diff --git a/.github/workflows/dummy-check.yaml b/.github/workflows/dummy-check.yaml
new file mode 100644
index 00000000..4e05aabd
--- /dev/null
+++ b/.github/workflows/dummy-check.yaml
@@ -0,0 +1,11 @@
+---
+name: dummy-check
+"on":
+ pull_request:
+ branches: ["main"]
+
+jobs:
+ echo:
+ runs-on: "ubuntu-latest"
+ steps:
+ - run: echo "dummy-check"
diff --git a/.github/workflows/cron-renovate.yaml b/.github/workflows/renovate.yaml
similarity index 85%
rename from .github/workflows/cron-renovate.yaml
rename to .github/workflows/renovate.yaml
index 135ba00e..cd522ff7 100644
--- a/.github/workflows/cron-renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -1,9 +1,13 @@
---
-name: cron-renovate
+name: renovate
"on":
+ workflow_dispatch:
push:
branches:
- "main"
+ paths:
+ - "renovate.json5"
+ - "**/renovate.json5"
schedule:
- cron: "0 0 * * *" # every 08:00 UTC+8
jobs:
diff --git a/amethyst/Taskfile.yaml b/amethyst/Taskfile.yaml
index 7644914a..10361695 100644
--- a/amethyst/Taskfile.yaml
+++ b/amethyst/Taskfile.yaml
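Review bot: The new dummy-check workflow has no `permissions:` block, so its job runs with the repository's default GITHUB_TOKEN scope even though the only step echoes a string; add `permissions: {}` at the top level (or `contents: read` if a checkout is ever added) so the token carries no write scope. If the check exists to give the branch automerge rules in the new renovate.json5 a passing status — an inference, the hunk does not say — note that a `pull_request` trigger on main will not fire for a branch Renovate merges without opening a PR, so confirm the trigger matches the automerge mode in use. A one-line comment under `name:` stating why a no-op check is needed would also help the next reader.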
@@ -170,31 +170,43 @@ tasks: talos:apply: silent: true dir: talos + env: &talos-env + SECRET_ENV: + sh: | + export AWS_PROFILE=sso-admin@aws-homelab + aws ssm get-parameters --with-decryption \ + --names /amethyst/talos-machine /amethyst/talos-cluster |\ + jq -r '.Parameters[].Value | fromjson | to_entries[] | "\(.key)=\(.value)"' cmds: - | NODE={{.NODE}} [ -z "$NODE" ] && echo -n "Apply node: " && read NODE export IP="$(yq 'head_comment' "${NODE}.yaml" | yq '.ip')" [ -z "$IP" ] && exit 1 + export TYPE="$(yq '.machine.type' "${NODE}.yaml")" - export TYPE_CONFIG="$(sops -d "${TYPE}.sops.yaml")" - export CONFIG="$(yq '. *= env(TYPE_CONFIG)' "${NODE}.yaml")" + export CONFIG="$(yq ea '. as $item ireduce ({}; . * $item)' "${TYPE}.yaml" "${NODE}.yaml")" + export $SECRET_ENV + export CONFIG="$(echo "$CONFIG" | envsubst)" talosctl apply-config -f <(echo -n "$CONFIG") -n "$IP" {{.CLI_ARGS}} talos:upgrade: silent: true dir: talos prompt: The upgrade process will cause a reboot... continue? + env: *talos-env cmds: - | NODE={{.NODE}} [ -z "$NODE" ] && echo -n "Upgrade node: " && read NODE export IP="$(yq 'head_comment' "${NODE}.yaml" | yq '.ip')" [ -z "$IP" ] && exit 1 + export TYPE="$(yq '.machine.type' "${NODE}.yaml")" - export IMAGE="$(yq '.machine.install.image' "${TYPE}.sops.yaml")" - export TYPE_CONFIG="$(sops -d "${TYPE}.sops.yaml")" - export CONFIG="$(yq '. *= env(TYPE_CONFIG)' "${NODE}.yaml")" + export IMAGE="$(yq '.machine.install.image' "${TYPE}.yaml")" + export CONFIG="$(yq ea '. as $item ireduce ({}; . * $item)' "${TYPE}.yaml" "${NODE}.yaml")" + export $SECRET_ENV + export CONFIG="$(echo "$CONFIG" | envsubst)" echo "> Apply configuration" talosctl apply-config -f <(echo -n "$CONFIG") -n "$IP" diff --git a/amethyst/kubernetes/archive/wego/wego.yaml b/amethyst/kubernetes/archive/wego/wego.yaml index 4b092b97..c8626cec 100644 --- a/amethyst/kubernetes/archive/wego/wego.yaml +++ b/amethyst/kubernetes/archive/wego/wego.yaml 
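Review bot: `export $SECRET_ENV` (added to both talos:apply and talos:upgrade) expands the fetched `KEY=VALUE` lines unquoted, so a value containing whitespace or glob characters is word-split or globbed before `export` sees it, and the `envsubst` call right after it takes no variable list, so it rewrites every `$NAME`/`${NAME}` in the merged config from the caller's whole environment rather than only the keys that came from SSM. Export line by line and restrict `envsubst` to the fetched keys, as below (the same two lines recur in talos:upgrade). If the `aws ssm` call fails — expired SSO session, wrong profile — an empty `SECRET_ENV` would blank every placeholder and the config would still be applied, so add `[ -z "$SECRET_ENV" ] && { echo "no secrets returned from SSM" >&2; exit 1; }` before the substitution unless Task is confirmed to abort when the `sh:` command exits non-zero. Reading two parameters also does not need the hard-coded `sso-admin@aws-homelab` profile; a profile limited to `ssm:GetParameters` plus decrypt on the parameters' key is enough. The sops-encrypted values this commit deletes elsewhere remain in git history, so their confidentiality still rests on the PGP key that protected them.
```yaml
          # … unchanged: NODE / IP / TYPE resolution and the yq merge into CONFIG …
          # one KEY=VALUE per line; export each line whole so spaces or glob characters in a value survive
          # (a value containing a newline would need a different encoding upstream, e.g. jq's @base64)
          while IFS= read -r kv; do [ -n "$kv" ] && export "$kv"; done <<< "$SECRET_ENV"
          # substitute only the keys fetched from SSM; any other $NAME in the config stays literal
          export CONFIG="$(echo "$CONFIG" | envsubst "$(printf '${%s} ' $(cut -d= -f1 <<< "$SECRET_ENV"))")"
          talosctl apply-config -f <(echo -n "$CONFIG") -n "$IP" {{.CLI_ARGS}}
```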
@@ -21,7 +21,6 @@ spec:
sourceRef:
kind: HelmRepository
name: wego
- # renovate: packageName=ghcr.io/weaveworks/charts/weave-gitops
chart: weave-gitops
version: 4.0.36
interval: 1h
diff --git a/amethyst/kubernetes/aws-identity-webhook/aws-identity-webhook.yaml b/amethyst/kubernetes/aws-identity-webhook/aws-identity-webhook.yaml
index 61508817..f71a99d8 100644
--- a/amethyst/kubernetes/aws-identity-webhook/aws-identity-webhook.yaml
+++ b/amethyst/kubernetes/aws-identity-webhook/aws-identity-webhook.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: jkroepke
- # renovate: registryUrl=https://jkroepke.github.io/helm-charts/
chart: amazon-eks-pod-identity-webhook
version: 2.1.3
interval: 1h
diff --git a/amethyst/kubernetes/cert-manager/cert-manager.yaml b/amethyst/kubernetes/cert-manager/cert-manager.yaml
index 5498729d..7295b474 100644
--- a/amethyst/kubernetes/cert-manager/cert-manager.yaml
+++ b/amethyst/kubernetes/cert-manager/cert-manager.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: cert-manager
- # renovate: registryUrl=https://charts.jetstack.io
chart: cert-manager
version: v1.12.2
install:
diff --git a/amethyst/kubernetes/cloudflared/cloudflared.yaml b/amethyst/kubernetes/cloudflared/cloudflared.yaml
index 971fd7da..5a5aae6f 100644
--- a/amethyst/kubernetes/cloudflared/cloudflared.yaml
+++ b/amethyst/kubernetes/cloudflared/cloudflared.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
@@ -31,7 +30,6 @@ spec:
rollingUpdate:
unavailable: 1
image:
- # renovate:
repository: cloudflare/cloudflared
tag: 2024.2.1
args:
diff --git a/amethyst/kubernetes/cnpg/cnpg.yaml b/amethyst/kubernetes/cnpg/cnpg.yaml
index bd11ba57..86e108a5 100644
--- a/amethyst/kubernetes/cnpg/cnpg.yaml
+++ b/amethyst/kubernetes/cnpg/cnpg.yaml
@@ -21,7 +21,6 @@ spec:
kind: HelmRepository
namespace: cnpg
name: cnpg
- # renovate: registryUrl=https://cloudnative-pg.github.io/charts
chart: cloudnative-pg
version: 0.18.1
install:
diff --git a/amethyst/kubernetes/flux-system/flux2.yaml b/amethyst/kubernetes/flux-system/flux2.yaml
index 9b92183c..47427d67 100644
--- a/amethyst/kubernetes/flux-system/flux2.yaml
+++ b/amethyst/kubernetes/flux-system/flux2.yaml
@@ -9,7 +9,6 @@ spec:
interval: 1m
url: https://github.com/fluxcd/flux2
ref:
- # renovate: github-repo=fluxcd/flux2
tag: v2.2.3
ignore: |
/*
diff --git a/amethyst/kubernetes/grafana/app/grafana.yaml b/amethyst/kubernetes/grafana/app/grafana.yaml
index c40d1df5..543e7fa0 100644
--- a/amethyst/kubernetes/grafana/app/grafana.yaml
+++ b/amethyst/kubernetes/grafana/app/grafana.yaml
@@ -20,7 +20,6 @@ spec:
kind: HelmRepository
namespace: grafana
name: grafana
- # renovate: registryUrl=https://grafana.github.io/helm-charts
chart: grafana
version: 7.3.7
interval: 1h
diff --git a/amethyst/kubernetes/ingress-nginx/ingress-nginx.yaml b/amethyst/kubernetes/ingress-nginx/ingress-nginx.yaml
index b6c50760..04cef1b9 100644
--- a/amethyst/kubernetes/ingress-nginx/ingress-nginx.yaml
+++ b/amethyst/kubernetes/ingress-nginx/ingress-nginx.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: ingress-nginx
- # renovate: registryUrl=https://kubernetes.github.io/ingress-nginx
chart: ingress-nginx
version: 4.7.0
interval: 1h
diff --git a/amethyst/kubernetes/kube-system/metrics-server.yaml b/amethyst/kubernetes/kube-system/metrics-server.yaml
index fa3608e9..3b89606c 100644
--- a/amethyst/kubernetes/kube-system/metrics-server.yaml
+++ b/amethyst/kubernetes/kube-system/metrics-server.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: metrics-server
- # renovate: registryUrl=https://kubernetes-sigs.github.io/metrics-server/
chart: metrics-server
version: 3.12.0
interval: 1h
diff --git a/amethyst/kubernetes/kube-system/secrets-store-csi-driver-provider-aws.yaml b/amethyst/kubernetes/kube-system/secrets-store-csi-driver-provider-aws.yaml
index 75495be5..82cbf253 100644
--- a/amethyst/kubernetes/kube-system/secrets-store-csi-driver-provider-aws.yaml
+++ b/amethyst/kubernetes/kube-system/secrets-store-csi-driver-provider-aws.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: aws-secrets-manager
- # renovate: registryUrl=https://aws.github.io/secrets-store-csi-driver-provider-aws
chart: secrets-store-csi-driver-provider-aws
version: 0.3.6
interval: 1h
diff --git a/amethyst/kubernetes/kube-system/secrets-store-csi-driver.yaml b/amethyst/kubernetes/kube-system/secrets-store-csi-driver.yaml
index 30c64fd2..b9e3ce44 100644
--- a/amethyst/kubernetes/kube-system/secrets-store-csi-driver.yaml
+++ b/amethyst/kubernetes/kube-system/secrets-store-csi-driver.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: secrets-store-csi-driver
- # renovate: registryUrl=https://kubernetes-sigs.github.io/secrets-store-csi-driver/charts
chart: secrets-store-csi-driver
version: 1.4.2
install:
diff --git a/amethyst/kubernetes/kube-system/snapshot-controller.yaml b/amethyst/kubernetes/kube-system/snapshot-controller.yaml
index 2a66a6e4..167d730c 100644
--- a/amethyst/kubernetes/kube-system/snapshot-controller.yaml
+++ b/amethyst/kubernetes/kube-system/snapshot-controller.yaml
@@ -10,8 +10,7 @@ spec:
interval: 5m
url: https://github.com/kubernetes-csi/external-snapshotter
ref:
- # renovate: github-repo=kubernetes-csi/external-snapshotter
- tag: v6.2.2
+ tag: v6.3.3
ignore: |
/*
# include the crd folder
@@ -39,8 +38,7 @@ spec:
interval: 5m
url: https://github.com/kubernetes-csi/external-snapshotter
ref:
- # renovate: github-repo=kubernetes-csi/external-snapshotter
- tag: v6.2.2
+ tag: v6.3.3
ignore: |
/*
# include the manifest folder
diff --git a/amethyst/kubernetes/kyverno/kyverno.yaml b/amethyst/kubernetes/kyverno/kyverno.yaml
index 88d4c803..924c7abf 100644
--- a/amethyst/kubernetes/kyverno/kyverno.yaml
+++ b/amethyst/kubernetes/kyverno/kyverno.yaml
@@ -21,7 +21,6 @@ spec:
kind: HelmRepository
name: kyverno
version: 3.0.1
- # renovate: registryUrl=https://kyverno.github.io/kyverno
chart: kyverno
install:
crds: CreateReplace
diff --git a/amethyst/kubernetes/loki/loki.yaml b/amethyst/kubernetes/loki/loki.yaml
index 5b037ebf..4cfb74b6 100644
--- a/amethyst/kubernetes/loki/loki.yaml
+++ b/amethyst/kubernetes/loki/loki.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: grafana
- # renovate: registryUrl=https://grafana.github.io/helm-charts
chart: loki
version: 5.26.0
interval: 1h
diff --git a/amethyst/kubernetes/metallb-system/metallb.yaml b/amethyst/kubernetes/metallb-system/metallb.yaml
index 3cd5126f..c5605bbe 100644
--- a/amethyst/kubernetes/metallb-system/metallb.yaml
+++ b/amethyst/kubernetes/metallb-system/metallb.yaml
@@ -21,7 +21,6 @@ spec:
kind: HelmRepository
name: metallb
version: 0.13.10
- # renovate: registryUrl=https://metallb.github.io/metallb
chart: metallb
interval: 1h
maxHistory: 1
diff --git a/amethyst/kubernetes/mimir/mimir.yaml b/amethyst/kubernetes/mimir/mimir.yaml
index b4a297c0..4941e041 100644
--- a/amethyst/kubernetes/mimir/mimir.yaml
+++ b/amethyst/kubernetes/mimir/mimir.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: grafana
- # renovate: registryUrl=https://grafana.github.io/helm-charts
chart: mimir-distributed
version: 5.0.0
interval: 1h
diff --git a/amethyst/kubernetes/mydata/immich/app/immich.yaml b/amethyst/kubernetes/mydata/immich/app/immich.yaml
index f0462aa9..b13986d1 100644
--- a/amethyst/kubernetes/mydata/immich/app/immich.yaml
+++ b/amethyst/kubernetes/mydata/immich/app/immich.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
@@ -28,7 +27,6 @@ spec:
controller:
strategy: RollingUpdate
image:
- # renovate:
repository: ghcr.io/immich-app/immich-server
tag: v1.98.2
command: ["./start.sh", "immich"]
@@ -118,7 +116,6 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
@@ -127,7 +124,6 @@ spec:
controller:
strategy: RollingUpdate
image:
- # renovate:
repository: ghcr.io/immich-app/immich-server
tag: v1.98.2
command: ["./start.sh", "microservices"]
@@ -214,14 +210,12 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
maxHistory: 1
values:
image:
- # renovate:
repository: ghcr.io/immich-app/immich-machine-learning
tag: v1.98.2
env:
diff --git a/amethyst/kubernetes/mydata/immich/deps/immich-dragonfly.yaml b/amethyst/kubernetes/mydata/immich/deps/immich-dragonfly.yaml
index 333890a5..2bedb118 100644
--- a/amethyst/kubernetes/mydata/immich/deps/immich-dragonfly.yaml
+++ b/amethyst/kubernetes/mydata/immich/deps/immich-dragonfly.yaml
@@ -10,7 +10,6 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
@@ -20,7 +19,6 @@ spec:
type: statefulset
replicas: 1
image:
- # renovate:
repository: ghcr.io/dragonflydb/dragonfly
tag: v1.6.2
args:
diff --git a/amethyst/kubernetes/mydata/navidrome/navidrome.yaml b/amethyst/kubernetes/mydata/navidrome/navidrome.yaml
index efac6432..f463cd75 100644
--- a/amethyst/kubernetes/mydata/navidrome/navidrome.yaml
+++ b/amethyst/kubernetes/mydata/navidrome/navidrome.yaml
@@ -11,14 +11,12 @@ spec: kind: HelmRepository namespace: mydata name: bjw-s - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 interval: 1h maxHistory: 1 values: image: - # renovate: repository: deluan/navidrome tag: 0.51.1 diff --git a/amethyst/kubernetes/mydata/nextcloud/app/nextcloud.yaml b/amethyst/kubernetes/mydata/nextcloud/app/nextcloud.yaml index 44a3bc44..54b9d20f 100644 --- a/amethyst/kubernetes/mydata/nextcloud/app/nextcloud.yaml +++ b/amethyst/kubernetes/mydata/nextcloud/app/nextcloud.yaml @@ -10,7 +10,6 @@ spec: sourceRef: kind: HelmRepository name: bjw-s - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 interval: 1h @@ -22,7 +21,6 @@ spec: rollingUpdate: unavailable: 1 image: - # renovate: repository: nextcloud tag: 28.0.3-apache serviceAccount: diff --git a/amethyst/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml b/amethyst/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml index b1a2d452..1cf06df4 100644 --- a/amethyst/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml +++ b/amethyst/kubernetes/mydata/nextcloud/deps/nextcloud-dragonfly.yaml @@ -10,7 +10,6 @@ spec: sourceRef: kind: HelmRepository name: bjw-s - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 interval: 1h @@ -19,7 +18,6 @@ spec: type: statefulset replicas: 1 image: - # renovate: repository: ghcr.io/dragonflydb/dragonfly tag: v1.6.2 args: diff --git a/amethyst/kubernetes/node-exporter/node-exporter.yaml b/amethyst/kubernetes/node-exporter/node-exporter.yaml index bce193f6..30f52486 100644 --- a/amethyst/kubernetes/node-exporter/node-exporter.yaml +++ b/amethyst/kubernetes/node-exporter/node-exporter.yaml @@ -19,7 +19,6 @@ spec: sourceRef: kind: HelmRepository name: prometheus-community - # renovate: registryUrl=https://prometheus-community.github.io/helm-charts chart: prometheus-node-exporter version: 4.31.0 interval: 1h 
diff --git a/amethyst/kubernetes/prometheus/kube-prometheus-stack.yaml b/amethyst/kubernetes/prometheus/kube-prometheus-stack.yaml
index f3e06bd4..6d573713 100644
--- a/amethyst/kubernetes/prometheus/kube-prometheus-stack.yaml
+++ b/amethyst/kubernetes/prometheus/kube-prometheus-stack.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: prometheus-community
- # renovate: registryUrl=https://prometheus-community.github.io/helm-charts
chart: kube-prometheus-stack
version: 48.2.1
install:
diff --git a/amethyst/kubernetes/promtail/promtail.yaml b/amethyst/kubernetes/promtail/promtail.yaml
index dcdf7f22..dcf03ba7 100644
--- a/amethyst/kubernetes/promtail/promtail.yaml
+++ b/amethyst/kubernetes/promtail/promtail.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: grafana
- # renovate: registryUrl=https://grafana.github.io/helm-charts
chart: promtail
version: 6.15.5
interval: 1h
diff --git a/amethyst/kubernetes/reloader/reloader.yaml b/amethyst/kubernetes/reloader/reloader.yaml
index 08f947db..8b57d2a1 100644
--- a/amethyst/kubernetes/reloader/reloader.yaml
+++ b/amethyst/kubernetes/reloader/reloader.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: stakater
- # renovate: registryUrl=https://stakater.github.io/stakater-charts
chart: reloader
version: 1.0.67
interval: 1h
diff --git a/amethyst/kubernetes/rook-ceph/rook-ceph.yaml b/amethyst/kubernetes/rook-ceph/rook-ceph.yaml
index ac9eac4a..5532cc88 100644
--- a/amethyst/kubernetes/rook-ceph/rook-ceph.yaml
+++ b/amethyst/kubernetes/rook-ceph/rook-ceph.yaml
@@ -20,7 +20,6 @@ spec:
sourceRef:
kind: HelmRepository
name: rook-ceph
- # renovate: registryUrl=https://charts.rook.io/release
chart: rook-ceph
version: v1.11.8
install:
diff --git a/amethyst/kubernetes/smart-exporter/smart-exporter.yaml b/amethyst/kubernetes/smart-exporter/smart-exporter.yaml
index 4525d9be..5320bc72 100644
--- a/amethyst/kubernetes/smart-exporter/smart-exporter.yaml
+++ b/amethyst/kubernetes/smart-exporter/smart-exporter.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
@@ -28,7 +27,6 @@ spec:
controller:
type: daemonset
image:
- # renovate:
repository: matusnovak/prometheus-smartctl
tag: v2.3.0
env:
diff --git a/amethyst/kubernetes/snapscheduler/snapscheduler.yaml b/amethyst/kubernetes/snapscheduler/snapscheduler.yaml
index d6799f6a..730af865 100644
--- a/amethyst/kubernetes/snapscheduler/snapscheduler.yaml
+++ b/amethyst/kubernetes/snapscheduler/snapscheduler.yaml
@@ -20,7 +20,6 @@ spec:
sourceRef:
kind: HelmRepository
name: backube
- # renovate: registryUrl=https://backube.github.io/helm-charts/
chart: snapscheduler
version: 3.2.0
install:
diff --git a/amethyst/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml b/amethyst/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml
index 54af784e..4e9c76af 100644
--- a/amethyst/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml
+++ b/amethyst/kubernetes/snmp-exporter-mikrotik/snmp-exporter.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
@@ -29,7 +28,6 @@ spec:
replicas: 1
strategy: RollingUpdate
image:
- # renovate:
repository: prom/snmp-exporter
tag: v0.24.1
args:
diff --git a/amethyst/kubernetes/unifi-controller/unifi-controller.yaml b/amethyst/kubernetes/unifi-controller/unifi-controller.yaml
index ec1a9c32..5ae09050 100644
--- a/amethyst/kubernetes/unifi-controller/unifi-controller.yaml
+++ b/amethyst/kubernetes/unifi-controller/unifi-controller.yaml
@@ -19,7 +19,6 @@ spec:
sourceRef:
kind: HelmRepository
name: bjw-s
- # renovate: registryUrl=https://bjw-s.github.io/helm-charts
chart: app-template
version: 1.5.1
interval: 1h
@@ -30,7 +29,6 @@ spec: replicas: 1 strategy: Recreate image: - # renovate: repository: jacobalberty/unifi tag: v8.0 diff --git a/amethyst/kubernetes/unpoller/unpoller.yaml b/amethyst/kubernetes/unpoller/unpoller.yaml index 15693d7a..64b307ea 100644 --- a/amethyst/kubernetes/unpoller/unpoller.yaml +++ b/amethyst/kubernetes/unpoller/unpoller.yaml @@ -19,7 +19,6 @@ spec: sourceRef: kind: HelmRepository name: bjw-s - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 interval: 1h @@ -28,7 +27,6 @@ spec: controller: replicas: 1 image: - # renovate: repository: ghcr.io/unpoller/unpoller tag: v2.10.0 command: ["unpoller", "--config", "/config/unpoller.yaml"] diff --git a/amethyst/kubernetes/vaultwarden/vaultwarden.yaml b/amethyst/kubernetes/vaultwarden/vaultwarden.yaml index 804c3b50..c181430e 100644 --- a/amethyst/kubernetes/vaultwarden/vaultwarden.yaml +++ b/amethyst/kubernetes/vaultwarden/vaultwarden.yaml @@ -19,14 +19,12 @@ spec: sourceRef: kind: HelmRepository name: bjw-s - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 interval: 1h maxHistory: 1 values: image: - # renovate: repository: ghcr.io/dani-garcia/vaultwarden tag: 1.30.5-alpine diff --git a/amethyst/kubernetes/vector/vector.yaml b/amethyst/kubernetes/vector/vector.yaml index 46adc3b6..1dbcbf7b 100644 --- a/amethyst/kubernetes/vector/vector.yaml +++ b/amethyst/kubernetes/vector/vector.yaml @@ -19,7 +19,6 @@ spec: sourceRef: kind: HelmRepository name: bjw-s - # renovate: registryUrl=https://bjw-s.github.io/helm-charts chart: app-template version: 1.5.1 interval: 1h @@ -29,7 +28,6 @@ spec: replicas: 2 strategy: RollingUpdate image: - # renovate: repository: timberio/vector tag: 0.33.0-distroless-libc podAnnotations: diff --git a/amethyst/kubernetes/volsync/volsync.yaml b/amethyst/kubernetes/volsync/volsync.yaml index 7c14c652..b0ef0767 100644 --- a/amethyst/kubernetes/volsync/volsync.yaml 
+++ b/amethyst/kubernetes/volsync/volsync.yaml
@@ -20,7 +20,6 @@ spec:
sourceRef:
kind: HelmRepository
name: backube
- # renovate: registryUrl=https://backube.github.io/helm-charts/
chart: volsync
version: 0.7.1
install:
diff --git a/amethyst/renovate.json5 b/amethyst/renovate.json5
new file mode 100644
index 00000000..f9cbebfc
--- /dev/null
+++ b/amethyst/renovate.json5
@@ -0,0 +1,55 @@
+{
+ $schema: "https://docs.renovatebot.com/renovate-schema.json",
+ packageRules: [
+ // Groups
+ {
+ matchDepPatterns: [
+ "ghcr.io/immich-app/immich-server",
+ "ghcr.io/immich-app/immich-machine-learning",
+ ],
+ groupName: "immich",
+ },
+ {
+ matchDepPatterns: [
+ "ghcr.io/siderolabs/kubelet",
+ "registry.k8s.io/kube-apiserver",
+ "registry.k8s.io/kube-controller-manager",
+ "registry.k8s.io/kube-scheduler",
+ "gcr.io/etcd-development/etcd",
+ "docker.io/coredns/coredns",
+ ],
+ groupName: "kubernetes",
+ },
+ {
+ matchDepPatterns: ["ghcr.io/siderolabs/installer"],
+ commitMessageTopic: "talos",
+ groupName: "talos",
+ },
+ {
+ matchPackagePatterns: ["hashicorp/terraform", "hashicorp/aws"],
+ groupName: "terraform",
+ },
+ // Auto merge
+ {
+ matchDepPatterns: [
+ "deluan/navidrome",
+ "ghcr.io/dani-garcia/vaultwarden",
+ "ghcr.io/immich-app/immich-server",
+ "ghcr.io/immich-app/immich-machine-learning",
+ "cloudflare/cloudflared",
+ "matusnovak/prometheus-smartctl",
+ "jacobalberty/unifi",
+ "ghcr.io/unpoller/unpoller",
+ ],
+ matchUpdateTypes: ["patch"],
+ automergeType: "branch",
+ automerge: true,
+ },
+ {
+ matchDepPatterns: ["grafana"],
+ matchUpdateTypes: ["minor", "patch"],
+ automergeType: "branch",
+ automerge: true,
+ },
+ ],
+}
diff --git a/amethyst/talos/controlplane.sops.yaml b/amethyst/talos/controlplane.sops.yaml
deleted file mode 100644
index 1ce14b09..00000000
--- a/amethyst/talos/controlplane.sops.yaml
+++ /dev/null
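Review bot: Both automerge rules in the new renovate.json5 use `automergeType: "branch"`, which Renovate documents as committing the update to the base branch without opening a pull request, while the only CI workflow this commit adds (dummy-check) triggers on `pull_request`, so it is not clear from the diff which status check would gate these merges; either use `automergeType: "pr"` or add a check that also runs on `push` for Renovate branches, and record the decision in a comment above `// Auto merge`. `matchDepPatterns: ["grafana"]` is a pattern, not an exact name, so every dependency whose name contains `grafana` gets minor and patch updates merged unreviewed; if only the Grafana chart is intended, `matchDepNames: ["grafana"]` says so. The patch list also covers `ghcr.io/dani-garcia/vaultwarden` and `cloudflare/cloudflared`, the two internet-facing components in this tree, which amounts to trusting upstream patch tags with no review — a defensible homelab choice, but one worth a comment so the list is not widened silently later.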
@@ -1,176 +0,0 @@ -version: v1alpha1 -debug: false -persist: true -machine: - # -- Setup - type: controlplane - token: ENC[AES256_GCM,data:g03cMkRFDL0O1Xm+WvtTJEPc2FimQR8=,iv:o4NCilgCjzT/9USoxiPBUCWGbqNYJDAlwdr5SbWtkuI=,tag:4GJmjY5sKStXlUyAf1wFug==,type:str] - # Talos CA - ca: - crt: 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 - key: ENC[AES256_GCM,data:sPOfywnHeBjo2MMexp2ulZWU80tONJAhYrhUVUZ438uX9BrWFJKP1nllc0wK0dpF0WLhD5ufd4V+lHHNXQ99YY6dQ6EcpBvLNJ7Kjwv3VomASNl6TGknZMp7PHA9w1jBDZcVOujrNdkw479gf3XUzxZyYg73pt2lTzVvIRwT1aejSy8uEtDtY7CilxiREh8FT721dxDBMJb7qF+3KL7QTY902Ya/EAt4+Uwjk6dKJpfZ5jxV,iv:MMoJHl5sTFVRtjahC5D2RwjndKuvmhjxzLPnl79qT4I=,tag:0Tb6i6lDy4jkTLWHoiJAug==,type:str] - certSANs: [] - install: - image: ghcr.io/siderolabs/installer:v1.6.4 - disk: /dev/sda - wipe: false - extraKernelArgs: - - talos.logging.kernel=tcp://192.168.253.100:3001 - # disable predictable interface naming - - net.ifnames=0 - network: - interfaces: - - interface: eth0 - dhcp: true - vip: - ip: 192.168.253.10 - logging: - destinations: - - endpoint: tcp://192.168.253.100:3002 - format: json_lines - # -- Services - kubelet: - image: ghcr.io/siderolabs/kubelet:v1.29.1 - defaultRuntimeSeccompProfileEnabled: true - disableManifestsDirectory: true - # -- Talos features - features: - rbac: true - stableHostname: true - apidCheckExtKeyUsage: true - kubePrism: - enabled: true - port: 7745 -cluster: - # -- Setup - clusterName: amethyst - controlPlane: - endpoint: https://192.168.253.10:6443 - network: - cni: - name: none - dnsDomain: cluster.local - podSubnets: - - 10.244.0.0/16 - serviceSubnets: - - 10.96.0.0/12 - # Cluster id - id: OMJ-snfRLFPqBNRJ5G5mSYxbNenZTVkio14Sp_e2jeM= - # Cluster shared secret - secret: ENC[AES256_GCM,data:/hrOvtb1WoK7BiaU1EYOfuLpy6+BonZopIaMgw8WTvABhxyrx4C7mPIkc98=,iv:x8KDptNMOg75VwyaA90aCjF+9pU/y+KxgF4SVcuqf58=,tag:UgIV0ohiNcPsZvYomKmpNw==,type:str] - # Boostrap token used to join the cluster - token: 
ENC[AES256_GCM,data:N+sXGXBT5iPpIlFT+pKWTdni15vF5Fs=,iv:uBBkYjVBD6BlAoYLrtmG34Dr/qBMT6ltIwkzxEv2AgM=,tag:b/AGhkps/mPhQ7T8nw9FLA==,type:str] - # Etcd encryption at rest - # A key used for the [encryption of secret data at rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). - secretboxEncryptionSecret: ENC[AES256_GCM,data:YxJwhBxLZ9gqcEIu6Zxr49RZcTdQIi404Pf6zhnou8jv2DyZNI87ixARt8I=,iv:DDVDQxjeh2A8pnUVnmehHOoCboSgRlERUHqB35P7wLA=,tag:x+gEKGG9f/HU7OJAyn77rg==,type:str] - # Kubernetes CA - ca: - crt: 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 - key: ENC[AES256_GCM,data:YdB8ap3JvwdOgThqSzFNq7/anpLWj3cpKJE8W/PPZaJIB90cNe/vEwwLNsQFegqeG64fxrPWk9XNOgWa4GXCL8ZW3MrTtb+KkRaywxJkBzYaGfTOJWSiZeqx6SjMtCM1tGf05iOKSyMBIYdipmtG0tkymeSSox7JZP8w93Zwlq5AYsL9J0ZdDYsi+c3J88dtN8krt6WVpxIypQofQkt1P+eB/W5Ps9XFi9s/JcGk+CuwW+Eracfn2exKxirMAS440eNpLhRkV3cg/ZUJck7UmFE5JxVzK89Aeq6WUhqr7gtX0l9aAIcDs7yku+tLC/pA5vnqNZQGCDOe7eMP4DqkJx5aPg7dXEMTgi/W59XsZm/RXRoYmD/r9OEU3WZvQj5LnjVObYkg/tkM5CqpmjiKoA==,iv:nRqQdhc5lo13bqN7cjDBywXooSNGajytBmkLOk6Thmw=,tag:IqKkJ9+ErJpcCknYGIqOyA==,type:str] - # Aggregator CA for generating fortned-proxy certificate - aggregatorCA: - crt: 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 - key: ENC[AES256_GCM,data:WrkDmrkPfEkTxr0iutUQlBkpOGDR7hIB6pcF5qGxhTBbskA+lqsGc3zwb8fROJzlr8B3YpkrSLMB2NhpgLTGPu7+IzwoLjKcovLH27MIJABanEz18ia9/0MVQM5PZgjB0MMEEM/Wnij3E7iWKhiljQJLSLEQ4TGfE+sdPdFXq1uYti2+bxHBRf/LmtwmIZ3CkMuc45ff1pF8C7bvXQgb7+hRiK9UZEJe19kDDZWTKLqWLaqiSKOVjttvNAmqsORJOsu86UNyXQR0Wsp6MNKXmp3zFEVsVun8UO14VlTwPP6e3puezN/J8zSymyeLJvenrvuhnyUyk3GvG+3ZgwfCxG0sTjx2taaYmjlcW6z6RZBj8cRozcvuAmRxruu+guLL6iOT4al/6Lsk4nfSBruGMQ==,iv:bm8RnvxKWhAwDGIXynjp481eERcSS+ryUa9GL78KEgk=,tag:QynUjLarhqCC1W6DSyiOSg==,type:str] - # Private key for generating serviceAccount token (JWT) - # Talos generates ECDSA key by default - # Change to RSA for AWS IAM identity provider - serviceAccount: - key: 
ENC[AES256_GCM,data:TRXNLveq3JV5Q68L3rSW/r/FTGa31hjtabIEwxh5VfR504MvLWorYtz49l78tYw60DDySnyybAELHgGN6uUPVtJ4bj26CM+zHLYj2eml0r2jxJvVIlO9I8tdlND+5K8Lfx2gtCWgWAgnQN5cqoYj0sR8C0BDGPY1f6eY9oRh9ECiqqo6NOyrsWOBUKab3EYYJUTC7GPqbVYyDPUYMTOs9cQmdAI/oHvi4PUUJ6WM7DuzcpQwzCfSELumbc8HQuD+bzJETwKuxxocu+yjoo5j/FWD7j86yhE3f5lDcI0++07uiZBur+CPPYNb4NHlZo4oAT6g2Vw39o5+OncZkPPPOzA/5kUXITmYRuzGjnJ+pD7ftWxVcOUMf6cCZbc3mQQg5Sx8mMnjw6v95JGDFqz8bBcIGjY8H3h6KDGRk/Jkzg3KfJPoDJU6gekgTTjBVFQmOOHFK2hN3FkHPmLWz+zLNToylSdT9NPTVuJ/PLLVIWiKRTUnYbeWvC8ROIyODPYoHs3bp8wLlWBV3QuGT72sh+h0VfFWn6ZS82fvVURvteK/bZHdl71R3g/vxlIgv/mM9JtSjFtj7ySx2mH2fJjaSmNFcBsp9JxKLa+ES9px8PmOu+HgQjcOjDA0zr+WJVccJDnY+aQ5FaHR5bVUMfCZyrL8QPzzGRG6J83TcuijLIBfW8v/iWrRJvTWegQXmUjBAKR3xlhiaamgrhS3C+QcXRdd+eFK0OrU9y09t+3XUxysST41qAqWDY02cAdWXX15lVnL3rQOl+bZlJ24R11qpOuJ136W2Z+2mEvDm/TxR/MO+lENQcxQfFV4x128PB2algfKf+w1rEcYQO7jXtbrQMXnlPy6IcwXNxZLaCvifTVSMtxAFwQ6JUIsnD9gG9Ko2e9IhRGZsmOHwKC/ly9UphAot5gODhdizUwS2kiJNm4vlzsMFHBRc6RgUjt4gKNkuQxxtoeGX5MvS5lZCH1ibRr6yNVeBAoN3bN4U5sE47jhMb9JKHQWghFAYjdmSSl5wIRA4H5tudrMnmJKDdKAS4q0Fba//0w2SO1K1J6JQsdxiVqcNp5nhJnnwYpdK35wt8HchzDQ0YvFrtrv4TCgv/9VqK0tFMNXQcnzbvhwL1mH5Xd+lhXh1y57V6ZqMH3kWWMJcBaA0+E0peuo/60g26f2psRS576PPCDjUmb+W37w159tyCo1OfgF7W+zRy9krhRf8iZo1OkH9fXrWhuIY9lsohtYKs99r+CkuYuqvnK0rp9Y5y59HupDdqCXa/qDzyLenk8CexdUXyJ9B0Oa0GHEfbqGTBTm0Kn6wS3O1AwG1JfEimf7VaRYcPCAWtWpY081pC+jgDsAi9yr+97ptrIOhIYu2emVbVAXm0UCDKItCLYrXsnMWnAj9btm9I3mHhj/1HS0h44KDFxDwQHJjXo9Uhzb7AyhybOFuNPUEfQGU/V8R4E/lcRXHAviAktCQQ8VjkZ/2vYOeFYQ4LzO8NQgf168fGKoHn00gVBciuCZNdYbzOBptZdd9rgC/9XTYJ5Nri2HAEI4Jelg/p8r++DnRvn2vO1/97DbEuwAZx8GxLk+Xg8Ynb/aB/dmTUAT1wPh8l17et6GImD9tj+ioCedgJRLvbJdg0oz6mao7vr3Upx/65OuSDCGMT557dtdsEVbcb9+bKnJwQmj2OCevqZJKxuCKzIF87EYv0hARp30ceOLXPplx2OGcvoEVB/gK6h9F2U736/kD7eLb92YSBWRmla+Ovw4sph6cLNLD/WmcqS6E+N4TSagoY2am2oEXtlCcsIwn8eQJ4E3oEO63XWOlS3D2O7GFWFR44wyHNd0qOZsb+vlMAPXHVWNKdwejwEIRjq0BxOPGBRJfTdZYYo9isns3ByOOZEql7P+/GW3hjAUDC6SgF6fLuiRloKueFckyW3rNB/VQi3hLTm2GEUXtwpDUdvIAwdtJV2z4M827NE5zUog+ygboert
gCwqG3v8S3zOGgUwa8IhdS5yCu7O1wpNA1n+LVYGaXzsjS17peIXAFuKrdI6Bsyprz1nXRW/Wj5nc9XIWGMHKm9I/+bvi67F0Yns+/A7Y/7R9jP/DDTAaseOfUknHSw5wDrOgd1gLSQsB3CFPUDH03501gVqX0LVWCrs3wT5GHKX9RA7sSOZ2D7DOl/CHEhqWufWHNZwjD2TySM4t24SGupmJ4dVftq717uw4VkVLNLS8Ijdd5abJrvn7GDD0asJuX//iRopq5BSOAz/2aBYsPty29Iy8Jzgy647BnFTCchsqioRRn8WYi6WZwW1Qlq/B2nFVn9Zo3qgxp3w7eTiCoKit4OHRQcWCCGB40/nEUmsuLEKoIRzLeePPmaq2RCorkEzHG3YKCvFuNR4B5ASO16tJGXauiU+msvobdfvcSiFGCOgBtJMJSOZ1tFqkDnrNu0GaExNKxIAOeLPz5zcFpMROdk91RMvcerURKY+QjOPHA2aS3A8ixdDD1X8dHPlTWdQ+ZRcUEf19PJfddGzZ/dK1nurMD8OUHGYyXjzjH1xpEgp396YL3/wOxumOWkZCHewYw9gMqEKR9TX1cDUqA08AX1JX+Oc70+Lcgf+GVHitg0jJ9JQCIzdzmrPiMBgUDvDk53Le5C4KHbrvpLJ69ff4UQC1lU1Z+588409Yr0lnujMlMAnH4svZxAR69IuF0E07rtLbDQosZ7WpJNPseeJpBjKCOcfCzzYzCXRM4RWNaDi1PlfPywuYwLDq/EqoswGjE+l/5uoO4QQFSV6ddoa+CApo93E9yO7zJ4JgFVWPYwYlNViqcPodxHdRI1MLupqbB8q5duEA1Od6lz66cF4kKJVo7ZSBMIpb/8LhtZ3EO+RvigOU5A278rI9B3Ojfj1Gez/k82A4ANLNdijQ+KPPJbQ3o5Rq8vJoElaZqkXrhc/WZhrJOr2OT6jSj48HEJvTWysY/GPiSNdID2kmagdQMOPdBxLrBvQ3XX85tyvYUYvNGYCYUcy1vcvWDPKuORoB73e07zC1Fu4e3AsNERhX8mGMzDRDVaeJQA33uRFqHAnRBNZzbdoJEoYNnSCQGiJbYHl0AvbH3Vb0OTmnEcHqKDDfdtYwJwDNxORd2awXp/cZLvVrgjM37XdEkTqXpC1uH9XugsuOQ3RRrle4pW9rz+A3Uqx87One81QwgVDH2cv00i+zSmMsU2XvVGG+iydKfUzS4ej8T/yzNeMd1dNXLyFdiv8kXNPD9wsWOw3L5FAgkAQ7x8ZJOMguJZUCO548KbisJ3JtEL7bVsP0zp4Nlh2qwXhEfSPS/eA98o9zI1y8egZieU172xvMI1+gANf38CkQIGLhTRA5FNnRouARKGSPEZFkYTxEAKSaOGlvu7pZyaOZXeREPGUuojnxcRnugXNjcf9crQ2T+ng2iln1lMIssYPBBWDnKN9oiJpbszmtp2AQPSYRJScEFcPxNxMz4yFbSHsA6P07lly595nw7DrnHsmMkbZ/qtEhME+7LSdLl7oiTQ6ec8HDoYh73otuaNRvs2OPOZ9/C6ISbnV3Z/nBIk/efK/bhKE2ygxqeAMwxfb7321RP/9w7J9tkOGmNDYwBMJFeUz2/4/+LK6wV/1PTLWHJYUoWDKZB85d4HHKczP5z1XNcKD/ZtZ7uZ1U/Hq+XNyAsWmeAKDrV/ID0AB9qVNHYBV8Ec8Y0cV13nqzEsVB2AevjZffGlQSU6+exZ/iwHBOj063C6a/T43b7m5ucRjGsunCrzV2AL5ozBI032snohPeiJ2RaT9jD+QEovudRFGTSj/YPwq62yKXK9dg5DLx6sDt+TYQAYkas1kbOgzSUE0lZF/TIYahmcC+49BNFpF1dkqu8ipvEpx5bW49PyZw8xUP8myTERfRyenvKxEtxdVjlfwt4WygYuTSstoUOfi2p0kidi87lF/upK6F2jQh1gCyKKsU8vlRq+ohNV1BYW0Myw8m1DR92vSgh5/WjdJ8Xal
dhEyFFX6346ilu27ZAhZdlrhR13FKscl69zgX+3uRrN1jdTYqbyE3cS6dPTmIgFbC6uoWOTezRb0zjbdfVf1mrG9TmFusgbh/gSWuPL6Sluxu0PYDHBmBAPyy3iVyyEw6ygzY/mm2OOB4kBcgSIlwHK3SzMB0AphPl+y7r+DNl3MCaL7GfRpl2FV8K8NSmhGrEzr9JItZXw3GGEgul4PHCwIZrT26AUwe+zwit1NZXN6OHBuZbV1pF85iuAacTxC8zpJXfVni4B/Kx1xJcKblmjq/EJ2W81x6N5tkSgNaK+tGJo1tnPtyI0QtoTnFTdW+d34A3zelaamL9FrW0CFalC/NVUPirF5QrFHvbDx792mhNhf/ijuErjTPkZsZyyDgHAMh6v59ww8BlVY7P75RFoGk/cwkxhVKUixKLj2+vnaJYsHkBtQdtfEujhpGHwm9Sz/WqPxoBMyLqB3lT/Nh702JmBIZaLCP9iIeSRl5cWn7EEg4mbTq0a2aXWaM4rNAIIS31hetfGZabDOyamk2arX5A26Go38CJqi0FKgih4SEi7UM3nqpQVHq9I54TI/c2dsSsLBKpEyxXDfKckNFreg9Qyg6D0c6D6uIqz3gRctZrZLmi4k3RKYyFNHr1SOJxlV0r+xaBfX+aC8Pny98/MnuBhYHmNADs5nr3K3/BIMAexsWJDpNHI3DIxqvQN4WSKWqcNnurK+wX5Otxaba0cIfsPj2i4crEBeLRzvXRYsgppYfdf7YBse0Qfs5Hk0RgsfRzz12Olzb+djP5SEEFThwdklxQooV78LBIeeIiIJDrc28nXKxkwEYjjtNGI2iPtXM5GN3n0KSaLob1hbl6jshKid6z/E2ygu3wTuy64jVBAqLU4S4BrGBXh/PZO5uPtAi20YBHgu6dJJ6DFL1mbQo5+YzI1G8fZU6ykAwno8ihXh9m59dBey/aVZ88SvLoroE5DshQiJ8J75G+bcJBnm4cdafze2qnKZiZZ9NzOFH3YyjLEJYPpJUZHztTL6B0dCXHy8qNVHIhGW8myrpLNMnZTScfjSK7iFbCq8bdIuydJaHzqIqAjqNaj7DGVhqvsLxpleGqlSQE6gQo3DbzC/2bY7TbD3SfpPsjfh9xPVI+5ZTYzGu+gM3nFIaTJe6ksPoyYLUlD8g4ZYvFGa9hzQyHwnSd405PSAducVVhOxFfMJiBwkvUq9MrDSzkxOVdCPnXzUL4DH83UQqqZwt1omaWQKy17GYg1RBE42X96MdLwqG73R7Rq4NG3rIb/6uaMVkF5GRUw0i+IcxtRs1chTxJojnWRNDlNcOgWWQeq73GDhwrE24o9gfdSbsmfQ7LTrEz+VMg8w0KBYZkULRMtV/yOzVldG24B1ZkHWpvwG+giTrTelPKpLIK4re698ZoNMlsp7AgZsnCDbo49jG6WejFVbnTMprTchw4xSLmvrAKDIWe4WgvGJvz/eOHgDu/s5fmnCHH1AVEwAsf1uuhj8NQ6nzlP9XR0FsuLhGcZLygej4QmwfLVVDiKxFetfretaR6/y5Wcnjw/U4dw/ApurlHhoLDB2uIFQ6B3ME0Tc/WweCXlIMFqM2GDD6lzwO6Uai+8bWO4HwNXV4C1UMsrMo8/S/ZP9vxDiRuHEbAwpPP4wRU+DAyNpo1v0ROzDaLF7gKSwWQ4tclwBJIJtRH0BiIeCcidzc9DuPUIjl5kgIi4/wYkTvAZ6ysvDBIXYO0D7Bse9/hKohyopv1Sddr/cf2Sdbtv/55LgjnCI9+MwebQwcvLWr+sh6g==,iv:R8T5tEbDmBNXSIN7bDOmm9IOxF4Oc2RnxV6b2ZNTnVM=,tag:+CtyLotoI/YiOlc1/pO1iA==,type:str] - # -- Services - proxy: - disabled: true - apiServer: - image: registry.k8s.io/kube-apiserver:v1.29.1 - extraArgs: - 
oidc-issuer-url: https://oauth.id.jumpcloud.com/ - oidc-client-id: ENC[AES256_GCM,data:r7e1pbQnu7750T/TVfNjeaurw8BAi1bCyZozaOn3gAJEog7y,iv:YKU+PtGFks2ZjKZGKaCXS+V/1n5/EUviEO4hFiF6BZM=,tag:XWlIq6/VZUPuyms71JxIdA==,type:str] - oidc-username-claim: email - oidc-groups-claim: groups - service-account-issuer: https://raw.githubusercontent.com/timtorChen/homelab/main/amethyst - service-account-jwks-uri: https://192.168.253.10:6443/openid/v1/jwks - # Certificae SANs for API server CA signing certificate - certSANs: - - 192.168.253.10 - disablePodSecurityPolicy: true - admissionControl: - - name: PodSecurity - configuration: - apiVersion: pod-security.admission.config.k8s.io/v1 - kind: PodSecurityConfiguration - defaults: - enforce: restricted - enforce-version: latest - audit: restricted - audit-version: latest - warn: restricted - warn-version: latest - exemptions: - namespaces: - - kube-system - runtimeClasses: [] - usernames: [] - auditPolicy: - apiVersion: audit.k8s.io/v1 - kind: Policy - rules: - - level: Metadata - etcd: - image: gcr.io/etcd-development/etcd:v3.5.9-arm64 - # Etcd CA - ca: - crt: 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 - key: ENC[AES256_GCM,data:eYGYl4yKYHXlLjwtBKHdnGLAq/1tWR9Ud6fKT5OoEmRoM3qPBLau0T8UkiynApVyYBO6SvgwFid67RZY6xM3A2TO0Zfpq50LW8a0T8ieDRZ5ai37dsq1dllhilOOAqj4MaByjv/X1s3Z6YngwmhYaBDZoYBf9CI4OP7yM9GK0dVvsiJ6bIDrmuhPQBynIQ1GhIUrTF19/eSXOFYIqAr/V+bKx23R/uEvEzgiLZTfC6ttXvatLgqq2XbG2p3B6e7/ZK9LbGYBk/vg+uIUi9BP4HQe/dIzo8ijk+7W20CR/jxuSNv0go7H1tEmABBioEFqkAIypIqL2kBjDRKHW4KKXcdNg5KFiDXtvtuWBpe1+PTj/KO//8/jT9WJrMqpbWHe1Z4Yq+WTlFVq/NkfYUoaUQ==,iv:q7etmrfFrLOu3It0KQrZ0N0zuh3ptBAK8VKZQTarRRg=,tag:eJ0MXQRhHJQES8a5Wb8KzQ==,type:str] - extraArgs: - listen-metrics-urls: http://0.0.0.0:2381 - controllerManager: - image: registry.k8s.io/kube-controller-manager:v1.29.1 - extraArgs: - bind-address: 0.0.0.0 - scheduler: - image: registry.k8s.io/kube-scheduler:v1.29.1 - extraArgs: - bind-address: 0.0.0.0 - coreDNS: - image: 
docker.io/coredns/coredns:1.11.1 - # -- Extras - extraManifests: [] - inlineManifests: [] - discovery: - enabled: false -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-02-15T10:31:34Z" - mac: ENC[AES256_GCM,data:X8RMfWchrxa1oNexfxCHnJfLCPnjDTN7/EkhgotrIsbD30P3xWeo9m1ge0PlZqtSn+jj2Ai0alTUK7/N04JqFZCBjDSAbDRpJvfiRCtMO26byWCr+KrUx2RgNEJr6MzNDptiH1/+H0OGPXXSzNGO2jNxvI0axuadQR86n+Zz2nw=,iv:34ySdfmnGTD/D5MkmYF8aCDXuVpkYVlJ9rLpMI9id2U=,tag:E6UT50C+fOPrpg/BP30omg==,type:str] - pgp: - - created_at: "2024-02-09T16:47:10Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQMOA7Xwm0UuZgqEEAv6Amf7LspbQoSzL89TkHeapkUnQhaD49zolrNcQ820V1Te - kSUh+V67gYo6sYSfMlU6YMT/rdW3kOMPBP2hZBqQJhVHlgyTGCicRdKdnQSl2nIW - k+kjz2WNLDT7pqki02FiOXrBvmviGhd+leeFHM1Amre/ZXYD5HAvroN7dQH6x+ON - y/43Mm1Rth7f3bouH/l0teBxlM7xIU06IBfJncTNrEudI2rTsrKmY/dBJnkre5GL - xfZ/UWq+f5F0Pp7XV/YVFr1XYRnXsvDd6shsQ+Ll0lj/SL6oXFVmLLZ6/lySH/FF - XMIcfqtNcMmPCaeewClJs5VNjRppUB+AEKua7tHbDRB66pqi5st9tPothOUWViHw - YygaiQoqZ5v9RURInO8BBFq7WbVjrKMI3cgeTzUAEriq7Q+4XvrTv4Yu5Y6VMVP3 - ePBSdvY72bIW4phkLIjgTv90mUEIa432d2v2hcQSFbCKXcCT8SOjk772YZxg4YUp - OlyMwHyQ6SYxHiFgol4nDACtUiZW6GsR3UEJpnCs/95nM8TL3t7nl61XzsG06K0T - 1By+inO560ZJFIMCB1LPYdtdnKywAoJASV7TLBa2WMwZ7ns1J9hQJOpGt0MkvNmK - tloiOCNncIbMfdrFhjRiInvl0nZo7JmeJCvp555iVZzpiAsQ1MoSV00ETxVUQGaZ - m9+z9AG8RByUtBeBSC4d+MlqczN6ZCWgYCqpjd9VmKqINXk5fk1s93iRCPPKRSq7 - EVVKI8GaxLtg/8ZxQrIVNxQ9BsnZ5lwTJiZFJLa8V2tW//HxuQfpPzHr0ryhaseE - r5wBvsBzz8/f1yJ1YEmdtz8V7mPJeltoJNAq63uxgrHSSPWfved8pvofGXZdlnBF - PktCC7c3x5zRegOYD9vTKsKMvvhU+AD49OGKm8J6IvhTyoayNDOmWOqPL8Phbeya - sOC8WsHCWegZ3ov3vnEv0T5vMwInolhOS77+/n3Tm3pZR10swP4GBFcnzbR91zEo - m5QDZ03yPThY+rWFDm4Os17SXAGxnN4roRfjR+VdiB2TQ2zNDZ98TENCIPvQSR6e - L44r9pysKPMUrqo3VepDQ8NVpOV/RPSgZM1R+ydmXwI1dVySIsWTwcZrObrUUSjJ - fb8Sm+VTCBUtOz5DBjG8 - =up+H - -----END PGP MESSAGE----- - fp: 1CFC8FF236EC0896 - encrypted_regex: ^(token|key|secret|stringData|oidc-client-id) - version: 3.8.1 
diff --git a/amethyst/talos/controlplane.yaml b/amethyst/talos/controlplane.yaml new file mode 100644 index 00000000..6b2c749b --- /dev/null +++ b/amethyst/talos/controlplane.yaml 
@@ -0,0 +1,139 @@
+---
+version: v1alpha1
+debug: false
+persist: true
+machine:
+ # -- Setup
+ type: controlplane
+ token: ${machine_token}
+ # Talos CA
+ ca:
+ crt: ${machine_ca_crt}
+ key: ${machine_ca_key}
+ certSANs: []
+ install:
+ image: ghcr.io/siderolabs/installer:v1.6.4
+ disk: /dev/sda
+ wipe: false
+ extraKernelArgs:
+ - talos.logging.kernel=tcp://192.168.253.100:3001
+ # disable predictable interface naming
+ - net.ifnames=0
+ network:
+ interfaces:
+ - interface: eth0
+ dhcp: true
+ vip:
+ ip: 192.168.253.10
+ logging:
+ destinations:
+ - endpoint: tcp://192.168.253.100:3002
+ format: json_lines
+ # -- Services
+ kubelet:
+ image: ghcr.io/siderolabs/kubelet:v1.29.1
+ defaultRuntimeSeccompProfileEnabled: true
+ disableManifestsDirectory: true
+ # -- Talos features
+ features:
+ rbac: true
+ stableHostname: true
+ apidCheckExtKeyUsage: true
+ kubePrism:
+ enabled: true
+ port: 7745
+cluster:
+ # -- Setup
+ clusterName: amethyst
+ controlPlane:
+ endpoint: https://192.168.253.10:6443
+ network:
+ cni:
+ name: none
+ dnsDomain: cluster.local
+ podSubnets:
+ - 10.244.0.0/16
+ serviceSubnets:
+ - 10.96.0.0/12
+ # Cluster id
+ id: ${cluster_id}
+ # Cluster shared secret
+ secret: ${cluster_secret}
+ # Boostrap token used to join the cluster
+ token: ${cluster_token}
+ # Etcd encryption at rest
+ secretboxEncryptionSecret: ${cluster_secretboxEncryptionSecret}
+ # Kubernetes CA
+ ca:
+ crt: ${cluster_ca_crt}
+ key: ${cluster_ca_key}
+ # Aggregator CA for generating fortned-proxy certificate
+ aggregatorCA:
+ crt: ${cluster_aggregatorCA_crt}
+ key: ${cluster_aggregatorCA_key}
+ # Private key for generating serviceAccount token (JWT)
+ # Talos generates ECDSA key by default
+ # Change to RSA for AWS IAM identity provider
+ serviceAccount:
+ key: ${cluster_serviceAccount_key}
+ # -- Services
+ proxy:
+ disabled: true
+ apiServer:
+ image: registry.k8s.io/kube-apiserver:v1.29.1
+ extraArgs:
+ oidc-issuer-url: https://oauth.id.jumpcloud.com/
+ oidc-client-id: ${cluster_apiServer_extraArgs_oidc-client-id}
+ oidc-username-claim: email
+ oidc-groups-claim: groups
+ service-account-issuer: https://raw.githubusercontent.com/timtorChen/homelab/main/amethyst
+ service-account-jwks-uri: https://192.168.253.10:6443/openid/v1/jwks
+ # Certificae SANs for API server CA signing certificate
+ certSANs:
+ - 192.168.253.10
+ disablePodSecurityPolicy: true
+ admissionControl:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: restricted
+ enforce-version: latest
+ audit: restricted
+ audit-version: latest
+ warn: restricted
+ warn-version: latest
+ exemptions:
+ namespaces:
+ - kube-system
+ runtimeClasses: []
+ usernames: []
+ auditPolicy:
+ apiVersion: audit.k8s.io/v1
+ kind: Policy
+ rules:
+ - level: Metadata
+ etcd:
+ image: gcr.io/etcd-development/etcd:v3.5.9-arm64
+ # Etcd CA
+ ca:
+ crt: ${cluster_etcd_ca_crt}
+ key: ${cluster_etcd_ca_key}
+ extraArgs:
+ listen-metrics-urls: http://0.0.0.0:2381
+ controllerManager:
+ image: registry.k8s.io/kube-controller-manager:v1.29.1
+ extraArgs:
+ bind-address: 0.0.0.0
+ scheduler:
+ image: registry.k8s.io/kube-scheduler:v1.29.1
+ extraArgs:
+ bind-address: 0.0.0.0
+ coreDNS:
+ image: docker.io/coredns/coredns:1.11.1
+ # -- Extras
+ extraManifests: []
+ inlineManifests: []
+ discovery:
+ enabled: false
diff --git a/amethyst/talos/worker.sops.yaml b/amethyst/talos/worker.sops.yaml
deleted file mode 100644
index 226ed4b6..00000000
--- a/amethyst/talos/worker.sops.yaml
+++ /dev/null
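Review bot: The placeholder `${cluster_apiServer_extraArgs_oidc-client-id}` under apiServer.extraArgs carries hyphens in the variable name, which is not a valid identifier for a shell `export` nor for envsubst's `${VAR}` matching, so if these placeholders are expanded with envsubst from exported variables (as the rest of this commit suggests) this one will either fail to export or be left unsubstituted and passed to kube-apiserver as a literal. Rename it to an underscore-only name such as `${cluster_apiServer_extraArgs_oidc_client_id}` and store the parameter under that key. More generally, envsubst replaces an unset variable with an empty string without any error, so a missing secret such as `${machine_ca_key}` or `${cluster_secret}` yields a syntactically valid config with empty key material. The task that performs the substitution would benefit from verifying that every `${...}` name referenced in the template is set before calling talosctl; the same applies to the new worker.yaml in this commit. Minor: the comments `# Boostrap token`, `# fortned-proxy` and `# Certificae SANs` have typos (`Bootstrap`, `front-proxy`, `Certificate`).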
@@ -1,90 +0,0 @@ -version: v1alpha1 -debug: false -persist: true -machine: - # -- Setup - type: worker - token: ENC[AES256_GCM,data:PLBmg/5CR99F4g9sw8ssGtBi0KwVqMM=,iv:NsG+E/k2SvMuchGOE9HcRfko82UmBsrTCIfn110V23s=,tag:dlqBSxbwVJuYlN9+yWeAUA==,type:str] - ca: - crt: 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 - key: "" - certSANs: [] - install: - disk: /dev/sda - image: ghcr.io/siderolabs/installer:v1.6.4 - wipe: false - extraKernelArgs: - - talos.logging.kernel=tcp://192.168.253.100:3001 - # disable predictable interface naming - - net.ifnames=0 - network: {} - logging: - destinations: - - endpoint: tcp://192.168.253.100:3002 - format: json_lines - # -- Services - kubelet: - image: ghcr.io/siderolabs/kubelet:v1.29.1 - defaultRuntimeSeccompProfileEnabled: true - disableManifestsDirectory: true - # -- Talos features - features: - rbac: true - stableHostname: true - apidCheckExtKeyUsage: true - kubePrism: - enabled: true - port: 7745 -cluster: - # -- Setup - controlPlane: - endpoint: https://192.168.253.10:6443 - network: - cni: - name: none - dnsDomain: cluster.local - podSubnets: - - 10.244.0.0/16 - serviceSubnets: - - 10.96.0.0/12 - id: OMJ-snfRLFPqBNRJ5G5mSYxbNenZTVkio14Sp_e2jeM= - secret: ENC[AES256_GCM,data:YvNA4/aX7kJ/znkWPSejIZPG6CeOwbK6lK+yaXDAEivrx7KVm9JIpWDwXuQ=,iv:Z06egbJowZWVjxJ5v+kw4kcR6R/CmFuUHw0azs50b5M=,tag:3feArHNw/MW899y0Pd/mOQ==,type:str] - token: ENC[AES256_GCM,data:EQh40X1RUshhSkDAze1qMgM5eFjzEoU=,iv:k8tJb7USI7O+M9gzqQux0CFyUEUA6ArDsoEhZ+bfd5o=,tag:9OfH9/wisdlUnDWRSCOQGg==,type:str] - ca: - crt: 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 - key: "" - # -- Service - proxy: - disabled: true - # -- Extras - discovery: - enabled: false -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2024-02-15T10:00:01Z" - mac: 
ENC[AES256_GCM,data:Cry1GKHyT7TIjvV37LFQrhP4ClD4tDe3JdY02VVPZt6GZ1B+t9o9tMLLA6tAVqMigdOXAU5FWqrCM+8JdiElV1qyenIfYG9mxvT0lKO1a9+f+gc6Oas2qJn3JPrNa2j1k9sxnYfvozAWRIXsKQX0ccgV9r0Hpk8SrPWR/uJXAtQ=,iv:j6TERBT1HNbKg6YTr9Th4/cSV6lcaQUW5SxyqYITFg0=,tag:efTXpl78ApzqPAzl+XmIfA==,type:str] - pgp: - - created_at: "2023-06-19T09:28:13Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQGMAxz8j/I27AiWAQv+M6mh7Fo9bZcm4tTMORD6sgWo3uJaQqtwHJubQf9bb+mD - bMHFPatzAx57u+JNG/tidgyNdCGAtxeKARb5JRYvSOFuUL/SZG2TGAI+sVeDeZTj - lSRlJvqBoG18jok88qC2RMuquKi6IRgCSeXKe62UzHqU/Bq7u/ws4HruYrzDc2Wy - zOBDE9yGJAzVrFFDPkPfUBeLtFWorvg3m/FZ1n/SAK9n29+iBNMLTONi9VvXEipl - BTL87hnV8i6jZDirVEJ3+WztcNx6Ioj8C1UQuxMimKMhZG5Rzqc8rinBDnAx5Ron - sHZIB+PZ+gTlwyHDuiFZOuRj+e70DlKbNsDQ0S5H5VhXxMyWmy6wTFRtrsvcxUsf - sP1KF6FqMpaDr6G2yTl+FBMOoFM5IhC6UhABiRD7pITNfRnOzA3qpexormlBR+AB - yN3v7FU/csfCtjeb7WRHHcvPLBvojHvtereu1MTCWGUxbixDVPO5gUT3uFSoinOf - 6aMMGCEK+nH6zBmxIIrV0lEB4tBbLmGhpMu1owJ8Kh+u+xXF4M70GnAZ33PbgYdb - lexmis6eUK82P/zF9iLq6ALBMdXnPQkZVCHzaecflBg2DmNgyMT9eny22IUUruHu - AgU= - =cEIQ - -----END PGP MESSAGE----- - fp: 1CFC8FF236EC0896 - encrypted_regex: ^(token|key|secret) - version: 3.8.1 diff --git a/amethyst/talos/worker.yaml b/amethyst/talos/worker.yaml new file mode 100644 index 00000000..bb5721c9 --- /dev/null +++ b/amethyst/talos/worker.yaml 
@@ -0,0 +1,62 @@
+---
+version: v1alpha1
+debug: false
+persist: true
+machine:
+ # -- Setup
+ type: worker
+ token: ${machine_token}
+ ca:
+ crt: ${machine_ca_crt}
+ key: ""
+ certSANs: []
+ install:
+ disk: /dev/sda
+ image: ghcr.io/siderolabs/installer:v1.6.4
+ wipe: false
+ extraKernelArgs:
+ - talos.logging.kernel=tcp://192.168.253.100:3001
+ # disable predictable interface naming
+ - net.ifnames=0
+ network: {}
+ logging:
+ destinations:
+ - endpoint: tcp://192.168.253.100:3002
+ format: json_lines
+ # -- Services
+ kubelet:
+ image: ghcr.io/siderolabs/kubelet:v1.29.1
+ defaultRuntimeSeccompProfileEnabled: true
+ disableManifestsDirectory: true
+ # -- Talos features
+ features:
+ rbac: true
+ stableHostname: true
+ apidCheckExtKeyUsage: true
+ kubePrism:
+ enabled: true
+ port: 7745
+cluster:
+ # -- Setup
+ controlPlane:
+ endpoint: https://192.168.253.10:6443
+ network:
+ cni:
+ name: none
+ dnsDomain: cluster.local
+ podSubnets:
+ - 10.244.0.0/16
+ serviceSubnets:
+ - 10.96.0.0/12
+ id: ${cluster_id}
+ secret: ${cluster_secret}
+ token: ${cluster_token}
+ ca:
+ crt: ${cluster_ca_crt}
+ key: ""
+ # -- Service
+ proxy:
+ disabled: true
+ # -- Extras
+ discovery:
+ enabled: false
diff --git a/renovate.json5 b/renovate.json5
index f692af03..c3daa13f 100644
--- a/renovate.json5
+++ b/renovate.json5
@@ -1,46 +1,22 @@ { - "$schema": "https://docs.renovatebot.com/renovate-schema.json", + $schema: "https://docs.renovatebot.com/renovate-schema.json", // configurations // https://docs.renovatebot.com/configuration-options - "extends": ["config:recommended"], - "timezone": "Asia/Taipei", - "dependencyDashboard": true, - "commitMessagePrefix": "chore({{{replace '(.*?)\\/.*' '$1' packageFileDir }}}):", - "kubernetes": { - "fileMatch": [".*\\.yaml$"] + extends: [ + "config:recommended", + ":disableRateLimiting", + "github>timtorChen/homelab//amethyst/renovate.json5", + ], + timezone: "Asia/Taipei", + dependencyDashboard: true, + commitMessagePrefix: "chore({{{replace '(.*?)\\/.*' '$1' packageFileDir }}}):", + kubernetes: { + fileMatch: ["^amethyst/kubernetes/.*\\.yaml$"], + }, + flux: { + fileMatch: ["^amethyst/kubernetes/.*\\.yaml$"], + }, + "helm-values": { + fileMatch: ["^amethyst/(kubernetes|talos)/.*\\.yaml$"], }, - "customManagers": [ - { - // HelmRelease - "fileMatch": [".*\\.yaml$"], - "datasourceTemplate": "helm", - "matchStrings": [ - "# renovate: registryUrl=(?.*?)\n *chart: (?.*?)\n *version: (?.*?)\n" - ] - }, - { - // HelmRelease image tag - "fileMatch": [".*\\.yaml$"], - "datasourceTemplate": "docker", - "matchStrings": [ - "# renovate:\n *repository: (?.*?)\n *tag: (?.*?)\n" - ] - }, - { - // OCI based HelmRelease - "fileMatch": [".*\\.yaml$"], - "datasourceTemplate": "docker", - "matchStrings": [ - "# renovate: packageName=(?.*?)\n *chart: (?.*?)\n *version: (?.*?)\n" - ] - }, - { - // GitRepository - "fileMatch": [".*\\.yaml"], - "datasourceTemplate": "github-tags", - "matchStrings": [ - "# renovate: github-repo=(?.*?)\n *tag: (?\\S+)" - ] - } - ] }
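Review bot: The new `"helm-values"` manager's `fileMatch` covers `amethyst/talos/`, but nothing in the config explains why a Helm-values manager should scan Talos machine configs; this presumably relies on the manager recognising plain `image: repo:tag` strings, which is worth confirming against the Renovate version in use before relying on it for installer and kubelet bumps. A comment such as `// talos configs: plain image: strings are picked up by the helm-values manager` above the `"helm-values"` block would make the intent clear. The `customManagers` removed here (HelmRelease chart/version, image tag and GitRepository regexes) do not reappear in this file, and the `extends` entry `github>timtorChen/homelab//amethyst/renovate.json5` is the only place they could now live, so a one-line comment on that entry naming what the preset provides would save the next reader from having to open it to find out.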