Compare commits


44 Commits

Author SHA1 Message Date
230d830612 enable nginx dev 2025-04-05 02:38:17 -04:00
f843c7eaa3 certbot for dev 2025-04-05 02:12:24 -04:00
076757e1f8 troubleshoot build 2025-04-05 01:08:32 -04:00
0b1c18a3a0 troubleshoot build 2025-04-05 00:15:34 -04:00
f47ad625da troubleshoot build 2025-04-05 00:13:16 -04:00
2b56d30666 aur builder become changes 2025-04-05 00:07:14 -04:00
c12dfc18ce no become for delegated task 2025-04-04 23:43:36 -04:00
814a642cc0 delegate secret lookup 2025-04-04 23:42:51 -04:00
8cad395e34 aur repo host secret lookup 2025-04-04 23:41:35 -04:00
eb360951a1 aur repo host vars 2025-04-04 23:24:58 -04:00
9601aa4937 hashi vault lookups 2025-04-04 23:08:01 -04:00
81319370b1 wip 2025-03-13 08:59:00 -04:00
76f6f78112 add backup, readarr 2025-01-20 16:31:17 -05:00
9b0edab903 add jellyfin to media compose 2025-01-14 14:18:24 -05:00
c377f1a7d1 add prowlarr and sonarr 2025-01-12 14:18:23 -05:00
7f5a35d936 add radarr service 2025-01-12 00:03:26 -05:00
7b9f0e0ca5 add gallery cname 2025-01-04 01:20:36 -05:00
a490e4ad92 unifi nearly done 2024-12-30 22:35:25 -05:00
6734d78bef adjust nginx cert 2024-12-30 20:09:09 -05:00
6722ab4138 Syncthing working on truenas 2024-12-30 20:08:30 -05:00
e76d1a1f88 more apps 2024-12-30 01:18:40 -05:00
c090cc9cbe add minio to truenas 2024-12-25 01:04:30 -05:00
8ab3783a2b Add sops config 2024-12-23 23:52:05 -05:00
cdf20ba9ef Add sops kms keys 2024-12-23 18:35:04 -05:00
f0b3388e8d aws kms 2024-12-21 01:26:55 -05:00
27e2fc6058 truenas 2024-12-21 00:17:04 -05:00
b622bb29df matrix dns 2024-12-20 00:58:24 -05:00
bde6a5f208 dns and talos 2024-12-18 15:42:45 -05:00
85d6fe5056 Merge remote-tracking branch 'refs/remotes/origin/main' 2024-12-09 23:36:16 -05:00
098f63fa5b talos 2024-12-09 23:34:13 -05:00
43fc89a966 mayastor 2024-12-09 02:08:04 -05:00
7aa2992228 talos wip 2024-12-08 01:36:48 -05:00
1775e24a45 add more dns records 2024-11-29 01:35:04 -05:00
d6983b4744 add syanpse mgmt playbooks 2024-10-30 01:52:00 -04:00
29cb12a2d1 tf dns wip 2024-10-26 16:48:20 +13:00
9464737fe9 cred test 2024-10-24 18:43:21 +13:00
14fc10a10a Cloudflare DNS via TF 2024-10-24 18:39:30 +13:00
fe38bebbd5 cloudflare dns 2024-10-23 00:22:32 -04:00
bad78681c6 Merge remote-tracking branch 'refs/remotes/origin/main' 2024-05-16 21:52:18 +12:00
c8ab4633ca change qbittorrent data dir 2024-05-16 21:50:48 +12:00
627343b50f add nuc playbook 2024-05-16 21:35:45 +12:00
2d31a5524f resolve merge 2024-05-12 21:58:05 +12:00
2981bdb22f Merge remote-tracking branch 'refs/remotes/origin/main' 2024-05-12 21:57:52 +12:00
84930795b6 temp comment out roles 2024-05-12 21:55:37 +12:00
60 changed files with 2814 additions and 83 deletions

11
.gitignore vendored

@ -2,6 +2,14 @@
**/.terraform/*
**/.terraform
.ansible/
.vscode/
ansible/collections/**
# registry password file
distribution/htpasswd
# .tfstate files
*.tfstate
*.tfstate.*
@ -9,6 +17,9 @@
# Terraform lock file
**/.terraform.lock.hcl
# Terraform secrets file
**/secrets.auto.tfvars
# Crash log files
crash.log
crash.*.log

10
.sops.yaml Normal file

@ -0,0 +1,10 @@
creation_rules:
- path_regex: (secret|secrets)\.(yml|yaml)$
unencrypted_regex: ^(apiVersion|kind|name|namespace|type)$
kms: 'arn:aws:kms:us-east-1:140023401248:key/c51c2cc5-4e8e-484d-b2f0-4d4ec2039938'
# kms:
# - arn: 'arn:aws:kms:us-east-1:140023401248:key/c51c2cc5-4e8e-484d-b2f0-4d4ec2039938'
# aws_profile: home
age: 'age1k5y5gj5fzpwtjgzqd4n93h4h9ek9jz8898rva5zsgj7zjet97ytq4dtzjs'
hc_vault_transit_uri: 'https://vault.balsillie.net:443/v1/sops/keys/krds'
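Review bot: Putting `kms`, `age` and `hc_vault_transit_uri` in one flat creation rule means each of those three keys can decrypt every matching file on its own, because sops wraps the data key to each master key independently; if the intent is defence in depth rather than three independent recovery paths, split them into `key_groups` and set `shamir_threshold: 2` so two key services must cooperate. The commented-out `kms:` list form duplicates the live `kms:` string and should be dropped rather than left as dead config. `path_regex` only matches files literally named `secret(s).yml|yaml`, so the vault-backed group_vars and host_vars added elsewhere in this commit are outside its scope; a comment such as `# only *secret(s).yaml are sops-managed; other secrets come from Vault lookups at runtime` would make that split explicit.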


@ -23,5 +23,5 @@
"checkForMinikubeUpgrade": true,
"imageBuildTool": "Docker"
},
"ansible.python.interpreterPath": "/usr/bin/python3"
"ansible.python.interpreterPath": "/usr/bin/python"
}


@ -0,0 +1,23 @@
# code: language=ansible
aur_repo_packager_name: "Balsillie Family"
aur_repo_packager_email: "admin@balsillie.net"
aur_repo_dir: "/aur"
aur_repo_build_account: "aur-builder"
aur_repo_host_packages:
- pikaur
- jellyfin-media-player # If you get errors relating to icu, check 'icu' package version and perform a system update
- git-credential-keepassxc
- docker-credential-secretservice-bin
- ventoy-bin
- debtap
- aurutils
- ipmiview
- powershell-bin
- visual-studio-code-bin
- ttf-ms-fonts
- brave-bin
- teamviewer
- vmware-horizon-client


@ -0,0 +1,17 @@
# code: language=ansible
# Connection (SSH)
ansible_connection: ansible.builtin.ssh
ansible_ssh_host: dev.balsillie.house
ansible_ssh_port: 22
ansible_ssh_host_key_checking: false
ansible_ssh_pipelining: false
ansible_ssh_user: ladmin
ansible_ssh_private_key_file: ~/.ssh/conf.d/home/dev.balsillie.house.key
# Become (sudo)
ansible_become_method: ansible.builtin.sudo
ansible_become_user: root
ansible_become_password: "{{ lookup('community.hashi_vault.vault_kv1_get', 'ansible/host_vars/dev.balsillie.house/ansible_connection').secret.ansible_become_password }}" # noqa yaml[line-length]
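Review bot: `ansible_ssh_host_key_checking: false` turns off SSH host-key verification for this host, so a spoofed `dev.balsillie.house` could terminate the `ladmin` key session and receive the Vault-sourced become password; keep the default of `true` and pin the host key in `known_hosts` instead. `ansible_ssh_host` and `ansible_ssh_user` are the legacy aliases; the current names are `ansible_host` and `ansible_user`, which the local-connection host_vars added in this same commit already use. The `# noqa yaml[line-length]` on the become-password line can be avoided with a folded `>-` scalar.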


@ -0,0 +1,17 @@
# code: language=ansible
certbot_rfc2136_server: '10.208.240.1'
certbot_rfc2136_key_name: 'rndc-house'
certbot_rfc2136_key_algorithm: 'hmac-sha256'
certbot_cloudflare_api_token: "{{ lookup('community.hashi_vault.vault_kv1_get', 'cloudflare/balsillie.house/dns').secret.api_token }}" # noqa yaml[line-length]
certbot_dns_propagation_seconds: 15
certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
certbot_dns_plugin: 'cloudflare'
certbot_email: "certbot.dev@balsillie.email"
certbot_acme_server: "acme-v02.api.letsencrypt.org"
certbot_domains:
- repo.balsillie.house
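Review bot: `certbot_rfc2136_server`, `certbot_rfc2136_key_name` and `certbot_rfc2136_key_algorithm` are defined although `certbot_dns_plugin` is `cloudflare`, so they read as copy-paste leftovers; if they exist only so an unconditional rfc2136 credentials template in the role does not fail on undefined variables, that is a role defect rather than a reason to ship DNS-key settings for the wrong plugin. Once the role guards that task with `when: certbot_dns_plugin == 'rfc2136'`, these three keys can go, leaving each host's vars limited to what its plugin actually uses.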


@ -0,0 +1,9 @@
# code: language=ansible
nginx_sites:
- name: repo.balsillie.house
type: site
autoindex: 'on'
root: /var/www/aur
nginx_user: "http"


@ -1,45 +0,0 @@
aur_repo_packager_name: "Balsillie Family"
aur_repo_packager_email: "admin@balsillie.net"
aur_repo_dir: "/aur"
aur_repo_build_account: "aur-builder"
aur_repo_host_packages:
- kodi-addon-game-libretro-desmume # Nintendo DS
- kodi-addon-game-libretro-gambatte # Gameboy / Gameboy Colour
- kodi-addon-game-libretro-mgba # Gameboy Advance
- kodi-addon-game-libretro-nestopia # Nintendo
- kodi-addon-game-libretro-scummvm # ScummVM
- kodi-addon-game-libretro-snes9x # Super Nintendo
- kodi-addon-game-libretro-parallel-n64 # Nintendo 64
- kodi-addon-vfs-sftp
- kodi-standalone-service
- proton-ge-custom-bin
- pikaur
- sonarr
- radarr
- lidarr
- prowlarr
- bazarr
- jellyfin-media-player
- moonlight-qt-bin
- git-credential-keepassxc
- docker-credential-secretservice-bin
- obs-backgroundremoval
- ventoy-bin
- debtap
- aurutils
- pikaur
- kdocker
- ipmiview
- protonvpn
- protonmail-bridge
- powershell-bin
- azure-cli-bin
- microsoft-edge-stable-bin
- teams-for-linux-bin
- visual-studio-code-bin
- ttf-ms-fonts
- brave-bin
- teamviewer
- vmware-horizon-client


@ -23,7 +23,7 @@ docker_volumes:
driver: local
driver_options:
type: none
device: /media/nvme/downloads
device: /downloads
o: bind
- name: torrent-config
driver: local
@ -78,4 +78,4 @@ docker_containers:
net.ipv6.conf.all.disable_ipv6: 1
volumes:
- torrent-config:/config:rw
- torrent-data:/data:rw
- torrent-data:/downloads:rw


@ -0,0 +1,3 @@
---
sonarr_var: "sonarr_value"


@ -1,5 +1,5 @@
torrent_user: kodi
torrent_downloads_dir: /media/nvme/downloads
torrent_downloads_dir: /downloads
torrent_wireguard_address: 10.2.0.2
torrent_wireguard_dns: 10.2.0.1


@ -0,0 +1 @@
synapse_host_address: matrix.balsillie.net


@ -0,0 +1,4 @@
ansible_connection: local
ansible_user: ladmin
ansible_become_user: root
ansible_become_method: sudo


@ -0,0 +1,11 @@
certbot_rfc2136_server: '10.208.240.1'
certbot_rfc2136_key_name: 'rndc-house'
certbot_rfc2136_key_algorithm: 'hmac-sha256'
certbot_webserver_type: 'nginx' # 'nginx' or 'apache'
certbot_dns_plugin: 'rfc2136'
certbot_email: "certbot.kodi00@balsillie.email"
certbot_acme_server: "acme-v02.api.letsencrypt.org"
certbot_domains:
- xmr.balsillie.house


@ -1,5 +1,8 @@
all:
children:
aur_repo_hosts:
hosts:
dev.balsillie.house:
firewalls:
children:
opnsense:
@ -23,6 +26,7 @@ all:
kube00.balsillie.house:
lat5420.balsillie.house:
lat7490.balsillie.house:
nuc.balsillie.house:
servers:
children:
hypervisors:
@ -46,6 +50,9 @@ all:
hosts:
hv00.balsillie.house:
kube00.balsillie.house:
nas:
hosts:
nas.balsillie.house:
workstations:
children:
arch:
@ -53,6 +60,7 @@ all:
lat5420.balsillie.house:
sff.balsillie.house:
kodi00.balsillie.house:
nuc.balsillie.house:
windows:
hosts:
lat7490.balsillie.house:
@ -66,6 +74,7 @@ all:
sff.balsillie.house:
mp00.balsillie.house:
kodi00.balsillie.house:
nuc.balsillie.house:
kodi:
hosts:
kodi00.balsillie.house:


@ -0,0 +1,10 @@
# code: language=ansible
- name: AUR Repo
hosts: aur_repo_hosts
become: true
gather_facts: true
roles:
# - certbot
- nginx
# - aur_repo_host


@ -6,5 +6,5 @@
gather_facts: true
become: true
roles:
- role: aur_repo_host
# - role: aur_repo_host
- role: nginx


@ -12,3 +12,4 @@
# - role: aur_repo_client
# - role: arr
- role: torrent
# - role: sonarr


@ -0,0 +1,9 @@
---
- name: Setup NUC
hosts:
- nuc.balsillie.house
gather_facts: true
become: true
roles:
- role: certbot

1
ansible/playbooks/roles Symbolic link

@ -0,0 +1 @@
../roles


@ -0,0 +1,44 @@
# code: language=ansible
- name: Clean Synapse
hosts: localhost
connection: local
become: false
gather_facts: false
tasks:
- name: Get room list
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms?limit=1000"
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
register: room_list
- name: Set empty_rooms fact
ansible.builtin.set_fact:
empty_rooms: "{{ room_list.json.rooms | selectattr('joined_local_members', '==', 0) | list }}"
- name: Debug empty room count
ansible.builtin.debug:
msg: "Total empty rooms to delete: {{ empty_rooms | length }}"
- name: Delete empty rooms
when: empty_rooms | length > 0
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/{{ room.room_id }}"
method: DELETE
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
body_format: json
body: {}
loop: "{{ empty_rooms }}"
loop_control:
loop_var: room
label: "{{ room.room_id }}"
register: purge_ids
- name: Write purge_ids to file
ansible.builtin.copy:
dest: "{{ playbook_dir }}/purge_ids_{{ now(utc=false, fmt='%Y-%m-%d_%H-%M-%S') }}.json"
content: "{{ purge_ids.results | map(attribute='json.delete_id') | list | to_nice_json }}"
mode: "0664"
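Review bot: `Get room list` requests `rooms?limit=1000` and never follows pagination, so on a server with more rooms `empty_rooms` silently omits everything after the first page and the purge is incomplete; the rooms admin API returns a `next_batch` value that should drive a follow-up request, and the same hard-coded limit is used by the room-listing play further down. The registered `room_list` and `purge_ids` results carry the module arguments, so when the play runs verbosely the bearer header is echoed; `no_log: true` on the `uri` tasks, or a comment `# admin token is echoed in -vvv output; do not run verbosely into shared logs`, would address that. Deleting rooms with `joined_local_members == 0` is irreversible, so a `pause`/confirmation step or `check_mode` guard between the debug count and the delete loop would be a cheap safety net.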


@ -0,0 +1,28 @@
# code: language=ansible
- name: Clean Synapse
hosts: localhost
connection: local
become: false
gather_facts: false
vars_prompt:
- name: room_id
prompt: "Enter the room ID to delete"
private: false
tasks:
- name: Delete room
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/{{ room_id }}"
method: DELETE
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
body_format: json
body: {}
register: purge_id
- name: Wait for purge to complete
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/delete_status/{{ item }}"
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
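Review bot: `Wait for purge to complete` builds its URL from `{{ item }}`, but the identifier returned by `Delete room` is `purge_id.json.delete_id`; unless a `loop:` follows in the lines this hunk does not show (the header declares 28 lines and fewer are visible), `item` is undefined and the task fails. A task that waits also needs `register`, `until: <result>.json.status == 'complete'`, `retries` and `delay` to actually poll instead of querying once.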


@ -0,0 +1,19 @@
# code: language=ansible
- name: Clean Synapse
hosts: localhost
connection: local
become: false
gather_facts: false
tasks:
- name: Get room details
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms?limit=1000"
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
register: result
- name: Print result
ansible.builtin.debug:
var: result.json.rooms | map(attribute='room_id') | list


@ -0,0 +1,19 @@
# code: language=ansible
- name: Clean Synapse
hosts: localhost
connection: local
become: false
gather_facts: false
tasks:
- name: Get large rooms
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v1/statistics/database/rooms"
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
register: result
- name: Print result
ansible.builtin.debug:
var: result.json


@ -0,0 +1,44 @@
# code: language=ansible
- name: Clean Synapse
hosts: localhost
connection: local
become: false
gather_facts: false
vars_prompt:
- name: "purge_ids_file"
prompt: "Enter the file name containing the purge ids"
private: false
tasks:
- name: Load purge ids
ansible.builtin.slurp:
src: "{{ playbook_dir }}/{{ purge_ids_file }}"
register: purge_ids
- name: Set purge_ids_list fact
ansible.builtin.set_fact:
purge_ids_list: "{{ purge_ids.content | b64decode | from_json }}"
- name: Get purge status
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v2/rooms/delete_status/{{ item }}"
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
loop: "{{ purge_ids_list }}"
register: purge_status
- name: Set purge_satus_totals
ansible.builtin.set_fact:
purge_status_shutting_down: "{{ purge_status.results | selectattr('json.status', '==', 'shutting_down') | list | length }}"
purge_status_purging: "{{ purge_status.results | selectattr('json.status', '==', 'purging') | list | length }}"
purge_status_complete: "{{ purge_status.results | selectattr('json.status', '==', 'complete') | list | length }}"
purge_status_failed: "{{ purge_status.results | selectattr('json.status', '==', 'failed') | list | length }}"
- name: Print status
ansible.builtin.debug:
msg: |
Shutting down: {{ purge_status_shutting_down }}
Purging: {{ purge_status_purging }}
Complete: {{ purge_status_complete }}
Failed: {{ purge_status_failed }}"
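Review bot: The `msg: |` block on `Print status` ends with a stray `"` after `{{ purge_status_failed }}`, which is printed literally because a literal block scalar does not treat quotes specially; drop it. The task name `Set purge_satus_totals` has a typo (`status`). The four `selectattr(...) | length` facts are computed from a single `purge_status.results`, so a short comment above them, `# one count per delete_status value reported by the v2 rooms API`, would document the expected status vocabulary.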


@ -0,0 +1,23 @@
# code: language=ansible
- name: Clean Synapse
hosts: localhost
connection: local
become: false
gather_facts: false
vars_prompt:
- name: room_id
prompt: "Enter the room ID to fetch"
private: false
tasks:
- name: Get room details
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms/{{ room_id }}"
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
register: result
- name: Print result
ansible.builtin.debug:
var: result.json


@ -0,0 +1,23 @@
# code: language=ansible
- name: Room members
hosts: localhost
connection: local
become: false
gather_facts: false
vars_prompt:
- name: room_id
prompt: "Enter the room ID to fetch"
private: false
tasks:
- name: Get room details
ansible.builtin.uri:
url: "https://{{ synapse_host_address }}/_synapse/admin/v1/rooms/{{ room_id }}/members"
headers:
Authorization: "Bearer {{ synapse_admin_token }}"
register: result
- name: Print result
ansible.builtin.debug:
var: result.json


@ -0,0 +1,17 @@
---
- name: Configure Truenas
hosts: truenas
become: false
tasks:
- name: Install required packages
package:
name: "{{ item }}"
state: present
with_items:
- py37-ansible
- py37-pip
- py37-netifaces
- py37-netaddr
- py37-requests
- py37-yaml
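Review bot: `Install required packages` loops `package` once per item via `with_items`, which is the legacy loop form and runs one package-manager transaction per package; pass the list straight to `name:` and drop the loop so the module installs everything in one call. The bare `package` module should be written `ansible.builtin.package` to match the fully qualified names used in the other new playbooks. `gather_facts` is left at its default, so facts are collected on a host where this play is presumably installing the Python modules Ansible needs; if that is the bootstrap order, `gather_facts: false` is safer here.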


@ -1,5 +1,17 @@
---
- name: Lookup aur_repo_host secret
delegate_to: localhost
become: false
community.hashi_vault.vault_kv1_get:
path: ansible/group_vars/aur_repo_hosts
register: aur_repo_host_secret
- name: Set aur_repo facts
ansible.builtin.set_fact:
aur_repo_private_key: "{{ aur_repo_host_secret.secret.aur_repo_private_key }}"
aur_repo_key_thumbprint: "{{ aur_repo_host_secret.secret.aur_repo_key_thumbprint }}"
- name: Create the makepkg drop-in config file
ansible.builtin.template:
dest: /etc/makepkg.conf.d/makepkg.conf
@ -50,13 +62,13 @@
- /tmp/build
- name: Check if the signing key is in build user's keyring
become: true
become_user: "{{ aur_repo_build_account }}"
ansible.builtin.command:
cmd: gpg2 --list-secret-key --with-colons {{ aur_repo_key_thumbprint }}
failed_when: key_result.rc not in [0, 2]
changed_when: false
register: key_result
vars:
ansible_become_user: "{{ aur_repo_build_account }}"
- name: GPG key import block
when: key_result.rc == 2
@ -71,11 +83,11 @@
mode: "0600"
- name: Import the signing key
become: true
become_user: "{{ aur_repo_build_account }}"
ansible.builtin.command:
cmd: gpg2 --import /tmp/build/signing_key.asc
changed_when: true
vars:
ansible_become_user: "{{ aur_repo_build_account }}"
- name: Delete the signing key
ansible.builtin.file:
@ -128,16 +140,14 @@
update_cache: false
- name: Build aurutils
become: true
become_user: "{{ aur_repo_build_account }}"
ansible.builtin.command:
cmd: makepkg
chdir: /tmp/aurutils
creates: "{{ aur_repo_dir }}/packages/aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar"
vars:
ansible_become_user: "{{ aur_repo_build_account }}"
- name: Update repo database
become: true
become_user: "{{ aur_repo_build_account }}"
ansible.builtin.command:
argv:
- repo-add
@ -150,6 +160,8 @@
- aurutils-{{ aurutils_pkgver }}-{{ aurutils_pkgrel }}-{{ aurutils_arch }}.pkg.tar
chdir: "{{ aur_repo_dir }}/packages"
changed_when: true
vars:
ansible_become_user: "{{ aur_repo_build_account }}"
- name: Check if the signing key is in pacman keyring
ansible.builtin.command:
@ -200,28 +212,28 @@
state: present
update_cache: true
- name: Enable the multilib repository
ansible.builtin.replace:
path: /etc/pacman.conf
backup: true
regexp: '^[#]?\[multilib\]\n[#]?Include = \/etc\/pacman.d\/mirrorlist$'
replace: '[multilib]\nInclude = /etc/pacman.d/mirrorlist'
register: multilib_enable
# - name: Enable the multilib repository
# ansible.builtin.replace:
# path: /etc/pacman.conf
# backup: true
# regexp: '^[#]?\[multilib\]\n[#]?Include = \/etc\/pacman.d\/mirrorlist$'
# replace: '[multilib]\nInclude = /etc/pacman.d/mirrorlist'
# register: multilib_enable
- name: Update the package database # noqa: no-handler
when: multilib_enable.changed
community.general.pacman:
update_cache: true
# - name: Update the package database if multilib was enabled # noqa: no-handler
# when: multilib_enable.changed | default(false)
# community.general.pacman:
# update_cache: true
- name: Sync AUR packages
become: true
become_user: "{{ aur_repo_build_account }}"
ansible.builtin.command:
cmd: aur sync --no-view -CnrS {{ item }}
loop: "{{ aur_repo_host_packages }}"
register: aur_sync_result
changed_when: (aur_sync_result.stderr_lines | last | replace(':','')) != "sync there is nothing to do"
failed_when: aur_sync_result.rc != 0
vars:
ansible_become_user: "{{ aur_repo_build_account }}"
- name: Add the root www folder if it doesn't exist
ansible.builtin.file:
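Review bot: `Lookup aur_repo_host secret` registers the entire Vault response and `Set aur_repo facts` copies `aur_repo_private_key` into a fact, so the signing private key now lives in a registered variable, in verbose task output and in any configured fact cache; add `no_log: true` to both tasks in the first hunk of this file. The change from `become_user:` to `vars: ansible_become_user:` is repeated on five tasks, and the reason for preferring it is not visible here; a one-line comment above the first occurrence would keep the next maintainer from reverting it. The commented-out multilib tasks and the now-unused `# noqa: no-handler` are dead text and should be removed rather than kept, since git history preserves them.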


@ -26,6 +26,15 @@
group: root
mode: '0600'
- name: Template out cloudflare credentials file
when: certbot_dns_plugin == 'cloudflare'
ansible.builtin.template:
src: "{{ certbot_dns_plugin }}.conf.j2"
dest: "/etc/letsencrypt/{{ certbot_dns_plugin }}.conf"
owner: root
group: root
mode: '0600'
- name: Template out the certbot default config
ansible.builtin.template:
src: cli.ini.j2
@ -43,13 +52,13 @@
- --dns-{{ certbot_dns_plugin }}
- --dns-{{ certbot_dns_plugin }}-credentials
- /etc/letsencrypt/{{ certbot_dns_plugin }}.conf
- --dns-rfc2136-propagation-seconds
- "{{ certbot_rfc2136_propagation_seconds | default(5) }}"
- --dns-{{ certbot_dns_plugin }}-propagation-seconds
- "{{ certbot_dns_propagation_seconds | default(10) }}"
- -d
- "{{ item }}"
creates: /etc/letsencrypt/live/{{ item }}/fullchain.pem
loop: "{{ certbot_domains }}"
notify: "{{ certbot_notify }}"
notify: "{{ certbot_notify | default(omit) }}"
- name: Enable certbot renewal
ansible.builtin.service:
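Review bot: `Template out cloudflare credentials file` is guarded by `when: certbot_dns_plugin == 'cloudflare'`, but the task immediately above it (only its `group`/`mode` lines are in the hunk) apparently templates the rfc2136 credentials unconditionally, which would explain why the cloudflare host_vars in this commit still carry `certbot_rfc2136_*` values; give that task the matching `when: certbot_dns_plugin == 'rfc2136'`. Renaming `certbot_rfc2136_propagation_seconds` to `certbot_dns_propagation_seconds` and changing the default from 5 to 10 silently affects existing hosts that set only the old name; either accept the old name as a fallback, `"{{ certbot_dns_propagation_seconds | default(certbot_rfc2136_propagation_seconds | default(10)) }}"`, or note the rename in the role's defaults.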


@ -0,0 +1 @@
dns_cloudflare_api_token = {{ certbot_cloudflare_api_token }}


@ -41,7 +41,7 @@
- docker_volumes | length > 0
community.general.docker_volume:
driver: "{{ item.driver | default('local') }}"
# driver_options: "{{ item.driver_options | default({}) }}"
driver_options: "{{ item.driver_options | default({}) }}"
recreate: "never"
state: "present"
volume_name: "{{ item.name }}"


@ -69,6 +69,7 @@
notify: Restart nginx
- name: Template out nginx reverse proxy configs
when: item.type == "proxy"
ansible.builtin.template:
src: nginx-proxy.conf.j2
dest: /etc/nginx/sites-available/{{ item.name }}.conf
@ -76,10 +77,10 @@
group: root
mode: "0644"
loop: "{{ nginx_sites }}"
when: item.type == "proxy"
notify: Restart nginx
- name: Template out nginx site configs
when: item.type == "site"
ansible.builtin.template:
src: nginx-site.conf.j2
dest: /etc/nginx/sites-available/{{ item.name }}.conf
@ -87,7 +88,6 @@
group: root
mode: "0644"
loop: "{{ nginx_sites }}"
when: item.type == "site"
notify: Restart nginx
- name: Enable site configs
@ -98,12 +98,12 @@
loop: "{{ nginx_sites }}"
notify: Restart nginx
- name: Run certbot role to install certificates
ansible.builtin.include_role:
name: certbot
vars:
certbot_domains: "{{ nginx_sites | map(attribute='name') }}"
certbot_notify: "Restart nginx"
# - name: Run certbot role to install certificates
# ansible.builtin.include_role:
# name: certbot
# vars:
# certbot_domains: "{{ nginx_sites | map(attribute='name') }}"
# certbot_notify: "Restart nginx"
- name: Start and enable nginx
ansible.builtin.service:
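Review bot: `Run certbot role to install certificates` is commented out rather than removed, and the dev playbook in this commit also comments out `certbot` in its roles list, so nothing now issues the certificate that the `repo.balsillie.house` site presumably references; if the nginx site template expects `/etc/letsencrypt/live/...` paths, a fresh host fails at `Start and enable nginx`. Either delete the dead block (git keeps it) or gate it with an explicit variable, e.g. `when: nginx_manage_certs | default(true)`, so the behaviour is a documented switch instead of a comment toggle. Moving `when:` above the module call on the proxy and site tasks is a welcome consistency fix.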

72
compose/backup.yaml Normal file

@ -0,0 +1,72 @@
name: backup
networks:
backup:
attachable: true
driver: macvlan
driver_opts:
macvlan_mode: bridge
parent: enp1s0
enable_ipv6: false
external: false
internal: false
ipam:
config:
- subnet: "10.96.30.0/24"
ip_range: "10.96.30.224/28"
gateway: "10.96.30.254"
name: backup
services:
certbot:
container_name: certbot
image: certbot/dns-cloudflare
pull_policy: always
restart: "no"
networks:
backup:
ipv4_address: 10.96.30.11
link_local_ips: []
command: >-
certonly --dns-cloudflare
--dns-cloudflare-credentials /etc/letsencrypt/credentials.ini
--dns-cloudflare-propagation-seconds 20
--email certbot-backup@balsillie.email
--non-interactive
--expand
--no-eff-email
--agree-tos
-d backup.balsillie.house
volumes:
- /mnt/md/backup/letsencrypt/etc:/etc/letsencrypt
- /mnt/md/backup/letsencrypt/var:/var/lib/letsencrypt
backup:
container_name: backup
image: restic/rest-server:latest
pull_policy: always
depends_on:
certbot:
condition: service_completed_successfully
required: true
restart: true
hostname: backup
domainname: balsillie.house
restart: unless-stopped
networks:
backup:
ipv4_address: 10.96.30.12
link_local_ips: []
entrypoint: /usr/bin/rest-server
command:
- --htpasswd-file "/htpasswd"
- --path "/backup"
- --listen "10.96.30.12:443"
- --tls
- --tls-cert "/etc/letsencrypt/live/backup.balsillie.house/fullchain.pem"
- --tls-key "/etc/letsencrypt/live/backup.balsillie.house/privkey.pem"
volumes:
- /mnt/md/backup/letsencrypt/etc:/etc/letsencrypt
- /mnt/md/backup/restic:/backup
- /mnt/md/backup/restic.htpasswd:/htpasswd
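Review bot: The `command:` list for the `backup` service puts flag and value in one element with embedded quotes, e.g. `- --htpasswd-file "/htpasswd"`; in list form Compose passes each element as a single argv entry with no shell parsing, so rest-server receives one argument containing a space and literal quote characters and will reject it. Split each pair into two elements or use a single string command. Since this is a backup target, `--append-only` is worth adding so a compromised client cannot delete or overwrite existing snapshots, and `--private-repos` keeps each htpasswd user confined to its own repository; both are rest-server flags.
```yaml
    entrypoint: /usr/bin/rest-server
    command:
      - --htpasswd-file
      - /htpasswd
      - --path
      - /backup
      - --listen
      - 10.96.30.12:443
      - --tls
      - --tls-cert
      - /etc/letsencrypt/live/backup.balsillie.house/fullchain.pem
      - --tls-key
      - /etc/letsencrypt/live/backup.balsillie.house/privkey.pem
      # clients may add snapshots but not delete or rewrite existing ones
      - --append-only
    # … unchanged: volumes …
```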

209
compose/truenas-apps.yaml Normal file

@ -0,0 +1,209 @@
# Docker compose file for truenas apps
name: "apps"
# Network
networks:
apps:
attachable: true
driver: macvlan
driver_opts:
macvlan_mode: bridge
parent: eno1
enable_ipv6: false
external: false
internal: false
ipam:
config:
- subnet: "10.96.10.0/24"
ip_range: "10.96.10.224/28"
gateway: "10.96.10.254"
name: apps
services:
certbot:
container_name: certbot
image: certbot/dns-cloudflare
pull_policy: always
restart: "no"
command: >-
certonly --dns-cloudflare
--dns-cloudflare-credentials /etc/letsencrypt/credentials.ini
--dns-cloudflare-propagation-seconds 40
--email certbot-apps@balsillie.email
--non-interactive
--expand
--no-eff-email
--agree-tos
-d adguard.balsillie.house
-d unifi.balsillie.house
-d s3.balsillie.house
-d registry.balsillie.house
-d sync-admin.balsillie.house
-d jellyfin.balsillie.house
-d torrent.balsillie.house
-d tv.balsillie.house
-d movies.balsillie.house
-d music.balsillie.house
-d books.balsillie.house
-d subs.balsillie.house
-d index.balsillie.house
-d books.balsillie.house
-d library.balsillie.house
dns:
- 1.1.1.1
- 9.9.9.9
networks:
apps:
ipv4_address: 10.96.10.11
link_local_ips: []
volumes:
- /mnt/hdd/apps/certbot/etc:/etc/letsencrypt
- /mnt/hdd/apps/certbot/var:/var/lib/letsencrypt
adguard:
container_name: adguard
image: adguard/adguardhome
pull_policy: always
hostname: adguard
domainname: balsillie.house
restart: unless-stopped
depends_on:
certbot:
condition: service_completed_successfully
required: true
restart: true
networks:
apps:
ipv4_address: 10.96.10.53
link_local_ips: []
volumes:
- /mnt/hdd/apps/adguard/work:/opt/adguardhome/work
- /mnt/hdd/apps/adguard/conf:/opt/adguardhome/conf
- /mnt/hdd/apps/certbot/etc:/etc/letsencrypt
minio:
container_name: minio
image: minio/minio
pull_policy: always
hostname: s3
domainname: balsillie.house
command:
- "server"
- "--address"
- "s3.balsillie.house:9000"
- "--console-address"
- "s3.balsillie.house:443"
- "--certs-dir"
- "/etc/letsencrypt/live/adguard.balsillie.house-0002"
- "/data"
restart: unless-stopped
depends_on:
certbot:
condition: service_completed_successfully
required: true
restart: true
networks:
apps:
ipv4_address: 10.96.10.12
link_local_ips: []
volumes:
- /mnt/hdd/s3:/data
- /mnt/hdd/apps/certbot/etc:/etc/letsencrypt
registry:
container_name: registry
image: distribution/distribution:edge
pull_policy: always
hostname: registry
domainname: balsillie.house
restart: unless-stopped
depends_on:
certbot:
condition: service_completed_successfully
required: true
restart: true
environment:
REGISTRY_HTTP_SECRET: VfOVfkMqoeZGpfTJqe82rz4clqrR6Wid
networks:
apps:
ipv4_address: 10.96.10.13
link_local_ips: []
volumes:
- /mnt/hdd/apps/registry:/etc/distribution
- /mnt/hdd/registry:/var/lib/registry
- /mnt/hdd/apps/certbot/etc:/etc/letsencrypt
nginx:
container_name: nginx
image: nginx
pull_policy: always
depends_on:
certbot:
condition: service_completed_successfully
required: true
restart: true
restart: unless-stopped
networks:
apps:
ipv4_address: 10.96.10.16
link_local_ips: []
volumes:
- /mnt/hdd/apps/nginx/default.conf:/etc/nginx/conf.d/default.conf
- /mnt/hdd/apps/certbot/etc:/etc/letsencrypt
sync:
container_name: sync
image: code.balsillie.net/michael/containers/syncthing:latest
pull_policy: always
hostname: sync
domainname: balsillie.house
restart: unless-stopped
command:
- serve
- --home=/config
- --gui-address=http://10.96.10.15:8080
networks:
apps:
ipv4_address: 10.96.10.15
link_local_ips: []
volumes:
- /mnt/hdd/apps/syncthing:/config
- /mnt/hdd/gallery/sync:/sync
unifi:
container_name: unifi
image: goofball222/unifi:8.6.9
pull_policy: always
hostname: unifi
domainname: balsillie.house
environment:
READENV: 'true'
DB_MONGO_LOCAL: 'false'
TZ: America/New_York
RUN_CHOWN: 'false'
DEBIAN_FRONTEND: noninteractive
DB_MONGO_URI: mongodb://10.96.10.18:27017/unifi
STATDB_MONGO_URI: mongodb://10.96.10.18:27017/unifi_stat
UNIFI_DB_NAME: unifi
restart: unless-stopped
networks:
apps:
ipv4_address: 10.96.10.17
link_local_ips: []
volumes:
- /mnt/hdd/apps/unifi:/usr/lib/unifi/data
mongodb:
image: mongo:5.0
container_name: mongodb
restart: unless-stopped
networks:
apps:
ipv4_address: 10.96.10.18
link_local_ips: []
volumes:
- /mnt/hdd/apps/mongodb:/data/db
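Review bot: `REGISTRY_HTTP_SECRET` is committed as a literal on the `registry` service, so the value is now in git history and should be rotated; move it to an `env_file` or a Compose `secrets:` entry kept out of the repo, as the `.gitignore` in this commit already does for the htpasswd file. `mongodb` runs `mongo:5.0` on its own macvlan address with no authentication and the `unifi` `DB_MONGO_URI`/`STATDB_MONGO_URI` carry no credentials, so any host on the `10.96.10.0/24` segment can read or alter the controller database; set `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` and put credentials in the URIs, or attach `mongodb` only to an internal network shared with `unifi`. The certbot command lists `-d books.balsillie.house` twice, and the `adguard.balsillie.house-0002` lineage hard-coded in `minio` (and again in the registry and nginx configs) will change whenever the SAN list changes; `--cert-name apps` on the certbot command would pin a stable path.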

161
compose/truenas-media.yaml Normal file

@ -0,0 +1,161 @@
# Docker compose file for truenas apps
name: "media"
# Network
networks:
apps:
external: true
name: apps
services:
cert-sorter:
container_name: cert-sorter
image: code.balsillie.net/michael/containers/cert-sorter:latest
pull_policy: always
restart: 'no'
volumes:
- /mnt/hdd/apps/certbot/etc:/etc/letsencrypt
- /mnt/hdd/apps/cert-1000:/dest/1000
network_mode: none
jellyfin:
container_name: jellyfin
image: code.balsillie.net/michael/containers/jellyfin:latest
pull_policy: always
user: jellyfin:jellyfin
depends_on:
cert-sorter:
condition: service_completed_successfully
required: true
restart: true
restart: unless-stopped
hostname: jellyfin
domainname: balsillie.house
devices:
- /dev/dri/card0:/dev/dri/card0
- /dev/dri/renderD128:/dev/dri/renderD128
environment:
- JELLYFIN_PublishedServerUrl=https://jellyfin.balsillie.house
networks:
apps:
ipv4_address: 10.96.10.101
link_local_ips: []
volumes:
- /mnt/hdd/apps/jellyfin/config:/config
- /mnt/hdd/apps/jellyfin/cache:/cache
- /mnt/hdd/media:/media
- /mnt/hdd/apps/cert-1000:/cert
qbittorrent:
container_name: torrent
image: code.balsillie.net/michael/containers/qbittorrent:latest
pull_policy: always
depends_on:
cert-sorter:
condition: service_completed_successfully
required: true
restart: true
restart: unless-stopped
hostname: torrent
domainname: balsillie.house
dns: 10.2.0.1
user: ubuntu
networks:
apps:
ipv4_address: 10.96.10.102
link_local_ips: []
volumes:
- /mnt/hdd/apps/torrent:/config
- /mnt/hdd/media:/media
- /mnt/hdd/apps/cert-1000:/cert
sonarr:
container_name: sonarr
image: code.balsillie.net/michael/containers/sonarr:latest
pull_policy: always
depends_on:
cert-sorter:
condition: service_completed_successfully
required: true
restart: true
restart: unless-stopped
hostname: tv
domainname: balsillie.house
user: ubuntu
networks:
apps:
ipv4_address: 10.96.10.103
link_local_ips: []
volumes:
- /mnt/hdd/apps/sonarr:/config
- /mnt/hdd/media:/media
- /mnt/hdd/apps/cert-1000:/cert
radarr:
container_name: radarr
image: code.balsillie.net/michael/containers/radarr:latest
pull_policy: always
depends_on:
cert-sorter:
condition: service_completed_successfully
required: true
restart: true
restart: unless-stopped
hostname: movies
domainname: balsillie.house
user: ubuntu
networks:
apps:
ipv4_address: 10.96.10.104
link_local_ips: []
volumes:
- /mnt/hdd/apps/radarr:/config
- /mnt/hdd/media:/media
- /mnt/hdd/apps/cert-1000:/cert
prowlarr:
container_name: prowlarr
image: code.balsillie.net/michael/containers/prowlarr:latest
pull_policy: always
depends_on:
cert-sorter:
condition: service_completed_successfully
required: true
restart: true
restart: unless-stopped
hostname: index
domainname: balsillie.house
user: ubuntu
networks:
apps:
ipv4_address: 10.96.10.105
link_local_ips: []
volumes:
- /mnt/hdd/apps/prowlarr:/config
- /mnt/hdd/media:/media
- /mnt/hdd/apps/cert-1000:/cert
readarr:
container_name: readarr
image: code.balsillie.net/michael/containers/readarr:latest
pull_policy: always
depends_on:
cert-sorter:
condition: service_completed_successfully
required: true
restart: true
restart: unless-stopped
hostname: books
domainname: balsillie.house
user: ubuntu
networks:
apps:
ipv4_address: 10.96.10.106
link_local_ips: []
volumes:
- /mnt/hdd/apps/readarr:/config
- /mnt/hdd/media:/media
- /mnt/hdd/apps/cert-1000:/cert
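Review bot: Six services repeat the identical `depends_on`/`restart`/`domainname`/`user: ubuntu` stanza and the same `/media` and `/cert` mounts; an extension field at the top, `x-arr-common: &arr-common` holding those keys with `<<: *arr-common` in each service, would leave only the per-service differences (hostname, address, config path) visible, and Compose resolves anchors before validation so the rendered config is unchanged. `qbittorrent` points `dns:` at `10.2.0.1`, which the torrent role vars in this commit name as the WireGuard DNS, yet no tunnel interface is configured here; a comment such as `# DNS resolver reachable only through the WireGuard tunnel the image brings up` would record where that dependency lives, assuming that is indeed inside the image.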

52
distribution/config.yml Normal file

@ -0,0 +1,52 @@
version: 0.1
log:
accesslog:
disabled: false
level: info
formatter: text
fields: {}
storage:
cache:
blobdescriptor: inmemory
blobdescriptorsize: 5000
delete:
enabled: true
filesystem:
rootdirectory: /var/lib/registry
maintenance:
uploadpurging:
enabled: true
age: 168h
interval: 24h
dryrun: false
readonly:
enabled: false
tag:
concurrencylimit: 8
http:
http2:
disabled: false
h2c:
enabled: false
addr: 10.96.10.13:443
net: tcp
host: https://registry.balsillie.house
prefix: ''
headers:
X-Content-Type-Options:
- nosniff
relativeurls: false
draintimeout: 30s
tls:
certificate: /etc/letsencrypt/live/adguard.balsillie.house-0002/fullchain.pem
key: /etc/letsencrypt/live/adguard.balsillie.house-0002/privkey.pem
minimumtls: tls1.2
prometheus:
enabled: false
# auth:
# htpasswd:
# realm: BALSILLIE
# path: /etc/distribution/htpasswd
health:
storagedriver:
enabled: false
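Review bot: The `auth:` block is commented out, so this registry accepts anonymous push and pull, and with `delete.enabled: true` anonymous manifest deletion, from anything that can reach `10.96.10.13:443`; the `.gitignore` in this commit already excludes `distribution/htpasswd`, so an htpasswd file is evidently planned, and the block should be live before the service is, `auth: {htpasswd: {realm: BALSILLIE, path: /etc/distribution/htpasswd}}`. `http.secret` is not set here because the compose file supplies `REGISTRY_HTTP_SECRET`; a comment, `# http.secret comes from the REGISTRY_HTTP_SECRET environment variable`, would save the next reader a search. The `tls.certificate` path pins the `adguard.balsillie.house-0002` lineage, which changes if certbot's SAN list changes; see the certbot command in the compose file.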

46
nginx/truenas.conf Normal file

@ -0,0 +1,46 @@
server {
listen 80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
ssl_certificate /etc/letsencrypt/live/adguard.balsillie.house-0002/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/adguard.balsillie.house-0002/privkey.pem;
server {
listen 443 ssl;
server_name sync-admin.balsillie.house;
http2 on;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://10.96.10.15:8080/;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
}
}
server {
listen 443 ssl;
server_name unifi.balsillie.house;
http2 on;
proxy_ssl_verify off;
location /wss/ {
proxy_pass https://10.96.10.17:8443;
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_read_timeout 86400;
}
location / {
proxy_pass https://10.96.10.17:8443/; # The Unifi Controller Port
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
}
}
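Review bot: In the `unifi.balsillie.house` `/` location the header is spelled `X-Forward-For`; the conventional name is `X-Forwarded-For`, so the controller will not see client addresses, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`. `proxy_ssl_verify off` on that server block disables upstream certificate validation toward `10.96.10.17:8443`; that is the usual trade-off with the controller's self-signed certificate, but a comment stating it (`# upstream presents the controller's self-signed cert; traffic stays on the apps macvlan`) keeps the setting from being copied to other backends. The `/wss/` location also omits the `Host` and `X-Forwarded-*` headers that `/` sets, so the two locations should be aligned.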


@ -0,0 +1,11 @@
# For pfsense check 'Disable eBGP Require Policy' under BGP advanved
# https://geek-cookbook.funkypenguin.co.nz/kubernetes/loadbalancer/metallb/pfsense/#configure-frr-bgp-advanced
apiVersion: crd.projectcalico.org/v1
kind: BGPConfiguration
metadata:
name: default
spec:
asNumber: 64624
serviceClusterIPs:
- cidr: 10.80.0.0/12


@ -0,0 +1,7 @@
apiVersion: crd.projectcalico.org/v1
kind: BGPPeer
metadata:
name: router-balsillie-house
spec:
asNumber: 64625
peerIP: 192.168.1.11:179
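Review bot: The BGP session to the router is configured with only `asNumber` and `peerIP`, so there is no session password and authentication of the peer rests entirely on network position within 192.168.1.0/24. Calico's BGPPeer supports a `password` with a `secretKeyRef` pointing at a Kubernetes Secret, which gives the node and router a shared TCP MD5 key; worth enabling if the router side supports it. A short comment stating which device 192.168.1.11 is and that the router-side ASN 64625 must match, e.g. `# LAN router (pfSense/FRR) — its BGP ASN must be 64625`, would help whoever has to reproduce the router configuration, since it is not captured anywhere in these manifests.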


@ -0,0 +1,7 @@
# This section configures the Calico API server.
# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.APIServer
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
spec: {}


@ -0,0 +1,11 @@
apiVersion: projectcalico.org/v3
kind: CalicoNodeStatus
metadata:
name: node00
spec:
classes:
- Agent
- BGP
- Routes
node: node00
updatePeriodSeconds: 10


@ -0,0 +1,8 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: kubernetes-services-endpoint
namespace: tigera-operator
data:
KUBERNETES_SERVICE_HOST: "192.168.1.15"
KUBERNETES_SERVICE_PORT: '6443'
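Review bot: The two data values use different quoting styles — `"192.168.1.15"` on one line and `'6443'` on the next; both must be strings for the operator, so pick one style (single quotes is the less surprising choice for literal values) and use it for both. `KUBERNETES_SERVICE_HOST` points the operator at node00's host address rather than at the `cp00.balsillie.house` endpoint the cluster spec uses, so a second control-plane node would make this entry stale; a comment such as `# single-node cluster: operator talks to node00's host IP directly, not the cp00 endpoint` records that assumption.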


@ -0,0 +1,6 @@
apiVersion: crd.projectcalico.org/v1
kind: FelixConfiguration
metadata:
name: default
spec:
CgroupV2Path: /sys/fs/cgroup
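Review bot: The key `CgroupV2Path` is capitalised while every other Calico spec in this set uses lower camelCase (`asNumber`, `peerIP`, `serviceClusterIPs`); CRD schema validation is case-sensitive, so confirm the exact field name against the FelixConfiguration schema before relying on it — a mis-cased key is either rejected or silently pruned, and the setting would then not take effect. A one-line comment explaining why the path is set, e.g. `# unified cgroup v2 hierarchy mount point on the host — TODO confirm against Talos`, would help the next reader.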


@ -0,0 +1,25 @@
# This section includes base Calico installation configuration.
# For more information, see: https://docs.tigera.io/calico/latest/reference/installation/api#operator.tigera.io/v1.Installation
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
variant: Calico
cni:
type: Calico
ipam:
type: Calico
serviceCIDRs:
- 10.80.0.0/12
calicoNetwork:
bgp: Enabled
linuxDataplane: Nftables
hostPorts: Enabled
ipPools:
- name: default-ipv4-ippool
blockSize: 24
cidr: 10.64.0.0/12
encapsulation: None
natOutgoing: Disabled
nodeSelector: all()

16
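--- a/talos/gen-config.sh
+++ b/talos/gen-config.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+talosctl gen config \
+cluster00 https://cp00.balsillie.house:6443 \
+--with-secrets secrets.yaml \
+--config-patch @patches/talos-cluster.yml \
+--config-patch @patches/mc-all.yml \
+--config-patch @patches/mc-node00.yml \
+--output rendered/ \
+--force
+mkdir -p ~/.talos
+cp rendered/talosconfig ~/.talos/config
+talosctl config endpoint 192.168.1.15
+talosctl config node 192.168.1.15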
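Review bot: The script has no `set -euo pipefail`, so if `talosctl gen config` fails the remaining lines still copy whatever stale `rendered/talosconfig` exists over `~/.talos/config` and repoint the endpoint; add `set -euo pipefail` directly after the shebang. `secrets.yaml`, `patches/` and `rendered/` are all resolved relative to the caller's working directory, so running it from elsewhere fails or writes into the wrong tree — `cd "$(dirname "$0")"` after the shebang pins that. The `cp` silently overwrites any existing `~/.talos/config` (including contexts for other clusters); `talosctl config merge rendered/talosconfig` would preserve them. Because `rendered/` receives the generated private keys and join tokens, it and `secrets.yaml` should be excluded from version control rather than committed alongside the patches.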

32
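--- a/talos/patches/mc-all.yml
+++ b/talos/patches/mc-all.yml
@@ -0,0 +1,32 @@
+machine:
+features:
+hostDNS:
+enabled: true
+forwardKubeDNSToHost: false
+kubePrism:
+enabled: false
+install:
+wipe: true
+legacyBIOSSupport: false
+diskSelector:
+type: ssd
+kubelet:
+extraArgs:
+rotate-server-certificates: true
+extraMounts:
+- destination: /var/local/openebs
+type: bind
+source: /var/local/openebs
+options:
+- bind
+- rshared
+- rw
+nodeLabels:
+openebs.io/engine: mayastor
+sysctls:
+vm.nr_hugepages: "1024"
+time:
+disabled: false
+servers:
+- 192.168.1.11
+- 10.96.10.254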
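Review bot: `rotate-server-certificates: true` under `kubelet.extraArgs` is an unquoted YAML boolean, while the rendered output elsewhere in this compare carries the flag as the string `"true"`; extraArgs is a string map, so write `rotate-server-certificates: "true"` here and stop depending on the decoder's coercion (`vm.nr_hugepages: "1024"` a few lines down already follows that convention). `install.wipe: true` is in the patch applied to every machine, so each node consuming it has its selected disk wiped at install time; a comment stating that, e.g. `# destructive: the disk matched by diskSelector is wiped on install`, is warranted. Likewise `openebs.io/engine: mayastor` labels every node for Mayastor whether or not it has the hugepages and openebs mount in place — fine for a single node, but worth a note.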


@ -0,0 +1,19 @@
---
machine:
network:
hostname: node00.balsillie.house
nameservers:
- 192.168.1.11
- 10.96.10.254
interfaces:
- deviceSelector:
hardwareAddr: 'f4:4d:30:6e:62:a7'
dhcp: false
routes:
- network: 0.0.0.0/0
gateway: 192.168.1.11
- network: 0.0.0.0/0
gateway: 10.96.10.254
addresses:
- 192.168.1.15/24
- 10.96.10.30/24
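Review bot: The interface carries two default routes (`0.0.0.0/0` via 192.168.1.11 and via 10.96.10.254) with no `metric`, so which gateway is used is left to kernel route ordering rather than stated in the config; give the secondary route an explicit `metric` or drop it, and add a comment naming which of the two subnets is the management path. The rendered `controlplane.yaml` in this same compare contains only the 192.168.1.15/24 address, the single 192.168.1.11 route and one nameserver, so the rendered output appears to predate this patch and should be regenerated (or, better, not committed at all). The file starts with `---` while the sibling `mc-all.yml` does not; pick one convention for the patches directory.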


@ -0,0 +1,88 @@
---
cluster:
allowSchedulingOnControlPlanes: true
apiServer:
admissionControl:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
exemptions:
namespaces:
- openebs
- democratic-csi
controlPlane:
endpoint: https://cp00.balsillie.house:6443
localAPIServerPort: 6443
clusterName: cluster00.balsillie.house
extraManifests:
- https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
inlineManifests:
- name: calico-installation
contents: |
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
variant: Calico
cni:
type: Calico
ipam:
type: Calico
serviceCIDRs:
- 10.80.0.0/12
calicoNetwork:
bgp: Enabled
linuxDataplane: Nftables
hostPorts: Enabled
ipPools:
- name: default-ipv4-ippool
blockSize: 24
cidr: 10.64.0.0/12
encapsulation: None
natOutgoing: Disabled
nodeSelector: all()
- name: calico-apiserver
contents: |
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
spec: {}
- name: calico-bgpconfig
contents: |
apiVersion: crd.projectcalico.org/v1
kind: BGPConfiguration
metadata:
name: default
spec:
asNumber: 64624
serviceClusterIPs:
- cidr: 10.80.0.0/12
- name: calico-bgppeer
contents: |
apiVersion: crd.projectcalico.org/v1
kind: BGPPeer
metadata:
name: router-balsillie-house
spec:
asNumber: 64625
peerIP: 192.168.1.11:179
network:
cni:
name: custom
urls:
- https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
dnsDomain: cluster00.balsillie.house
podSubnets:
- 10.64.0.0/12
serviceSubnets:
- 10.80.0.0/12
proxy:
mode: nftables
disabled: false
extraArgs:
proxy-mode: nftables
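Review bot: Two of the `extraManifests` URLs are moving references — `kubelet-serving-cert-approver/main/deploy/standalone-install.yaml` and `metrics-server/releases/latest/download/components.yaml` — so every bootstrap or re-apply fetches whatever those paths serve that day, with no version pin or checksum, whereas the ingress-nginx entry is already pinned to `controller-v1.11.3`; pin the other two to tagged releases in the same way. The four inline Calico manifests duplicate the standalone Calico files added in this compare, which will drift unless one copy is derived from the other. The PodSecurity configuration lists `exemptions` but no `defaults`, so the enforce/audit/warn levels come from whatever Talos fills in (the rendered output shows `enforce: baseline`, presumably that default); stating them explicitly documents the intended policy. `proxy.mode: nftables` and `extraArgs: proxy-mode: nftables` express the same setting twice.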


@ -0,0 +1,583 @@
version: v1alpha1 # Indicates the schema used to decode the contents.
debug: false # Enable verbose logging to the console.
persist: true
# Provides machine specific configuration options.
machine:
type: controlplane # Defines the role of the machine within the cluster.
token: ubp3st.gmb0565erkwo722t # The `token` is used by a machine to join the PKI of the cluster.
# The root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBc3QvY3BtNEliZnhzS3d3VGxHMFNtREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qUXhNakEwTVRneU1qQTFXaGNOTXpReE1qQXlNVGd5TWpBMVdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQU9aVVU3Vzh3OXcwR0l4cmVxVitNQ3JrUENmQS9keWdJMGtVCkJDQTkyTjhNbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRksvei83WWVqamt0VFAwcgppcFFNa2hxK3hNU1pNQVVHQXl0bGNBTkJBTDNJTDk4b3NkeDVPTGpQeEZFcXRTK0NOeWhPS2RFMGU5S3ZnQi9VCmpaT3VEMWE3Zmx3Q1grTVVrdk1qMnBEUER1eTN1Tko5Ym41ZFdPMldmdWFwdEFrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJR1NncnJIR3JZSThYeGlRa0dxOUtJd3hzWkdha1BTb21GczJSQlV4Y2hRRgotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K
# Extra certificate subject alternative names for the machine's certificate.
certSANs: []
# # Uncomment this to enable SANs.
# - 10.0.0.10
# - 172.16.0.10
# - 192.168.0.10
# Used to provide additional options to the kubelet.
kubelet:
image: ghcr.io/siderolabs/kubelet:v1.31.2 # The `image` field is an optional reference to an alternative kubelet image.
# The `extraArgs` field is used to provide additional flags to the kubelet.
extraArgs:
rotate-server-certificates: "true"
# The `extraMounts` field is used to add additional mounts to the kubelet container.
extraMounts:
- destination: /var/local/openebs # Destination is the absolute path where the mount will be placed in the container.
type: bind # Type specifies the mount kind.
source: /var/local/openebs # Source specifies the source path of the mount.
# Options are fstab style mount options.
options:
- bind
- rshared
- rw
defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
# # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
# clusterDNS:
# - 10.96.0.10
# - 169.254.2.53
# # The `extraConfig` field is used to provide kubelet configuration overrides.
# extraConfig:
# serverTLSBootstrap: true
# # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
# credentialProviderConfig:
# apiVersion: kubelet.config.k8s.io/v1
# kind: CredentialProviderConfig
# providers:
# - apiVersion: credentialprovider.kubelet.k8s.io/v1
# defaultCacheDuration: 12h
# matchImages:
# - '*.dkr.ecr.*.amazonaws.com'
# - '*.dkr.ecr.*.amazonaws.com.cn'
# - '*.dkr.ecr-fips.*.amazonaws.com'
# - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
# - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
# name: ecr-credential-provider
# # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
# nodeIP:
# # The `validSubnets` field configures the networks to pick kubelet node IP from.
# validSubnets:
# - 10.0.0.0/8
# - '!10.0.0.3/32'
# - fdc7::/16
# Provides machine specific network configuration options.
network:
hostname: node00.balsillie.house # Used to statically set the hostname for the machine.
# `interfaces` is used to define the network interface configuration.
interfaces:
- # Picks a network device using the selector.
deviceSelector:
hardwareAddr: f4:4d:30:6e:62:a7 # Device hardware address, supports matching by wildcard.
# Assigns static IP addresses to the interface.
addresses:
- 192.168.1.15/24
# A list of routes associated with the interface.
routes:
- network: 0.0.0.0/0 # The route's network (destination).
gateway: 192.168.1.11 # The route's gateway (if empty, creates link scope route).
dhcp: false # Indicates if DHCP should be used to configure the interface.
# # The interface name.
# interface: enp0s3
# # Bond specific options.
# bond:
# # The interfaces that make up the bond.
# interfaces:
# - enp2s0
# - enp2s1
# # Picks a network device using the selector.
# deviceSelectors:
# - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
# driver: virtio # Kernel driver, supports matching by wildcard.
# mode: 802.3ad # A bond option.
# lacpRate: fast # A bond option.
# # Bridge specific options.
# bridge:
# # The interfaces that make up the bridge.
# interfaces:
# - enxda4042ca9a51
# - enxae2a6774c259
# # A bridge option.
# stp:
# enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
# # DHCP specific options.
# dhcpOptions:
# routeMetric: 1024 # The priority of all routes received via DHCP.
# # Wireguard specific configuration.
# # wireguard server example
# wireguard:
# privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# listenPort: 51111 # Specifies a device's listening port.
# # Specifies a list of peer configurations to apply to a device.
# peers:
# - publicKey: ABCDEF... # Specifies the public key of this peer.
# endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
# # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# allowedIPs:
# - 192.168.1.0/24
# # wireguard peer example
# wireguard:
# privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # Specifies a list of peer configurations to apply to a device.
# peers:
# - publicKey: ABCDEF... # Specifies the public key of this peer.
# endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
# persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
# # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# allowedIPs:
# - 192.168.1.0/24
# # Virtual (shared) IP address configuration.
# # layer2 vip example
# vip:
# ip: 172.16.199.55 # Specifies the IP address to be used.
# Used to statically set the nameservers for the machine.
nameservers:
- 192.168.1.11
# # Allows for extra entries to be added to the `/etc/hosts` file
# extraHostEntries:
# - ip: 192.168.1.100 # The IP of the host.
# # The host alias.
# aliases:
# - example
# - example.domain.tld
# # Configures KubeSpan feature.
# kubespan:
# enabled: true # Enable the KubeSpan feature.
# Used to provide instructions for installations.
install:
disk: /dev/sda # The disk used for installations.
# Look up disk using disk attributes like model, size, serial and others.
diskSelector:
type: ssd # Disk Type.
# # Disk size.
# # Select a disk which size is equal to 4GB.
# size: 4GB
# # Select a disk which size is greater than 1TB.
# size: '> 1TB'
# # Select a disk which size is less or equal than 2TB.
# size: <= 2TB
# # Disk bus path.
# busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0
# busPath: /pci0000:00/*
image: ghcr.io/siderolabs/installer:v1.8.3 # Allows for supplying the image used to perform the installation.
wipe: true # Indicates if the installation disk should be wiped at installation time.
legacyBIOSSupport: false # Indicates if MBR partition should be marked as bootable (active).
# # Allows for supplying extra kernel args via the bootloader.
# extraKernelArgs:
# - talos.platform=metal
# - reboot=k
# # Allows for supplying additional system extension images to install on top of base Talos image.
# extensions:
# - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
# Used to configure the machine's time settings.
time:
disabled: false # Indicates if the time service is disabled for the machine.
# description: |
servers:
- 192.168.1.11
# Used to configure the machine's sysctls.
sysctls:
vm.nr_hugepages: "1024"
# Used to configure the machine's container image registry mirrors.
registries: {}
# # Specifies mirror configuration for each registry host namespace.
# mirrors:
# ghcr.io:
# # List of endpoints (URLs) for registry mirrors to use.
# endpoints:
# - https://registry.insecure
# - https://ghcr.io/v2/
# # Specifies TLS & auth configuration for HTTPS image registries.
# config:
# registry.insecure:
# # The TLS configuration for the registry.
# tls:
# insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
#
# # # Enable mutual TLS authentication with the registry.
# # clientIdentity:
# # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
#
# # # The auth configuration for this registry.
# # auth:
# # username: username # Optional registry authentication.
# # password: password # Optional registry authentication.
# Features describe individual Talos features that can be switched on or off.
features:
rbac: true # Enable role-based access control (RBAC).
stableHostname: true # Enable stable default hostname.
apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
# KubePrism - local proxy/load balancer on defined port that will distribute
kubePrism:
enabled: false # Enable KubePrism support - will start local load balancing proxy.
port: 7445 # KubePrism port.
# Configures host DNS caching resolver.
hostDNS:
enabled: true # Enable host DNS caching resolver.
forwardKubeDNSToHost: false # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
# # Configure Talos API access from Kubernetes pods.
# kubernetesTalosAPIAccess:
# enabled: true # Enable Talos API access from Kubernetes pods.
# # The list of Talos API roles which can be granted for access from Kubernetes pods.
# allowedRoles:
# - os:reader
# # The list of Kubernetes namespaces Talos API access is available from.
# allowedKubernetesNamespaces:
# - kube-system
# Configures the node labels for the machine.
nodeLabels:
node.kubernetes.io/exclude-from-external-load-balancers: ""
openebs.io/engine: mayastor
# # Provides machine specific control plane configuration options.
# # ControlPlane definition example.
# controlPlane:
# # Controller manager machine specific configuration options.
# controllerManager:
# disabled: false # Disable kube-controller-manager on the node.
# # Scheduler machine specific configuration options.
# scheduler:
# disabled: true # Disable kube-scheduler on the node.
# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
# # nginx static pod.
# pods:
# - apiVersion: v1
# kind: pod
# metadata:
# name: nginx
# spec:
# containers:
# - image: nginx
# name: nginx
# # Used to partition, format and mount additional disks.
# # MachineDisks list example.
# disks:
# - device: /dev/sdb # The name of the disk to use.
# # A list of partitions to create on the disk.
# partitions:
# - mountpoint: /var/mnt/extra # Where to mount the partition.
#
# # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
# # # Human readable representation.
# # size: 100 MB
# # # Precise value in bytes.
# # size: 1073741824
# # Allows the addition of user specified files.
# # MachineFiles usage example.
# files:
# - content: '...' # The contents of the file.
# permissions: 0o666 # The file's permissions in octal.
# path: /tmp/file.txt # The path of the file.
# op: append # The operation to use
# # The `env` field allows for the addition of environment variables.
# # Environment variables definition examples.
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: info
# GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
# https_proxy: http://SERVER:PORT/
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: error
# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
# env:
# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
# # Used to configure the machine's sysfs.
# # MachineSysfs usage example.
# sysfs:
# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
# # Machine system disk encryption configuration.
# systemDiskEncryption:
# # Ephemeral partition encryption.
# ephemeral:
# provider: luks2 # Encryption provider to use for the encryption.
# # Defines the encryption keys generation and storage method.
# keys:
# - # Deterministically generated key from the node UUID and PartitionLabel.
# nodeID: {}
# slot: 0 # Key slot number for LUKS2 encryption.
#
# # # KMS managed encryption key.
# # kms:
# # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#
# # # Cipher kind to use for the encryption. Depends on the encryption provider.
# # cipher: aes-xts-plain64
# # # Defines the encryption sector size.
# # blockSize: 4096
# # # Additional --perf parameters for the LUKS2 encryption.
# # options:
# # - no_read_workqueue
# # - no_write_workqueue
# # Configures the udev system.
# udev:
# # List of udev rules to apply to the udev system
# rules:
# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
# # Configures the logging system.
# logging:
# # Logging destination.
# destinations:
# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
# format: json_lines # Logs format.
# # Configures the kernel.
# kernel:
# # Kernel modules to load.
# modules:
# - name: brtfs # Module name.
# # Configures the seccomp profiles for the machine.
# seccompProfiles:
# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
# # The `value` field is used to provide the seccomp profile.
# value:
# defaultAction: SCMP_ACT_LOG
# # Configures the node annotations for the machine.
# # node annotations example.
# nodeAnnotations:
# customer.io/rack: r13a25
# # Configures the node taints for the machine. Effect is optional.
# # node taints example.
# nodeTaints:
# exampleTaint: exampleTaintValue:NoSchedule
# Provides cluster specific configuration options.
cluster:
id: OmdWk7fWVxSMf_1pjy_vG3LD_LpzBcJJ4gfyg7Du-1A= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
secret: XVz/kRfKSE9ID7nb2QLW+DafhGHaLj+cXs9DlADVUQc= # Shared secret of cluster (base64 encoded random 32 bytes).
# Provides control plane specific configuration options.
controlPlane:
endpoint: https://cp00.balsillie.house:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
localAPIServerPort: 6443 # The port that the API server listens on internally.
clusterName: cluster00.balsillie.house # Configures the cluster's name.
# Provides cluster specific network configuration options.
network:
# The CNI used.
cni:
name: custom # Name of CNI to use.
# URLs containing manifests to apply for the CNI.
urls:
- https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
dnsDomain: cluster00.balsillie.house # The domain used by Kubernetes DNS.
# The pod subnet CIDR.
podSubnets:
- 10.64.0.0/12
# The service subnet CIDR.
serviceSubnets:
- 10.80.0.0/12
token: cpn9u3.wyqt1zpotvuczv27 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
secretboxEncryptionSecret: jDt8ma1yKNwghesliMWeVUvMKfbd8B6P5F7n5sogO4k= # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# The base64 encoded root certificate authority used by Kubernetes.
ca:
crt: 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
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSURwelhDRFhkWERTZHdHN2Jpb3h1Q3RWK1FmK09XSE40RmtOckg0eUpjOUxvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFQzV2Lzl0a2xJOHMwQk5WN0J4ZTdZMVJtWHREa3diRW1BT1ZlNmlRQTRvakhSMFAyWUh2WQp0SC9DdmFOdWtXcXBORm9zR2RucWtJK3FQRGRYTTlvS2NBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
aggregatorCA:
crt: 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
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUttT0p3eG8rbnUyWEZGaGUvQUVxUXJrcjRtKy9ZMFB6Wkl5YXRvOE1XbTlvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFNkFJZmF5TTZlSEwvdDdIUmZma2tXZUJheU5FMWtzRFRWUkhySlVCMGdqRG5TRitOWXI5QgpKRkZBWXNSekNxQStTZEttMWVtYXAzajUxZjdac1NJMjJ3PT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# The base64 encoded private key for service account token generation.
serviceAccount:
key: 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
# API server specific configuration options.
apiServer:
image: registry.k8s.io/kube-apiserver:v1.31.2 # The container image used in the API server manifest.
# Extra certificate subject alternative names for the API server's certificate.
certSANs:
- cp00.balsillie.house
disablePodSecurityPolicy: true # Disable PodSecurityPolicy in the API server and default manifests.
# Configure the API server admission plugins.
admissionControl:
- name: PodSecurity # Name is the name of the admission controller.
# Configuration is an embedded configuration object to be used as the plugin's
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1beta1
defaults:
audit: restricted
audit-version: latest
enforce: baseline
enforce-version: latest
warn: restricted
warn-version: latest
exemptions:
namespaces:
- kube-system
- openebs
- democratic-csi
runtimeClasses: []
usernames: []
kind: PodSecurityConfiguration
# Configure the API server audit policy.
auditPolicy:
apiVersion: audit.k8s.io/v1
kind: Policy
rules:
- level: Metadata
# Controller manager server specific configuration options.
controllerManager:
image: registry.k8s.io/kube-controller-manager:v1.31.2 # The container image used in the controller manager manifest.
# Kube-proxy server-specific configuration options
proxy:
disabled: false # Disable kube-proxy deployment on cluster bootstrap.
image: registry.k8s.io/kube-proxy:v1.31.2 # The container image used in the kube-proxy manifest.
mode: nftables # proxy mode of kube-proxy.
# Extra arguments to supply to kube-proxy.
extraArgs:
proxy-mode: nftables
# Scheduler server specific configuration options.
scheduler:
image: registry.k8s.io/kube-scheduler:v1.31.2 # The container image used in the scheduler manifest.
# Configures cluster member discovery.
discovery:
enabled: true # Enable the cluster membership discovery feature.
# Configure registries used for cluster member discovery.
registries:
# Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
kubernetes:
disabled: true # Disable Kubernetes discovery registry.
# Service registry is using an external service to push and pull information about cluster members.
service: {}
# # External service endpoint.
# endpoint: https://discovery.talos.dev/
# Etcd specific configuration options.
etcd:
# The `ca` is the root certificate authority of the PKI.
ca:
crt: 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
key: LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUY2cUdkQy9kc2wxRStYSnllVTBPazZrUTY4a3pWeERoQ0tHWFN4QjNMSDFvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFYjU2dUtINC9oeWp5TjdhT3ZwQS92NVNlcWhnNkx2WG9WbFM1dmsxSlZDQXYwM3NvNnl1LwpDMUp3YzVZRmRaTnhEZyt5TDVaaENVVVIwVXRCSFhpL29RPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo=
# # The container image used to create the etcd service.
# image: gcr.io/etcd-development/etcd:v3.5.16
# # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
# advertisedSubnets:
# - 10.0.0.0/8
# A list of urls that point to additional manifests.
extraManifests:
- https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
# A list of inline Kubernetes manifests.
inlineManifests:
- name: calico-installation # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
variant: Calico
cni:
type: Calico
ipam:
type: Calico
serviceCIDRs:
- 10.80.0.0/12
calicoNetwork:
bgp: Enabled
linuxDataplane: Nftables
hostPorts: Enabled
ipPools:
- name: default-ipv4-ippool
blockSize: 24
cidr: 10.64.0.0/12
encapsulation: None
natOutgoing: Disabled
nodeSelector: all()
- name: calico-apiserver # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
spec: {}
- name: calico-bgpconfig # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: crd.projectcalico.org/v1
kind: BGPConfiguration
metadata:
name: default
spec:
asNumber: 64624
serviceClusterIPs:
- cidr: 10.80.0.0/12
- name: calico-bgppeer # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: crd.projectcalico.org/v1
kind: BGPPeer
metadata:
name: router-balsillie-house
spec:
asNumber: 64625
peerIP: 192.168.1.11:179
allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # Core DNS specific configuration options.
# coreDNS:
# image: registry.k8s.io/coredns/coredns:v1.11.3 # The `image` field is an override to the default coredns image.
# # External cloud provider configuration.
# externalCloudProvider:
# enabled: true # Enable external cloud provider.
# # A list of urls that point to additional manifests for an external cloud provider.
# manifests:
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
# # A map of key value pairs that will be added while fetching the extraManifests.
# extraManifestHeaders:
# Token: "1234567"
# X-ExtraInfo: info
# # Settings for admin kubeconfig generation.
# adminKubeconfig:
# certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
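Review bot: This rendered file commits live key material: the machine join `token`, `machine.ca.key`, `cluster.id` and `cluster.secret`, the bootstrap `token`, `secretboxEncryptionSecret`, and the private keys under `ca`, `aggregatorCA` and `etcd.ca`; the same applies to the `talosconfig` (client `key`) and `talos/rendered/worker.yaml` sections that follow. These values are sufficient to join machines to, or administer, the cluster, so they should be removed from version control, the repository history treated as exposed, and the cluster secrets regenerated (`talosctl gen secrets`) before the rendered configs are re-created. Going forward commit only the patches, and keep `secrets.yaml` and `rendered/` out of the tree or stored encrypted. Separately, `discovery.registries.service: {}` leaves the external discovery service enabled while the Kubernetes registry is disabled — confirm that is intended for a single-node cluster, and note it in a comment if so.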


@ -0,0 +1,7 @@
context: cluster00
contexts:
cluster00:
endpoints: []
ca: 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
crt: 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
key: LS0tLS1CRUdJTiBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0KTUM0Q0FRQXdCUVlESzJWd0JDSUVJTVBtcWV2cnBuZm1hVGNMM3JhRU8rK0JDdGNkTFhoMmRMdy9ZSGVqY0xBSAotLS0tLUVORCBFRDI1NTE5IFBSSVZBVEUgS0VZLS0tLS0K

592
talos/rendered/worker.yaml Normal file

@ -0,0 +1,592 @@
version: v1alpha1 # Indicates the schema used to decode the contents.
debug: false # Enable verbose logging to the console.
persist: true
# Provides machine specific configuration options.
machine:
type: worker # Defines the role of the machine within the cluster.
token: ubp3st.gmb0565erkwo722t # The `token` is used by a machine to join the PKI of the cluster.
# The root certificate authority of the PKI.
ca:
crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJQekNCOHFBREFnRUNBaEVBc3QvY3BtNEliZnhzS3d3VGxHMFNtREFGQmdNclpYQXdFREVPTUF3R0ExVUUKQ2hNRmRHRnNiM013SGhjTk1qUXhNakEwTVRneU1qQTFXaGNOTXpReE1qQXlNVGd5TWpBMVdqQVFNUTR3REFZRApWUVFLRXdWMFlXeHZjekFxTUFVR0F5dGxjQU1oQU9aVVU3Vzh3OXcwR0l4cmVxVitNQ3JrUENmQS9keWdJMGtVCkJDQTkyTjhNbzJFd1h6QU9CZ05WSFE4QkFmOEVCQU1DQW9Rd0hRWURWUjBsQkJZd0ZBWUlLd1lCQlFVSEF3RUcKQ0NzR0FRVUZCd01DTUE4R0ExVWRFd0VCL3dRRk1BTUJBZjh3SFFZRFZSME9CQllFRksvei83WWVqamt0VFAwcgppcFFNa2hxK3hNU1pNQVVHQXl0bGNBTkJBTDNJTDk4b3NkeDVPTGpQeEZFcXRTK0NOeWhPS2RFMGU5S3ZnQi9VCmpaT3VEMWE3Zmx3Q1grTVVrdk1qMnBEUER1eTN1Tko5Ym41ZFdPMldmdWFwdEFrPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
key: ""
# Extra certificate subject alternative names for the machine's certificate.
certSANs: []
# # Uncomment this to enable SANs.
# - 10.0.0.10
# - 172.16.0.10
# - 192.168.0.10
# Used to provide additional options to the kubelet.
kubelet:
image: ghcr.io/siderolabs/kubelet:v1.31.2 # The `image` field is an optional reference to an alternative kubelet image.
# The `extraArgs` field is used to provide additional flags to the kubelet.
extraArgs:
rotate-server-certificates: "true"
# The `extraMounts` field is used to add additional mounts to the kubelet container.
extraMounts:
- destination: /var/local/openebs # Destination is the absolute path where the mount will be placed in the container.
type: bind # Type specifies the mount kind.
source: /var/local/openebs # Source specifies the source path of the mount.
# Options are fstab style mount options.
options:
- bind
- rshared
- rw
defaultRuntimeSeccompProfileEnabled: true # Enable container runtime default Seccomp profile.
disableManifestsDirectory: true # The `disableManifestsDirectory` field configures the kubelet to get static pod manifests from the /etc/kubernetes/manifests directory.
# # The `ClusterDNS` field is an optional reference to an alternative kubelet clusterDNS ip list.
# clusterDNS:
# - 10.96.0.10
# - 169.254.2.53
# # The `extraConfig` field is used to provide kubelet configuration overrides.
# extraConfig:
# serverTLSBootstrap: true
# # The `KubeletCredentialProviderConfig` field is used to provide kubelet credential configuration.
# credentialProviderConfig:
# apiVersion: kubelet.config.k8s.io/v1
# kind: CredentialProviderConfig
# providers:
# - apiVersion: credentialprovider.kubelet.k8s.io/v1
# defaultCacheDuration: 12h
# matchImages:
# - '*.dkr.ecr.*.amazonaws.com'
# - '*.dkr.ecr.*.amazonaws.com.cn'
# - '*.dkr.ecr-fips.*.amazonaws.com'
# - '*.dkr.ecr.us-iso-east-1.c2s.ic.gov'
# - '*.dkr.ecr.us-isob-east-1.sc2s.sgov.gov'
# name: ecr-credential-provider
# # The `nodeIP` field is used to configure `--node-ip` flag for the kubelet.
# nodeIP:
# # The `validSubnets` field configures the networks to pick kubelet node IP from.
# validSubnets:
# - 10.0.0.0/8
# - '!10.0.0.3/32'
# - fdc7::/16
# Provides machine specific network configuration options.
network:
hostname: node00.balsillie.house # Used to statically set the hostname for the machine.
# `interfaces` is used to define the network interface configuration.
interfaces:
- # Picks a network device using the selector.
deviceSelector:
hardwareAddr: f4:4d:30:6e:62:a7 # Device hardware address, supports matching by wildcard.
# Assigns static IP addresses to the interface.
addresses:
- 192.168.1.15/24
# A list of routes associated with the interface.
routes:
- network: 0.0.0.0/0 # The route's network (destination).
gateway: 192.168.1.11 # The route's gateway (if empty, creates link scope route).
dhcp: false # Indicates if DHCP should be used to configure the interface.
# # The interface name.
# interface: enp0s3
# # Bond specific options.
# bond:
# # The interfaces that make up the bond.
# interfaces:
# - enp2s0
# - enp2s1
# # Picks a network device using the selector.
# deviceSelectors:
# - busPath: 00:* # PCI, USB bus prefix, supports matching by wildcard.
# - hardwareAddr: '*:f0:ab' # Device hardware address, supports matching by wildcard.
# driver: virtio # Kernel driver, supports matching by wildcard.
# mode: 802.3ad # A bond option.
# lacpRate: fast # A bond option.
# # Bridge specific options.
# bridge:
# # The interfaces that make up the bridge.
# interfaces:
# - enxda4042ca9a51
# - enxae2a6774c259
# # A bridge option.
# stp:
# enabled: true # Whether Spanning Tree Protocol (STP) is enabled.
# # DHCP specific options.
# dhcpOptions:
# routeMetric: 1024 # The priority of all routes received via DHCP.
# # Wireguard specific configuration.
# # wireguard server example
# wireguard:
# privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# listenPort: 51111 # Specifies a device's listening port.
# # Specifies a list of peer configurations to apply to a device.
# peers:
# - publicKey: ABCDEF... # Specifies the public key of this peer.
# endpoint: 192.168.1.3 # Specifies the endpoint of this peer entry.
# # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# allowedIPs:
# - 192.168.1.0/24
# # wireguard peer example
# wireguard:
# privateKey: ABCDEF... # Specifies a private key configuration (base64 encoded).
# # Specifies a list of peer configurations to apply to a device.
# peers:
# - publicKey: ABCDEF... # Specifies the public key of this peer.
# endpoint: 192.168.1.2:51822 # Specifies the endpoint of this peer entry.
# persistentKeepaliveInterval: 10s # Specifies the persistent keepalive interval for this peer.
# # AllowedIPs specifies a list of allowed IP addresses in CIDR notation for this peer.
# allowedIPs:
# - 192.168.1.0/24
# # Virtual (shared) IP address configuration.
# # layer2 vip example
# vip:
# ip: 172.16.199.55 # Specifies the IP address to be used.
# Used to statically set the nameservers for the machine.
nameservers:
- 192.168.1.11
# # Allows for extra entries to be added to the `/etc/hosts` file
# extraHostEntries:
# - ip: 192.168.1.100 # The IP of the host.
# # The host alias.
# aliases:
# - example
# - example.domain.tld
# # Configures KubeSpan feature.
# kubespan:
# enabled: true # Enable the KubeSpan feature.
# Used to provide instructions for installations.
install:
disk: /dev/sda # The disk used for installations.
# Look up disk using disk attributes like model, size, serial and others.
diskSelector:
type: ssd # Disk Type.
# # Disk size.
# # Select a disk which size is equal to 4GB.
# size: 4GB
# # Select a disk which size is greater than 1TB.
# size: '> 1TB'
# # Select a disk which size is less or equal than 2TB.
# size: <= 2TB
# # Disk bus path.
# busPath: /pci0000:00/0000:00:17.0/ata1/host0/target0:0:0/0:0:0:0
# busPath: /pci0000:00/*
image: ghcr.io/siderolabs/installer:v1.8.3 # Allows for supplying the image used to perform the installation.
wipe: true # Indicates if the installation disk should be wiped at installation time.
legacyBIOSSupport: false # Indicates if MBR partition should be marked as bootable (active).
# # Allows for supplying extra kernel args via the bootloader.
# extraKernelArgs:
# - talos.platform=metal
# - reboot=k
# # Allows for supplying additional system extension images to install on top of base Talos image.
# extensions:
# - image: ghcr.io/siderolabs/gvisor:20220117.0-v1.0.0 # System extension image.
# Used to configure the machine's time settings.
time:
disabled: false # Indicates if the time service is disabled for the machine.
# description: |
servers:
- 192.168.1.11
# Used to configure the machine's sysctls.
sysctls:
vm.nr_hugepages: "1024"
# Used to configure the machine's container image registry mirrors.
registries: {}
# # Specifies mirror configuration for each registry host namespace.
# mirrors:
# ghcr.io:
# # List of endpoints (URLs) for registry mirrors to use.
# endpoints:
# - https://registry.insecure
# - https://ghcr.io/v2/
# # Specifies TLS & auth configuration for HTTPS image registries.
# config:
# registry.insecure:
# # The TLS configuration for the registry.
# tls:
# insecureSkipVerify: true # Skip TLS server certificate verification (not recommended).
#
# # # Enable mutual TLS authentication with the registry.
# # clientIdentity:
# # crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# # key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
#
# # # The auth configuration for this registry.
# # auth:
# # username: username # Optional registry authentication.
# # password: password # Optional registry authentication.
# Features describe individual Talos features that can be switched on or off.
features:
rbac: true # Enable role-based access control (RBAC).
stableHostname: true # Enable stable default hostname.
apidCheckExtKeyUsage: true # Enable checks for extended key usage of client certificates in apid.
diskQuotaSupport: true # Enable XFS project quota support for EPHEMERAL partition and user disks.
# KubePrism - local proxy/load balancer on defined port that will distribute
kubePrism:
enabled: false # Enable KubePrism support - will start local load balancing proxy.
port: 7445 # KubePrism port.
# Configures host DNS caching resolver.
hostDNS:
enabled: true # Enable host DNS caching resolver.
forwardKubeDNSToHost: false # Use the host DNS resolver as upstream for Kubernetes CoreDNS pods.
# # Configure Talos API access from Kubernetes pods.
# kubernetesTalosAPIAccess:
# enabled: true # Enable Talos API access from Kubernetes pods.
# # The list of Talos API roles which can be granted for access from Kubernetes pods.
# allowedRoles:
# - os:reader
# # The list of Kubernetes namespaces Talos API access is available from.
# allowedKubernetesNamespaces:
# - kube-system
# Configures the node labels for the machine.
nodeLabels:
openebs.io/engine: mayastor
# # Provides machine specific control plane configuration options.
# # ControlPlane definition example.
# controlPlane:
# # Controller manager machine specific configuration options.
# controllerManager:
# disabled: false # Disable kube-controller-manager on the node.
# # Scheduler machine specific configuration options.
# scheduler:
# disabled: true # Disable kube-scheduler on the node.
# # Used to provide static pod definitions to be run by the kubelet directly bypassing the kube-apiserver.
# # nginx static pod.
# pods:
# - apiVersion: v1
# kind: pod
# metadata:
# name: nginx
# spec:
# containers:
# - image: nginx
# name: nginx
# # Used to partition, format and mount additional disks.
# # MachineDisks list example.
# disks:
# - device: /dev/sdb # The name of the disk to use.
# # A list of partitions to create on the disk.
# partitions:
# - mountpoint: /var/mnt/extra # Where to mount the partition.
#
# # # The size of partition: either bytes or human readable representation. If `size:` is omitted, the partition is sized to occupy the full disk.
# # # Human readable representation.
# # size: 100 MB
# # # Precise value in bytes.
# # size: 1073741824
# # Allows the addition of user specified files.
# # MachineFiles usage example.
# files:
# - content: '...' # The contents of the file.
# permissions: 0o666 # The file's permissions in octal.
# path: /tmp/file.txt # The path of the file.
# op: append # The operation to use
# # The `env` field allows for the addition of environment variables.
# # Environment variables definition examples.
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: info
# GRPC_GO_LOG_VERBOSITY_LEVEL: "99"
# https_proxy: http://SERVER:PORT/
# env:
# GRPC_GO_LOG_SEVERITY_LEVEL: error
# https_proxy: https://USERNAME:PASSWORD@SERVER:PORT/
# env:
# https_proxy: http://DOMAIN\USERNAME:PASSWORD@SERVER:PORT/
# # Used to configure the machine's sysfs.
# # MachineSysfs usage example.
# sysfs:
# devices.system.cpu.cpu0.cpufreq.scaling_governor: performance
# # Machine system disk encryption configuration.
# systemDiskEncryption:
# # Ephemeral partition encryption.
# ephemeral:
# provider: luks2 # Encryption provider to use for the encryption.
# # Defines the encryption keys generation and storage method.
# keys:
# - # Deterministically generated key from the node UUID and PartitionLabel.
# nodeID: {}
# slot: 0 # Key slot number for LUKS2 encryption.
#
# # # KMS managed encryption key.
# # kms:
# # endpoint: https://192.168.88.21:4443 # KMS endpoint to Seal/Unseal the key.
#
# # # Cipher kind to use for the encryption. Depends on the encryption provider.
# # cipher: aes-xts-plain64
# # # Defines the encryption sector size.
# # blockSize: 4096
# # # Additional --perf parameters for the LUKS2 encryption.
# # options:
# # - no_read_workqueue
# # - no_write_workqueue
# # Configures the udev system.
# udev:
# # List of udev rules to apply to the udev system
# rules:
# - SUBSYSTEM=="drm", KERNEL=="renderD*", GROUP="44", MODE="0660"
# # Configures the logging system.
# logging:
# # Logging destination.
# destinations:
# - endpoint: tcp://1.2.3.4:12345 # Where to send logs. Supported protocols are "tcp" and "udp".
# format: json_lines # Logs format.
# # Configures the kernel.
# kernel:
# # Kernel modules to load.
# modules:
# - name: brtfs # Module name.
# # Configures the seccomp profiles for the machine.
# seccompProfiles:
# - name: audit.json # The `name` field is used to provide the file name of the seccomp profile.
# # The `value` field is used to provide the seccomp profile.
# value:
# defaultAction: SCMP_ACT_LOG
# # Configures the node annotations for the machine.
# # node annotations example.
# nodeAnnotations:
# customer.io/rack: r13a25
# # Configures the node taints for the machine. Effect is optional.
# # node taints example.
# nodeTaints:
# exampleTaint: exampleTaintValue:NoSchedule
# Provides cluster specific configuration options.
cluster:
id: OmdWk7fWVxSMf_1pjy_vG3LD_LpzBcJJ4gfyg7Du-1A= # Globally unique identifier for this cluster (base64 encoded random 32 bytes).
secret: XVz/kRfKSE9ID7nb2QLW+DafhGHaLj+cXs9DlADVUQc= # Shared secret of cluster (base64 encoded random 32 bytes).
# Provides control plane specific configuration options.
controlPlane:
endpoint: https://cp00.balsillie.house:6443 # Endpoint is the canonical controlplane endpoint, which can be an IP address or a DNS hostname.
localAPIServerPort: 6443 # The port that the API server listens on internally.
clusterName: cluster00.balsillie.house # Configures the cluster's name.
# Provides cluster specific network configuration options.
network:
# The CNI used.
cni:
name: custom # Name of CNI to use.
# URLs containing manifests to apply for the CNI.
urls:
- https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
dnsDomain: cluster00.balsillie.house # The domain used by Kubernetes DNS.
# The pod subnet CIDR.
podSubnets:
- 10.64.0.0/12
# The service subnet CIDR.
serviceSubnets:
- 10.80.0.0/12
token: cpn9u3.wyqt1zpotvuczv27 # The [bootstrap token](https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/) used to join the cluster.
# The base64 encoded root certificate authority used by Kubernetes.
ca:
crt: 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
key: ""
# API server specific configuration options.
apiServer:
# Configure the API server admission plugins.
admissionControl:
- name: PodSecurity # Name is the name of the admission controller.
# Configuration is an embedded configuration object to be used as the plugin's
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1beta1
exemptions:
namespaces:
- openebs
- democratic-csi
kind: PodSecurityConfiguration
# # The container image used in the API server manifest.
# image: registry.k8s.io/kube-apiserver:v1.31.2
# # Configure the API server audit policy.
# auditPolicy:
# apiVersion: audit.k8s.io/v1
# kind: Policy
# rules:
# - level: Metadata
# Kube-proxy server-specific configuration options
proxy:
disabled: false # Disable kube-proxy deployment on cluster bootstrap.
mode: nftables # proxy mode of kube-proxy.
# Extra arguments to supply to kube-proxy.
extraArgs:
proxy-mode: nftables
# # The container image used in the kube-proxy manifest.
# image: registry.k8s.io/kube-proxy:v1.31.2
# Configures cluster member discovery.
discovery:
enabled: true # Enable the cluster membership discovery feature.
# Configure registries used for cluster member discovery.
registries:
# Kubernetes registry uses Kubernetes API server to discover cluster members and stores additional information
kubernetes:
disabled: true # Disable Kubernetes discovery registry.
# Service registry is using an external service to push and pull information about cluster members.
service: {}
# # External service endpoint.
# endpoint: https://discovery.talos.dev/
# A list of urls that point to additional manifests.
extraManifests:
- https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
# A list of inline Kubernetes manifests.
inlineManifests:
- name: calico-installation # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
variant: Calico
cni:
type: Calico
ipam:
type: Calico
serviceCIDRs:
- 10.80.0.0/12
calicoNetwork:
bgp: Enabled
linuxDataplane: Nftables
hostPorts: Enabled
ipPools:
- name: default-ipv4-ippool
blockSize: 24
cidr: 10.64.0.0/12
encapsulation: None
natOutgoing: Disabled
nodeSelector: all()
- name: calico-apiserver # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
spec: {}
- name: calico-bgpconfig # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: crd.projectcalico.org/v1
kind: BGPConfiguration
metadata:
name: default
spec:
asNumber: 64624
serviceClusterIPs:
- cidr: 10.80.0.0/12
- name: calico-bgppeer # Name of the manifest.
contents: | # Manifest contents as a string.
apiVersion: crd.projectcalico.org/v1
kind: BGPPeer
metadata:
name: router-balsillie-house
spec:
asNumber: 64625
peerIP: 192.168.1.11:179
allowSchedulingOnControlPlanes: true # Allows running workload on control-plane nodes.
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# aescbcEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
# # Decryption secret example (do not use in production!).
# secretboxEncryptionSecret: z01mye6j16bspJYtTB/5SFX8j7Ph4JXxM2Xuu4vsBPM=
# # The base64 encoded aggregator certificate authority used by Kubernetes for front-proxy certificate generation.
# # AggregatorCA example.
# aggregatorCA:
# crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
# # The base64 encoded private key for service account token generation.
# # AggregatorCA example.
# serviceAccount:
# key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
# # Controller manager server specific configuration options.
# controllerManager:
# image: registry.k8s.io/kube-controller-manager:v1.31.2 # The container image used in the controller manager manifest.
# # Extra arguments to supply to the controller manager.
# extraArgs:
# feature-gates: ServerSideApply=true
# # Scheduler server specific configuration options.
# scheduler:
# image: registry.k8s.io/kube-scheduler:v1.31.2 # The container image used in the scheduler manifest.
# # Extra arguments to supply to the scheduler.
# extraArgs:
# feature-gates: AllBeta=true
# # Etcd specific configuration options.
# etcd:
# image: gcr.io/etcd-development/etcd:v3.5.16 # The container image used to create the etcd service.
# # The `ca` is the root certificate authority of the PKI.
# ca:
# crt: LS0tIEVYQU1QTEUgQ0VSVElGSUNBVEUgLS0t
# key: LS0tIEVYQU1QTEUgS0VZIC0tLQ==
# # Extra arguments to supply to etcd.
# extraArgs:
# election-timeout: "5000"
# # The `advertisedSubnets` field configures the networks to pick etcd advertised IP from.
# advertisedSubnets:
# - 10.0.0.0/8
# # Core DNS specific configuration options.
# coreDNS:
# image: registry.k8s.io/coredns/coredns:v1.11.3 # The `image` field is an override to the default coredns image.
# # External cloud provider configuration.
# externalCloudProvider:
# enabled: true # Enable external cloud provider.
# # A list of urls that point to additional manifests for an external cloud provider.
# manifests:
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/rbac.yaml
# - https://raw.githubusercontent.com/kubernetes/cloud-provider-aws/v1.20.0-alpha.0/manifests/aws-cloud-controller-manager-daemonset.yaml
# # A map of key value pairs that will be added while fetching the extraManifests.
# extraManifestHeaders:
# Token: "1234567"
# X-ExtraInfo: info
# # Settings for admin kubeconfig generation.
# adminKubeconfig:
# certLifetime: 1h0m0s # Admin kubeconfig certificate lifetime (default is 1 year).
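Review bot: This rendered config commits live cluster credentials in plain text: `machine.token`, `cluster.id`, `cluster.secret` and the bootstrap `cluster.token`, alongside the machine `ca.crt` (the `key` fields are empty, as expected for a worker). The file's own comments say these tokens let a machine join the cluster PKI and the cluster, so anyone with read access to the repository holds them, and since the values are now in git history removing the file is not enough — regenerate the secrets bundle and re-render before the cluster goes further. Rendered output belongs outside version control, or encrypted at rest, with only the patch file committed; a header such as `# GENERATED by talosctl — contains cluster secrets, do not commit` at the top would make that explicit. `install.disk: /dev/sda` and `install.diskSelector: type: ssd` are both set; whether Talos honours one or rejects the pair I cannot tell from here — worth a `talosctl validate` check.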

136
talos/talos-patch.yaml Normal file

@ -0,0 +1,136 @@
---
cluster:
allowSchedulingOnControlPlanes: true
controlPlane:
endpoint: https://cp00.balsillie.house:6443
localAPIServerPort: 6443
clusterName: cluster00.balsillie.house
extraManifests:
- https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
- https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
# - https://github.com/kubernetes-csi/csi-driver-nfs/blob/v4.9.0/deploy/example/pv-nfs-csi.yaml # TODO follow link and add individual manifests
# - https://raw.githubusercontent.com/kubernetes/ingress-nginx/refs/tags/controller-v1.11.3/deploy/static/provider/baremetal/deploy.yaml
inlineManifests:
- name: calico-installation
contents: |
apiVersion: operator.tigera.io/v1
kind: Installation
metadata:
name: default
spec:
variant: Calico
cni:
type: Calico
ipam:
type: Calico
serviceCIDRs:
- 10.80.0.0/12
calicoNetwork:
bgp: Enabled
linuxDataplane: Nftables
hostPorts: Enabled
ipPools:
- name: default-ipv4-ippool
blockSize: 24
cidr: 10.64.0.0/12
encapsulation: None
natOutgoing: Disabled
nodeSelector: all()
- name: calico-apiserver
contents: |
apiVersion: operator.tigera.io/v1
kind: APIServer
metadata:
name: default
spec: {}
- name: calico-bgpconfig
contents: |
apiVersion: crd.projectcalico.org/v1
kind: BGPConfiguration
metadata:
name: default
spec:
asNumber: 64624
serviceClusterIPs:
- cidr: 10.80.0.0/12
serviceExternalIPs:
- cidr: 10.96.20.0/24
- name: calico-bgppeer
contents: |
apiVersion: crd.projectcalico.org/v1
kind: BGPPeer
metadata:
name: router-balsillie-house
spec:
asNumber: 64625
peerIP: 192.168.1.11:179
network:
cni:
name: custom
urls:
- https://raw.githubusercontent.com/projectcalico/calico/v3.29.1/manifests/tigera-operator.yaml
dnsDomain: cluster00.balsillie.house
podSubnets:
- 10.64.0.0/12
serviceSubnets:
- 10.80.0.0/12
proxy:
mode: nftables
disabled: false
extraArgs:
proxy-mode: nftables
machine:
disks:
- device: /dev/nvme0n1
# partitions:
# - mountpoint: /var/mnt/storage
features:
hostDNS:
enabled: true
forwardKubeDNSToHost: false
install:
wipe: true
legacyBIOSSupport: false
diskSelector:
type: ssd
kubelet:
extraArgs:
rotate-server-certificates: true
extraMounts:
- destination: /var/local/openebs
type: bind
source: /var/local/openebs
options:
- rbind
- rshared
- rw
# - destination: /var/dev/nvme0n1
# type: bind
# source: /dev/nvme0n1
# options:
# - bind
# - rshared
# - rw
network:
hostname: node00.balsillie.house
nameservers:
- 192.168.1.11
interfaces:
- deviceSelector:
hardwareAddr: 'f4:4d:30:6e:62:a7'
dhcp: false
routes:
- network: 0.0.0.0/0
gateway: 192.168.1.11
addresses:
- 192.168.1.15/24
nodeLabels:
openebs.io/engine: mayastor
sysctls:
vm.nr_hugepages: "1024"
time:
disabled: false
servers:
- 192.168.1.11
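Review bot: This patch and the rendered `talos/rendered/worker.yaml` in the same commit disagree, so one of them is stale: the patch mounts `/var/local/openebs` with `- rbind` where the rendered file has `- bind`, the patch's BGPConfiguration adds `serviceExternalIPs: 10.96.20.0/24` which the rendered file lacks, and the patch comments out the ingress-nginx manifest URL that the rendered file still lists under `extraManifests`. Re-render from this patch (or drop the rendered copies) so the committed state is reproducible. `rotate-server-certificates: true` is a bare boolean while kubelet `extraArgs` are string flags and the sibling `vm.nr_hugepages: "1024"` is quoted; write it `rotate-server-certificates: "true"`, as the rendered file does. The `machine.disks` entry for `/dev/nvme0n1` has its `partitions` commented out, so it declares nothing to partition or mount — if the disk is meant for the `disk.transport == "nvme"` volume in `talos/volume-config.yaml`, this entry looks like a leftover.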

9
talos/volume-config.yaml Normal file

@ -0,0 +1,9 @@
apiVersion: v1alpha1
kind: VolumeConfig
name: mayastor # Name of the volume.
# The provisioning describes how the volume is provisioned.
provisioning:
# The disk selector expression.
diskSelector:
match: disk.transport == "nvme" # The Common Expression Language (CEL) expression to match the disk.
maxSize: 501GiB

128
terraform/aws/kms/main.tf Normal file

@ -0,0 +1,128 @@
terraform {
required_version = ">= 1.8.7"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 5.82.2"
}
}
backend "local" {
# path = pathexpand("~/Backups/tfstate/cloudflare.tfstate")
}
}
provider "aws" {
region = "us-east-1"
}
resource "aws_iam_user" "vault_user" {
name = "vault-unseal-user"
}
resource "aws_iam_user" "sops_user" {
name = "sops-user"
}
resource "aws_iam_access_key" "vault_user_key" {
user = aws_iam_user.vault_user.name
}
resource "aws_iam_access_key" "sops_user_key" {
user = aws_iam_user.sops_user.name
}
resource "aws_kms_key" "vault" {
description = "Hashicorp Vault auto unseal key"
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
deletion_window_in_days = 30
is_enabled = true
multi_region = false
enable_key_rotation = false
}
resource "aws_kms_key" "sops" {
description = "SOPS operational key"
key_usage = "ENCRYPT_DECRYPT"
customer_master_key_spec = "SYMMETRIC_DEFAULT"
deletion_window_in_days = 30
is_enabled = true
multi_region = false
enable_key_rotation = false
}
resource "aws_kms_alias" "vault" {
name = "alias/hashicorp-vault-unseal"
target_key_id = aws_kms_key.vault.key_id
}
resource "aws_kms_alias" "sops" {
name = "alias/sops"
target_key_id = aws_kms_key.vault.key_id
}
resource "aws_iam_user_policy" "vault_policy" {
name = "vault-unseal-policy"
user = aws_iam_user.vault_user.name
policy = jsonencode(
{
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
]
Resource = aws_kms_key.vault.arn
}
]
}
)
}
resource "aws_iam_user_policy" "sops_policy" {
name = "sops-policy"
user = aws_iam_user.sops_user.name
policy = jsonencode(
{
Version = "2012-10-17"
Statement = [
{
Effect = "Allow"
Action = [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
]
Resource = aws_kms_key.sops.arn
}
]
}
)
}
output "vault_access_key_id" {
value = aws_iam_access_key.vault_user_key.id
}
output "vault_secret_access_key" {
value = nonsensitive(aws_iam_access_key.vault_user_key.secret)
}
output "vault_kms_key_id" {
value = aws_kms_key.vault.key_id
}
output "sops_access_key_id" {
value = aws_iam_access_key.sops_user_key.id
}
output "sops_secret_access_key" {
value = nonsensitive(aws_iam_access_key.sops_user_key.secret)
}
output "sops_kms_key_id" {
value = aws_kms_key.sops.key_id
}
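Review bot: `aws_kms_alias.sops` points at the wrong key: its `target_key_id = aws_kms_key.vault.key_id` should be `target_key_id = aws_kms_key.sops.key_id`, otherwise `alias/sops` resolves to the Vault unseal key while `sops_policy` only grants access to `aws_kms_key.sops`, so sops calls through the alias are denied and the two workloads end up sharing one key. The two `nonsensitive(...)` wrappers on the `*_secret_access_key` outputs strip Terraform's redaction from long-lived IAM secret keys, so they print in every plan/apply and CI log; drop the wrapper and mark the outputs `sensitive = true`, reading them with `terraform output -raw` when needed. Both keys also set `enable_key_rotation = false`; automatic rotation costs nothing extra for symmetric keys and should be on. With the `local` backend, the state file that records these access keys sits unencrypted on disk.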


@ -0,0 +1,86 @@
# terraform file to create dns resource in cloudflare
terraform {
required_version = ">= 1.8.0"
required_providers {
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 4.44"
}
}
backend "s3" {
endpoints = {
s3 = "https://s3.balsillie.house:9000"
}
region = "home"
bucket = "terraform"
use_path_style = true
key = "cloudflare/terraform.tfstate"
shared_credentials_files = ["~/.aws/credentials"]
profile = "terraform"
skip_credentials_validation = true
skip_region_validation = true
skip_requesting_account_id = true
}
}
provider "cloudflare" {
api_token = var.api_token
}
data "cloudflare_accounts" "default" {}
locals {
dns_records = {
for index, record in distinct(var.dns_records) : # 'distint' removes duplicate values from a list
tostring(index) => record
}
mx_records = {
for index, record in distinct(var.mx_records) : # 'distint' removes duplicate values from a list
tostring(index) => record
}
}
import {
to = cloudflare_zone.balsillie_net
id = var.zone_id
}
import {
to = cloudflare_zone_dnssec.balsillie_net
id = var.zone_id
}
resource "cloudflare_zone" "balsillie_net" {
account_id = data.cloudflare_accounts.default.accounts[0].id
zone = "balsillie.net"
paused = false
plan = "free"
type = "full"
}
resource "cloudflare_zone_dnssec" "balsillie_net" {
zone_id = cloudflare_zone.balsillie_net.id
}
resource "cloudflare_record" "dns_records" {
for_each = local.dns_records
zone_id = cloudflare_zone.balsillie_net.id
proxied = false
name = each.value.name
type = each.value.type
content = each.value.content
ttl = each.value.ttl
}
resource "cloudflare_record" "mx_records" {
for_each = local.mx_records
zone_id = cloudflare_zone.balsillie_net.id
proxied = false
name = each.value.name
type = each.value.type
content = each.value.content
priority = each.value.priority
ttl = each.value.ttl
}
# TODO update the SOA record when dns_records resource was changed
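Review bot: Keying the `for_each` maps in `locals` by list position (`tostring(index) => record`) means inserting, removing or reordering one entry in `var.dns_records` renumbers every record after it, and Terraform will then destroy and recreate those `cloudflare_record` resources on the next apply — a DNS outage for records that did not change. Key by identity instead, e.g. `"${record.name}/${record.type}/${record.content}" => record`, so each resource address is stable. `var.caa_records` is declared in variables.tf but no resource here consumes it, so CAA records are silently never created. The comment `# 'distint' removes duplicate values from a list` has a typo for `distinct`.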


@ -0,0 +1,4 @@
# Rename this file to "secrets.auto.tfvars"
api_token = "CHANGE ME"
zone_id = "CHANGE ME"
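Review bot: The rename target named in the comment, `secrets.auto.tfvars`, will hold the real `api_token`, so it must be excluded from version control; nothing visible in this commit adds it to `.gitignore`, and the placeholder file is the only guard. A second comment line would make the expectation explicit: `# secrets.auto.tfvars must be git-ignored; never commit the real token`.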


@ -0,0 +1,48 @@
variable "api_token" {
description = "Cloudflare account API token"
type = string
default = ""
sensitive = true
}
variable "zone_id" {
description = "The DNS zone id as siplayed in cloudflare dashboard."
type = string
default = ""
sensitive = false
}
variable "dns_records" {
description = "DNS A records to create"
type = list(object({
name = string
type = string
content = string
ttl = number
}))
default = []
}
variable "mx_records" {
description = "DNS MX records to create"
type = list(object({
name = string
type = string
content = string
priority = number
ttl = number
}))
default = []
}
variable "caa_records" {
description = "DNS CAA records to create"
type = list(object({
name = string
type = string
content = string
# priority = number
ttl = number
}))
default = []
}
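Review bot: The `dns_records` description says "DNS A records to create" but the object carries a `type` field and the tfvars feed it TXT and CNAME records; `description = "DNS records (any non-MX type) to create"` would match actual use. `zone_id`'s description has a typo, `siplayed` for `displayed`. `api_token` defaults to `""`, which lets a run with no tfvars reach the Cloudflare provider with an empty token and fail there; removing the default turns a missing secret into a clear variable error at plan time.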


@ -0,0 +1,38 @@
zone_id = "affce43bd72967adbe9ac9cc32c4532b"
dns_records = [
{ name = "@", type = "TXT", content = "\"v=spf1 +a:wan.balsillie.house -all\"", ttl = 60 },
{ name = "@", type = "TXT", content = "\"openpgp4fpr:2362b71cc210e435244d63dae81ed7810d966cd4\"", ttl = 60 },
{ name = "_dmarc", type = "TXT", content = "\"v=DMARC1; p=reject; rua=mailto:postmaster@balsillie.net; ruf=mailto:postmaster@balsillie.net; sp=reject; fo=1; aspf=s; adkim=s; ri=259200\"", ttl = 60 },
{ name = "_mta-sts", type = "TXT", content = "\"v=STSv1; id=1734552187\"", ttl = 60 },
{ name = "_smtp._tls", type = "TXT", content = "\"v=TLSRPTv1; rua=mailto:postmaster@balsillie.net\"", ttl = 60 },
{ name = "mail._domainkey", type = "TXT", content = "\"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+URc62p2hXgTgt+1NEo8tCm1SWYPXlnsO9vQdz3SqM6SUXyV/nuLzHQBriJwEnL7sXlmMvfu7JkY4wx/q4nZUVqJ6P8tV4qqRTlPYf9EOtzdPetvz24NVcI8Jh1qo06K/JXTPwGssSDnacfC6B14Q06JPC+1Kx28pOu8XLZSJpwIDAQAB\"", ttl = 60 },
{ name = "@", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "account", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "auth", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "auth-admin", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "autoconfig", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "cloud", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "code", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "im", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "imap", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "matrix", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "matrix-auth", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "matrix-federation", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "mta-sts", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "notify", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "office", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "openpgpkey", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "smtp", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "social", type = "CNAME", content = "wan.balsillie.house", ttl = 60 },
{ name = "gallery", type = "CNAME", content = "wan.balsillie.house", ttl = 60 }
]
mx_records = [
{ name = "@", type = "MX", content = "smtp.balsillie.net.", priority = 0, ttl = 60 }
]
caa_records = [
{ name = "@", type = "CAA", content = "0 issuewild ';'", ttl = 60 },
{ name = "@", type = "CAA", content = "0 issue \"letsencrypt.org\"", ttl = 60 }
]