talos stuff

brenix · Dec 25, 2024 · 0708b87 · 0708b87
1 parent 0f61b2d
commit 0708b87
Show file tree

Hide file tree

Showing 73 changed files with 22,271 additions and 2,548 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -1,7 +1,4 @@
 ---
 creation_rules:
-  - path_regex: cluster/.*\.sops\.ya?ml
-    encrypted_regex: "^(data|stringData)$"
-    key_groups:
-      - age:
-          - age1kky7jzc2x626xp4sfvpz7acytczqgdn7h2jxjqkjxzfd4kndcdxs8zr6ka
+  - age: >-
+      age1kky7jzc2x626xp4sfvpz7acytczqgdn7h2jxjqkjxzfd4kndcdxs8zr6ka
diff --git a/components/cilium/component.cue b/components/cilium/component.cue
@@ -0,0 +1,21 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name:        "cilium"
+	Namespace:   "kube-system"
+	EnableHooks: true
+	Chart: {
+		name:    "cilium"
+		version: "1.16.5"
+		repository: {
+			name: "cilium"
+			url:  "https://helm.cilium.io"
+		}
+	}
+
+	Values: #Values
+
+	KustomizeConfig: Kustomization: namespace: Namespace
+}
diff --git a/components/cilium/values.cue b/components/cilium/values.cue
@@ -0,0 +1,63 @@
+package holos
+
+#Values: {
+	rollOutCiliumPods:    true
+	priorityClassName:    "system-cluster-critical"
+	autoDirectNodeRoutes: false
+	bgp: {
+		enabled: false
+		announce: {
+			loadbalancerIP: true
+			podCIDR:        false
+		}
+	}
+	bgpControlPlane: {
+		enabled: true
+	}
+	k8sNetworkPolicy: {
+		enabled: false
+	}
+	hubble: {
+		enabled: false
+	}
+	operator: {
+		enabled:           true
+		rollOutPods:       true
+		replicas:          1
+		priorityClassName: "system-cluster-critical"
+	}
+	enableCriticalPriorityClass: false
+
+	// Talos requirements
+	ipam: mode: "kubernetes"
+	kubeProxyReplacement: true
+	securityContext: capabilities: {
+		ciliumAgent: [
+			"CHOWN",
+			"KILL",
+			"NET_ADMIN",
+			"NET_RAW",
+			"IPC_LOCK",
+			"SYS_ADMIN",
+			"SYS_RESOURCE",
+			"DAC_OVERRIDE",
+			"FOWNER",
+			"SETGID",
+			"SETUID",
+		]
+		cleanCiliumState: [
+			"NET_ADMIN",
+			"SYS_ADMIN",
+			"SYS_RESOURCE",
+		]
+	}
+	cgroup: autoMount: enabled: false
+	cgroup: hostRoot: "/sys/fs/cgroup"
+
+	k8sServiceHost: "127.0.0.1" // Kubeprism
+	k8sServicePort: "7445"
+
+	l2announcements: enabled: true
+	externalIPs: enabled:     true
+	devices: "eno+"
+}
diff --git a/components/coredns/component.cue b/components/coredns/component.cue
@@ -0,0 +1,20 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name:      "coredns"
+	Namespace: "kube-system"
+	Chart: {
+		name:    "coredns"
+		version: "1.37.0"
+		repository: {
+			name: "coredns"
+			url:  "https://coredns.github.io/helm"
+		}
+	}
+
+	Values: #Values
+
+	KustomizeConfig: Kustomization: namespace: Namespace
+}
diff --git a/components/coredns/values.cue b/components/coredns/values.cue
@@ -0,0 +1,55 @@
+package holos
+
+#Values: {
+	replicaCount: 2
+	resources: limits: cpu: null
+	service: {
+		clusterIP: "10.96.0.10"
+	}
+	serviceAccount: {
+		create: true
+	}
+	priorityClassName: "system-cluster-critical"
+
+	servers: [{
+		zones: [{zone: "."}]
+		port: 53
+		plugins: [{
+			name: "errors"
+		}, {
+			// Serves a /health endpoint on :8080, required for livenessProbe
+			name:        "health"
+			configBlock: "lameduck 5s"
+		}, {
+
+			// Serves a /ready endpoint on :8181, required for readinessProbe
+			name: "ready"
+		}, {
+			// Required to query kubernetes API for data
+			name:       "kubernetes"
+			parameters: "cluster.local in-addr.arpa ip6.arpa"
+			configBlock: """
+				pods insecure
+				fallthrough in-addr.arpa ip6.arpa
+				ttl 30
+				"""
+		}, {
+
+			// Serves a /metrics endpoint on :9153, required for serviceMonitor
+			name:       "prometheus"
+			parameters: "0.0.0.0:9153"
+		}, {
+			name:       "forward"
+			parameters: ". /etc/resolv.conf"
+		}, {
+			name:       "cache"
+			parameters: 30
+		}, {
+			name: "loop"
+		}, {
+			name: "reload"
+		}, {
+			name: "loadbalance"
+		}]
+	}]
+}
diff --git a/components/grafana/values.cue b/components/grafana/values.cue
@@ -68,7 +68,7 @@ package holos
 	}
 	persistence: {
 		enabled: true
-		size:    "2Gi"
+		size:    "1Gi"
 	}
 	plugins: [
 		"grafana-piechart-panel",

diff --git a/components/jellyfin/pvc.cue b/components/jellyfin/pvc.cue
@@ -0,0 +1,22 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+	data: {
+		apiVersion: "v1"
+		metadata: name: "jellyfin-data"
+		spec: {
+			accessModes: ["ReadWriteOnce"]
+			resources: requests: storage: "1Gi"
+			storageClassName: "ceph-block"
+		}
+	}
+	cache: {
+		apiVersion: "v1"
+		metadata: name: "jellyfin-cache"
+		spec: {
+			accessModes: ["ReadWriteOnce"]
+			resources: requests: storage: "1Gi"
+			storageClassName: "ceph-block"
+		}
+	}
+}
diff --git a/components/jellyfin/values.cue b/components/jellyfin/values.cue
@@ -32,18 +32,17 @@ package holos
 	}
 	persistence: {
 		config: {
-			accessMode: "ReadWriteOnce"
-			enabled:    true
-			globalMounts: [{path: "/config"}]
-			size: "1Gi"
-			type: "persistentVolumeClaim"
+			existingClaim: "jellyfin-data"
+		}
+		cache: {
+			enabled:       true
+			existingClaim: "jellyfin-cache"
+			globalMounts: [{path: "/config/cache"}]
 		}
 		media: {
-			enabled: true
+			enabled:       true
+			existingClaim: "media"
 			globalMounts: [{path: "/media"}]
-			hostPath:     "/media"
-			hostPathType: "Directory"
-			type:         "hostPath"
 		}
 		transcode: {
 			enabled: true

diff --git a/components/jellyseerr/pvc.cue b/components/jellyseerr/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+	data: {
+		apiVersion: "v1"
+		metadata: name: "jellyseerr"
+		spec: {
+			accessModes: ["ReadWriteOnce"]
+			resources: requests: storage: "1Gi"
+			storageClassName: "ceph-block"
+		}
+	}
+}
diff --git a/components/jellyseerr/values.cue b/components/jellyseerr/values.cue
@@ -29,11 +29,8 @@ package holos
 		}]
 	}
 	persistence: config: {
-		accessMode: "ReadWriteOnce"
-		enabled:    true
+		existingClaim: "jellyseerr"
 		globalMounts: [{path: "/app/config"}]
-		size: "1Gi"
-		type: "persistentVolumeClaim"
 	}
 	service: main: {
 		annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.8"

diff --git a/components/linkding/pvc.cue b/components/linkding/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+	data: {
+		apiVersion: "v1"
+		metadata: name: "linkding-data"
+		spec: {
+			accessModes: ["ReadWriteOnce"]
+			resources: requests: storage: "1Gi"
+			storageClassName: "ceph-block"
+		}
+	}
+}
diff --git a/components/linkding/values.cue b/components/linkding/values.cue
@@ -38,12 +38,9 @@ package holos
 		}]
 	}
 	persistence: data: {
-		accessMode: "ReadWriteOnce"
-		enabled:    true
+		enabled:       true
+		existingClaim: "linkding-data"
 		globalMounts: [{path: "/etc/linkding/data"}]
-		retain: true
-		size:   "1Gi"
-		type:   "persistentVolumeClaim"
 	}
 	service: main: {
 		annotations: "metallb.universe.tf/loadBalancerIPs": "192.168.2.9"

diff --git a/components/media-pvc/component.cue b/components/media-pvc/component.cue
@@ -0,0 +1,20 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Kustomize & {
+	Name:      "media"
+	Namespace: "default"
+
+	KustomizeConfig: Kustomization: namespace: Namespace
+
+	Resources: PersistentVolumeClaim: (Name): {
+		apiVersion: "v1"
+		metadata: name: Name
+		spec: {
+			accessModes: ["ReadWriteMany"]
+			resources: requests: storage: "300Gi"
+			storageClassName: "ceph-filesystem"
+		}
+	}
+}
diff --git a/components/metrics-server/component.cue b/components/metrics-server/component.cue
@@ -0,0 +1,20 @@
+package holos
+
+holos: Component.BuildPlan
+
+Component: #Helm & {
+	Name:      "metrics-server"
+	Namespace: "kube-system"
+	Chart: {
+		name:    "metrics-server"
+		version: "3.12.2"
+		repository: {
+			name: "metrics-server"
+			url:  "https://kubernetes-sigs.github.io/metrics-server/"
+		}
+	}
+
+	Values: #Values
+
+	KustomizeConfig: Kustomization: namespace: Namespace
+}
diff --git a/components/metrics-server/values.cue b/components/metrics-server/values.cue
@@ -0,0 +1,19 @@
+package holos
+
+#Values: {
+	args: [
+		"--v=1",
+		"--cert-dir=/tmp",
+		"--kubelet-insecure-tls",
+		"--requestheader-client-ca-file=/var/run/ssl/auth-proxy-ca/requestheader-client-ca-file",
+	]
+	extraVolumes: [{
+		name: "auth-proxy-ca-cert"
+		configMap: name: "extension-apiserver-authentication"
+	}]
+	extraVolumeMounts: [{
+		mountPath: "/var/run/ssl/auth-proxy-ca"
+		name:      "auth-proxy-ca-cert"
+		readOnly:  true
+	}]
+}
diff --git a/components/mongodb/pvc.cue b/components/mongodb/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+	data: {
+		apiVersion: "v1"
+		metadata: name: "mongo-data"
+		spec: {
+			accessModes: ["ReadWriteOnce"]
+			resources: requests: storage: "1Gi"
+			storageClassName: "ceph-block"
+		}
+	}
+}
diff --git a/components/mongodb/values.cue b/components/mongodb/values.cue
@@ -17,12 +17,9 @@ package holos
 	}
 	persistence: {
 		data: {
-			accessMode: "ReadWriteOnce"
-			enabled:    true
+			enabled:       true
+			existingClaim: "mongo-data"
 			globalMounts: [{path: "/data/db"}]
-			retain: true
-			size:   "8Gi"
-			type:   "persistentVolumeClaim"
 		}
 		initdb: {
 			enabled: true

diff --git a/components/prowlarr/pvc.cue b/components/prowlarr/pvc.cue
@@ -0,0 +1,13 @@
+package holos
+
+Component: Resources: PersistentVolumeClaim: {
+	data: {
+		apiVersion: "v1"
+		metadata: name: "prowlarr"
+		spec: {
+			accessModes: ["ReadWriteOnce"]
+			resources: requests: storage: "1Gi"
+			storageClassName: "ceph-block"
+		}
+	}
+}