: "github-release",
+      commitMessageTopic: "release {{depName}}",
+    },
+    {
+      matchManagers: ["mise"],
+      semanticCommitScope: "mise",
+      commitMessageTopic: "tool {{depName}}",
+    },
+    {
+      matchUpdateTypes: ["major"],
+      labels: ["type/major"],
+    },
+    {
+      matchUpdateTypes: ["minor"],
+      labels: ["type/minor"],
+    },
+    {
+      matchUpdateTypes: ["patch"],
+      labels: ["type/patch"],
+    },
+    {
+      matchUpdateTypes: ["digest"],
+      labels: ["type/digest"],
+    },
+    {
+      matchDatasources: ["docker"],
+      addLabels: ["renovate/container"],
+    },
+    {
+      matchDatasources: ["helm"],
+      addLabels: ["renovate/helm"],
+    },
+    {
+      matchManagers: ["github-actions"],
+      addLabels: ["renovate/github-action"],
+    },
+    {
+      matchDatasources: ["github-releases"],
+      addLabels: ["renovate/github-release"],
+    },
+  ],
+  customManagers: [
+    {
+      description: "Process annotated dependencies",
+      customType: "regex",
+      managerFilePatterns: [
+        "/(^|/).+\\.env(?:\\.j2)?$/",
+        "/(^|/).+\\.sh(?:\\.j2)?$/",
+        "/(^|/).+\\.ya?ml(?:\\.j2)?$/",
+      ],
+      matchStrings: [
+        // # renovate: datasource=github-releases depName=k3s-io/k3s
+        // k3s_release_version: &version v1.29.0+k3s1
+        // # renovate: datasource=helm depName=cilium repository=https://helm.cilium.io
+        // version: 1.15.1
+        // # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+        // KUBERNETES_VERSION=v1.31.1
+        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)( repository=(?<registryUrl>\\S+))?\\n.+(:\\s|=)(&\\S+\\s)?(?<currentValue>\\S+)",
+        // # renovate: datasource=docker depName=ghcr.io/prometheus-operator/prometheus-operator
+        // https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.80.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
+        "datasource=(?<datasource>\\S+) depName=(?<depName>\\S+)\\n.+/(?<currentValue>(v|\\d)[^/]+)",
+      ],
+      datasourceTemplate: "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}",
+    },
+    {
+      customType: "regex",
+      description: "Process OCI dependencies",
+      managerFilePatterns: [
+        "/\\.yaml(?:\\.j2)?$/",
+      ],
+      matchStrings: [
+        "oci://(?<depName>[^:]+):(?<currentValue>\\S+)",
+      ],
+      datasourceTemplate: "docker",
+    },
+  ],
+}

.shellcheckrc

@@ -0,0 +1,2 @@
+disable=SC1091
+disable=SC2155

.taskfiles/AnsibleTasks.yml

@@ -1,76 +0,0 @@
----
-version: "3"
-
-env:
-  ANSIBLE_CONFIG: "{{.ROOT_DIR}}/ansible.cfg"
-  K8S_AUTH_KUBECONFIG: "{{.ROOT_DIR}}/kubeconfig"
-
-vars:
-  ANSIBLE_PLAYBOOK_DIR: "{{.ANSIBLE_DIR}}/playbooks"
-  ANSIBLE_INVENTORY_DIR: "{{.ANSIBLE_DIR}}/inventory"
-
-tasks:
-
-  init:
-    desc: Install / Upgrade Ansible galaxy deps
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - pip3 install --user --requirement requirements.txt
-      - ansible-galaxy install -r requirements.yml --roles-path ~/.ansible/roles --force
-      - ansible-galaxy collection install -r requirements.yml --collections-path ~/.ansible/collections --force
-
-  list:
-    desc: List all the hosts
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml --list-hosts
-
-  prepare:
-    desc: Prepare all the k8s nodes for running k3s
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-prepare.yml
-
-  install:
-    desc: Install Kubernetes on the nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-installation.yml
-
-  nuke:
-    desc: Uninstall Kubernetes on the nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    interactive: true
-    cmds:
-      - ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-nuke.yml
-      - task: force-reboot
-
-  ping:
-    desc: Ping all the hosts
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml --one-line -m 'ping'
-
-  uptime:
-    desc: Uptime of all the hosts
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml --one-line -a 'uptime'
-
-  rollout-reboot:
-    desc: Rollout a reboot across all the k8s nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-rollout-reboot.yml
-
-  force-reboot:
-    desc: Reboot all the k8s nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/cluster-reboot.yml
-
-  force-poweroff:
-    desc: Shutdown all the k8s nodes
-    dir: "{{.ANSIBLE_DIR}}"
-    cmds:
-      - ansible kubernetes -i {{.ANSIBLE_INVENTORY_DIR}}/hosts.yml -a '/usr/bin/systemctl poweroff' --become

.taskfiles/ClusterTasks.yml

@@ -1,89 +0,0 @@
----
-version: "3"
-
-tasks:
-
-  verify:
-    desc: Verify flux meets the prerequisites
-    cmds:
-      - flux check --pre
-
-  install:
-    desc: Install Flux into your cluster
-    cmds:
-      - kubectl apply --kustomize {{.KUBERNETES_DIR}}/bootstrap
-      - cat {{.SOPS_AGE_KEY_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin
-      - sops --decrypt {{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml | kubectl apply -f -
-      - kubectl apply -f {{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml
-      - kubectl apply --kustomize {{.KUBERNETES_DIR}}/flux/config
-    preconditions:
-      - sh: test -f {{.SOPS_AGE_KEY_FILE}}
-        msg: |
-          Age key file is not found. Did you forget to create it?
-    vars:
-      SOPS_AGE_KEY_FILE: ~/.config/sops/age/keys.txt
-
-  reconcile:
-    desc: Force update Flux to pull in changes from your Git repository
-    cmds:
-      - flux reconcile -n flux-system source git home-kubernetes
-      - flux reconcile -n flux-system kustomization cluster
-
-  hr-restart:
-    desc: Restart all failed Helm Releases
-    cmds:
-      - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -l bash -c 'flux suspend hr $0 -n $1'
-      - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -l bash -c 'flux resume hr $0 -n $1'
-
-  nodes:
-    desc: List all the nodes in your cluster
-    cmds:
-      - kubectl get nodes {{.CLI_ARGS | default "-o wide"}}
-
-  pods:
-    desc: List all the pods in your cluster
-    cmds:
-      - kubectl get pods {{.CLI_ARGS | default "-A"}}
-
-  kustomizations:
-    desc: List all the kustomizations in your cluster
-    cmds:
-      - kubectl get kustomizations {{.CLI_ARGS | default "-A"}}
-
-  helmreleases:
-    desc: List all the helmreleases in your cluster
-    cmds:
-      - kubectl get helmreleases {{.CLI_ARGS | default "-A"}}
-
-  helmrepositories:
-    desc: List all the helmrepositories in your cluster
-    cmds:
-      - kubectl get helmrepositories {{.CLI_ARGS | default "-A"}}
-
-  gitrepositories:
-    desc: List all the gitrepositories in your cluster
-    cmds:
-      - kubectl get gitrepositories {{.CLI_ARGS | default "-A"}}
-
-  certificates:
-    desc: List all the certificates in your cluster
-    cmds:
-      - kubectl get certificates {{.CLI_ARGS | default "-A"}}
-      - kubectl get certificaterequests {{.CLI_ARGS | default "-A"}}
-
-  ingresses:
-    desc: List all the ingresses in your cluster
-    cmds:
-      - kubectl get ingress {{.CLI_ARGS | default "-A"}}
-
-  resources:
-    desc: Gather common resources in your cluster, useful when asking for support
-    cmds:
-      - task: nodes
-      - task: kustomizations
-      - task: helmreleases
-      - task: helmrepositories
-      - task: gitrepositories
-      - task: certificates
-      - task: ingresses
-      - task: pods

.taskfiles/PrecommitTasks.yml

@@ -1,19 +0,0 @@
----
-version: "3"
-
-tasks:
-
-  init:
-    desc: Initialize pre-commit hooks
-    cmds:
-      - pre-commit install --install-hooks
-
-  run:
-    desc: Run pre-commit
-    cmds:
-      - pre-commit run --all-files
-
-  update:
-    desc: Update pre-commit hooks
-    cmds:
-      - pre-commit autoupdate

.taskfiles/TerraformTasks.yml

@@ -1,22 +0,0 @@
----
-version: "3"
-
-tasks:
-
-  init:
-    desc: Initialize terraform dependencies
-    dir: "{{.TERRAFORM_DIR}}/cloudflare"
-    cmds:
-      - terraform init {{.CLI_ARGS}}
-
-  plan:
-    desc: Show the changes terraform will make
-    dir: "{{.TERRAFORM_DIR}}/cloudflare"
-    cmds:
-      - terraform plan {{.CLI_ARGS}}
-
-  apply:
-    desc: Apply the changes to Cloudflare
-    dir: "{{.TERRAFORM_DIR}}/cloudflare"
-    cmds:
-      - terraform apply {{.CLI_ARGS}}

.taskfiles/bootstrap/Taskfile.yaml

@@ -0,0 +1,30 @@
+---
+version: '3'
+
+tasks:
+
+  talos:
+    desc: Bootstrap the Talos cluster
+    dir: '{{.TALOS_DIR}}'
+    cmds:
+      - '[ -f talsecret.sops.yaml ] || talhelper gensecret | sops --filename-override talos/talsecret.sops.yaml --encrypt /dev/stdin > talsecret.sops.yaml'
+      - talhelper genconfig
+      - talhelper gencommand apply --extra-flags="--insecure" | bash
+      - until talhelper gencommand bootstrap | bash; do sleep 10; done
+      - until talhelper gencommand kubeconfig --extra-flags="{{.ROOT_DIR}} --force" | bash; do sleep 10; done
+    preconditions:
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+      - test -f {{.TALOS_DIR}}/talconfig.yaml
+      - which talhelper talosctl sops
+
+  apps:
+    desc: Bootstrap apps into the Talos cluster
+    cmd: bash {{.SCRIPTS_DIR}}/bootstrap-apps.sh
+    preconditions:
+      - msg: Unsupported bash version, run `brew install bash` to upgrade
+        sh: '{{if eq OS "darwin"}}test -f /opt/homebrew/bin/bash || test -f /usr/local/bin/bash{{end}}'
+      - test -f {{.KUBECONFIG}}
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - test -f {{.SCRIPTS_DIR}}/bootstrap-apps.sh
+      - test -f {{.SOPS_AGE_KEY_FILE}}

.taskfiles/talos/Taskfile.yaml

@@ -0,0 +1,65 @@
+---
+version: '3'
+
+tasks:
+
+  generate-config:
+    desc: Generate Talos configuration
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper genconfig
+    preconditions:
+      - test -f {{.TALOS_DIR}}/talconfig.yaml
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+      - which talhelper
+
+  apply-node:
+    desc: Apply Talos config to a node [IP=required]
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper gencommand apply --node {{.IP}} --extra-flags '--mode={{.MODE}}' | bash
+    vars:
+      MODE: '{{.MODE | default "auto"}}'
+    requires:
+      vars: [IP]
+    preconditions:
+      - talosctl --nodes {{.IP}} get machineconfig
+      - talosctl config info
+      - test -f {{.TALOSCONFIG}}
+      - which talhelper talosctl yq
+
+  upgrade-node:
+    desc: Upgrade Talos on a single node [IP=required]
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper gencommand upgrade --node {{.IP}} --extra-flags "--image='{{.TALOS_IMAGE}}:{{.TALOS_VERSION}}' --timeout=10m" | bash
+    vars:
+      TALOS_IMAGE:
+        sh: yq '.nodes[] | select(.ipAddress == "{{.IP}}") | .talosImageURL' {{.TALOS_DIR}}/talconfig.yaml
+      TALOS_VERSION:
+        sh: yq '.talosVersion' {{.TALOS_DIR}}/talenv.yaml
+    requires:
+      vars: [IP]
+    preconditions:
+      - talosctl --nodes {{.IP}} get machineconfig
+      - talosctl config info
+      - test -f {{.TALOSCONFIG}}
+      - which kubectl talhelper talosctl yq
+
+  upgrade-k8s:
+    desc: Upgrade Kubernetes
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper gencommand upgrade-k8s --extra-flags "--to '{{.KUBERNETES_VERSION}}'" | bash
+    vars:
+      KUBERNETES_VERSION:
+        sh: yq '.kubernetesVersion' {{.TALOS_DIR}}/talenv.yaml
+    preconditions:
+      - talosctl config info
+      - test -f {{.TALOSCONFIG}}
+      - which talhelper talosctl yq
+
+  reset:
+    desc: Resets nodes back to maintenance mode
+    dir: '{{.TALOS_DIR}}'
+    prompt: This will destroy your cluster and reset the nodes back to maintenance mode... continue?
+    cmd: talhelper gencommand reset --extra-flags="--reboot {{- if eq .CLI_FORCE false }} --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL{{ end }} --graceful=false --wait=false" | bash
+    preconditions:
+      - which talhelper

.taskfiles/template/Taskfile.yaml

@@ -0,0 +1,173 @@
+---
+version: '3'
+
+vars:
+  MAKEJINJA_CONFIG_FILE: '{{.ROOT_DIR}}/makejinja.toml'
+  TEMPLATE_DIR: '{{.ROOT_DIR}}/templates'
+  TEMPLATE_RESOURCES_DIR: '{{.ROOT_DIR}}/.taskfiles/template/resources'
+  TEMPLATE_CONFIG_FILE: '{{.ROOT_DIR}}/cluster.yaml'
+  TEMPLATE_NODE_CONFIG_FILE: '{{.ROOT_DIR}}/nodes.yaml'
+
+tasks:
+
+  :init:
+    desc: Initialize configuration files
+    cmds:
+      - task: generate-template-config
+      - task: generate-age-key
+      - task: generate-deploy-key
+      - task: generate-push-token
+
+  generate-template-config:
+    internal: true
+    cmds:
+      - mv {{.TEMPLATE_CONFIG_FILE | replace ".yaml" ".sample.yaml"}} {{.TEMPLATE_CONFIG_FILE}}
+      - mv {{.TEMPLATE_NODE_CONFIG_FILE | replace ".yaml" ".sample.yaml"}} {{.TEMPLATE_NODE_CONFIG_FILE}}
+    status:
+      - test -f {{.TEMPLATE_CONFIG_FILE}}
+      - test -f {{.TEMPLATE_NODE_CONFIG_FILE}}
+
+  generate-age-key:
+    internal: true
+    cmd: age-keygen --output {{.SOPS_AGE_KEY_FILE}}
+    status:
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+    preconditions:
+      - which age-keygen
+
+  generate-deploy-key:
+    internal: true
+    cmd: ssh-keygen -t ed25519 -C "deploy-key" -f {{.ROOT_DIR}}/github-deploy.key -q -P ""
+    status:
+      - test -f {{.ROOT_DIR}}/github-deploy.key
+    preconditions:
+      - which ssh-keygen
+
+  generate-push-token:
+    internal: true
+    cmd: python -c "import secrets; print(secrets.token_hex(16))" > {{.ROOT_DIR}}/github-push-token.txt
+    status:
+      - test -f {{.ROOT_DIR}}/github-push-token.txt
+
+  :configure:
+    desc: Render and validate configuration files
+    prompt: Any conflicting files in the kubernetes directory will be overwritten... continue?
+    cmds:
+      - task: validate-schemas
+      - task: render-configs
+      - task: encrypt-secrets
+      - task: validate-kubernetes-config
+      - task: validate-talos-config
+    preconditions:
+      - msg: An existing Age key interferes with the age key in this repository, rename or delete ~/.config/sops/age/keys.txt
+        sh: '! test -f ~/.config/sops/age/keys.txt'
+      - msg: File cluster.yaml not found, did you run `task init`?
+        sh: test -f {{.TEMPLATE_CONFIG_FILE}}
+      - msg: File nodes.yaml not found, did you run `task init`?
+        sh: test -f {{.TEMPLATE_NODE_CONFIG_FILE}}
+      - msg: File cloudflare-tunnel.json not found, see the README for information on creating it.
+        sh: test -f {{.ROOT_DIR}}/cloudflare-tunnel.json
+
+  validate-schemas:
+    internal: true
+    cmds:
+      - cue vet {{.TEMPLATE_CONFIG_FILE}} {{.TEMPLATE_RESOURCES_DIR}}/cluster.schema.cue
+      - cue vet {{.TEMPLATE_NODE_CONFIG_FILE}} {{.TEMPLATE_RESOURCES_DIR}}/nodes.schema.cue
+    preconditions:
+      - test -f {{.TEMPLATE_RESOURCES_DIR}}/cluster.schema.cue
+      - test -f {{.TEMPLATE_RESOURCES_DIR}}/nodes.schema.cue
+      - which cue
+
+  render-configs:
+    internal: true
+    cmd: makejinja
+    env:
+      PYTHONDONTWRITEBYTECODE: '1'
+    preconditions:
+      - test -f {{.TEMPLATE_DIR}}/scripts/plugin.py
+      - test -f {{.MAKEJINJA_CONFIG_FILE}}
+      - which makejinja
+
+  encrypt-secrets:
+    internal: true
+    cmds:
+      - for: { var: SECRET_FILES }
+        cmd: |
+          if [ $(sops filestatus "{{.ITEM}}" | jq ".encrypted") == "false" ]; then
+              sops --encrypt --in-place "{{.ITEM}}"
+          fi
+    vars:
+      SECRET_FILES:
+        sh: find "{{.BOOTSTRAP_DIR}}" "{{.KUBERNETES_DIR}}" "{{.TALOS_DIR}}" -type f -name "*.sops.*" -print
+    preconditions:
+      - test -f {{.SOPS_AGE_KEY_FILE}}
+      - test -f {{.ROOT_DIR}}/.sops.yaml
+      - which jq sops
+
+  validate-kubernetes-config:
+    internal: true
+    cmd: bash {{.TEMPLATE_RESOURCES_DIR}}/kubeconform.sh {{.KUBERNETES_DIR}}
+    preconditions:
+      - test -f {{.TEMPLATE_RESOURCES_DIR}}/kubeconform.sh
+      - which kubeconform
+
+  validate-talos-config:
+    internal: true
+    dir: '{{.TALOS_DIR}}'
+    cmd: talhelper validate talconfig {{.TALOS_DIR}}/talconfig.yaml
+    preconditions:
+      - test -f {{.TALOS_DIR}}/talconfig.yaml
+      - which talhelper
+
+  debug:
+    desc: Gather common resources in your cluster
+    cmds:
+      - for:
+          matrix:
+            RESOURCE: [certificates, certificaterequests, gitrepositories, helmrepositories, helmreleases, httproutes, kustomizations, nodes, pods]
+        cmd: kubectl get --all-namespaces {{.ITEM.RESOURCE}}
+    preconditions:
+      - test -f {{.KUBECONFIG}}
+      - which kubectl
+
+  tidy:
+    desc: Archive or remove all template related config
+    prompt: All template related config will be archived or removed... continue?
+    cmds:
+      - mkdir -p {{.TIDY_FOLDER}}
+      - rm -rf {{.ROOT_DIR}}/.github/tests
+      - rm -rf {{.ROOT_DIR}}/.github/workflows/e2e.yaml
+      - rm -rf {{.ROOT_DIR}}/.github/workflows/mise.yaml
+      - rm -rf {{.ROOT_DIR}}/.github/workflows/release.yaml
+      - |
+        {{.SED}} -i 's/(..\.j2)\?//g' {{.ROOT_DIR}}/.renovaterc.json5
+      - mv {{.TEMPLATE_DIR}} {{.TIDY_FOLDER}}/templates
+      - mv {{.MAKEJINJA_CONFIG_FILE}} {{.TIDY_FOLDER}}/makejinja.toml
+      - mv {{.TEMPLATE_CONFIG_FILE}} {{.TIDY_FOLDER}}/cluster.yaml
+      - mv {{.TEMPLATE_NODE_CONFIG_FILE}} {{.TIDY_FOLDER}}/nodes.yaml
+      - |
+        {{.SED}} -i '/template:/d' {{.ROOT_DIR}}/Taskfile.yaml
+      - mv {{.ROOT_DIR}}/.taskfiles/template {{.TIDY_FOLDER}}/.taskfiles/
+      - |
+        {{.SED}} -i '/required:template/d' {{.ROOT_DIR}}/.mise.toml
+      - rm -rf {{.ROOT_DIR}}/.venv
+    vars:
+      TIDY_FOLDER: '{{.PRIVATE_DIR}}/{{now | unixEpoch}}'
+      SED:
+        sh: which gsed || which sed
+    preconditions:
+      - msg: Unsupported sed version, run `brew install gsed` to upgrade
+        sh: '{{if eq OS "darwin"}}test -f /opt/homebrew/bin/gsed || test -f /usr/local/bin/gsed{{end}}'
+      - test -d {{.ROOT_DIR}}/.taskfiles/template
+      - test -d {{.TEMPLATE_DIR}}
+      - test -f {{.MAKEJINJA_CONFIG_FILE}}
+      - test -f {{.ROOT_DIR}}/.renovaterc.json5
+
+  reset:
+    desc: Remove templated files and directories
+    prompt: Remove all templated files and directories... continue?
+    cmds:
+      - rm -rf {{.BOOTSTRAP_DIR}}
+      - rm -rf {{.KUBERNETES_DIR}}
+      - rm -rf {{.TALOS_DIR}}
+      - rm -rf {{.ROOT_DIR}}/.sops.yaml

.taskfiles/template/resources/cluster.schema.cue

@@ -0,0 +1,31 @@
+package config
+
+import (
+	"net"
+)
+
+#Config: {
+	node_cidr: net.IPCIDR & !=cluster_pod_cidr & !=cluster_svc_cidr
+	node_dns_servers?: [...net.IPv4]
+	node_ntp_servers?: [...net.IPv4]
+	node_default_gateway?: net.IPv4 & !=""
+	node_vlan_tag?: string & !=""
+	cluster_pod_cidr: *"10.42.0.0/16" | net.IPCIDR & !=node_cidr & !=cluster_svc_cidr
+	cluster_svc_cidr: *"10.43.0.0/16" | net.IPCIDR & !=node_cidr & !=cluster_pod_cidr
+	cluster_api_addr: net.IPv4
+	cluster_api_tls_sans?: [...net.FQDN]
+	cluster_gateway_addr: net.IPv4 & !=cluster_api_addr & !=cluster_dns_gateway_addr & !=cloudflare_gateway_addr
+	cluster_dns_gateway_addr: net.IPv4 & !=cluster_api_addr & !=cluster_gateway_addr & !=cloudflare_gateway_addr
+	repository_name: string
+	repository_branch?: string & !=""
+	repository_visibility?: *"public" | "private"
+	cloudflare_domain: net.FQDN
+	cloudflare_token: string
+	cloudflare_gateway_addr: net.IPv4 & !=cluster_api_addr & !=cluster_gateway_addr & !=cluster_dns_gateway_addr
+	cilium_bgp_router_addr?: net.IPv4 & !=""
+	cilium_bgp_router_asn?: string & !=""
+	cilium_bgp_node_asn?: string & !=""
+	cilium_loadbalancer_mode?: *"dsr" | "snat"
+}
+
+#Config

.taskfiles/template/resources/kubeconform.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+KUBERNETES_DIR=$1
+
+[[ -z "${KUBERNETES_DIR}" ]] && echo "Kubernetes location not specified" && exit 1
+
+kustomize_args=("--load-restrictor=LoadRestrictionsNone")
+kustomize_config="kustomization.yaml"
+kubeconform_args=(
+    "-strict"
+    "-ignore-missing-schemas"
+    "-skip"
+    "Gateway,HTTPRoute,Secret"
+    "-schema-location"
+    "default"
+    "-schema-location"
+    "https://kubernetes-schemas.pages.dev/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json"
+    "-verbose"
+)
+
+echo "=== Validating standalone manifests in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -maxdepth 1 -type f -name '*.yaml' -print0 | while IFS= read -r -d $'\0' file;
+do
+    kubeconform "${kubeconform_args[@]}" "${file}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/flux ==="
+find "${KUBERNETES_DIR}/flux" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done
+
+echo "=== Validating kustomizations in ${KUBERNETES_DIR}/apps ==="
+find "${KUBERNETES_DIR}/apps" -type f -name $kustomize_config -print0 | while IFS= read -r -d $'\0' file;
+do
+    echo "=== Validating kustomizations in ${file/%$kustomize_config} ==="
+    kustomize build "${file/%$kustomize_config}" "${kustomize_args[@]}" | kubeconform "${kubeconform_args[@]}"
+    if [[ ${PIPESTATUS[0]} != 0 ]]; then
+        exit 1
+    fi
+done

.taskfiles/template/resources/nodes.schema.cue

@@ -0,0 +1,30 @@
+package config
+
+import (
+	"net"
+	"list"
+)
+
+#Config: {
+	nodes: [...#Node]
+	_nodes_check: {
+		name: list.UniqueItems() & [for item in nodes {item.name}]
+		address: list.UniqueItems() & [for item in nodes {item.address}]
+		mac_addr: list.UniqueItems() & [for item in nodes {item.mac_addr}]
+	}
+}
+
+#Node: {
+	name:          =~"^[a-z0-9][a-z0-9\\-]{0,61}[a-z0-9]$|^[a-z0-9]$" & !="global" & !="controller" & !="worker"
+	address:       net.IPv4
+	controller:    bool
+	disk:          string
+	mac_addr:      =~"^([0-9a-f]{2}[:]){5}([0-9a-f]{2})$"
+	schematic_id:  =~"^[a-z0-9]{64}$"
+	mtu?:            >=1450 & <=9000
+	secureboot?:     bool
+	encrypt_disk?:   bool
+	kernel_modules?: [...string]
+}
+
+#Config

.vscode/extensions.json

@@ -1,14 +1,9 @@
 {
-    "recommendations": [
-        "albert.TabOut",
-        "britesnow.vscode-toggle-quotes",
-        "fcrespo82.markdown-table-formatter",
-        "mitchdenny.ecdc",
-        "redhat.ansible",
-        "signageos.signageos-vscode-sops",
-        "will-stone.in-any-case",
-        "EditorConfig.editorconfig",
-        "HashiCorp.terraform",
-        "PKief.material-icon-theme",
-    ]
+  "recommendations": [
+    "blueglassblock.better-json5",
+    "irongeek.vscode-env",
+    "redhat.vscode-yaml",
+    "signageos.signageos-vscode-sops",
+    "hverlin.mise-vscode"
+  ]
 }

.vscode/settings.json

@@ -1,20 +1,18 @@
 {
-    "files.associations": {
-        "*.json5": "jsonc",
-        "**/ansible/**/*.yml": "ansible",
-        "**/ansible/**/*.sops.yml": "yaml",
-        "**/ansible/**/inventory/**/*.yml": "yaml",
-        "**/terraform/**/*.tf": "terraform",
-        "**/kubernetes/**/*.sops.toml": "plaintext"
-    },
-    "yaml.schemas": {
-        "ansible": "ansible/*.yml",
-        "Kubernetes": "kubernetes/*.yaml"
-    },
     "editor.bracketPairColorization.enabled": true,
-    "editor.guides.bracketPairs": true,
-    "editor.guides.bracketPairsHorizontal": true,
-    "editor.guides.highlightActiveBracketPair": true,
-    "editor.hover.delay": 1500,
+    "files.associations": {
+        "**/*.json5": "json5"
+    },
     "files.trimTrailingWhitespace": true,
+    "sops.defaults.ageKeyFile": "age.key",
+    "vs-kubernetes": {
+        "vs-kubernetes.kubeconfig": "./kubeconfig",
+        "vs-kubernetes.knownKubeconfigs": [
+          "./kubeconfig"
+      ]
+    },
+    "yaml.schemaStore.enable": true,
+    "yaml.schemas": {
+        "kubernetes": "./kubernetes/**/*.yaml"
+    }
 }

.yamllint.yaml

@@ -1,17 +0,0 @@
----
-ignore: |
-  *.sops.*
-extends: default
-rules:
-  truthy:
-    allowed-values: ["true", "false", "on"]
-  comments:
-    min-spaces-from-content: 1
-  line-length: disable
-  braces:
-    min-spaces-inside: 0
-    max-spaces-inside: 1
-  brackets:
-    min-spaces-inside: 0
-    max-spaces-inside: 0
-  indentation: enable

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2023 onedr0p
+Copyright (c) 2025 onedr0p
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -1,549 +1,485 @@
-# Template for deploying k3s backed by Flux
+# ⛵ Cluster Template
 
-Highly opinionated template for deploying a single [k3s](https://k3s.io) cluster with [Ansible](https://www.ansible.com) and [Terraform](https://www.terraform.io) backed by [Flux](https://toolkit.fluxcd.io/) and [SOPS](https://toolkit.fluxcd.io/guides/mozilla-sops/).
+Welcome to my template designed for deploying a single Kubernetes cluster. Whether you're setting up a cluster at home on bare-metal or virtual machines (VMs), this project aims to simplify the process and make Kubernetes more accessible. This template is inspired by my personal [home-ops](https://github.com/onedr0p/home-ops) repository, providing a practical starting point for anyone interested in managing their own Kubernetes environment.
 
-The purpose here is to showcase how you can deploy an entire Kubernetes cluster and show it off to the world using the [GitOps](https://www.weave.works/blog/what-is-gitops-really) tool [Flux](https://toolkit.fluxcd.io/). When completed, your Git repository will be driving the state of your Kubernetes cluster. In addition with the help of the [Ansible](https://github.com/ansible-collections/community.sops), [Terraform](https://github.com/carlpett/terraform-provider-sops) and [Flux](https://toolkit.fluxcd.io/guides/mozilla-sops/) SOPS integrations you'll be able to commit [Age](https://github.com/FiloSottile/age) encrypted secrets to your public repo.
+At its core, this project leverages [makejinja](https://github.com/mirkolenz/makejinja), a powerful tool for rendering templates. By reading configuration files—such as [cluster.yaml](./cluster.sample.yaml) and [nodes.yaml](./nodes.sample.yaml)—Makejinja generates the necessary configurations to deploy a Kubernetes cluster with the following features:
 
-## Overview
+- Easy configuration through YAML files.
+- Compatibility with home setups, whether on physical hardware or VMs.
+- A modular and extensible approach to cluster deployment and management.
 
-- [Introduction](https://github.com/onedr0p/flux-cluster-template#-introduction)
-- [Prerequisites](https://github.com/onedr0p/flux-cluster-template#-prerequisites)
-- [Repository structure](https://github.com/onedr0p/flux-cluster-template#-repository-structure)
-- [Lets go!](https://github.com/onedr0p/flux-cluster-template#-lets-go)
-- [Post installation](https://github.com/onedr0p/flux-cluster-template#-post-installation)
-- [Troubleshooting](https://github.com/onedr0p/flux-cluster-template#-troubleshooting)
-- [What's next](https://github.com/onedr0p/flux-cluster-template#-whats-next)
-- [Thanks](https://github.com/onedr0p/flux-cluster-template#-thanks)
+With this approach, you'll gain a solid foundation to build and manage your Kubernetes cluster efficiently.
 
-## 👋 Introduction
+## ✨ Features
 
-The following components will be installed in your [k3s](https://k3s.io/) cluster by default. Most are only included to get a minimum viable cluster up and running.
+A Kubernetes cluster deployed with [Talos Linux](https://github.com/siderolabs/talos) and an opinionated implementation of [Flux](https://github.com/fluxcd/flux2) using [GitHub](https://github.com/) as the Git provider, [sops](https://github.com/getsops/sops) to manage secrets and [cloudflared](https://github.com/cloudflare/cloudflared) to access applications external to your local network.
 
-- [flux](https://toolkit.fluxcd.io/) - GitOps operator for managing Kubernetes clusters from a Git repository
-- [kube-vip](https://kube-vip.io/) - Load balancer for the Kubernetes control plane nodes
-- [metallb](https://metallb.universe.tf/) - Load balancer for Kubernetes services
-- [cert-manager](https://cert-manager.io/) - Operator to request SSL certificates and store them as Kubernetes resources
-- [calico](https://www.tigera.io/project-calico/) - Container networking interface for inter pod and service networking
-- [external-dns](https://github.com/kubernetes-sigs/external-dns) - Operator to publish DNS records to Cloudflare (and other providers) based on Kubernetes ingresses
-- [k8s_gateway](https://github.com/ori-edge/k8s_gateway) - DNS resolver that provides local DNS to your Kubernetes ingresses
-- [ingress-nginx](https://kubernetes.github.io/ingress-nginx/) - Kubernetes ingress controller used for a HTTP reverse proxy of Kubernetes ingresses
-- [local-path-provisioner](https://github.com/rancher/local-path-provisioner) - provision persistent local storage with Kubernetes
+- **Required:** Some knowledge of [Containers](https://opencontainers.org/), [YAML](https://noyaml.com/), [Git](https://git-scm.com/), and a **Cloudflare account** with a **domain**.
+- **Included components:** [flux](https://github.com/fluxcd/flux2), [cilium](https://github.com/cilium/cilium), [cert-manager](https://github.com/cert-manager/cert-manager), [spegel](https://github.com/spegel-org/spegel), [reloader](https://github.com/stakater/Reloader), [envoy-gateway](https://github.com/envoyproxy/gateway), [external-dns](https://github.com/kubernetes-sigs/external-dns) and [cloudflared](https://github.com/cloudflare/cloudflared).
 
-_Additional applications include [hajimari](https://github.com/toboshii/hajimari), [error-pages](https://github.com/tarampampam/error-pages), [echo-server](https://github.com/Ealenn/Echo-Server), [system-upgrade-controller](https://github.com/rancher/system-upgrade-controller), [reloader](https://github.com/stakater/Reloader), and [kured](https://github.com/weaveworks/kured)_
+**Other features include:**
 
-For provisioning the following tools will be used:
+- Dev env managed w/ [mise](https://mise.jdx.dev/)
+- Workflow automation w/ [GitHub Actions](https://github.com/features/actions)
+- Dependency automation w/ [Renovate](https://www.mend.io/renovate)
+- Flux `HelmRelease` and `Kustomization` diffs w/ [flux-local](https://github.com/allenporter/flux-local)
 
-- [Ansible](https://www.ansible.com) - Sets up the operating system and installs k3s
-- [Terraform](https://www.terraform.io) - Provisions an existing Cloudflare domain and certain DNS records to be used with your Kubernetes cluster
+Does this sound cool to you? If so, continue to read on! 👇
 
-## 📝 Prerequisites
+## 🚀 Let's Go!
 
-**Note:** _This template has not been tested on cloud providers like AWS EC2, Hetzner, Scaleway etc... Those cloud offerings probably have a better way of provsioning a Kubernetes cluster and it's advisable to use those instead of the Ansible playbooks included here. This repository can still be tweaked for the GitOps/Flux portion if there's a cluster working in one those environments._
+There are **6 stages** outlined below for completing this project, make sure you follow the stages in order.
 
-First and foremost some experience in debugging/troubleshooting problems **and a positive attitude is required** ;)
+### Stage 1: Hardware Configuration
 
-### 📚 Reading material
+For a **stable** and **high-availability** production Kubernetes cluster, hardware selection is critical. NVMe/SSDs are strongly preferred over HDDs, and **Bare Metal is strongly recommended** over virtualized platforms like Proxmox.
 
-- [Organizing Cluster Access Using kubeconfig Files](https://kubernetes.io/docs/concepts/configuration/organize-cluster-access-kubeconfig/)
+Using **enterprise NVMe or SATA SSDs on Bare Metal** (even used drives) provides the most reliable performance and rock-solid stability. Consumer **NVMe or SATA SSDs**, on the other hand, carry risks such as latency spikes, corruption, and fsync delays, particularly in multi-node setups.
 
-### 💻 Systems
+**Proxmox with enterprise drives can work** for testing or carefully tuned production clusters, but it introduces additional layers of potential I/O contention — especially if consumer drives are used. Any **replicated storage** (e.g., Rook-Ceph, Longhorn) should always use **dedicated disks separate from control plane and etcd nodes** to ensure reliability. Worker nodes are more flexible, but risky configurations should still be avoided for stateful workloads to maintain cluster stability.
 
-- One or more nodes with a fresh install of [Fedora Server 36](https://getfedora.org/en/server/download/) or [Ubuntu 22.04 Server](https://ubuntu.com/download/server).
-  - These nodes can be ARM64/AMD64 bare metal or VMs.
-  - An odd number of control plane nodes, greater than or equal to 3 is required if deploying more than one control plane node.
-- A [Cloudflare](https://www.cloudflare.com/) account with a domain, this will be managed by Terraform and external-dns. You can [register new domains](https://www.cloudflare.com/products/registrar/) directly thru Cloudflare.
+These guidelines provide a strong baseline, but there are always exceptions and nuances. The best way to ensure your hardware configuration works is to **test it thoroughly and benchmark performance** under realistic workloads.
 
-📍 It is recommended to have 3 master nodes for a highly available control plane.
+### Stage 2: Machine Preparation
 
-## 📂 Repository structure
+> [!IMPORTANT]
+> If you have **3 or more nodes** it is recommended to make 3 of them controller nodes for a highly available control plane. This project configures **all nodes** to be able to run workloads. **Worker nodes** are therefore **optional**.
+>
+> **Minimum system requirements**
+> | Role    | Cores    | Memory        | System Disk               |
+> |---------|----------|---------------|---------------------------|
+> | Control/Worker | 4 | 16GB | 256GB SSD/NVMe |
 
-The Git repository contains the following directories under `kubernetes` and are ordered below by how Flux will apply them.
+1. Head over to the [Talos Linux Image Factory](https://factory.talos.dev) and follow the instructions. Be sure to only choose the **bare-minimum system extensions** as some might require additional configuration and prevent Talos from booting without it. Depending on your CPU start with the Intel/AMD system extensions (`i915`, `intel-ucode` & `mei` **or** `amdgpu` & `amd-ucode`), you can always add system extensions after Talos is installed and working.
 
-```sh
-📁 kubernetes      # Kubernetes cluster defined as code
-├─📁 bootstrap     # Flux installation
-├─📁 flux          # Main Flux configuration of repository
-└─📁 apps          # Apps deployed into the cluster grouped by namespace
-```
+2. This will eventually lead you to download a Talos Linux ISO (or for SBCs a RAW) image. Make sure to note the **schematic ID** you will need this later on.
 
-## 🚀 Lets go
+3. Flash the Talos ISO or RAW image to a USB drive and boot from it on your nodes.
 
-Very first step will be to create a new **public** repository by clicking the big green **Use this template** button on this page.
-
-Clone **your new repo** to you local workstation and `cd` into it.
-
-📍 **All of the below commands** are run on your **local** workstation, **not** on any of your cluster nodes.
-
-### 🔧 Workstation Tools
-
-📍 Install the **most recent version** of the CLI tools below. If you are **having trouble with future steps**, it is very likely you don't have the most recent version of these CLI tools, **!especially sops AND yq!**.
-
-1. Install the following CLI tools on your workstation, if you are **NOT** using [Homebrew](https://brew.sh/) on MacOS or Linux **ignore** steps 4 and 5.
-
-    * Required: [age](https://github.com/FiloSottile/age), [ansible](https://www.ansible.com), [flux](https://toolkit.fluxcd.io/), [weave-gitops](https://docs.gitops.weave.works/docs/installation/weave-gitops/), [go-task](https://github.com/go-task/task), [direnv](https://github.com/direnv/direnv), [ipcalc](http://jodies.de/ipcalc), [jq](https://stedolan.github.io/jq/), [kubectl](https://kubernetes.io/docs/tasks/tools/), [python-pip3](https://pypi.org/project/pip/), [pre-commit](https://github.com/pre-commit/pre-commit), [sops v3](https://github.com/mozilla/sops), [terraform](https://www.terraform.io), [yq v4](https://github.com/mikefarah/yq)
-
-    * Recommended: [helm](https://helm.sh/), [kustomize](https://github.com/kubernetes-sigs/kustomize), [stern](https://github.com/stern/stern), [yamllint](https://github.com/adrienverge/yamllint)
-
-2. This guide heavily relies on [go-task](https://github.com/go-task/task) as a framework for setting things up. It is advised to learn and understand the commands it is running under the hood.
-
-3. Install Python 3 and pip3 using your Linux OS package manager, or Homebrew if using MacOS.
-    - Ensure `pip3` is working on your command line by running `pip3 --version`
-
-4. [Homebrew] Install [go-task](https://github.com/go-task/task)
+4. Verify with `nmap` that your nodes are available on the network. (Replace `192.168.1.0/24` with the network your nodes are on.)
 
     ```sh
-    brew install go-task/tap/go-task
+    nmap -Pn -n -p 50000 192.168.1.0/24 -vv | grep 'Discovered'
     ```
 
-5. [Homebrew] Install workstation dependencies
+### Stage 3: Local Workstation
+
+> [!TIP]
+> It is recommended to set the visibility of your repository to `Public` so you can easily request help if you get stuck.
+
+1. Create a new repository by clicking the green `Use this template` button at the top of this page, then clone the new repo you just created and `cd` into it. Alternatively you can use the [GitHub CLI](https://cli.github.com/) ...
+
+    ```sh
+    export REPONAME="home-ops"
+    gh repo create $REPONAME --template onedr0p/cluster-template --public --clone
+    cd $REPONAME
+    ```
+
+2. **Install** the [Mise CLI](https://mise.jdx.dev/getting-started.html#installing-mise-cli) on your local workstation.
+
+3. **Activate** Mise in your shell by following the [activation guide](https://mise.jdx.dev/getting-started.html#activate-mise).
+
+4. Use `mise` to install the **required** CLI tools:
+
+    ```sh
+    mise trust
+    pip install pipx
+    mise install
+    ```
+
+   📍 _**Having trouble installing the tools?** Try unsetting the `GITHUB_TOKEN` env var and then run these commands again_
+
+   📍 _**Having trouble compiling Python?** Try running `mise settings python.compile=0` and then run these commands again_
+
+5. Logout of the GitHub Container Registry as this may cause authorization problems in future steps when using the public registry:
+
+    ```sh
+    docker logout ghcr.io
+    helm registry logout ghcr.io
+    ```
+
+### Stage 4: Cloudflare configuration
+
+> [!WARNING]
+> If any of the commands fail with `command not found` or `unknown command` it means `mise` is either not installed, activated or it could be configured incorrectly.
+
+1. Create a Cloudflare API token for use with cloudflared and external-dns by reviewing the official [documentation](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) and following the instructions below.
+
+   - Click the blue `Use template` button for the `Edit zone DNS` template.
+   - Name your token `kubernetes`
+   - Under `Permissions`, click `+ Add More` and add permissions `Zone - DNS - Edit` and `Account - Cloudflare Tunnel - Read`
+   - Limit the permissions to a specific account and/or zone resources and then click `Continue to Summary` and then `Create Token`.
+   - **Save this token somewhere safe**, you will need it later on.
+
+2. Create the Cloudflare Tunnel:
+
+    ```sh
+    cloudflared tunnel login
+    cloudflared tunnel create --credentials-file cloudflare-tunnel.json kubernetes
+    ```
+
+### Stage 5: Cluster configuration
+
+1. Generate the config files from the sample files:
 
     ```sh
     task init
     ```
 
-### ⚠️ pre-commit
+2. Fill out `cluster.yaml` and `nodes.yaml` configuration files using the comments in those file as a guide.
 
-It is advisable to install [pre-commit](https://pre-commit.com/) and the pre-commit hooks that come with this repository.
-
-1. Enable Pre-Commit
-
-    ```sh
-    task precommit:init
-    ```
-
-2. Update Pre-Commit, though it will occasionally make mistakes, so verify its results.
-
-    ```sh
-    task precommit:update
-    ```
-
-### 🔐 Setting up Age
-
-📍 Here we will create a Age Private and Public key. Using [SOPS](https://github.com/mozilla/sops) with [Age](https://github.com/FiloSottile/age) allows us to encrypt secrets and use them in Ansible, Terraform and Flux.
-
-1. Create a Age Private / Public Key
-
-    ```sh
-    age-keygen -o age.agekey
-    ```
-
-2. Set up the directory for the Age key and move the Age file to it
-
-    ```sh
-    mkdir -p ~/.config/sops/age
-    mv age.agekey ~/.config/sops/age/keys.txt
-    ```
-
-3. Export the `SOPS_AGE_KEY_FILE` variable in your `bashrc`, `zshrc` or `config.fish` and source it, e.g.
-
-    ```sh
-    export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
-    source ~/.bashrc
-    ```
-
-4. Fill out the Age public key in the appropriate variable in configuration section below, **note** the public key should start with `age`...
-
-### ☁️ Global Cloudflare API Key
-
-In order to use Terraform and `cert-manager` with the Cloudflare DNS challenge you will need to create a API key.
-
-1. Head over to Cloudflare and create a API key by going [here](https://dash.cloudflare.com/profile/api-tokens).
-
-2. Under the `API Keys` section, create a global API Key.
-
-3. Use the API Key in the appropriate variable in configuration section below.
-
-📍 You may wish to update this later on to a Cloudflare **API Token** which can be scoped to certain resources. I do not recommend using a Cloudflare **API Key**, however for the purposes of this template it is easier getting started without having to define which scopes and resources are needed. For more information see the [Cloudflare docs on API Keys and Tokens](https://developers.cloudflare.com/api/).
-
-### 📄 Configuration
-
-📍 The `.config.env` file contains necessary configuration that is needed by Ansible, Terraform and Flux.
-
-1. Copy the `.config.sample.env` to `.config.env` and start filling out all the environment variables.
-
-    **All are required** unless otherwise noted in the comments.
-
-    ```sh
-    cp .config.sample.env .config.env
-    ```
-
-2. Once that is done, verify the configuration is correct by running:
-
-    ```sh
-    task verify
-    ```
-
-3. If you do not encounter any errors run start having the script wire up the templated files and place them where they need to be.
+3. Template out the kubernetes and talos configuration files, if any issues come up be sure to read the error and adjust your config files accordingly.
 
     ```sh
     task configure
     ```
 
-### ⚡ Preparing Fedora or Ubuntu Server with Ansible
+4. Push your changes to git:
 
-📍 Here we will be running a Ansible Playbook to prepare Fedora or Ubuntu Server for running a Kubernetes cluster.
-
-📍 Nodes are not security hardened by default, you can do this with [dev-sec/ansible-collection-hardening](https://github.com/dev-sec/ansible-collection-hardening) or similar if supported. This is an advanced configuration and generally not recommended unless you want to [DevSecOps](https://www.ibm.com/topics/devsecops) your cluster and nodes.
-
-1. Ensure you are able to SSH into your nodes from your workstation using a private SSH key **without a passphrase**. This is how Ansible is able to connect to your remote nodes.
-
-   [How to configure SSH key-based authentication](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server)
-
-2. Install the Ansible deps
-
-    ```sh
-    task ansible:init
-    ```
-
-3. Verify Ansible can view your config
-
-    ```sh
-    task ansible:list
-    ```
-
-4. Verify Ansible can ping your nodes
-
-    ```sh
-    task ansible:ping
-    ```
-
-5. Run the Fedora/Ubuntu Server Ansible prepare playbook
-
-    ```sh
-    task ansible:prepare
-    ```
-
-6. Reboot the nodes (if not done in step 5)
-
-    ```sh
-    task ansible:force-reboot
-    ```
-
-### ⛵ Installing k3s with Ansible
-
-📍 Here we will be running a Ansible Playbook to install [k3s](https://k3s.io/) with [this](https://galaxy.ansible.com/xanmanning/k3s) wonderful k3s Ansible galaxy role. After completion, Ansible will drop a `kubeconfig` in `./kubeconfig` for use with interacting with your cluster with `kubectl`.
-
-☢️ If you run into problems, you can run `task ansible:nuke` to destroy the k3s cluster and start over.
-
-1. Verify Ansible can view your config
-
-    ```sh
-    task ansible:list
-    ```
-
-2. Verify Ansible can ping your nodes
-
-    ```sh
-    task ansible:ping
-    ```
-
-3. Install k3s with Ansible
-
-    ```sh
-    task ansible:install
-    ```
-
-4. Verify the nodes are online
-
-    ```sh
-    task cluster:nodes
-    # NAME           STATUS   ROLES                       AGE     VERSION
-    # k8s-0          Ready    control-plane,master      4d20h   v1.21.5+k3s1
-    # k8s-1          Ready    worker                    4d20h   v1.21.5+k3s1
-    ```
-
-### ☁️ Configuring Cloudflare DNS with Terraform
-
-📍 Review the Terraform scripts under `./terraform/cloudflare/` and make sure you understand what it's doing (no really review it).
-
-If your domain already has existing DNS records **be sure to export those DNS settings before you continue**.
-
-1. Pull in the Terraform deps
-
-    ```sh
-    task terraform:init
-    ```
-
-2. Review the changes Terraform will make to your Cloudflare domain
-
-    ```sh
-    task terraform:plan
-    ```
-
-3. Have Terraform apply your Cloudflare settings
-
-    ```sh
-    task terraform:apply
-    ```
-
-If Terraform was ran successfully you can log into Cloudflare and validate the DNS records are present.
-
-The cluster application [external-dns](https://github.com/kubernetes-sigs/external-dns) will be managing the rest of the DNS records you will need.
-
-### 🔹 GitOps with Flux
-
-📍 Here we will be installing [flux](https://toolkit.fluxcd.io/) after some quick bootstrap steps.
-
-1. Verify Flux can be installed
-
-    ```sh
-    task cluster:verify
-    # ► checking prerequisites
-    # ✔ kubectl 1.21.5 >=1.18.0-0
-    # ✔ Kubernetes 1.21.5+k3s1 >=1.16.0-0
-    # ✔ prerequisites checks passed
-    ```
-
-2. Push you changes to git
-
-    📍 **Verify** all the `*.sops.yaml` and `*.sops.yml` files under the `./ansible`, `./kubernetes`, and `./terraform` folders are **encrypted** with SOPS
+   📍 _**Verify** all the `./kubernetes/**/*.sops.*` files are **encrypted** with SOPS_
 
     ```sh
     git add -A
-    git commit -m "Initial commit :rocket:"
+    git commit -m "chore: initial commit :rocket:"
     git push
     ```
 
-3. Install Flux and sync the cluster to the Git repository
+> [!TIP]
+> Using a **private repository**? Make sure to paste the public key from `github-deploy.key.pub` into the deploy keys section of your GitHub repository settings. This will make sure Flux has read/write access to your repository.
+
+### Stage 6: Bootstrap Talos, Kubernetes, and Flux
+
+> [!WARNING]
+> It might take a while for the cluster to be setup (10+ minutes is normal). During which time you will see a variety of error messages like: "couldn't get current server API group list," "error: no matching resources found", etc. 'Ready' will remain "False" as no CNI is deployed yet. **This is normal.** If this step gets interrupted, e.g. by pressing <kbd>Ctrl</kbd> + <kbd>C</kbd>, you likely will need to [reset the cluster](#-reset) before trying again
+
+1. Install Talos:
 
     ```sh
-    task cluster:install
-    # namespace/flux-system configured
-    # customresourcedefinition.apiextensions.k8s.io/alerts.notification.toolkit.fluxcd.io created
+    task bootstrap:talos
     ```
 
-4. Verify Flux components are running in the cluster
+2. Push your changes to git:
 
     ```sh
-    task cluster:pods -- -n flux-system
-    # NAME                                       READY   STATUS    RESTARTS   AGE
-    # helm-controller-5bbd94c75-89sb4            1/1     Running   0          1h
-    # kustomize-controller-7b67b6b77d-nqc67      1/1     Running   0          1h
-    # notification-controller-7c46575844-k4bvr   1/1     Running   0          1h
-    # source-controller-7d6875bcb4-zqw9f         1/1     Running   0          1h
+    git add -A
+    git commit -m "chore: add talhelper encrypted secret :lock:"
+    git push
     ```
 
-### 🎤 Verification Steps
-
-_Mic check, 1, 2_ - In a few moments applications should be lighting up like a Christmas tree 🎄
-
-You are able to run all the commands below with one task
-
-```sh
-task cluster:resources
-```
-
-1. View the Flux Git Repositories
+3. Install cilium, coredns, spegel, flux and sync the cluster to the repository state:
 
     ```sh
-    task cluster:gitrepositories
+    task bootstrap:apps
     ```
 
-2. View the Flux kustomizations
+4. Watch the rollout of your cluster happen:
 
     ```sh
-    task cluster:kustomizations
+    kubectl get pods --all-namespaces --watch
     ```
 
-3. View all the Flux Helm Releases
-
-    ```sh
-    task cluster:helmreleases
-    ```
-
-4. View all the Flux Helm Repositories
-
-    ```sh
-    task cluster:helmrepositories
-    ```
-
-5. View all the Pods
-
-    ```sh
-    task cluster:pods
-    ```
-
-6. View all the certificates and certificate requests
-
-    ```sh
-    task cluster:certificates
-    ```
-
-7. View all the ingresses
-
-    ```sh
-    task cluster:ingresses
-    ```
-
-🏆 **Congratulations** if all goes smooth you'll have a Kubernetes cluster managed by Flux, your Git repository is driving the state of your cluster.
-
-☢️ If you run into problems, you can run `task ansible:nuke` to destroy the k3s cluster and start over.
-
-🧠 Now it's time to pause and go get some coffee ☕ because next is describing how DNS is handled.
-
 ## 📣 Post installation
 
-### 🌱 Environment
+### ✅ Verifications
 
-[direnv](https://direnv.net/) will make it so anytime you `cd` to your repo's directory it export the required environment variables (e.g. `KUBECONFIG`). To set this up make sure you [hook it into your shell](https://direnv.net/docs/hook.html) and after that is done, run `direnv allow` while in your repos directory.
-
-### 🌐 DNS
-
-📍 The [external-dns](https://github.com/kubernetes-sigs/external-dns) application created in the `kube-system` namespace will handle creating public DNS records. By default, `echo-server` is the only public domain exposed on your Cloudflare domain. In order to make additional applications public you must set an ingress annotation like in the `HelmRelease` for `echo-server`. You do not need to use Terraform to create additional DNS records unless you need a record outside the purposes of your Kubernetes cluster (e.g. setting up MX records).
-
-[k8s_gateway](https://github.com/ori-edge/k8s_gateway) is deployed on the IP choosen for `${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}`. Inorder to test DNS you can point your clients DNS to the `${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}` IP address and load `https://hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN}` in your browser.
-
-You can also try debugging with the command `dig`, e.g. `dig @${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR} hajimari.${BOOTSTRAP_CLOUDFLARE_DOMAIN}` and you should get a valid answer containing your `${BOOTSTRAP_METALLB_INGRESS_ADDR}` IP address.
-
-If your router (or Pi-Hole, Adguard Home or whatever) supports conditional DNS forwarding (also know as split-horizon DNS) you may have DNS requests for `${SECRET_DOMAIN}` only point to the  `${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}` IP address. This will ensure only DNS requests for `${SECRET_DOMAIN}` will only get routed to your [k8s_gateway](https://github.com/ori-edge/k8s_gateway) service thus providing DNS resolution to your cluster applications/ingresses.
-
-To access services from the outside world port forwarded `80` and `443` in your router to the `${BOOTSTRAP_METALLB_INGRESS_ADDR}` IP, in a few moments head over to your browser and you _should_ be able to access `https://echo-server.${BOOTSTRAP_CLOUDFLARE_DOMAIN}` from a device outside your LAN.
-
-Now if nothing is working, that is expected. This is DNS after all!
-
-### 🤖 Renovatebot
-
-[Renovatebot](https://www.mend.io/free-developer-tools/renovate/) will scan your repository and offer PRs when it finds dependencies out of date. Common dependencies it will discover and update are Flux, Ansible Galaxy Roles, Terraform Providers, Kubernetes Helm Charts, Kubernetes Container Images, Pre-commit hooks updates, and more!
-
-The base Renovate configuration provided in your repository can be view at [.github/renovate.json5](https://github.com/onedr0p/flux-cluster-template/blob/main/.github/renovate.json5). If you notice this only runs on weekends and you can [change the schedule to anything you want](https://docs.renovatebot.com/presets-schedule/) or simply remove it.
-
-To enable Renovate on your repository, click the 'Configure' button over at their [Github app page](https://github.com/apps/renovate) and choose your repository. Over time Renovate will create PRs for out-of-date dependencies it finds. Any merged PRs that are in the kubernetes directory Flux will deploy.
-
-### 🪝 Github Webhook
-
-Flux is pull-based by design meaning it will periodically check your git repository for changes, using a webhook you can enable Flux to update your cluster on `git push`. In order to configure Github to send `push` events from your repository to the Flux webhook receiver you will need two things:
-
-1. Webhook URL - Your webhook receiver will be deployed on `https://flux-webhook.${BOOTSTRAP_CLOUDFLARE_DOMAIN}/hook/:hookId`. In order to find out your hook id you can run the following command:
+1. Check the status of Cilium:
 
     ```sh
-    kubectl -n flux-system get receiver/github-receiver
-    # NAME              AGE    READY   STATUS
-    # github-receiver   6h8m   True    Receiver initialized with URL: /hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
+    cilium status
     ```
 
-    So if my domain was `onedr0p.com` the full url would look like this:
+2. Check the status of Flux and if the Flux resources are up-to-date and in a ready state:
+
+   📍 _Run `task reconcile` to force Flux to sync your Git repository state_
+
+    ```sh
+    flux check
+    flux get sources git flux-system
+    flux get ks -A
+    flux get hr -A
+    ```
+
+3. Check TCP connectivity to both the internal and external gateways:
+
+   📍 _The variables are only placeholders, replace them with your actual values_
+
+    ```sh
+    nmap -Pn -n -p 443 ${cluster_gateway_addr} ${cloudflare_gateway_addr} -vv
+    ```
+
+4. Check you can resolve DNS for `echo`, this should resolve to `${cloudflare_gateway_addr}`:
+
+   📍 _The variables are only placeholders, replace them with your actual values_
+
+    ```sh
+    dig @${cluster_dns_gateway_addr} echo.${cloudflare_domain}
+    ```
+
+5. Check the status of your wildcard `Certificate`:
+
+    ```sh
+    kubectl -n network describe certificates
+    ```
+
+### 🌐 Public DNS
+
+> [!TIP]
+> Use the `envoy-external` gateway on `HTTPRoutes` to make applications public to the internet. These are also accessible on your private network once you set up split DNS.
+
+The `external-dns` application created in the `network` namespace will handle creating public DNS records. By default, `echo` and the `flux-webhook` are the only subdomains reachable from the public internet. In order to make additional applications public you must **set the correct gateway** like in the HelmRelease for `echo`.
+
+### 🏠 Home DNS
+
+> [!TIP]
+> Use the `envoy-internal` gateway on `HTTPRoutes` to make applications private to your network. If you're having trouble with internal DNS resolution check out [this](https://github.com/onedr0p/cluster-template/discussions/719) GitHub discussion.
+
+`k8s_gateway` will provide DNS resolution to external Kubernetes resources (i.e. points of entry to the cluster) from any device that uses your home DNS server. For this to work, your home DNS server must be configured to forward DNS queries for `${cloudflare_domain}` to `${cluster_dns_gateway_addr}` instead of the upstream DNS server(s) it normally uses. This is a form of **split DNS** (aka split-horizon DNS / conditional forwarding).
+
+_... Nothing working? That is expected, this is DNS after all!_
+
+### 🪝 GitHub Webhook
+
+By default Flux will periodically check your git repository for changes. In-order to have Flux reconcile on `git push` you must configure GitHub to send `push` events to Flux.
+
+1. Obtain the webhook path:
+
+   📍 _Hook id and path should look like `/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123`_
+
+    ```sh
+    kubectl -n flux-system get receiver github-webhook --output=jsonpath='{.status.webhookPath}'
+    ```
+
+2. Piece together the full URL with the webhook path appended:
 
     ```text
-    https://flux-webhook.onedr0p.com/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
+    https://flux-webhook.${cloudflare_domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
     ```
 
-2. Webhook secret - Your webhook secret can be found by decrypting the `secret.sops.yaml` using the following command:
+3. Navigate to the settings of your repository on GitHub, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook URL and your token from `github-push-token.txt`, Content type: `application/json`, Events: Choose Just the push event, and save.
 
-    ```sh
-    sops -d ./kubernetes/flux/config/webhooks/github/secret.sops.yaml | yq .stringData.token
-    ```
+## 💥 Reset
 
-    **Note:** Don't forget to update the `BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET` variable in your `.config.env` file so it matches the generated secret if applicable
+> [!CAUTION]
+> **Resetting** the cluster **multiple times in a short period of time** could lead to being **rate limited by DockerHub or Let's Encrypt**.
 
-Now that you have the webhook url and secret, it's time to set everything up on the Github repository side. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook url and your secret.
-
-### 💾 Storage
-
-Rancher's `local-path-provisioner` is a great start for storage but soon you might find you need more features like replicated block storage, or to connect to a NFS/SMB/iSCSI server. Check out the projects below to read up more on some storage solutions that might work for you.
-
-- [rook-ceph](https://github.com/rook/rook)
-- [longhorn](https://github.com/longhorn/longhorn)
-- [openebs](https://github.com/openebs/openebs)
-- [nfs-subdir-external-provisioner](https://github.com/kubernetes-sigs/nfs-subdir-external-provisioner)
-- [democratic-csi](https://github.com/democratic-csi/democratic-csi)
-- [csi-driver-nfs](https://github.com/kubernetes-csi/csi-driver-nfs)
-- [synology-csi](https://github.com/SynologyOpenSource/synology-csi)
-
-### 🔏 Authenticate Flux over SSH
-
-Authenticating Flux to your git repository has a couple benefits like using a private git repository and/or using the Flux [Image Automation Controllers](https://fluxcd.io/docs/components/image/).
-
-By default this template only works on a public GitHub repository, it is advised to keep your repository public.
-
-The benefits of a public repository include:
-
-* Debugging or asking for help, you can provide a link to a resource you are having issues with.
-* Adding a topic to your repository of `k8s-at-home` to be included in the [k8s-at-home-search](https://whazor.github.io/k8s-at-home-search/). This search helps people discover different configurations of Helm charts across others Flux based repositories.
-
-<details>
-  <summary>Expand to read guide on adding Flux SSH authentication</summary>
-
-  1. Generate new SSH key:
-      ```sh
-      ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f ./kubernetes/bootstrap/github-deploy.key -q -P ""
-      ```
-  2. Paste public key in the deploy keys section of your repository settings
-  3. Create sops secret in `./kubernetes/bootstrap/github-deploy-key.sops.yaml` with the contents of:
-      ```yaml
-      apiVersion: v1
-      kind: Secret
-      metadata:
-          name: github-deploy-key
-          namespace: flux-system
-      stringData:
-          # 3a. Contents of github-deploy-key
-          identity: |
-              -----BEGIN OPENSSH PRIVATE KEY-----
-                  ...
-              -----END OPENSSH PRIVATE KEY-----
-          # 3b. Output of curl --silent https://api.github.com/meta | jq --raw-output '"github.com "+.ssh_keys[]'
-          known_hosts: |
-              github.com ssh-ed25519 ...
-              github.com ecdsa-sha2-nistp256 ...
-              github.com ssh-rsa ...
-      ```
-  4. Encrypt secret:
-      ```sh
-      sops --encrypt --in-place ./kubernetes/bootstrap/github-deploy-key.sops.yaml
-      ```
-  5. Apply secret to cluster:
-      ```sh
-      sops --decrypt ./kubernetes/bootstrap/github-deploy-key.sops.yaml | kubectl apply -f -
-      ```
-  6.  Update `./kubernetes/flux/config/cluster.yaml`:
-      ```yaml
-      apiVersion: source.toolkit.fluxcd.io/v1beta2
-      kind: GitRepository
-      metadata:
-        name: home-kubernetes
-        namespace: flux-system
-      spec:
-        interval: 10m
-        # 6a: Change this to your user and repo names
-        url: ssh://git@github.com/$user/$repo
-        ref:
-          branch: main
-        secretRef:
-          name: github-deploy-key
-      ```
-  7. Commit and push changes
-  8. Force flux to reconcile your changes
-     ```sh
-     task cluster:reconcile
-     ```
-  9. Verify git repository is now using SSH:
-      ```sh
-      task cluster:gitrepositories
-      ```
-  10. Optionally set your repository to Private in your repository settings.
-</details>
-
-### 💨 Kubernetes Dashboard
-
-Included in your cluster is the [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/). Inorder to log into this you will have to get the secret token from the cluster using the command below.
+There might be a situation where you want to destroy your Kubernetes cluster. The following command will reset your nodes back to maintenance mode.
 
 ```sh
-kubectl -n monitoring get secret kubernetes-dashboard -o jsonpath='{.data.token}' | base64 -d
+task talos:reset
 ```
 
-You should be able to access the dashboard at `https://kubernetes.${SECRET_DOMAIN}`
+## 🛠️ Talos and Kubernetes Maintenance
 
-## 👉 Help
+### ⚙️ Updating Talos node configuration
 
-- [Discussions](https://github.com/onedr0p/flux-cluster-template/discussions)
-- [Discord](https://discord.gg/k8s-at-home)
+> [!TIP]
+> Ensure you have updated `talconfig.yaml` and any patches with your updated configuration. In some cases you **not only need to apply the configuration but also upgrade talos** to apply new configuration.
+
+```sh
+# (Re)generate the Talos config
+task talos:generate-config
+# Apply the config to the node
+task talos:apply-node IP=? MODE=?
+# e.g. task talos:apply-node IP=10.10.10.10 MODE=auto
+```
+
+### ⬆️ Updating Talos and Kubernetes versions
+
+> [!TIP]
+> Ensure the `talosVersion` and `kubernetesVersion` in `talenv.yaml` are up-to-date with the version you wish to upgrade to.
+
+```sh
+# Upgrade node to a newer Talos version
+task talos:upgrade-node IP=?
+# e.g. task talos:upgrade-node IP=10.10.10.10
+```
+
+```sh
+# Upgrade cluster to a newer Kubernetes version
+task talos:upgrade-k8s
+# e.g. task talos:upgrade-k8s
+```
+
+### ➕ Adding a node to your cluster
+
+At some point you might want to expand your cluster to run more workloads and/or improve the reliability of your cluster. Keep in mind it is recommended to have an **odd number** of control plane nodes for quorum reasons.
+
+You don't need to re-bootstrap the cluster to add new nodes. Follow these steps:
+
+1. **Prepare the new node**: Review the [Stage 2: Machine Preparation](#stage-2-machine-preparation) section and boot your new node into maintenance mode.
+
+2. **Get the node information**: While the node is in maintenance mode, retrieve the disk and MAC address information needed for configuration:
+
+   ```sh
+   talosctl get disks -n <ip> --insecure
+   talosctl get links -n <ip> --insecure
+   ```
+
+3. **Update the configuration**: Read the documentation for [talhelper](https://budimanjojo.github.io/talhelper/latest/) and extend the `talconfig.yaml` file manually with the new node information (including the disk and MAC address from step 2).
+
+4. **Generate and apply the configuration**:
+
+   ```sh
+   # Render your talosconfig based on the talconfig.yaml file
+   task talos:generate-config
+
+   # Apply the configuration to the node
+   task talos:apply-node IP=?
+   # e.g. task talos:apply-node IP=10.10.10.10
+   ```
+
+The node should join the cluster automatically and workloads will be scheduled once they report as ready.
+
+## 🤖 Renovate
+
+[Renovate](https://www.mend.io/renovate) is a tool that automates dependency management. It is designed to scan your repository around the clock and open PRs for out-of-date dependencies it finds. Common dependencies it can discover are Helm charts, container images, GitHub Actions and more! In most cases merging a PR will cause Flux to apply the update to your cluster.
+
+To enable Renovate, click the 'Configure' button over at their [Github app page](https://github.com/apps/renovate) and select your repository. Renovate creates a "Dependency Dashboard" as an issue in your repository, giving an overview of the status of all updates. The dashboard has interactive checkboxes that let you do things like advance scheduling or reattempt update PRs you closed without merging.
+
+The base Renovate configuration in your repository can be viewed at [.renovaterc.json5](.renovaterc.json5). By default it is scheduled to be active with PRs every weekend, but you can [change the schedule to anything you want](https://docs.renovatebot.com/presets-schedule), or remove it if you want Renovate to open PRs immediately.
+
+## 🐛 Debugging
+
+Below is a general guide on trying to debug an issue with an resource or application. For example, if a workload/resource is not showing up or a pod has started but in a `CrashLoopBackOff` or `Pending` state. These steps do not include a way to fix the problem as the problem could be one of many different things.
+
+1. Check if the Flux resources are up-to-date and in a ready state:
+
+   📍 _Run `task reconcile` to force Flux to sync your Git repository state_
+
+    ```sh
+    flux get sources git -A
+    flux get ks -A
+    flux get hr -A
+    ```
+
+2. Do you see the pod of the workload you are debugging:
+
+    ```sh
+    kubectl -n <namespace> get pods -o wide
+    ```
+
+3. Check the logs of the pod if it's there:
+
+    ```sh
+    kubectl -n <namespace> logs <pod-name> -f
+    ```
+
+4. If a resource exists, try to describe it to see what problems it might have:
+
+    ```sh
+    kubectl -n <namespace> describe <resource> <name>
+    ```
+
+5. Check the namespace events:
+
+    ```sh
+    kubectl -n <namespace> get events --sort-by='.metadata.creationTimestamp'
+    ```
+
+Resolving problems that you have could take some tweaking of your YAML manifests in order to get things working, other times it could be a external factor like permissions on a NFS server. If you are unable to figure out your problem see the support sections below.
+
+## 🧹 Tidy up
+
+Once your cluster is fully configured and you no longer need to run `task configure`, it's a good idea to clean up the repository by removing the [templates](./templates) directory and any files related to the templating process. This will help eliminate unnecessary clutter from the upstream template repository and resolve any "duplicate registry" warnings from Renovate.
+
+1. Tidy up your repository:
+
+    ```sh
+    task template:tidy
+    ```
+
+2. Push your changes to git:
+
+    ```sh
+    git add -A
+    git commit -m "chore: tidy up :broom:"
+    git push
+    ```
 
 ## ❔ What's next
 
-The world is your cluster, have at it!
+There's a lot to absorb here, especially if you're new to these tools. Take some time to familiarize yourself with the tooling and understand how all the components interconnect. Dive into the documentation of the various tools included — they are a valuable resource. This shouldn't be a production environment yet, so embrace the freedom to experiment. Move fast, break things intentionally, and challenge yourself to fix them.
+
+Below are some optional considerations you may want to explore.
+
+### DNS
+
+The template uses [k8s_gateway](https://github.com/k8s-gateway/k8s_gateway) to provide DNS for your applications, consider exploring [external-dns](https://github.com/kubernetes-sigs/external-dns) as an alternative.
+
+External-DNS offers broad support for various DNS providers, including but not limited to:
+
+- [Pi-hole](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/pihole.md)
+- [UniFi](https://github.com/kashalls/external-dns-unifi-webhook)
+- [Adguard Home](https://github.com/muhlba91/external-dns-provider-adguard)
+- [Bind](https://github.com/kubernetes-sigs/external-dns/blob/master/docs/tutorials/rfc2136.md)
+
+This flexibility allows you to integrate seamlessly with a range of DNS solutions to suit your environment and offload DNS from your cluster to your router, or external device.
+
+### Secrets
+
+SOPS is an excellent tool for managing secrets in a GitOps workflow. However, it can become cumbersome when rotating secrets or maintaining a single source of truth for secret items.
+
+For a more streamlined approach to those issues, consider [External Secrets](https://external-secrets.io/latest/). This tool allows you to move away from SOPs and leverage an external provider for managing your secrets. External Secrets supports a wide range of providers, from cloud-based solutions to self-hosted options.
+
+### Storage
+
+If your workloads require persistent storage with features like replication or connectivity to NFS, SMB, or iSCSI servers, there are several projects worth exploring:
+
+- [rook-ceph](https://github.com/rook/rook) / [longhorn](https://github.com/longhorn/longhorn) / [openebs](https://github.com/openebs/openebs)
+- [democratic-csi](https://github.com/democratic-csi/democratic-csi)
+- [csi-driver-nfs](https://github.com/kubernetes-csi/csi-driver-nfs) / [csi-driver-smb](https://github.com/kubernetes-csi/csi-driver-smb)
+- [synology-csi](https://github.com/SynologyOpenSource/synology-csi)
+- [truenas-csi](https://github.com/truenas/truenas-csi) / [tns-csi](https://github.com/fenio/tns-csi)
+
+These tools offer a variety of solutions to meet your persistent storage needs, whether you’re using cloud-native or self-hosted infrastructures.
+
+### Community Repositories
+
+Community member [@whazor](https://github.com/whazor) created [Kubesearch](https://kubesearch.dev) to allow searching Flux HelmReleases across Github and Gitlab repositories with the `kubesearch` topic.
+
+## 🙋 Support
+
+### Community
+
+- Make a post in this repository's GitHub [Discussions](https://github.com/onedr0p/cluster-template/discussions).
+- Start a thread in the `#support` or `#cluster-template` channels in the [Home Operations](https://discord.gg/home-operations) Discord server.
+
+## 📺 Media
+
+Check out these videos below. If you find them helpful, a like and subscribe goes a long way!
+
+<a href="https://youtube.com/watch?v=aeUKOpeoiUs">
+  <img src="https://github.com/user-attachments/assets/2dab1c6f-7b27-4b94-a7ad-a6d9c5b17c78" alt="Youtube Video" width="300">
+</a>
+&nbsp;&nbsp;
+<a href="https://youtube.com/watch?v=hoi2GzvJUXM">
+  <img src="https://github.com/user-attachments/assets/5b939b90-0019-4515-b90c-321ffe7448cf" alt="Youtube Video" width="300">
+</a>
+
+## 🙌 Related Projects
+
+If this repo is too hot to handle or too cold to hold check out these following projects.
+
+- [ajaykumar4/cluster-template](https://github.com/ajaykumar4/cluster-template) - _A template for deploying a Talos Kubernetes cluster including Argo for GitOps_
+- [khuedoan/homelab](https://github.com/khuedoan/homelab) - _Fully automated homelab from empty disk to running services with a single command._
+- [mitchross/k3s-argocd-starter](https://github.com/mitchross/k3s-argocd-starter) - starter kit for k3s, argocd
+- [ricsanfre/pi-cluster](https://github.com/ricsanfre/pi-cluster) - _Pi Kubernetes Cluster. Homelab kubernetes cluster automated with Ansible and FluxCD_
+- [techno-tim/k3s-ansible](https://github.com/techno-tim/k3s-ansible) - _The easiest way to bootstrap a self-hosted High Availability Kubernetes cluster. A fully automated HA k3s etcd install with kube-vip, MetalLB, and more. Build. Destroy. Repeat._
+
+## ⭐ Stargazers
+
+<div align="center">
+
+<a href="https://star-history.com/#onedr0p/cluster-template&Date">
+  <picture>
+    <source media="(prefers-color-scheme: dark)" srcset="https://api.star-history.com/svg?repos=onedr0p/cluster-template&type=Date&theme=dark" />
+    <source media="(prefers-color-scheme: light)" srcset="https://api.star-history.com/svg?repos=onedr0p/cluster-template&type=Date" />
+    <img alt="Star History Chart" src="https://api.star-history.com/svg?repos=onedr0p/cluster-template&type=Date" />
+  </picture>
+</a>
+
+</div>
 
 ## 🤝 Thanks
 
-Big shout out to all the authors and contributors to the projects that we are using in this repository.
-
-[@whazor](https://github.com/whazor) created [this website](https://nanne.dev/k8s-at-home-search/) as a creative way to search Helm Releases across GitHub. You may use it as a means to get ideas on how to configure an applications' Helm values.
+Big shout out to all the contributors, sponsors and everyone else who has helped on this project.

Taskfile.yaml

@@ -0,0 +1,34 @@
+---
+version: '3'
+
+set: [pipefail]
+shopt: [globstar]
+
+vars:
+  BOOTSTRAP_DIR: '{{.ROOT_DIR}}/bootstrap'
+  KUBERNETES_DIR: '{{.ROOT_DIR}}/kubernetes'
+  SCRIPTS_DIR: '{{.ROOT_DIR}}/scripts'
+  TALOS_DIR: '{{.ROOT_DIR}}/talos'
+  PRIVATE_DIR: '{{.ROOT_DIR}}/.private'
+  TALOSCONFIG: '{{.ROOT_DIR}}/talos/clusterconfig/talosconfig'
+
+env:
+  KUBECONFIG: '{{.ROOT_DIR}}/kubeconfig'
+  SOPS_AGE_KEY_FILE: '{{.ROOT_DIR}}/age.key'
+  TALOSCONFIG: '{{.TALOSCONFIG}}'
+
+includes:
+  bootstrap: .taskfiles/bootstrap
+  talos: .taskfiles/talos
+  template: .taskfiles/template
+
+tasks:
+
+  default: task --list
+
+  reconcile:
+    desc: Force Flux to pull in changes from your Git repository
+    cmd: flux --namespace flux-system reconcile kustomization flux-system --with-source
+    preconditions:
+      - test -f {{.KUBECONFIG}}
+      - which flux

Taskfile.yml

@@ -1,62 +0,0 @@
----
-version: "3"
-
-vars:
-  KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes"
-  ANSIBLE_DIR: "{{.ROOT_DIR}}/ansible"
-  TERRAFORM_DIR: "{{.ROOT_DIR}}/terraform"
-
-dotenv: [".config.env"]
-
-env:
-  KUBECONFIG: "{{.ROOT_DIR}}/kubeconfig"
-  SOPS_AGE_KEY_FILE: ~/.config/sops/age/keys.txt
-
-includes:
-  ansible: .taskfiles/AnsibleTasks.yml
-  cluster: .taskfiles/ClusterTasks.yml
-  precommit: .taskfiles/PrecommitTasks.yml
-  terraform: .taskfiles/TerraformTasks.yml
-
-tasks:
-
-  init:
-    desc: Initialize workstation dependencies with Brew
-    cmds:
-      - brew install {{.DEPS}} {{.CLI_ARGS}}
-    preconditions:
-      - sh: command -v brew
-        msg: |
-          Homebrew is not installed. Using MacOS, Linux or WSL?
-          Head over to https://brew.sh to get up and running.
-    vars:
-      DEPS: >-
-        age
-        ansible
-        direnv
-        fluxcd/tap/flux
-        go-task/tap/go-task
-        helm
-        ipcalc
-        jq
-        kubernetes-cli
-        kustomize
-        pre-commit
-        prettier
-        sops
-        stern
-        terraform
-        tflint
-        weaveworks/tap/gitops
-        yamllint
-        yq
-
-  verify:
-    desc: Verify env settings
-    cmds:
-      - ./configure --verify
-
-  configure:
-    desc: Configure repository from env settings
-    cmds:
-      - ./configure

ansible.cfg

@@ -1,35 +0,0 @@
-[defaults]
-# General settings
-nocows                      = True
-executable                  = /bin/bash
-stdout_callback             = yaml
-force_valid_group_names     = ignore
-# File/Directory settings
-log_path                    = ~/.ansible/ansible.log
-inventory                   = ./ansible/inventory
-roles_path                  = ~/.ansible/roles:./ansible/roles
-collections_path            = ~/.ansible/collections
-remote_tmp                  = /tmp
-local_tmp                   = ~/.ansible/tmp
-# Fact Caching settings
-fact_caching                = jsonfile
-fact_caching_connection     = ~/.ansible/facts_cache
-# SSH settings
-remote_port                 = 22
-timeout                     = 60
-host_key_checking           = False
-# Plugin settings
-vars_plugins_enabled        = host_group_vars,community.sops.sops
-
-[inventory]
-unparsed_is_failed          = true
-
-[privilege_escalation]
-become                      = True
-
-[ssh_connection]
-scp_if_ssh                  = smart
-retries                     = 3
-ssh_args                    = -o ControlMaster=auto -o ControlPersist=30m -o Compression=yes -o ServerAliveInterval=15s
-pipelining                  = True
-control_path                = %(directory)s/%%h-%%r

ansible/inventory/group_vars/kubernetes/k3s.yml

@@ -1,59 +0,0 @@
----
-#
-# Below vars are for the xanmanning.k3s role
-# ...see https://github.com/PyratLabs/ansible-role-k3s
-#
-
-# (string) Use a specific version of k3s
-# renovate: datasource=github-releases depName=k3s-io/k3s
-k3s_release_version: "v1.26.0+k3s2"
-
-# (bool) Install using hard links rather than symbolic links.
-k3s_install_hard_links: true
-
-# (bool) Escalate user privileges for all tasks
-k3s_become: true
-
-# (bool) Enable debug logging on the k3s service
-k3s_debug: false
-
-# (bool) Enable etcd embedded datastore
-k3s_etcd_datastore: true
-
-# (bool) Allow the use of unsupported configurations in k3s
-k3s_use_unsupported_config: true
-
-# (string) Control Plane registration address
-k3s_registration_address: "{{ kubevip_address }}"
-
-# (list) A list of URLs to deploy on the primary control plane. Read notes below.
-k3s_server_manifests_urls:
-  # Kube-vip
-  - url: https://kube-vip.io/manifests/rbac.yaml
-    filename: kube-vip-rbac.yaml
-  # Tigera Operator
-  - url: https://raw.githubusercontent.com/projectcalico/calico/v3.25.0/manifests/tigera-operator.yaml
-    filename: calico-tigera-operator.yaml
-  # Prometheus Operator
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml
-    filename: prometheus-alertmanagerconfigs.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml
-    filename: prometheus-alertmanagers.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
-    filename: prometheus-podmonitors.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml
-    filename: prometheus-probes.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml
-    filename: prometheus-prometheuses.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
-    filename: prometheus-prometheusrules.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
-    filename: prometheus-servicemonitors.yaml
-  - url: https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.61.1/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml
-    filename: prometheus-thanosrulers.yaml
-
-# (list) A flat list of templates to deploy on the primary control plane
-# /var/lib/rancher/k3s/server/manifests
-k3s_server_manifests_templates:
-  - calico-installation.yaml.j2
-  - kube-vip-daemonset.yaml.j2

ansible/inventory/group_vars/kubernetes/os.yml

@@ -1,34 +0,0 @@
----
-# (string) Timezone for the servers
-# timezone: "America/New_York"
-
-# (list) Additional ssh public keys to add to the nodes
-# ssh_authorized_keys:
-
-fedora:
-  packages:
-    - dnf-plugin-system-upgrade
-    - dnf-utils
-    - hdparm
-    - htop
-    - ipvsadm
-    - lm_sensors
-    - nano
-    - nvme-cli
-    - socat
-    - python3-kubernetes
-    - python3-libselinux
-    - python3-pyyaml
-
-ubuntu:
-  packages:
-    - hdparm
-    - htop
-    - ipvsadm
-    - lm-sensors
-    - nano
-    - nfs-common
-    - nvme-cli
-    - socat
-    - python3-kubernetes
-    - python3-yaml

ansible/inventory/group_vars/master/k3s.yml

@@ -1,47 +0,0 @@
----
-# https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/
-# https://github.com/PyratLabs/ansible-role-k3s
-
-# (bool) Specify if a host (or host group) are part of the control plane
-k3s_control_node: true
-
-# (dict) k3s settings for all control-plane nodes
-k3s_server:
-  node-ip: "{{ ansible_host }}"
-  tls-san:
-    - "{{ kubevip_address }}"
-  # Disable Docker - this will use the default containerd CRI
-  docker: false
-  flannel-backend: "none" # This needs to be in quotes
-  disable:
-    # Disable flannel - replaced with Calico
-    - flannel
-    # Disable local-path-provisioner - installed with Flux
-    - local-storage
-    # Disable metrics-server - installed with Flux
-    - metrics-server
-    # Disable servicelb - replaced with metallb and installed with Flux
-    - servicelb
-    # Disable traefik - replaced with ingress-nginx and installed with Flux
-    - traefik
-  disable-network-policy: true
-  disable-cloud-controller: true
-  write-kubeconfig-mode: "644"
-  # Network CIDR to use for pod IPs
-  cluster-cidr: "10.42.0.0/16"
-  # Network CIDR to use for service IPs
-  service-cidr: "10.43.0.0/16"
-  kube-controller-manager-arg:
-    # Required to monitor kube-controller-manager with kube-prometheus-stack
-    - "bind-address=0.0.0.0"
-  kube-proxy-arg:
-    # Required to monitor kube-proxy with kube-prometheus-stack
-    - "metrics-bind-address=0.0.0.0"
-  kube-scheduler-arg:
-    # Required to monitor kube-scheduler with kube-prometheus-stack
-    - "bind-address=0.0.0.0"
-  # Required to monitor etcd with kube-prometheus-stack
-  etcd-expose-metrics: true
-  kube-apiserver-arg:
-    # Required for HAProxy health-checks
-    - "anonymous-auth=true"

ansible/inventory/group_vars/worker/k3s.yml

@@ -1,10 +0,0 @@
----
-# https://rancher.com/docs/k3s/latest/en/installation/install-options/agent-config/
-# https://github.com/PyratLabs/ansible-role-k3s
-
-# (bool) Specify if a host (or host group) are part of the control plane
-k3s_control_node: false
-
-# (dict) k3s settings for all worker nodes
-k3s_agent:
-  node-ip: "{{ ansible_host }}"

ansible/playbooks/cluster-installation.yml

@@ -1,119 +0,0 @@
----
-- hosts:
-    - master
-    - worker
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Check if cluster is installed
-      check_mode: false
-      ansible.builtin.stat:
-        path: "/etc/rancher/k3s/config.yaml"
-      register: k3s_check_installed
-
-    - name: Set manifest facts
-      ansible.builtin.set_fact:
-        k3s_server_manifests_templates: []
-        k3s_server_manifests_urls: []
-      when: k3s_check_installed.stat.exists
-
-    - name: Install Kubernetes
-      ansible.builtin.include_role:
-        name: xanmanning.k3s
-        public: true
-      vars:
-        k3s_state: installed
-
-    - name: Get absolute path to this Git repository
-      delegate_to: localhost
-      become: false
-      run_once: true
-      check_mode: false
-      ansible.builtin.command: |-
-        git rev-parse --show-toplevel
-      register: repo_abs_path
-
-    - name: Copy kubeconfig project directory
-      run_once: true
-      ansible.builtin.fetch:
-        src: "/etc/rancher/k3s/k3s.yaml"
-        dest: "{{ repo_abs_path.stdout }}/kubeconfig"
-        flat: true
-      when:
-        - k3s_control_node is defined
-        - k3s_control_node
-
-    - name: Update kubeconfig with the correct IPv4 address
-      delegate_to: localhost
-      become: false
-      run_once: true
-      ansible.builtin.replace:
-        path: "{{ repo_abs_path.stdout }}/kubeconfig"
-        regexp: "https://127.0.0.1:6443"
-        replace: "https://{{ k3s_registration_address }}:6443"
-
-    - name: Resource Readiness Check
-      run_once: true
-      kubernetes.core.k8s_info:
-        kubeconfig: /etc/rancher/k3s/k3s.yaml
-        kind: "{{ item.kind }}"
-        name: "{{ item.name }}"
-        namespace: "{{ item.namespace | default('') }}"
-        wait: true
-        wait_sleep: 10
-        wait_timeout: 360
-      loop:
-        - kind: Deployment
-          name: tigera-operator
-          namespace: tigera-operator
-        - kind: DaemonSet
-          name: kube-vip
-          namespace: kube-system
-        - kind: Installation
-          name: default
-        - kind: CustomResourceDefinition
-          name: alertmanagerconfigs.monitoring.coreos.com
-        - kind: CustomResourceDefinition
-          name: alertmanagers.monitoring.coreos.com
-        - kind: CustomResourceDefinition
-          name: podmonitors.monitoring.coreos.com
-        - kind: CustomResourceDefinition
-          name: probes.monitoring.coreos.com
-        - kind: CustomResourceDefinition
-          name: prometheuses.monitoring.coreos.com
-        - kind: CustomResourceDefinition
-          name: prometheusrules.monitoring.coreos.com
-        - kind: CustomResourceDefinition
-          name: servicemonitors.monitoring.coreos.com
-        - kind: CustomResourceDefinition
-          name: thanosrulers.monitoring.coreos.com
-      when:
-        - k3s_server_manifests_templates | length > 0
-            or k3s_server_manifests_urls | length > 0
-        - k3s_control_node is defined
-        - k3s_control_node
-
-    # Cleaning up the manifests from the /var/lib/rancher/k3s/server/manifests
-    # directory is needed because k3s has an awesome "feature" to always deploy
-    # these on restarting the k3s systemd service. Removing them does NOT
-    # uninstall the manifests.
-
-    # Removing them means we can manage the lifecycle of these components
-    # outside of the /var/lib/rancher/k3s/server/manifests directory
-
-    - name: Remove deployed manifest templates
-      ansible.builtin.file:
-        path: "{{ k3s_server_manifests_dir }}/{{ item | basename | regex_replace('\\.j2$', '') }}"
-        state: absent
-      loop: "{{ k3s_server_manifests_templates | default([]) }}"
-
-    - name: Remove deployed manifest urls
-      ansible.builtin.file:
-        path: "{{ k3s_server_manifests_dir }}/{{ item.filename }}"
-        state: absent
-      loop: "{{ k3s_server_manifests_urls | default([]) }}"

ansible/playbooks/cluster-nuke.yml

@@ -1,41 +0,0 @@
----
-- hosts:
-    - master
-    - worker
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  vars_prompt:
-    - name: nuke
-      prompt: |-
-        Are you sure you want to nuke this cluster?
-        Type YES I WANT TO DESTROY THIS CLUSTER to proceed
-      default: "n"
-      private: false
-  pre_tasks:
-    - name: Check for confirmation
-      ansible.builtin.fail:
-        msg: Aborted nuking the cluster
-      when: nuke != 'YES I WANT TO DESTROY THIS CLUSTER'
-
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Uninstall k3s
-      ansible.builtin.include_role:
-        name: xanmanning.k3s
-        public: true
-      vars:
-        k3s_state: uninstalled
-    - name: Gather list of CNI files
-      ansible.builtin.find:
-        paths: /etc/cni/net.d
-        patterns: "*"
-        hidden: true
-      register: directory_contents
-    - name: Delete CNI files
-      ansible.builtin.file:
-        path: "{{ item.path }}"
-        state: absent
-      loop: "{{ directory_contents.files }}"

ansible/playbooks/cluster-prepare.yml

@@ -1,142 +0,0 @@
----
-- hosts:
-    - master
-    - worker
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Locale
-      block:
-        - name: Locale | Set timezone
-          community.general.timezone:
-            name: "{{ timezone | default('Etc/UTC') }}"
-    - name: Networking
-      block:
-        - name: Networking | Set hostname to inventory hostname
-          ansible.builtin.hostname:
-            name: "{{ inventory_hostname }}"
-        - name: Networking | Update /etc/hosts to include inventory hostname
-          ansible.builtin.blockinfile:
-            path: /etc/hosts
-            block: |
-              127.0.1.1   {{ inventory_hostname }}
-    - name: Packages | Fedora
-      block:
-        - name: Packages | Install required packages
-          ansible.builtin.dnf:
-            name: "{{ fedora.packages | default([]) }}"
-            state: present
-            update_cache: true
-        - name: Packages | Remove leaf packages
-          ansible.builtin.dnf:
-            autoremove: true
-      when: ansible_facts['distribution'] == 'Fedora'
-    - name: Packages | Ubuntu
-      block:
-        - name: Packages | Install required packages
-          ansible.builtin.apt:
-            name: "{{ ubuntu.packages | default([]) }}"
-            state: present
-            update_cache: true
-        - name: Packages | Remove leaf packages
-          ansible.builtin.apt:
-            autoremove: true
-        - name: Packages | RasPi packages
-          ansible.builtin.apt:
-            name: ["linux-modules-extra-raspi"]
-            install_recommends: false
-          notify: Reboot
-          when: "'raspi' in ansible_kernel"
-      when: ansible_facts['distribution'] == 'Ubuntu'
-    - name: User Configuration
-      block:
-        - name: User Configuration | Add additional SSH public keys
-          ansible.posix.authorized_key:
-            user: "{{ ansible_user }}"
-            key: "{{ item }}"
-          loop: "{{ public_ssh_keys | default([]) }}"
-    - name: System Configuration (1)
-      block:
-        - name: System Configuration (1) | Disable firewalld | Fedora
-          ansible.builtin.systemd:
-            service: firewalld.service
-            enabled: false
-            masked: true
-            state: stopped
-          when: ansible_facts['distribution'] == 'Fedora'
-        - name: System Configuration (1) | Disable ufw | Ubuntu
-          ansible.builtin.systemd:
-            service: ufw.service
-            enabled: false
-            masked: true
-            state: stopped
-          when: ansible_facts['distribution'] == 'Ubuntu'
-        - name: System Configuration (1) | Enable fstrim
-          ansible.builtin.systemd:
-            service: fstrim.timer
-            enabled: true
-    - name: System Configuration (2)
-      block:
-        - name: System Configuration (2) | Enable kernel modules now
-          community.general.modprobe:
-            name: "{{ item }}"
-            state: present
-          loop: [br_netfilter, overlay, rbd]
-        - name: System Configuration (2) | Enable kernel modules on boot
-          ansible.builtin.copy:
-            mode: 0644
-            content: "{{ item }}"
-            dest: "/etc/modules-load.d/{{ item }}.conf"
-          loop: [br_netfilter, overlay, rbd]
-        - name: System Configuration (2) | Set sysctls
-          ansible.posix.sysctl:
-            name: "{{ item.key }}"
-            value: "{{ item.value }}"
-            sysctl_file: /etc/sysctl.d/99-kubernetes.conf
-            reload: true
-          with_dict: "{{ sysctl_config }}"
-          vars:
-            sysctl_config:
-              net.ipv4.ip_forward: 1
-              net.ipv4.conf.all.forwarding: 1
-              net.ipv4.conf.all.rp_filter: 0
-              net.ipv4.conf.default.rp_filter: 0
-              net.ipv6.conf.all.forwarding: 1
-              net.bridge.bridge-nf-call-iptables: 1
-              net.bridge.bridge-nf-call-ip6tables: 1
-              fs.inotify.max_user_watches: 524288
-              fs.inotify.max_user_instances: 512
-        - name: System Configuration (2) | Disable swap | Fedora
-          ansible.builtin.dnf:
-            name: zram-generator-defaults
-            state: absent
-          when: ansible_facts['distribution'] == 'Fedora'
-        - name: System Configuration (2) | Disable swap at runtime | Ubuntu
-          ansible.builtin.command: swapoff -a
-          when:
-            - ansible_facts['distribution'] == 'Ubuntu'
-            - ansible_swaptotal_mb > 0
-        - name: System Configuration (2) | Disable swap at boot | Ubuntu
-          ansible.posix.mount:
-            name: "{{ item }}"
-            fstype: swap
-            state: absent
-          loop: ["none", "swap"]
-          when: ansible_facts['distribution'] == 'Ubuntu'
-        - name: System Configuration (2) | Permissive SELinux | Fedora
-          ansible.posix.selinux:
-            state: permissive
-            policy: targeted
-          when: ansible_facts['distribution'] == 'Fedora'
-      notify: Reboot
-
-  handlers:
-    - name: Reboot
-      ansible.builtin.reboot:
-        msg: Rebooting nodes
-        reboot_timeout: 3600

ansible/playbooks/cluster-reboot.yml

@@ -1,16 +0,0 @@
----
-- hosts:
-    - master
-    - worker
-  become: true
-  gather_facts: true
-  any_errors_fatal: true
-  pre_tasks:
-    - name: Pausing for 5 seconds...
-      ansible.builtin.pause:
-        seconds: 5
-  tasks:
-    - name: Reboot
-      ansible.builtin.reboot:
-        msg: Rebooting nodes
-        reboot_timeout: 3600

ansible/playbooks/templates/calico-installation.yaml.j2

@@ -1,22 +0,0 @@
----
-apiVersion: operator.tigera.io/v1
-kind: Installation
-metadata:
-  name: default
-spec:
-  registry: quay.io
-  imagePath: calico
-  calicoNetwork:
-    # https://projectcalico.docs.tigera.io/networking/ip-autodetection
-    nodeAddressAutodetectionV4:
-      cidrs:
-        - "{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('network/prefix') }}"
-    # Note: The ipPools section cannot be modified post-install.
-    ipPools:
-      - blockSize: 26
-        cidr: "{{ k3s_server['cluster-cidr'] }}"
-        encapsulation: "VXLANCrossSubnet"
-        natOutgoing: Enabled
-        nodeSelector: all()
-  nodeMetricsPort: 9091
-  typhaMetricsPort: 9093

ansible/playbooks/templates/kube-vip-daemonset.yaml.j2

@@ -1,72 +0,0 @@
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: kube-vip
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/instance: kube-vip
-    app.kubernetes.io/name: kube-vip
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: kube-vip
-      app.kubernetes.io/name: kube-vip
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: kube-vip
-        app.kubernetes.io/name: kube-vip
-    spec:
-      containers:
-        - name: kube-vip
-          image: ghcr.io/kube-vip/kube-vip:v0.5.8
-          imagePullPolicy: IfNotPresent
-          args: ["manager"]
-          env:
-            - name: vip_arp
-              value: "true"
-            - name: port
-              value: "6443"
-            - name: vip_cidr
-              value: "32"
-            - name: cp_enable
-              value: "true"
-            - name: cp_namespace
-              value: kube-system
-            - name: svc_enable
-              value: "false"
-            - name: vip_leaderelection
-              value: "true"
-            - name: vip_leaseduration
-              value: "15"
-            - name: vip_renewdeadline
-              value: "10"
-            - name: vip_retryperiod
-              value: "2"
-            - name: address
-              value: "{{ k3s_registration_address }}"
-          securityContext:
-            capabilities:
-              add: ["NET_ADMIN", "NET_RAW"]
-      hostAliases:
-        - hostnames:
-            - kubernetes
-          ip: 127.0.0.1
-      hostNetwork: true
-      serviceAccountName: kube-vip
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/master
-                    operator: Exists
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/control-plane
-                    operator: Exists
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-        - effect: NoExecute
-          operator: Exists

ansible/requirements.txt

@@ -1 +0,0 @@
-openshift==0.13.1

ansible/requirements.yml

@@ -1,16 +0,0 @@
----
-collections:
-  - name: community.general
-    version: 6.2.0
-  - name: community.sops
-    version: 1.6.0
-  - name: ansible.posix
-    version: 1.5.1
-  - name: ansible.utils
-    version: 2.8.0
-  - name: kubernetes.core
-    version: 2.3.2
-roles:
-  - name: xanmanning.k3s
-    src: https://github.com/PyratLabs/ansible-role-k3s.git
-    version: v3.3.1

cluster.sample.yaml

@@ -0,0 +1,84 @@
+---
+# -- The network CIDR for the nodes.
+# (REQUIRED) / (e.g. 192.168.1.0/24)
+node_cidr: ""
+
+# -- DNS servers to use for the cluster.
+#    (OPTIONAL) / (DEFAULT: ["1.1.1.1", "1.0.0.1"]) / (Cloudflare DNS)
+# node_dns_servers: []
+
+# -- NTP servers to use for the cluster.
+#    (OPTIONAL) / (DEFAULT: ["162.159.200.1", "162.159.200.123"]) / (Cloudflare NTP)
+# node_ntp_servers: []
+
+# -- The default gateway for the nodes.
+#    (OPTIONAL) / (DEFAULT: the first IP in the node_cidr)
+# node_default_gateway: ""
+
+# -- Attach a vlan tag to the Talos nodes. Not needed if ports on your switch are tagged or you are not using VLANs.
+#    (OPTIONAL) / (REF: https://www.talos.dev/latest/advanced/advanced-networking/#vlans)
+# node_vlan_tag: ""
+
+# -- The IP address of the Kube API.
+#    (REQUIRED) / (NOTE: Choose an unused IP in node_cidr)
+cluster_api_addr: ""
+
+# -- Additional SANs to add to the Kube API cert. This is useful if you want to call the Kube API by hostname rather than IP
+#    (OPTIONAL) / (e.g. ["mycluster.example.com"])
+# cluster_api_tls_sans: []
+
+# -- The pod CIDR for the cluster, this must NOT overlap with any existing networks and should be a /16 (64K IPs).
+#    (OPTIONAL) / (DEFAULT: "10.42.0.0/16")
+# cluster_pod_cidr: ""
+
+# -- The service CIDR for the cluster, this must NOT overlap with any existing networks and should be a /16 (64K IPs).
+#    (OPTIONAL) / (DEFAULT: "10.43.0.0/16")
+# cluster_svc_cidr: ""
+
+# -- The Load balancer IP for k8s_gateway, this provides DNS to all your gateways when split DNS is configured on your internal DNS server (Dnsmasq, Pi-hole, etc)
+#    (REQUIRED) / (NOTE: Choose an unused IP in node_cidr)
+cluster_dns_gateway_addr: ""
+
+# -- The Load balancer IP for the internal gateway
+#    (REQUIRED) / (NOTE: Choose an unused IP in node_cidr)
+cluster_gateway_addr: ""
+
+# -- GitHub repository
+#    (REQUIRED) / (e.g. "onedr0p/cluster-template")
+repository_name: ""
+
+# -- GitHub repository branch
+#    (OPTIONAL) / (DEFAULT: "main")
+# repository_branch: ""
+
+# -- Repository visibility (public or private)
+#    (OPTIONAL) / (DEFAULT: "public") / (NOTE: See the README for information when set private)
+# repository_visibility: ""
+
+# -- Domain you wish to use from your Cloudflare account
+#    (REQUIRED) / (e.g. "example.com")
+cloudflare_domain: ""
+
+# -- API Token for Cloudflare with the 'Zone:DNS:Edit' and 'Account:Cloudflare Tunnel:Read' permissions
+#    (REQUIRED) (NOTE: See the README for information on creating this)
+cloudflare_token: ""
+
+# -- The Load balancer IP for the external gateway
+#    (REQUIRED) / (NOTE: Choose an unused IP in node_cidr)
+cloudflare_gateway_addr: ""
+
+# -- The load balancer mode for cilium.
+#    (OPTIONAL) / (DEFAULT: "dsr") / (NOTE: accepted values are 'dsr' or 'snat') / (REF: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/)
+# cilium_loadbalancer_mode: ""
+
+# -- The IP address of the BGP router, to keep things simple, node network will be used for BGP peering.
+# (OPTIONAL) / (e.g. "192.168.1.1") / (REF: https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane/)
+# cilium_bgp_router_addr: ""
+
+# -- The BGP router ASN
+# (OPTIONAL) / (e.g. "64513")
+# cilium_bgp_router_asn: ""
+
+# -- The BGP node ASN
+# (OPTIONAL) / (e.g. "64514")
+# cilium_bgp_node_asn: ""

configure

@@ -1,497 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-set -o pipefail
-
-# shellcheck disable=SC2155
-export PROJECT_DIR=$(git rev-parse --show-toplevel)
-
-# shellcheck disable=SC2155
-export SOPS_AGE_KEY_FILE=~/.config/sops/age/keys.txt
-
-# shellcheck disable=SC1091
-source "${PROJECT_DIR}/.config.env"
-
-show_help() {
-cat << EOF
-Usage: $(basename "$0") <options>
-    -h, --help                      Display help
-    --verify                        Verify .config.env settings
-EOF
-}
-
-main() {
-    local verify=
-    parse_command_line "$@"
-    if [[ "${verify}" == 1 ]]; then
-        verify_start
-        verify_binaries
-        verify_master_count
-        verify_ansible_hosts
-        verify_metallb
-        verify_kubevip
-        verify_addressing
-        verify_age
-        verify_git_repository
-        verify_cloudflare
-        verify_success
-    else
-        # generate sops configuration file
-        envsubst < "${PROJECT_DIR}/tmpl/.sops.yaml" \
-            > "${PROJECT_DIR}/.sops.yaml"
-        # generate cluster settings
-        envsubst < "${PROJECT_DIR}/tmpl/kubernetes/flux/cluster-settings.yaml" \
-            > "${PROJECT_DIR}/kubernetes/flux/vars/cluster-settings.yaml"
-        envsubst < "${PROJECT_DIR}/tmpl/kubernetes/flux/cluster.yaml" \
-            > "${PROJECT_DIR}/kubernetes/flux/config/cluster.yaml"
-        # generate secrets
-        envsubst < "${PROJECT_DIR}/tmpl/kubernetes/cluster-secrets.sops.yaml" \
-            > "${PROJECT_DIR}/kubernetes/flux/vars/cluster-secrets.sops.yaml"
-        sops --encrypt --in-place "${PROJECT_DIR}/kubernetes/flux/vars/cluster-secrets.sops.yaml"
-        envsubst < "${PROJECT_DIR}/tmpl/kubernetes/cert-manager-secret.sops.yaml" \
-            > "${PROJECT_DIR}/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml"
-        sops --encrypt --in-place "${PROJECT_DIR}/kubernetes/apps/cert-manager/cert-manager/issuers/secret.sops.yaml"
-        envsubst < "${PROJECT_DIR}/tmpl/kubernetes/cloudflare-ddns-secret.sops.yaml" \
-            > "${PROJECT_DIR}/kubernetes/apps/networking/cloudflare-ddns/app/secret.sops.yaml"
-        sops --encrypt --in-place "${PROJECT_DIR}/kubernetes/apps/networking/cloudflare-ddns/app/secret.sops.yaml"
-        envsubst < "${PROJECT_DIR}/tmpl/kubernetes/external-dns-secret.sops.yaml" \
-            > "${PROJECT_DIR}/kubernetes/apps/networking/external-dns/app/secret.sops.yaml"
-        sops --encrypt --in-place "${PROJECT_DIR}/kubernetes/apps/networking/external-dns/app/secret.sops.yaml"
-        envsubst < "${PROJECT_DIR}/tmpl/terraform/secret.sops.yaml" \
-            > "${PROJECT_DIR}/terraform/cloudflare/secret.sops.yaml"
-        sops --encrypt --in-place "${PROJECT_DIR}/terraform/cloudflare/secret.sops.yaml"
-        # generate ansible settings
-        envsubst < "${PROJECT_DIR}/tmpl/ansible/kube-vip.yml" \
-            > "${PROJECT_DIR}/ansible/inventory/group_vars/kubernetes/kube-vip.yml"
-        # generate ansible hosts file and secrets
-        generate_ansible_hosts
-        generate_ansible_host_secrets
-        setup_github_webhook
-        setup_weave_gitops
-        success
-    fi
-}
-
-parse_command_line() {
-    while :; do
-        case "${1:-}" in
-            -h|--help)
-                show_help
-                exit
-                ;;
-            --verify)
-                verify=1
-                ;;
-            *)
-                break
-                ;;
-        esac
-
-        shift
-    done
-    if [[ -z "$verify" ]]; then
-        verify=0
-    fi
-}
-
-_has_binary() {
-    command -v "${1}" >/dev/null 2>&1 || {
-        _log "ERROR(${FUNCNAME[0]})" "${1} is not installed or not found in \$PATH"
-        exit 1
-    }
-    _log "INFO(${FUNCNAME[0]})" "Found CLI tool ${1} and it is in \$PATH"
-}
-
-_has_optional_envar() {
-    local option="${1}"
-    # shellcheck disable=SC2015
-    [[ "${!option}" == "" ]] && {
-        _log "WARN" "Unset optional variable ${option}"
-    } || {
-        _log "INFO(${FUNCNAME[0]})" "Found variable '${option}' with value '${!option}'"
-    }
-}
-
-_has_envar() {
-    local option="${1}"
-    local secret="${2:-false}"
-    local value=
-    # shellcheck disable=SC2015
-    if [[ "${!option}" == "" ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "Unset variable ${option}"
-        exit 1
-    fi
-    value="${!option}"
-    if [[ $secret == "true" ]]; then
-        value="***"
-    fi
-    _log "INFO(${FUNCNAME[0]})" "Found variable '${option}' with value '${value}'"
-}
-
-_has_valid_ip() {
-    local ip="${1}"
-    local variable_name="${2}"
-    if ! ipcalc "${ip}" | awk 'BEGIN{FS=":"; is_invalid=0} /^INVALID/ {is_invalid=1; print $1} END{exit is_invalid}' >/dev/null 2>&1; then
-        _log "INFO(${FUNCNAME[0]})" "Variable '${variable_name}' has an invalid IP address '${ip}'"
-        exit 1
-    else
-        _log "INFO(${FUNCNAME[0]})" "Variable '${variable_name}' has a valid IP address '${ip}'"
-    fi
-}
-
-verify_addressing() {
-    local found_kube_vip="false"
-    local found_k8s_gateway="false"
-    local found_ingress="false"
-    # Verify the metallb min and metallb ceiling are in the same network
-    metallb_subnet_min=$(echo "${BOOTSTRAP_METALLB_LB_RANGE}" | cut -d- -f1 | cut -d. -f1,2,3)
-    metallb_subnet_ceil=$(echo "${BOOTSTRAP_METALLB_LB_RANGE}" | cut -d- -f2 | cut -d. -f1,2,3)
-    if [[ "${metallb_subnet_min}" != "${metallb_subnet_ceil}" ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "The provided MetalLB IP range '${BOOTSTRAP_METALLB_LB_RANGE}' is not in the same subnet"
-        exit 1
-    fi
-    # Verify the node IP addresses are on the same network as the metallb range
-    for var in "${!BOOTSTRAP_ANSIBLE_HOST_ADDR_@}"; do
-        node_subnet=$(echo "${!var}" | cut -d. -f1,2,3)
-        if [[ "${node_subnet}" != "${metallb_subnet_min}" ]]; then
-            _log "ERROR(${FUNCNAME[0]})" "The subnet for node '${!var}' is not in the same subnet as the provided metallb range '${BOOTSTRAP_METALLB_LB_RANGE}'"
-            exit 1
-        fi
-    done
-    # Verify the kube-vip IP is in the same network as the metallb range
-    kubevip_subnet=$(echo "${BOOTSTRAP_KUBE_VIP_ADDR}" | cut -d. -f1,2,3)
-    if [[ "${kubevip_subnet}" != "${metallb_subnet_min}" ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "The subnet for kupe-vip '${BOOTSTRAP_KUBE_VIP_ADDR}' is not the same subnet as the provided metallb range '${BOOTSTRAP_METALLB_LB_RANGE}'"
-        exit 1
-    fi
-    # Depending on the IP address, verify if it should be in the metallb range or not
-    metallb_octet_min=$(echo "${BOOTSTRAP_METALLB_LB_RANGE}" | cut -d- -f1 | cut -d. -f4)
-    metallb_octet_ceil=$(echo "${BOOTSTRAP_METALLB_LB_RANGE}" | cut -d- -f2 | cut -d. -f4)
-    for (( octet=metallb_octet_min; octet<=metallb_octet_ceil; octet++ )); do
-        addr="${metallb_subnet_min}.${octet}"
-        if [[ "${addr}" == "${BOOTSTRAP_KUBE_VIP_ADDR}" ]]; then
-            found_kube_vip="true"
-        fi
-        if [[ "${addr}" == "${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}" ]]; then
-            found_k8s_gateway="true"
-        fi
-        if [[ "${addr}" == "${BOOTSTRAP_METALLB_INGRESS_ADDR}" ]]; then
-            found_ingress="true"
-        fi
-        for var in "${!BOOTSTRAP_ANSIBLE_HOST_ADDR_@}"; do
-            if [[ "${!var}" == "${addr}" ]]; then
-                _log "ERROR(${FUNCNAME[0]})" "The IP for node '${!var}' should NOT be in the provided metallb range '${BOOTSTRAP_METALLB_LB_RANGE}'"
-                exit 1
-            fi
-        done
-    done
-    if [[ "${found_kube_vip}" == "true" ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "The IP for kube-vip '${BOOTSTRAP_KUBE_VIP_ADDR}' should NOT be in the provided metallb range '${BOOTSTRAP_METALLB_LB_RANGE}'"
-        exit 1
-    fi
-    if [[ "${found_k8s_gateway}" == "false" ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "The IP for k8s_gateway '${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}' should be in the provided metallb range '${BOOTSTRAP_METALLB_LB_RANGE}'"
-        exit 1
-    fi
-    if [[ "${found_ingress}" == "false" ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "The IP for ingress '${BOOTSTRAP_METALLB_INGRESS_ADDR}' should be in the provided metallb range '${BOOTSTRAP_METALLB_LB_RANGE}'"
-        exit 1
-    fi
-}
-
-verify_age() {
-    _has_envar "BOOTSTRAP_AGE_PUBLIC_KEY"
-    _has_envar "SOPS_AGE_KEY_FILE"
-    if [[ ! "$BOOTSTRAP_AGE_PUBLIC_KEY" =~ ^age.* ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "BOOTSTRAP_AGE_PUBLIC_KEY does not start with age"
-        exit 1
-    else
-        _log "INFO(${FUNCNAME[0]})" "Age public key is in the correct format"
-    fi
-    if [[ ! -f ~/.config/sops/age/keys.txt ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "Unable to find Age file keys.txt in ~/.config/sops/age"
-        exit 1
-    else
-        _log "INFO(${FUNCNAME[0]})" "Found Age public key '${BOOTSTRAP_AGE_PUBLIC_KEY}'"
-    fi
-}
-
-verify_binaries() {
-    _has_binary "age"
-    _has_binary "ansible"
-    _has_binary "envsubst"
-    _has_binary "flux"
-    _has_binary "git"
-    _has_binary "gitops"
-    _has_binary "ipcalc"
-    _has_binary "jq"
-    _has_binary "pip3"
-    _has_binary "sops"
-    _has_binary "ssh"
-    _has_binary "task"
-    _has_binary "terraform"
-    _has_binary "yq"
-    if ! [[ "$(sops --version)" =~ 3\.[0-9]+\.[0-9]+ ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "Incompatible sops version, make sure you are using the latest release of github.com/mozilla/sops"
-        exit 1
-    fi
-    if ! [[ "$(yq --version)" =~ 4\.[0-9]+\.[0-9]+ ]]; then
-        _log "ERROR(${FUNCNAME[0]})" "Incompatible yq version, make sure you are using the latest release of github.com/mikefarah/yq"
-        exit 1
-    fi
-}
-
-verify_kubevip() {
-    _has_envar "BOOTSTRAP_KUBE_VIP_ADDR"
-    _has_valid_ip "${BOOTSTRAP_KUBE_VIP_ADDR}" "BOOTSTRAP_KUBE_VIP_ADDR"
-}
-
-verify_metallb() {
-    _has_envar "BOOTSTRAP_METALLB_LB_RANGE"
-    _has_envar "BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR"
-    _has_envar "BOOTSTRAP_METALLB_INGRESS_ADDR"
-    _has_valid_ip "$(echo "${BOOTSTRAP_METALLB_LB_RANGE}" | cut -d- -f1)" "BOOTSTRAP_METALLB_LB_RANGE"
-    _has_valid_ip "$(echo "${BOOTSTRAP_METALLB_LB_RANGE}" | cut -d- -f2)" "BOOTSTRAP_METALLB_LB_RANGE"
-    _has_valid_ip "${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}" "BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR"
-    _has_valid_ip "${BOOTSTRAP_METALLB_INGRESS_ADDR}" "BOOTSTRAP_METALLB_INGRESS_ADDR"
-}
-
-verify_git_repository() {
-    _has_envar "BOOTSTRAP_GIT_REPOSITORY"
-    export GIT_TERMINAL_PROMPT=0
-    pushd "$(mktemp -d)" >/dev/null 2>&1
-    [ "$(git ls-remote "${BOOTSTRAP_GIT_REPOSITORY}" 2> /dev/null)" ] || {
-        _log "ERROR(${FUNCNAME[0]})" "Unable to find the remote Git repository '${BOOTSTRAP_GIT_REPOSITORY}'"
-        exit 1
-    }
-    popd >/dev/null 2>&1
-    export GIT_TERMINAL_PROMPT=1
-}
-
-verify_master_count() {
-    local master_node_count=
-    master_node_count=0
-    for var in "${!BOOTSTRAP_ANSIBLE_HOST_ADDR_@}"; do
-        node_id=$(echo "${var}" | awk -F"_" '{print $5}')
-        node_control="BOOTSTRAP_ANSIBLE_CONTROL_NODE_${node_id}"
-        if [[ "${!node_control}" == "true" ]]; then
-            master_node_count=$((master_node_count+1))
-        fi
-    done
-    # Check for existance of master nodes and that their count is not an even number
-    if [[ ${master_node_count} -eq 0 || $((master_node_count%2)) -eq 0 ]]; then
-      _log "ERROR(${FUNCNAME[0]})" "You must have 1, 3 or an odd number of master nodes >=3 inorder for etcd to have quorum"
-      exit 1
-    fi
-    _log "INFO(${FUNCNAME[0]})" "Verified control plane node count"
-}
-
-verify_cloudflare() {
-    local account_zone=
-    local errors=
-    _has_envar "BOOTSTRAP_CLOUDFLARE_APIKEY" "true"
-    _has_envar "BOOTSTRAP_CLOUDFLARE_DOMAIN" "true"
-    _has_envar "BOOTSTRAP_CLOUDFLARE_EMAIL" "true"
-    # Try to retrieve zone information from Cloudflare's API
-    account_zone=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=${BOOTSTRAP_CLOUDFLARE_DOMAIN}&status=active" \
-        -H "X-Auth-Email: ${BOOTSTRAP_CLOUDFLARE_EMAIL}" \
-        -H "X-Auth-Key: ${BOOTSTRAP_CLOUDFLARE_APIKEY}" \
-        -H "Content-Type: application/json"
-    )
-    if [[ "$(echo "${account_zone}" | jq ".success")" == "true" ]]; then
-        _log "INFO(${FUNCNAME[0]})" "Verified Cloudflare Account and Zone information"
-    else
-        errors=$(echo "${account_zone}" | jq -c ".errors")
-        _log "ERROR(${FUNCNAME[0]})" "Unable to get Cloudflare Account and Zone information ${errors}"
-        exit 1
-    fi
-}
-
-verify_ansible_hosts() {
-    local node_id=
-    local node_addr=
-    local node_username=
-    local node_password=
-    local node_control=
-    local node_hostname=
-    local default_control_node_prefix=
-    local default_worker_node_prefix=
-    default_control_node_prefix="BOOTSTRAP_ANSIBLE_DEFAULT_CONTROL_NODE_HOSTNAME_PREFIX"
-    default_worker_node_prefix="BOOTSTRAP_ANSIBLE_DEFAULT_NODE_HOSTNAME_PREFIX"
-    _has_optional_envar "${default_control_node_prefix}"
-    _has_optional_envar "${default_worker_node_prefix}"
-    for var in "${!BOOTSTRAP_ANSIBLE_HOST_ADDR_@}"; do
-        node_id=$(echo "${var}" | awk -F"_" '{print $5}')
-        node_addr="BOOTSTRAP_ANSIBLE_HOST_ADDR_${node_id}"
-        node_username="BOOTSTRAP_ANSIBLE_SSH_USERNAME_${node_id}"
-        node_password="BOOTSTRAP_ANSIBLE_SUDO_PASSWORD_${node_id}"
-        node_control="BOOTSTRAP_ANSIBLE_CONTROL_NODE_${node_id}"
-        node_hostname="BOOTSTRAP_ANSIBLE_HOSTNAME_${node_id}"
-        _has_envar "${node_addr}"
-        _has_envar "${node_username}"
-        _has_envar "${node_password}" "true"
-        _has_envar "${node_control}"
-        _has_optional_envar "${node_hostname}"
-        if [[ "${!node_addr}" == "${BOOTSTRAP_KUBE_VIP_ADDR}" && "${BOOTSTRAP_KUBE_VIP_ENABLED}" == "true" ]]; then
-            _log "ERROR(${FUNCNAME[0]})" "The kube-vip IP '${BOOTSTRAP_KUBE_VIP_ADDR}' should not be the same as the IP for node '${!node_addr}'"
-            exit 1
-        fi
-        if [[ "${!node_addr}" == "${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}" ]]; then
-            _log "ERROR(${FUNCNAME[0]})" "The k8s-gateway load balancer IP '${BOOTSTRAP_METALLB_K8S_GATEWAY_ADDR}' should not be the same as the IP for node '${!node_addr}'"
-            exit 1
-        fi
-        if [[ "${!node_addr}" == "${BOOTSTRAP_METALLB_INGRESS_ADDR}" ]]; then
-            _log "ERROR(${FUNCNAME[0]})" "The ingress load balancer IP '${BOOTSTRAP_METALLB_INGRESS_ADDR}' should not be the same as the IP for node '${!node_addr}'"
-            exit 1
-        fi
-        if ssh -q -o BatchMode=yes -o ConnectTimeout=5 "${!node_username}"@"${!var}" "true"; then
-            _log "INFO(${FUNCNAME[0]})" "SSH into host '${!var}' with username '${!node_username}' was successfull"
-        else
-            _log "ERROR(${FUNCNAME[0]})" "SSH into host '${!var}' with username '${!node_username}'was NOT successful, did you copy over your SSH key?"
-            exit 1
-        fi
-    done
-}
-
-verify_start() {
-    _log "INFO(${FUNCNAME[0]})" "Starting verification of .config.env, please wait..."
-}
-
-verify_success() {
-    _log "INFO(${FUNCNAME[0]})" "All checks passed!"
-    _log "INFO(${FUNCNAME[0]})" "Run the script without --verify to template all the files out"
-    exit 0
-}
-
-generate_ansible_host_secrets() {
-    local node_id=
-    local node_username=
-    local node_password=
-    local node_hostname=
-    local node_control=
-    default_control_node_prefix=${BOOTSTRAP_ANSIBLE_DEFAULT_CONTROL_NODE_HOSTNAME_PREFIX:-k8s-}
-    default_worker_node_prefix=${BOOTSTRAP_ANSIBLE_DEFAULT_NODE_HOSTNAME_PREFIX:-k8s-}
-    for var in "${!BOOTSTRAP_ANSIBLE_HOST_ADDR_@}"; do
-        node_id=$(echo "${var}" | awk -F"_" '{print $5}')
-        node_control="BOOTSTRAP_ANSIBLE_CONTROL_NODE_${node_id}"
-        if [[ "${!node_control}" == "true" ]]; then
-            node_hostname="BOOTSTRAP_ANSIBLE_HOSTNAME_${node_id}"
-            host_key="${!node_hostname:-${default_control_node_prefix}}"
-            if [ "${host_key}" == "${default_control_node_prefix}" ]; then
-                node_hostname=${default_control_node_prefix}${node_id}
-            else
-                node_hostname=${!node_hostname}
-            fi
-        else
-            node_hostname="BOOTSTRAP_ANSIBLE_HOSTNAME_${node_id}"
-            host_key="${!node_hostname:-${default_worker_node_prefix}}"
-            if [ "${host_key}" == "${default_worker_node_prefix}" ]; then
-                node_hostname=${default_worker_node_prefix}${node_id}
-            else
-                node_hostname=${!node_hostname}
-            fi
-        fi
-        {
-            node_username="BOOTSTRAP_ANSIBLE_SSH_USERNAME_${node_id}"
-            node_password="BOOTSTRAP_ANSIBLE_SUDO_PASSWORD_${node_id}"
-            printf "kind: Secret\n"
-            printf "ansible_user: %s\n" "${!node_username}"
-            printf "ansible_become_pass: %s\n" "${!node_password}"
-        } > "${PROJECT_DIR}/ansible/inventory/host_vars/${node_hostname}.sops.yml"
-        sops --encrypt --in-place "${PROJECT_DIR}/ansible/inventory/host_vars/${node_hostname}.sops.yml"
-    done
-}
-
-generate_ansible_hosts() {
-    local worker_node_count=
-    default_control_node_prefix=${BOOTSTRAP_ANSIBLE_DEFAULT_CONTROL_NODE_HOSTNAME_PREFIX:-k8s-}
-    default_worker_node_prefix=${BOOTSTRAP_ANSIBLE_DEFAULT_NODE_HOSTNAME_PREFIX:-k8s-}
-    {
-        printf -- "---\n"
-        printf "kubernetes:\n"
-        printf "  children:\n"
-        printf "    master:\n"
-        printf "      hosts:\n"
-        master_node_count=0
-        worker_node_count=0
-        for var in "${!BOOTSTRAP_ANSIBLE_HOST_ADDR_@}"; do
-            node_id=$(echo "${var}" | awk -F"_" '{print $5}')
-            node_control="BOOTSTRAP_ANSIBLE_CONTROL_NODE_${node_id}"
-            if [[ "${!node_control}" == "true" ]]; then
-                master_node_count=$((master_node_count+1))
-                node_hostname="BOOTSTRAP_ANSIBLE_HOSTNAME_${node_id}"
-                host_key="${!node_hostname:-${default_control_node_prefix}}"
-                if [ "${host_key}" == "${default_control_node_prefix}" ]; then
-                    node_hostname=${default_control_node_prefix}${node_id}
-                else
-                    node_hostname=${!node_hostname}
-                fi
-                printf "        %s:\n" "${node_hostname}"
-                printf "          ansible_host: %s\n" "${!var}"
-            else
-                worker_node_count=$((worker_node_count+1))
-            fi
-        done
-        if [[ ${worker_node_count} -gt 0 ]]; then
-            printf "    worker:\n"
-            printf "      hosts:\n"
-            for var in "${!BOOTSTRAP_ANSIBLE_HOST_ADDR_@}"; do
-                node_id=$(echo "${var}" | awk -F"_" '{print $5}')
-                node_control="BOOTSTRAP_ANSIBLE_CONTROL_NODE_${node_id}"
-                if [[ "${!node_control}" == "false" ]]; then
-                    node_hostname="BOOTSTRAP_ANSIBLE_HOSTNAME_${node_id}"
-                    host_key="${!node_hostname:-${default_worker_node_prefix}}"
-                    if [ "${host_key}" == "${default_worker_node_prefix}" ]; then
-                        node_hostname=${default_worker_node_prefix}${node_id}
-                    else
-                        node_hostname=${!node_hostname}
-                    fi
-                    printf "        %s:\n" "${node_hostname}"
-                    printf "          ansible_host: %s\n" "${!var}"
-                fi
-            done
-        fi
-    } > "${PROJECT_DIR}/ansible/inventory/hosts.yml"
-}
-
-setup_github_webhook() {
-    _has_envar "BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET"
-    WEBHOOK_SECRET="${BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET}"
-    if [[ "${WEBHOOK_SECRET}" == "generated" ]]; then
-        WEBHOOK_SECRET="$(openssl rand -base64 30)"
-    fi
-    export BOOTSTRAP_FLUX_GITHUB_WEBHOOK_SECRET="${WEBHOOK_SECRET}"
-    _log "INFO(${FUNCNAME[0]})" "Using GitHub Token '${WEBHOOK_SECRET}' for Flux"
-    envsubst < "${PROJECT_DIR}/tmpl/kubernetes/github-webhook-token-secret.sops.yaml" \
-        > "${PROJECT_DIR}/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml"
-    sops --encrypt --in-place "${PROJECT_DIR}/kubernetes/apps/flux-system/addons/webhooks/github/secret.sops.yaml"
-}
-
-setup_weave_gitops() {
-    _has_envar "BOOTSTRAP_WEAVE_GITOPS_ADMIN_PASSWORD"
-    WEAVE_GITOPS_ADMIN_PASSWORD="${BOOTSTRAP_WEAVE_GITOPS_ADMIN_PASSWORD}"
-    if [[ "${WEAVE_GITOPS_ADMIN_PASSWORD}" == "generated" ]]; then
-        WEAVE_GITOPS_ADMIN_PASSWORD="$(openssl rand -base64 30)"
-    fi
-    export BOOTSTRAP_WEAVE_GITOPS_ADMIN_PASSWORD="${WEAVE_GITOPS_ADMIN_PASSWORD}"
-    _log "INFO(${FUNCNAME[0]})" "Using admin password '${WEAVE_GITOPS_ADMIN_PASSWORD}' for Weave Gitops"
-    # Convert password to bcrypt hash
-    # shellcheck disable=SC2155
-    export BOOTSTRAP_WEAVE_GITOPS_ADMIN_PASSWORD="$(echo -n "${BOOTSTRAP_WEAVE_GITOPS_ADMIN_PASSWORD}" | gitops get bcrypt-hash)"
-    envsubst < "${PROJECT_DIR}/tmpl/kubernetes/weave-gitops-secret.sops.yaml" \
-        > "${PROJECT_DIR}/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml"
-    sops --encrypt --in-place "${PROJECT_DIR}/kubernetes/apps/flux-system/weave-gitops/app/secret.sops.yaml"
-}
-
-success() {
-    _log "INFO(${FUNCNAME[0]})" "All files have been templated, proceed to the next steps outlined in the README"
-    exit 0
-}
-
-_log() {
-    local type="${1}"
-    local msg="${2}"
-    printf 'timestamp="%s" type="%s" message="%s"\n' "$(date)" "${type}" "${msg}"
-}
-
-main "$@"

kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml

@@ -1,42 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: cert-manager
-  namespace: cert-manager
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: cert-manager
-      version: v1.11.0
-      sourceRef:
-        kind: HelmRepository
-        name: jetstack
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    installCRDs: true
-    extraArgs:
-      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
-      - --dns01-recursive-nameservers-only
-    podDnsPolicy: None
-    podDnsConfig:
-      nameservers:
-        - "1.1.1.1"
-        - "9.9.9.9"
-    prometheus:
-      enabled: true
-      servicemonitor:
-        enabled: true
-        prometheusInstance: monitoring

kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml

@@ -1,17 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: cert-manager
-resources:
-  - ./helmrelease.yaml
-  - ./prometheusrule.yaml
-configMapGenerator:
-  - name: cert-manager-dashboard
-    files:
-      - cert-manager-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
-generatorOptions:
-  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled
-  labels:
-    grafana_dashboard: "true"

kubernetes/apps/cert-manager/cert-manager/app/prometheusrule.yaml

@@ -1,68 +0,0 @@
----
-apiVersion: monitoring.coreos.com/v1
-kind: PrometheusRule
-metadata:
-  name: cert-manager.rules
-  namespace: cert-manager
-spec:
-  groups:
-    - name: cert-manager
-      rules:
-        - alert: CertManagerAbsent
-          expr: |
-            absent(up{job="cert-manager"})
-          for: 15m
-          labels:
-            severity: critical
-          annotations:
-            description:
-              "New certificates will not be able to be minted, and existing
-              ones can't be renewed until cert-manager is back."
-            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
-            summary: "Cert Manager has dissapeared from Prometheus service discovery."
-    - name: certificates
-      rules:
-        - alert: CertManagerCertExpirySoon
-          expr: |
-            avg by (exported_namespace, namespace, name) (
-            certmanager_certificate_expiration_timestamp_seconds - time())
-              < (21 * 24 * 3600)
-          for: 15m
-          labels:
-            severity: warning
-          annotations:
-            description:
-              "The domain that this cert covers will be unavailable after
-              {{ $value | humanizeDuration }}. Clients using endpoints that this cert
-              protects will start to fail in {{ $value | humanizeDuration }}."
-            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
-            summary:
-              "The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
-              from expiry, it should have renewed over a week ago."
-        - alert: CertManagerCertNotReady
-          expr: |
-            max by (name, exported_namespace, namespace, condition) (
-            certmanager_certificate_ready_status{condition!="True"} == 1)
-          for: 15m
-          labels:
-            severity: critical
-          annotations:
-            description:
-              "This certificate has not been ready to serve traffic for at least
-              10m. If the cert is being renewed or there is another valid cert, the ingress
-              controller _may_ be able to serve that instead."
-            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
-            summary: "The cert {{ $labels.name }} is not ready to serve traffic."
-        - alert: CertManagerHittingRateLimits
-          expr: |
-            sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
-              > 0
-          for: 15m
-          labels:
-            severity: critical
-          annotations:
-            description:
-              "Depending on the rate limit, cert-manager may be unable to generate
-              certificates for up to a week."
-            runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
-            summary: "Cert manager hitting LetsEncrypt rate limits."

kubernetes/apps/cert-manager/cert-manager/issuers/issuers.yaml

@@ -1,41 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-production
-spec:
-  acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    email: "${SECRET_CLOUDFLARE_EMAIL}"
-    privateKeySecretRef:
-      name: letsencrypt-production
-    solvers:
-      - dns01:
-          cloudflare:
-            email: "${SECRET_CLOUDFLARE_EMAIL}"
-            apiKeySecretRef:
-              name: cert-manager-secret
-              key: api-key
-        selector:
-          dnsZones:
-            - "${SECRET_DOMAIN}"
----
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-staging
-spec:
-  acme:
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
-    email: "${SECRET_CLOUDFLARE_EMAIL}"
-    privateKeySecretRef:
-      name: letsencrypt-staging
-    solvers:
-      - dns01:
-          cloudflare:
-            email: "${SECRET_CLOUDFLARE_EMAIL}"
-            apiKeySecretRef:
-              name: cert-manager-secret
-              key: api-key
-        selector:
-          dnsZones:
-            - "${SECRET_DOMAIN}"

kubernetes/apps/cert-manager/cert-manager/ks.yaml

@@ -1,41 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-cert-manager
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/cert-manager/cert-manager/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: cert-manager
-      namespace: cert-manager
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-cert-manager-issuers
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  dependsOn:
-    - name: cluster-apps-cert-manager
-  path: ./kubernetes/apps/cert-manager/cert-manager/issuers
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/default/echo-server/app/helmrelease.yaml

@@ -1,75 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: echo-server
-  namespace: default
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 1.2.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    controller:
-      strategy: RollingUpdate
-    image:
-      repository: docker.io/jmalloc/echo-server
-      tag: 0.3.4
-    service:
-      main:
-        ports:
-          http:
-            port: &port 8080
-    probes:
-      liveness: &probes
-        enabled: true
-        custom: true
-        spec:
-          httpGet:
-            path: /health
-            port: *port
-          initialDelaySeconds: 0
-          periodSeconds: 10
-          timeoutSeconds: 1
-          failureThreshold: 3
-      readiness: *probes
-      startup:
-        enabled: false
-    ingress:
-      main:
-        enabled: true
-        ingressClassName: nginx
-        annotations:
-          external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}"
-          external-dns.home.arpa/enabled: "true"
-          hajimari.io/icon: video-input-antenna
-        hosts:
-          - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
-            paths:
-              - path: /
-                pathType: Prefix
-        tls:
-          - hosts:
-              - *host
-    resources:
-      requests:
-        cpu: 5m
-        memory: 10Mi
-      limits:
-        memory: 50Mi

kubernetes/apps/default/echo-server/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-echo-server
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/default/echo-server/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: echo-server
-      namespace: default
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/default/hajimari/app/helmrelease.yaml

@@ -1,68 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: hajimari
-  namespace: default
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: hajimari
-      version: 2.0.2
-      sourceRef:
-        kind: HelmRepository
-        name: hajimari
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    hajimari:
-      title: Apps
-      darkTheme: espresso
-      alwaysTargetBlank: true
-      showGreeting: false
-      showAppGroups: false
-      showAppStatus: false
-      showBookmarkGroups: false
-      showGlobalBookmarks: false
-      showAppUrls: false
-      defaultEnable: true
-      namespaceSelector:
-        matchNames:
-          - default
-    ingress:
-      main:
-        enabled: true
-        ingressClassName: nginx
-        annotations:
-          nginx.ingress.kubernetes.io/whitelist-source-range: |
-            10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-          hajimari.io/enable: "false"
-        hosts:
-          - host: &host "hajimari.${SECRET_DOMAIN}"
-            paths:
-              - path: /
-                pathType: Prefix
-        tls:
-          - hosts:
-              - *host
-    podAnnotations:
-      configmap.reloader.stakater.com/reload: hajimari-settings
-    persistence:
-      data:
-        enabled: true
-        type: emptyDir
-    resources:
-      requests:
-        cpu: 100m
-        memory: 128M

kubernetes/apps/default/hajimari/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-hajimari
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/default/hajimari/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: hajimari
-      namespace: default
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/default/kustomization.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./namespace.yaml
-  - ./echo-server/ks.yaml
-  - ./hajimari/ks.yaml

kubernetes/apps/flux-system/addons/ks.yaml

@@ -1,18 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-flux-webhooks
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/flux-system/addons/webhooks
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  wait: true
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml

@@ -1,26 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: flux-webhook
-  namespace: flux-system
-  annotations:
-    external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}"
-    external-dns.home.arpa/enabled: "true"
-    hajimari.io/enable: "false"
-spec:
-  ingressClassName: nginx
-  rules:
-    - host: &host "flux-webhook.${SECRET_DOMAIN}"
-      http:
-        paths:
-          - path: /hook/
-            pathType: Prefix
-            backend:
-              service:
-                name: webhook-receiver
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - *host

kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml

@@ -1,26 +0,0 @@
----
-apiVersion: notification.toolkit.fluxcd.io/v1beta1
-kind: Receiver
-metadata:
-  name: github-receiver
-  namespace: flux-system
-spec:
-  type: github
-  events:
-    - ping
-    - push
-  secretRef:
-    name: github-webhook-token-secret
-  resources:
-    - apiVersion: source.toolkit.fluxcd.io/v1beta2
-      kind: GitRepository
-      name: home-kubernetes
-      namespace: flux-system
-    - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-      kind: Kustomization
-      name: cluster
-      namespace: flux-system
-    - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-      kind: Kustomization
-      name: cluster-apps
-      namespace: flux-system

kubernetes/apps/flux-system/addons/webhooks/kustomization.yaml

@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./github

kubernetes/apps/flux-system/weave-gitops/app/helmrelease.yaml

@@ -1,60 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: weave-gitops
-  namespace: flux-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: weave-gitops
-      version: 4.0.12
-      sourceRef:
-        kind: HelmRepository
-        name: weave-gitops
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    adminUser:
-      create: true
-      username: admin
-    ingress:
-      enabled: true
-      className: nginx
-      annotations:
-        nginx.ingress.kubernetes.io/whitelist-source-range: |
-          10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-        hajimari.io/icon: sawtooth-wave
-      hosts:
-        - host: &host "gitops.${SECRET_DOMAIN}"
-          paths:
-            - path: /
-              pathType: Prefix
-      tls:
-        - hosts:
-            - *host
-    networkPolicy:
-      create: false
-    metrics:
-      enabled: true
-    rbac:
-      create: true
-      impersonationResourceNames: ["admin"]
-    podAnnotations:
-      secret.reloader.stakater.com/reload: weave-gitops-secret
-  valuesFrom:
-    - kind: Secret
-      name: weave-gitops-secret
-      valuesKey: adminPassword
-      targetPath: adminUser.passwordHash

kubernetes/apps/flux-system/weave-gitops/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-weave-gitops
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/flux-system/weave-gitops/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: weave-gitops
-      namespace: flux-system
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/kube-system/kube-vip/app/daemonset.yaml

@@ -1,72 +0,0 @@
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: kube-vip
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/instance: kube-vip
-    app.kubernetes.io/name: kube-vip
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: kube-vip
-      app.kubernetes.io/name: kube-vip
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: kube-vip
-        app.kubernetes.io/name: kube-vip
-    spec:
-      containers:
-        - name: kube-vip
-          image: ghcr.io/kube-vip/kube-vip:v0.5.8
-          imagePullPolicy: IfNotPresent
-          args: ["manager"]
-          env:
-            - name: vip_arp
-              value: "true"
-            - name: port
-              value: "6443"
-            - name: vip_cidr
-              value: "32"
-            - name: cp_enable
-              value: "true"
-            - name: cp_namespace
-              value: kube-system
-            - name: svc_enable
-              value: "false"
-            - name: vip_leaderelection
-              value: "true"
-            - name: vip_leaseduration
-              value: "15"
-            - name: vip_renewdeadline
-              value: "10"
-            - name: vip_retryperiod
-              value: "2"
-            - name: address
-              value: "${KUBE_VIP_ADDR}"
-          securityContext:
-            capabilities:
-              add: ["NET_ADMIN", "NET_RAW"]
-      hostAliases:
-        - hostnames:
-            - kubernetes
-          ip: 127.0.0.1
-      hostNetwork: true
-      serviceAccountName: kube-vip
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/master
-                    operator: Exists
-              - matchExpressions:
-                  - key: node-role.kubernetes.io/control-plane
-                    operator: Exists
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
-        - effect: NoExecute
-          operator: Exists

kubernetes/apps/kube-system/kube-vip/app/kustomization.yaml

@@ -1,10 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kube-system
-resources:
-  - ./rbac.yaml
-  - ./daemonset.yaml
-labels:
-  - pairs:
-      kustomize.toolkit.fluxcd.io/prune: disabled

kubernetes/apps/kube-system/kube-vip/app/rbac.yaml

@@ -1,44 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kube-vip
-  namespace: kube-system
-secrets:
-  - name: kube-vip
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
-  name: kube-vip
-  namespace: kube-system
-  annotations:
-    kubernetes.io/service-account.name: kube-vip
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-  name: system:kube-vip-role
-rules:
-  - apiGroups: [""]
-    resources: ["services", "services/status", "nodes"]
-    verbs: ["list", "get", "watch", "update"]
-  - apiGroups: ["coordination.k8s.io"]
-    resources: ["leases"]
-    verbs: ["list", "get", "watch", "update", "create"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: system:kube-vip-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system:kube-vip-role
-subjects:
-  - kind: ServiceAccount
-    name: kube-vip
-    namespace: kube-system

kubernetes/apps/kube-system/kube-vip/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-kube-vip
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/kube-system/kube-vip/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: apps/v1
-      kind: DaemonSet
-      name: kube-vip
-      namespace: kube-system
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/kube-system/kustomization.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./namespace.yaml
-  - ./kube-vip/ks.yaml
-  - ./local-path-provisioner/ks.yaml
-  - ./metrics-server/ks.yaml
-  - ./reloader/ks.yaml

kubernetes/apps/kube-system/local-path-provisioner/app/helmrelease.yaml

@@ -1,71 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: local-path-provisioner
-  namespace: kube-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: ./deploy/chart/local-path-provisioner
-      sourceRef:
-        kind: GitRepository
-        name: local-path-provisioner
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    helperImage:
-      repository: public.ecr.aws/docker/library/busybox
-      tag: latest
-    storageClass:
-      defaultClass: false
-    nodePathMap:
-      - node: DEFAULT_PATH_FOR_NON_LISTED_NODES
-        paths: ["/var/lib/rancher/k3s/storage"]
-    configmap:
-      setup: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        mkdir -m 0777 -p $${absolutePath}
-        chmod 701 $${absolutePath}/..
-      teardown: |-
-        #!/bin/sh
-        while getopts "m:s:p:" opt
-        do
-            case $opt in
-                p)
-                absolutePath=$OPTARG
-                ;;
-                s)
-                sizeInBytes=$OPTARG
-                ;;
-                m)
-                volMode=$OPTARG
-                ;;
-            esac
-        done
-        rm -rf $${absolutePath}

kubernetes/apps/kube-system/local-path-provisioner/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-local-path-provisioner
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/kube-system/local-path-provisioner/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: local-path-provisioner
-      namespace: kube-system
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml

@@ -1,37 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: metrics-server
-  namespace: kube-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: metrics-server
-      version: 3.8.3
-      sourceRef:
-        kind: HelmRepository
-        name: metrics-server
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    args:
-      - --kubelet-insecure-tls
-      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
-      - --kubelet-use-node-status-port
-      - --metric-resolution=15s
-    metrics:
-      enabled: true
-    serviceMonitor:
-      enabled: true

kubernetes/apps/kube-system/metrics-server/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-metrics-server
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/kube-system/metrics-server/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: metrics-server
-      namespace: kube-system
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/kube-system/reloader/app/helmrelease.yaml

@@ -1,34 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: reloader
-  namespace: &namespace kube-system
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: reloader
-      version: v1.0.2
-      sourceRef:
-        kind: HelmRepository
-        name: stakater
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    fullnameOverride: reloader
-    reloader:
-      reloadStrategy: annotations
-      podMonitor:
-        enabled: true
-        namespace: *namespace

kubernetes/apps/kube-system/reloader/app/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kube-system
-resources:
-  - ./helmrelease.yaml

kubernetes/apps/kube-system/reloader/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-reloader
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/kube-system/reloader/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: reloader
-      namespace: kube-system
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/monitoring/kubernetes-dashboard/app/helmrelease.yaml

@@ -1,51 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: kubernetes-dashboard
-  namespace: monitoring
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: kubernetes-dashboard
-      version: 6.0.0
-      sourceRef:
-        kind: HelmRepository
-        name: kubernetes-dashboard
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    env:
-      TZ: "${TIMEZONE}"
-    extraArgs:
-      - --enable-skip-login
-      - --disable-settings-authorizer
-      - --enable-insecure-login
-      - --token-ttl=43200
-    ingress:
-      enabled: true
-      className: nginx
-      annotations:
-        cert-manager.io/cluster-issuer: letsencrypt-staging
-        hajimari.io/icon: mdi:kubernetes
-      hosts:
-        - &host "kubernetes.${SECRET_DOMAIN}"
-      tls:
-        - hosts:
-            - *host
-          secretName: kubernetes-dashboard-tls
-    metricsScraper:
-      enabled: true
-    serviceMonitor:
-      enabled: false

kubernetes/apps/monitoring/kubernetes-dashboard/app/kustomization.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: monitoring
-resources:
-  - ./rbac.yaml
-  - ./helmrelease.yaml

kubernetes/apps/monitoring/kubernetes-dashboard/app/rbac.yaml

@@ -1,41 +0,0 @@
-# For dashboard sign in token:
-# kubectl -n monitoring get secret kubernetes-dashboard -o jsonpath='{.data.token}' | base64 -d
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kubernetes-dashboard
-  namespace: monitoring
-  labels:
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-    meta.helm.sh/release-name: kubernetes-dashboard
-    meta.helm.sh/release-namespace: monitoring
-secrets:
-  - name: kubernetes-dashboard
----
-apiVersion: v1
-kind: Secret
-type: kubernetes.io/service-account-token
-metadata:
-  name: kubernetes-dashboard
-  namespace: monitoring
-  labels:
-    app.kubernetes.io/managed-by: Helm
-  annotations:
-    meta.helm.sh/release-name: kubernetes-dashboard
-    meta.helm.sh/release-namespace: monitoring
-    kubernetes.io/service-account.name: kubernetes-dashboard
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: system:kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: kubernetes-dashboard
-    namespace: monitoring

kubernetes/apps/monitoring/kubernetes-dashboard/ks.yaml

@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-kubernetes-dashboard
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/monitoring/kubernetes-dashboard/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: kubernetes-dashboard
-      namespace: monitoring
-  interval: 30m
-  retryInterval: 1m
-  timeout: 3m

kubernetes/apps/monitoring/kustomization.yaml

@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ./namespace.yaml
-  - ./kubernetes-dashboard/ks.yaml

kubernetes/apps/monitoring/namespace.yaml

@@ -1,7 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: monitoring
-  labels:
-    kustomize.toolkit.fluxcd.io/prune: disabled

kubernetes/apps/networking/cloudflare-ddns/app/cloudflare-ddns.sh

@@ -1,39 +0,0 @@
-#!/usr/bin/env bash
-
-set -o nounset
-set -o errexit
-
-current_ipv4="$(curl -s https://ipv4.icanhazip.com/)"
-zone_id=$(curl -s -X GET \
-    "https://api.cloudflare.com/client/v4/zones?name=${CLOUDFLARE_RECORD_NAME#*.}&status=active" \
-    -H "X-Auth-Email: ${CLOUDFLARE_EMAIL}" \
-    -H "X-Auth-Key: ${CLOUDFLARE_APIKEY}" \
-    -H "Content-Type: application/json" \
-        | jq --raw-output ".result[0] | .id"
-)
-record_ipv4=$(curl -s -X GET \
-    "https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records?name=${CLOUDFLARE_RECORD_NAME}&type=A" \
-    -H "X-Auth-Email: ${CLOUDFLARE_EMAIL}" \
-    -H "X-Auth-Key: ${CLOUDFLARE_APIKEY}" \
-    -H "Content-Type: application/json" \
-)
-old_ip4=$(echo "$record_ipv4" | jq --raw-output '.result[0] | .content')
-if [[ "${current_ipv4}" == "${old_ip4}" ]]; then
-    printf "%s - IP Address '%s' has not changed" "$(date -u)" "${current_ipv4}"
-    exit 0
-fi
-record_ipv4_identifier="$(echo "$record_ipv4" | jq --raw-output '.result[0] | .id')"
-update_ipv4=$(curl -s -X PUT \
-    "https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_ipv4_identifier}" \
-    -H "X-Auth-Email: ${CLOUDFLARE_EMAIL}" \
-    -H "X-Auth-Key: ${CLOUDFLARE_APIKEY}" \
-    -H "Content-Type: application/json" \
-    --data "{\"id\":\"${zone_id}\",\"type\":\"A\",\"proxied\":true,\"name\":\"${CLOUDFLARE_RECORD_NAME}\",\"content\":\"${current_ipv4}\"}" \
-)
-if [[ "$(echo "$update_ipv4" | jq --raw-output '.success')" == "true" ]]; then
-    printf "%s - Success - IP Address '%s' has been updated" "$(date -u)" "${current_ipv4}"
-    exit 0
-else
-    printf "%s - Yikes - Updating IP Address '%s' has failed" "$(date -u)" "${current_ipv4}"
-    exit 1
-fi

kubernetes/apps/networking/cloudflare-ddns/app/helmrelease.yaml

@@ -1,53 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: cloudflare-ddns
-  namespace: networking
-spec:
-  interval: 15m
-  chart:
-    spec:
-      chart: app-template
-      version: 1.2.1
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  maxHistory: 3
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    controller:
-      type: cronjob
-      cronjob:
-        concurrencyPolicy: Forbid
-        schedule: "@hourly"
-    restartPolicy: OnFailure
-    image:
-      repository: ghcr.io/onedr0p/kubernetes-kubectl
-      tag: 1.26.1@sha256:c85224928b2e384e63bd8c9ba89753dd3d1cd9c178350d83efa3182b480c31a0
-    command: ["/bin/bash", "/app/cloudflare-ddns.sh"]
-    envFrom:
-      - secretRef:
-          name: cloudflare-ddns-secret
-    service:
-      main:
-        enabled: false
-    persistence:
-      config:
-        enabled: true
-        type: configMap
-        name: cloudflare-ddns-configmap
-        subPath: cloudflare-ddns.sh
-        mountPath: /app/cloudflare-ddns.sh
-        defaultMode: 0775
-        readOnly: true

kubernetes/apps/networking/cloudflare-ddns/app/kustomization.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: networking
-resources:
-  - ./secret.sops.yaml
-  - ./helmrelease.yaml
-configMapGenerator:
-  - name: cloudflare-ddns-configmap
-    files:
-      - ./cloudflare-ddns.sh
-generatorOptions:
-  disableNameSuffixHash: true
-  annotations:
-    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/networking/cloudflare-ddns/ks.yaml

@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: cluster-apps-cloudflare-ddns
-  namespace: flux-system
-  labels:
-    substitution.flux.home.arpa/enabled: "true"
-spec:
-  path: ./kubernetes/apps/networking/cloudflare-ddns/app
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-kubernetes
-  healthChecks:
-    - apiVersion: helm.toolkit.fluxcd.io/v2beta1
-      kind: HelmRelease
-      name: cloudflare-ddns
-      namespace: networking
-  interval: 30m
-  timeout: 5m