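# Install dependencies
# Install go-task on your own (https://taskfile.dev/installation/)
# On macOS the BSD grep/awk are not enough: install the GNU versions.
# (`brew install grep,awk` is not valid brew syntax; Homebrew installs them as
#  `ggrep`/`gawk` unless you put the gnubin directories on PATH.)
# brew install grep gawk
# Install all the other dependencies
# (reference just the install taskfile so VARS don't need the dependencies)
task --taskfile .taskfiles/install.yml all
# Set up age/sops
task sops:init
## Replace the public key in .sops.yaml with the one sops:init produced.
## The matching age private key is the root of trust for every secret in this
## repo: back it up outside the repo and never commit it in plaintext.
# Friends don't let friends commit secrets
task pre-commit:init
# Configure your cluster
task talos:generate-secrets
## NOTE(review): the generated secrets file is presumably the cluster CA/token
## bundle -- keep it sops-encrypted before it is committed (the pre-commit hook
## should refuse the plaintext; confirm it does).
## Edit ./talos/talconfig.yaml
task talos:generate-configs
# Boot nodes to talos
# Apply configuration to each node
task talos:apply-config -- <node>
# ONLY ONCE! Bootstrap a single node
# (node name is quoted so a blank/odd value from the task can't split into extra args;
#  upstream docs call the binary `talosctl` -- `talos` is assumed to be a local alias, confirm)
talos -n "$(task talos:get-a-node)" bootstrap
# Install cilium
helmfile apply -f talos/cilium-helmfile.yaml
# Approve the kubelet serving-certificate CSRs.
# Do NOT approve every CSR blindly: only Pending requests (no status yet) from the
# kubelet-serving signer belong here. Anything else showing up at this point is
# suspect and should be inspected with `kubectl get csr` before approval.
# `xargs -r` skips the approve call entirely when there is nothing pending.
kubectl get csr -o go-template='{{range .items}}{{if and (not .status) (eq .spec.signerName "kubernetes.io/kubelet-serving")}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' \
  | xargs -r kubectl certificate approve
# Add age secret to the cluster
# (decrypted in the pipe only; the plaintext key never touches disk)
sops -d age-key.secret.sops.yaml | kubectl apply -f -
# Log in to GHCR so helm can pull the OCI charts used below.
# The token is passed on stdin (--password-stdin) so it does not land in shell
# history or in `ps` output; do not replace this with `--password "$(gh auth token)"`.
gh auth token | helm registry login ghcr.io -u {my_github_user} --password-stdin
# Install flux
helmfile apply -f talos/flux-helmfile.yaml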
Run all the tests locally that normally run in GitHub Actions CI.
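# Install all tools via mise
mise install
# Run all tests (like CI)
# (the original listing had the next comment glued onto `mise install` as
#  `install#`, which the shell would pass as a literal argument -- split here)
task test:all
# Run a quick test (skips slower Kubernetes validation)
task test:quick
# Run all linters
task test:lint:all
# Run individual linters
task test:lint:markdown    # Lint markdown files
task test:lint:yaml        # Lint YAML files
task test:lint:kubernetes  # Validate Kubernetes manifests with kubeconform
task test:lint:format      # Check code formatting with prettier
# Auto-fix formatting issues
# (expect files to be rewritten in place -- review the resulting diff before committing)
task test:fix
# Validate Flux resources locally
task test:flux:validate
# Show diffs for all Flux resources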
task test:flux:diff:all
- authentik - IdP + SSO
- cert-manager - TLS certificates - with Cloudflare DNS-01 challenge
- flux - GitOps tool for deploying manifests from the cluster directory
- kasten k10 - backup implementation
- kyverno - policy engine
- reloader - restart pods when a Kubernetes ConfigMap or Secret changes
- traefik - ingress controller
- rook - operator for ceph
The Git repository contains the following directories under cluster, listed in the order in which Flux applies them.
- base directory is the entrypoint to Flux
- crds directory contains custom resource definitions (CRDs) that need to exist globally in your cluster before anything else exists
- core directory (depends on crds) contains important infrastructure applications (grouped by namespace) that should never be pruned by Flux
- apps directory (depends on core) is where your common applications (grouped by namespace) go; Flux will prune resources here once they are no longer tracked in Git
| Node | Role | Specs |
|---|---|---|
| node1 | Control Plane, Storage | MinisForum MS-01 12600H, 96G |
| node2 | Control Plane, Storage | MinisForum MS-01 12600H, 96G |
| node3 | Control Plane, Storage | MinisForum MS-01 12600H, 96G |