feat: TESTING

This also came with a big rework of the configuration format that should
make everything a bit less hacky to work with.

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[*]
+indent_style = tab
+
+[*.yaml]
+indent_style = space
+indent_size = 2

.git-crypt/.gitattributes

@@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary

.gitattributes

@@ -0,0 +1,2 @@
+*.key filter=git-crypt diff=git-crypt
+secrets.yaml filter=git-crypt diff=git-crypt

.gitignore

@@ -1,3 +1,4 @@
-ipxe/
+.ipxe/
 rendered/
-tftp/
+configs/
+.vagrant/

.pre-commit-config.yaml

@@ -0,0 +1,67 @@
+default_install_hook_types:
+  - pre-commit
+  - commit-msg
+
+default_stages:
+  - pre-commit
+
+repos:
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes
+
+  - repo: builtin
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+      - id: check-yaml
+      - id: check-toml
+      - id: check-added-large-files
+      - id: check-merge-conflict
+      - id: check-executables-have-shebangs
+
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.37.1
+    hooks:
+      - id: check-jsonschema
+        files: ^talos/patches/.*\.y(a?)ml$
+        args:
+          [
+            "--schemafile",
+            "https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json",
+          ]
+      - id: check-jsonschema
+        files: ^talos/nodes/.*\.y(a?)ml$
+        args:
+          [
+            "--schemafile",
+            "https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/node.json",
+          ]
+      - id: check-jsonschema
+        files: ^talos/clusters/.*\.y(a?)ml$
+        args:
+          [
+            "--schemafile",
+            "https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/cluster.json",
+          ]
+
+  - repo: https://github.com/pre-commit/mirrors-prettier
+    rev: v3.1.0
+    hooks:
+      - id: prettier
+
+  - repo: https://github.com/crate-ci/typos
+    rev: v1.40.0
+    hooks:
+      - id: typos
+
+  - repo: https://github.com/sirwart/ripsecrets
+    rev: v0.1.11
+    hooks:
+      - id: ripsecrets-system
+
+  - repo: https://github.com/crate-ci/committed
+    rev: v1.1.8
+    hooks:
+      - id: committed

.prettierrc

@@ -0,0 +1,3 @@
+{
+	"bracketSpacing": false
+}

.secretsignore

@@ -0,0 +1,2 @@
+secrets.yaml
+*.key

Dockerfile

@@ -1,40 +0,0 @@
-FROM docker.io/library/debian:stable AS builder-ipxe
-RUN apt-get update \
-	&& apt-get install -y \
-		build-essential \
-		curl \
-		liblzma-dev \
-		genisoimage
-ARG IPXE_VERSION=b41bda4413bf286d7b7a449bc05e1531da1eec2e
-RUN curl -L https://github.com/ipxe/ipxe/archive/${IPXE_VERSION}.tar.gz | tar -xz
-WORKDIR /ipxe-${IPXE_VERSION}/src
-
-# Enable HTTPS
-RUN sed -i 's/^#undef[\t ]DOWNLOAD_PROTO_HTTPS.*$/#define DOWNLOAD_PROTO_HTTPS/g' config/general.h
-
-RUN mkdir /build
-RUN make -j$(nproc) bin/ipxe.pxe && cp bin/ipxe.pxe /build
-RUN make -j$(nproc) bin-x86_64-efi/ipxe.efi && cp bin-x86_64-efi/ipxe.efi /build
-
-FROM docker.io/library/python:3.13-slim AS config-renderer
-COPY --from=docker.io/hairyhenderson/gomplate:v4.3 /gomplate /bin/gomplate
-COPY ./requirements.txt /requirements.txt
-RUN pip install -r /requirements.txt
-COPY ./generate.sh /generate.sh
-COPY ./tools /tools
-COPY ./nodes /nodes
-COPY ./templates /templates
-RUN ./generate.sh
-
-FROM docker.io/library/alpine:3.22.2 AS runtime
-RUN apk add dnsmasq
-
-COPY --from=builder-ipxe /build/ipxe.pxe /tftproot/
-COPY --from=builder-ipxe /build/ipxe.efi /tftproot/
-COPY --from=config-renderer /rendered/boot.ipxe /tftproot/
-COPY --from=config-renderer /rendered/dnsmasq.conf /dnsmasq.conf
-
-EXPOSE 67/udp
-EXPOSE 69/udp
-
-CMD ["dnsmasq", "--conf-file=/dnsmasq.conf", "--keep-in-foreground", "--user=root", "--log-facility=-", "--port=0"]

README.md

@@ -0,0 +1,73 @@
+# Talos
+
+To decrypt the secrets file:
+
+```
+git-crypt unlock
+```
+
+Generate the config files:
+
+```bash
+talosctl gen config <cluster_name> https://<controlplane_ip>:6443 -f \
+--with-secrets secrets.yaml \
+--config-patch @<path_to_patch> \
+--config-patch-control-plane @<path_to_controlplane_patch> \
+--install-image factory.talos.dev/metal-installer/<schematic_id>:<version> \
+-o configs
+```
+
+Set TALOSCONFIG:
+
+```bash
+export TALOSCONFIG=$(realpath configs/talosconfig)
+```
+
+Apply the configs for each node, use worker.yaml for worker nodes:
+
+```bash
+talosctl apply-config --insecure --nodes <node_id> --file configs/controlplane.yaml
+```
+
+Set endpoint to one of the nodes:
+
+```bash
+talosctl config endpoint <node_ip>
+```
+
+Bootstrap Kubernetes:
+
+```bash
+talosctl -n <node_id> bootstrap
+```
+
+Set endpoint to control plane:
+
+```bash
+talosctl config endpoint <controlplane_ip>
+```
+
+Get kubeconfig and set KUBECONFIG:
+
+```bash
+talosctl -n 192.168.1.100 kubeconfig $PWD/configs/kubeconfig
+export KUBECONFIG=$(realpath configs/kubeconfig)
+```
+
+For applying updated config to node:
+
+```bash
+talosctl apply-config --nodes <node_id> --file configs/controlplane.yaml
+```
+
+Upgrading talos or changing the schematic:
+
+```bash
+talosctl upgrade --nodes <node_id> --image factory.talos.dev/metal-installer/<schematic_id>:<version>
+```
+
+To upgrade kubernetes or inline manifests, first apply the updated controlplane configs, then run:
+
+```bash
+talosctl upgrade-k8s
+```

Vagrantfile

@@ -0,0 +1,28 @@
+Vagrant.configure("2") do |config|
+	config.vm.define "talos-vm" do |vm|
+		vm.vm.network :private_network,
+			:type => "dhcp",
+			:libvirt__network_address => "192.168.1.0",
+			:libvirt__netmask => "255.255.255.0",
+			# :libvirt__dhcp_bootp_file => "ipxe.pxe"
+			:libvirt__dhcp_bootp_file => "http://192.168.1.1:8000/ipxe.pxe"
+
+		vm.vm.hostname = "talos"
+
+		vm.vm.provider :libvirt do |domain|
+			domain.cpus = 6
+			domain.memory = 16 * 1024
+			domain.storage :file, :size => '100G', :type => 'raw'
+			domain.mgmt_attach = false
+
+			domain.boot "hd"
+			domain.boot "network"
+
+			domain.sysinfo = {
+				"system": {
+					"serial": "talos-vm"
+				}
+			}
+		end
+	end
+end

committed.toml

@@ -0,0 +1,2 @@
+style = "conventional"
+ignore_author_re = "Flux"

dhcp.yaml

@@ -1 +0,0 @@
-tftpIp: 10.0.0.3

generate.sh

@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-set -euxo pipefail
-SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
-
-${SCRIPT_DIR}/tools/merge.py ./nodes | gomplate -d nodes=stdin://nodes.json -d dhcp=${SCRIPT_DIR}/dhcp.yaml --input-dir ${SCRIPT_DIR}/templates --output-dir ${SCRIPT_DIR}/rendered

mise.toml

@@ -0,0 +1,2 @@
+[env]
+VAGRANT_DEFAULT_PROVIDER = "libvirt"

nodes/_defaults.yaml

@@ -1,9 +0,0 @@
-schematicID: !schematic "_schematic.yaml"
-arch: amd64
-talosVersion: v1.11.3
-kernelArgs: talos.platform=metal console=tty0 init_on_alloc=1 slab_nomerge pti=on consoleblank=0 nvme_core.io_timeout=4294967295 printk.devkmsg=on selinux=1 lockdown=confidentiality
-dns0: 1.1.1.1
-dns1: 8.8.8.8
-ntp: nl.pool.ntp.org
-install: false
-upgradeIPXE: false

nodes/production/_defaults.yaml

@@ -1,3 +0,0 @@
-netmask: 255.255.252.0
-gateway: 10.0.0.1
-install: true

nodes/production/helios.yaml

@@ -1,3 +0,0 @@
-serial: 5CZ7NX2
-interface: enp2s0
-ip: 10.0.0.202

nodes/production/hyperion.yaml

@@ -1,3 +0,0 @@
-serial: F3PKRH2
-interface: enp3s0
-ip: 10.0.0.201

nodes/production/selene.yaml

@@ -1,3 +0,0 @@
-serial: J33CHY2
-interface: enp2s0
-ip: 10.0.0.203

nodes/vm/_defaults.yaml

@@ -1,3 +0,0 @@
-netmask: 255.255.255.0
-gateway: 192.168.1.1
-upgradeIPXE: ipxe.pxe

nodes/vm/vm.yaml

@@ -1,4 +0,0 @@
-serial: vm
-interface: enp1s0
-ip: 192.168.1.2
-install: true

requirements.txt

@@ -1,2 +0,0 @@
-PyYAML==6.0.3
-requests==2.32.5

talos/clusters/default.yaml

@@ -0,0 +1,52 @@
+# yaml-language-server: $schema=https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/cluster.json
+version:
+  kubernetes: 1.35.3
+  talos: 1.12.6
+
+base:
+  kernelArgs:
+    - talos.platform=metal
+    - console=tty0
+    - init_on_alloc=1
+    - init_on_free=1
+    - slab_nomerge
+    - pti=on
+    - consoleblank=0
+    - nvme_core.io_timeout=4294967295
+    - printk.devkmsg=on
+    - selinux=1
+    - lockdown=confidentiality
+  patches:
+    all:
+      - system/hostname.yaml
+      - system/install-disk.yaml
+      - system/network.yaml.jinja
+      - system/ntp.yaml
+      - system/dns.yaml.jinja
+      - networking/vip.yaml
+      - networking/tailscale.yaml
+      - networking/cilium.yaml
+      - spegel.yaml
+      - storage/longhorn.yaml
+      - storage/longhorn/user-volume.yaml
+      - storage/local-path-provisioner/user-volume.yaml
+      - storage/limit-ephemeral.yaml
+      - metrics/all.yaml
+    controlPlane:
+      - system/allow-control-plane-workloads.yaml
+      - sops.yaml
+      - flux/cluster-variables.yaml
+      - metrics/control-plane.yaml
+      - networking/gateway-api.yaml
+default:
+  arch: amd64
+  schematic: default.yaml
+  network:
+    dns:
+      - 1.1.1.1
+      - 8.8.8.8
+    tailscale:
+      server: https://headscale.huizinga.dev
+  ntp: nl.pool.ntp.org
+  install:
+    auto: true

talos/clusters/testing.yaml

@@ -0,0 +1,19 @@
+# yaml-language-server: $schema=https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/cluster.json
+clusterEnv: staging
+controlPlaneIp: 192.168.1.100
+secretsFile: testing/secrets.yaml
+nodes:
+  - testing/talos-vm
+
+default:
+  network:
+    interface: ens5
+    netmask: 255.255.255.0
+    gateway: 192.168.1.1
+    tailscale:
+      authKey:
+        file: testing/tailscale.key
+  sops:
+    file: testing/age.key
+  install:
+    disk: /dev/vda

talos/clusters/titan.yaml

@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/cluster.json
+clusterEnv: production
+controlPlaneIp: 10.0.2.1
+secretsFile: titan/secrets.yaml
+nodes:
+  - titan/hyperion
+  - titan/helios
+  - titan/selene
+
+default:
+  network:
+    netmask: 255.255.252.0
+    gateway: 10.0.0.1
+    tailscale:
+      authKey:
+        file: testing/tailscale.key
+  sops:
+    file: titan/age.key
+  install:
+    disk: /dev/sda

talos/nodes/testing/talos-vm.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/node.json
+type: controlPlane
+install:
+  serial: talos-vm
+network:
+  ip: 192.168.1.2
+  tailscale:
+    advertiseRoutes: true

talos/nodes/titan/helios.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/node.json
+type: controlPlane
+install:
+  serial: 5CZ7NX2
+network:
+  interface: enp2s0
+  ip: 10.0.0.202

talos/nodes/titan/hyperion.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/node.json
+type: controlPlane
+install:
+  serial: F3PKRH2
+network:
+  interface: enp3s0
+  ip: 10.0.0.201

talos/nodes/titan/selene.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://git.huizinga.dev/infra/crete/raw/branch/main/schemas/node.json
+type: controlPlane
+install:
+  serial: J33CHY2
+network:
+  interface: enp2s0
+  ip: 10.0.0.203

talos/patches/flux/cluster-variables.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+cluster:
+  inlineManifests:
+    - name: cluster-variables
+      contents: |
+        ---
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          name: cluster-variables
+          namespace: flux-system
+        data:
+          cluster_env: {{ cluster.clusterEnv }}

talos/patches/metrics/all.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+machine:
+  kubelet:
+    extraArgs:
+      rotate-server-certificates: "true"

talos/patches/metrics/control-plane.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+cluster:
+  extraManifests:
+    - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/main/deploy/standalone-install.yaml
+    - https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

talos/patches/networking/cilium.yaml

@@ -0,0 +1,12 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+machine:
+  features:
+    hostDNS:
+      # This option is enabled by default and causes issues with cilium
+      forwardKubeDNSToHost: false
+cluster:
+  network:
+    cni:
+      name: none
+  proxy:
+    disabled: true

talos/patches/networking/gateway-api.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+cluster:
+  extraManifests:
+    - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/standard-install.yaml

talos/patches/networking/tailscale.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: ExtensionServiceConfig
+name: tailscale
+environment:
+  - TS_AUTHKEY={{ node.network.tailscale.authKey }}
+  - TS_EXTRA_ARGS={% if node.network.tailscale.server %}--login-server {{ node.network.tailscale.server }}{% endif +%}
+  - TS_ROUTES={% if node.network.tailscale.advertiseRoutes %}{{node.network.ip}}/{{ node.network.netmask | to_prefix }}{% endif %}

talos/patches/networking/vip.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: Layer2VIPConfig
+name: "{{ cluster.controlPlaneIp }}"
+link: "{{ node.network.interface }}"

talos/patches/sops.yaml

@@ -0,0 +1,18 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+cluster:
+  inlineManifests:
+    - name: sops-key
+      contents: |
+        apiVersion: v1
+        kind: Namespace
+        metadata:
+          name: flux-system
+        ---
+        apiVersion: v1
+        kind: Secret
+        metadata:
+          name: sops-gpg
+          namespace: flux-system
+        stringData:
+          age.agekey: |
+            {{ node.sops | indent(6*2) }}

talos/patches/spegel.yaml

@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+machine:
+  files:
+    - path: /etc/cri/conf.d/20-customization.part
+      op: create
+      content: |
+        [plugins."io.containerd.cri.v1.images"]
+          discard_unpacked_layers = false

talos/patches/storage/limit-ephemeral.yaml

@@ -0,0 +1,6 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: VolumeConfig
+name: EPHEMERAL
+provisioning:
+  maxSize: 30GB

talos/patches/storage/local-path-provisioner/user-volume.yaml

@@ -0,0 +1,9 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: local-path-provisioner
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 10GB

talos/patches/storage/longhorn.yaml

@@ -0,0 +1,11 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+machine:
+  kubelet:
+    extraMounts:
+      - destination: /var/lib/longhorn
+        type: bind
+        source: /var/lib/longhorn
+        options:
+          - bind
+          - rshared
+          - rw

talos/patches/storage/longhorn/user-volume.yaml

@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: UserVolumeConfig
+name: longhorn
+provisioning:
+  diskSelector:
+    match: system_disk
+  grow: true
+  maxSize: 2000GB
+# # yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+# apiVersion: v1alpha1
+# kind: UserVolumeConfig
+# name: longhorn
+# # We want to take the whole distk
+# # TODO: Add second disk to virtual machine
+# volumeType: "disk"
+# provisioning:
+#   diskSelector:
+#     # TODO: UPDATE THIS
+#     # match: system_disk

talos/patches/storage/openebs.yaml

@@ -0,0 +1,17 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+machine:
+  # This is only needed on nodes that will have storage
+  sysctls:
+    vm.nr_hugepages: "1024"
+  nodeLabels:
+    openebs.io/engine: mayastor
+  # This is needed on ALL nodes
+  kubelet:
+    extraMounts:
+      - destination: /var/local
+        type: bind
+        source: /var/local
+        options:
+          - bind
+          - rshared
+          - rw

talos/patches/system/allow-control-plane-workloads.yaml

@@ -0,0 +1,3 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+cluster:
+  allowSchedulingOnControlPlanes: true

talos/patches/system/dns.yaml.jinja

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: ResolverConfig
+nameservers:
+  {% for dns in node.network.dns %}
+  - address: {{ dns }}
+ {% endfor %}

talos/patches/system/hostname.yaml

@@ -0,0 +1,5 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: HostnameConfig
+hostname: "{{node.hostname}}"
+auto: "off"

talos/patches/system/install-disk.yaml

@@ -0,0 +1,4 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+machine:
+  install:
+    disk: "{{node.install.disk}}"

talos/patches/system/network.yaml.jinja

@@ -0,0 +1,10 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/siderolabs/talos/refs/heads/release-1.12/website/content/v1.12/schemas/config.schema.json
+apiVersion: v1alpha1
+kind: LinkConfig
+name: "{{node.network.interface}}"
+up: true
+mtu: 9000
+addresses:
+  - address: "{{node.network.ip}}/{{ node.network.netmask | to_prefix }}"
+routes:
+  - gateway: "{{node.network.gateway}}"

talos/patches/system/ntp.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1alpha1
+kind: TimeSyncConfig
+ntp:
+  servers:
+    - "{{ node.ntp }}"

talos/schematics/default.yaml

@@ -3,3 +3,6 @@ customization:
     officialExtensions:
       - siderolabs/iscsi-tools
       - siderolabs/util-linux-tools
+      - siderolabs/intel-ucode
+      - siderolabs/i915
+      - siderolabs/tailscale

templates/boot.ipxe

@@ -1,36 +1,22 @@
+{% set httpUrl = "http://192.168.1.1:8000" -%}
 #!ipxe
-
 dhcp
 
+echo Starting ${serial}
+
 :start
-# Is a known serial is set, execute that
+goto node_${serial} || exit
-# If an unknown serial is set, exit
-# If no serial is set, ask the user
-goto node_${serial} || goto manual
 # Default behavior (non install mode) is to exit iPXE script
 
-{{ range (datasource "nodes" | jsonArray) }}
+{% for cluster in clusters%}
-{{- if .install }}
+{% for node in cluster.nodes %}
-# {{ .filename }}
+{%- if node.install.serial -%}
-:node_{{ .serial }}
+# {{ cluster.name }}/{{ node.hostname }}
-{{- $ipArg := printf "ip=%s::%s:%s:%s:%s::%s:%s:%s" .ip .gateway .netmask .hostname .interface .dns0 .dns1 .ntp }}
+:node_{{ node.install.serial }}
-{{- $kernelArgs := printf "%s %s" $ipArg .kernelArgs }}
 imgfree
-kernel https://pxe.factory.talos.dev/image/{{ .schematicID }}/{{ .talosVersion }}/kernel-{{ .arch }} {{ $kernelArgs }} {{- if .upgradeIPXE }} || boot {{ .upgradeIPXE }} {{- end }}
+kernel https://pxe.factory.talos.dev/image/{{ node.schematic }}/v{{ cluster.version.talos }}/kernel-{{ node.arch }} {{ node.kernelArgs|join(" ") }} {% if node.install.auto %}talos.config={{httpUrl}}/configs/{{cluster.name}}/{{node.hostname}}.yaml{% endif +%}
-initrd https://pxe.factory.talos.dev/image/{{ .schematicID }}/{{ .talosVersion }}/initramfs-{{ .arch }}.xz
+initrd https://pxe.factory.talos.dev/image/{{ node.schematic }}/v{{ cluster.version.talos }}/initramfs-{{ node.arch }}.xz
 boot
-{{- end }}
+{% endif %}
-{{ end }}
+{% endfor %}
-
+{% endfor %}
-:manual
-menu Select node
-{{ range (datasource "nodes" | jsonArray) }}
-item {{ .serial }} {{ .hostname }}
-{{ end }}
-choose selected || goto cancel
-goto node_${selected}
-
-:cancel
-echo Type exit to restart script
-shell
-goto start

templates/dnsmasq.conf

@@ -1,4 +1,4 @@
-{{ $tftpIp := (ds "dhcp").tftpIp -}}
+{% set tftpIp = "192.168.1.1" -%}
 
 enable-tftp
 tftp-root=/tftproot
@@ -9,9 +9,9 @@ dhcp-vendorclass=UEFI,PXEClient:Arch:00007
 dhcp-vendorclass=UEFI64,PXEClient:Arch:00009
 
 # 1st stage: pxe rom boot on ipxe
-dhcp-boot=net:BIOS,ipxe.pxe,{{ $tftpIp }},{{ $tftpIp }}
+dhcp-boot=net:BIOS,ipxe.pxe,{{ tftpIp }},{{ tftpIp }}
-dhcp-boot=net:UEFI,ipxe.efi,{{ $tftpIp }},{{ $tftpIp }}
+dhcp-boot=net:UEFI,ipxe.efi,{{ tftpIp }},{{ tftpIp }}
-dhcp-boot=net:UEFI64,ipxe.efi,{{ $tftpIp }},{{ $tftpIp }}
+dhcp-boot=net:UEFI64,ipxe.efi,{{ tftpIp }},{{ tftpIp }}
 
 # Based on logic in https://gist.github.com/robinsmidsrod/4008017
 # iPXE sends a 175 option, checking suboptions
@@ -30,11 +30,11 @@ tag-if=set:ipxe-ok,tag:ipxe-http,tag:ipxe-https
 
 # these create option 43 cruft, which is required in proxy mode
 # TFTP IP is required on all dhcp-boot lines (unless dnsmasq itself acts as tftp server?)
-pxe-service=tag:!ipxe-ok,X86PC,PXE,undionly.kpxe,{{ $tftpIp }}
+pxe-service=tag:!ipxe-ok,X86PC,PXE,undionly.kpxe,{{ tftpIp }}
-pxe-service=tag:!ipxe-ok,IA32_EFI,PXE,snponlyx32.efi,{{ $tftpIp }}
+pxe-service=tag:!ipxe-ok,IA32_EFI,PXE,snponlyx32.efi,{{ tftpIp }}
-pxe-service=tag:!ipxe-ok,BC_EFI,PXE,snponly.efi,{{ $tftpIp }}
+pxe-service=tag:!ipxe-ok,BC_EFI,PXE,snponly.efi,{{ tftpIp }}
-pxe-service=tag:!ipxe-ok,X86-64_EFI,PXE,snponly.efi,{{ $tftpIp }}
+pxe-service=tag:!ipxe-ok,X86-64_EFI,PXE,snponly.efi,{{ tftpIp }}
 
 # later match overrides previous, keep ipxe script last
 # server address must be non zero, but can be anything as long as iPXE script is not fetched over TFTP
-dhcp-boot=tag:ipxe-ok,boot.ipxe,,{{ $tftpIp }}
+dhcp-boot=tag:ipxe-ok,boot.ipxe,,{{ tftpIp }}

templates/source.sh

@@ -0,0 +1,2 @@
+export TALOSCONFIG={{ root }}/configs/talosconfig
+export KUBECONFIG={{ clusters|map(attribute='name')|kubeconfig|join(":") }}

tools/merge.py

@@ -1,96 +0,0 @@
-#!/usr/bin/env python3
-
-# Adapted from: https://enix.io/en/blog/pxe-talos/
-
-import argparse
-import functools
-import json
-import pathlib
-
-import requests
-import yaml
-
-
-@functools.cache
-def get_schematic_id(schematic: str):
-    """Lookup the schematic id associated with a given schematic"""
-    r = requests.post("https://factory.talos.dev/schematics", data=schematic)
-    r.raise_for_status()
-    data = r.json()
-    return data["id"]
-
-
-def schematic_constructor(directory: pathlib.Path):
-    """Load specified schematic file and get the assocatied schematic id"""
-
-    def constructor(loader: yaml.SafeLoader, node: yaml.nodes.ScalarNode):
-        filename = str(loader.construct_scalar(node))
-        try:
-            schematic = directory.joinpath(filename).read_text()
-            return get_schematic_id(schematic)
-        except Exception:
-            raise yaml.MarkedYAMLError("Failed to load schematic", node.start_mark)
-
-    return constructor
-
-
-def get_loader(directory: pathlib.Path):
-    """Add special constructors to yaml loader"""
-    loader = yaml.SafeLoader
-    loader.add_constructor("!schematic", schematic_constructor(directory))
-
-    return loader
-
-
-@functools.cache
-def get_defaults(directory: pathlib.Path, root: pathlib.Path):
-    """Compute the defaults from the provided directory and parents."""
-    try:
-        with open(directory.joinpath("_defaults.yaml")) as fyaml:
-            yml_data = yaml.load(fyaml, Loader=get_loader(directory))
-    except OSError:
-        yml_data = {}
-
-    # Stop recursion when reaching root directory
-    if directory != root:
-        return get_defaults(directory.parent, root) | yml_data
-    else:
-        return yml_data
-
-
-def walk_files(root: pathlib.Path):
-    """Get all files that do not start with and underscore"""
-    for dirpath, _dirnames, filenames in root.walk():
-        for fn in filenames:
-            if not fn.startswith("_"):
-                yield dirpath.joinpath(fn)
-
-
-def main():
-    parser = argparse.ArgumentParser()
-    parser.add_argument("directory", type=pathlib.Path)
-    parser.add_argument("-f", "--filter")
-    args = parser.parse_args()
-
-    data = []
-    for fullname in walk_files(args.directory):
-        filename = (
-            str(fullname.relative_to(args.directory).parent) + "/" + fullname.stem
-        )
-
-        if args.filter is not None and not filename.startswith(args.filter):
-            continue
-
-        with open(fullname) as fyaml:
-            yml_data = yaml.load(fyaml, Loader=get_loader(fullname.parent))
-        yml_data = get_defaults(fullname.parent, args.directory) | yml_data
-        yml_data["hostname"] = fullname.stem
-        yml_data["filename"] = filename
-        data.append(yml_data)
-
-    # Dump everything to json
-    print(json.dumps(data))
-
-
-if __name__ == "__main__":
-    main()

tools/server

@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+set -euo pipefail
+ROOT=$(git rev-parse --show-toplevel)
+
+IPXE_VERSION=b41bda4413bf286d7b7a449bc05e1531da1eec2e
+IPXE_BIN=(bin/ipxe.pxe bin-x86_64-efi/ipxe.efi)
+
+IPXE_DIR=${ROOT}/.ipxe/ipxe-${IPXE_VERSION}
+HTTP_URL="http://192.168.1.1:8000"
+
+function download_ipxe() {
+	base_dir=$(dirname ${IPXE_DIR})
+	# Download the iPXE source if needed
+	if [ ! -d "${IPXE_DIR}" ]; then
+		mkdir -p "${base_dir}"
+		curl -L https://github.com/ipxe/ipxe/archive/${IPXE_VERSION}.tar.gz | tar -xz -C "${base_dir}"
+	fi
+}
+
+function patch_ipxe() {
+	# Apply patches to iPXE source
+	cd "${IPXE_DIR}/src"
+	sed -i 's/^#undef[\t ]DOWNLOAD_PROTO_HTTPS.*$/#define DOWNLOAD_PROTO_HTTPS/g' config/general.h
+
+	cat > embed.ipxe << EOF
+#!ipxe
+
+dhcp
+chain ${HTTP_URL}/boot.ipxe || shell
+# chain boot.ipxe || shell
+EOF
+
+	cd - > /dev/null
+}
+
+function build_ipxe() {
+	cd "${IPXE_DIR}/src"
+	for bin in "${IPXE_BIN[@]}"; do
+		path=${IPXE_DIR}/src/${bin}
+		if [ ! -f "${path}" ]; then
+			make -j$(nproc) ${bin} EMBED=embed.ipxe
+		fi
+	done
+	cd - > /dev/null
+}
+
+
+function host_tftp() {
+	TFTP_DIR=$(mktemp --tmpdir -d tftp.XXX)
+	chmod 755 ${TFTP_DIR}
+	function cleanup() {
+		rm -rf ${TFTP_DIR}
+	}
+	trap cleanup EXIT
+
+	cp ${ROOT}/rendered/boot.ipxe ${TFTP_DIR}
+	for bin in "${IPXE_BIN[@]}"; do
+		path=${IPXE_DIR}/src/${bin}
+		cp ${path} ${TFTP_DIR}
+	done
+
+	echo "Starting tftpd"
+	sudo in.tftpd --verbosity 100 --permissive -L --secure ${TFTP_DIR}
+}
+
+function host_http() {
+	HTTP_DIR=$(mktemp --tmpdir -d http.XXX)
+	chmod 755 ${HTTP_DIR}
+	function cleanup() {
+		rm -rf ${HTTP_DIR}
+	}
+	trap cleanup EXIT
+
+	ln -s ${ROOT}/rendered/boot.ipxe ${HTTP_DIR}
+	for bin in "${IPXE_BIN[@]}"; do
+		path=${IPXE_DIR}/src/${bin}
+		ln -s ${path} ${HTTP_DIR}
+	done
+
+	ln -s ${ROOT}/configs ${HTTP_DIR}
+
+	echo "Starting http"
+	cd ${HTTP_DIR}
+	python -m http.server 8000
+	cd -
+}
+
+download_ipxe
+patch_ipxe
+build_ipxe
+crete generate
+host_http

vm/cluster-vm.xml

@@ -1,13 +0,0 @@
-<network xmlns:dnsmasq='http://libvirt.org/schemas/network/dnsmasq/1.0'>
-  <name>cluster-vm</name>
-  <bridge name="cluster0" stp="on" delay="0"/>
-  <forward mode='nat'>
-    <nat/>
-  </forward>
-  <ip address="192.168.1.1" netmask="255.255.255.0">
-    <dhcp>
-      <range start="192.168.1.2" end="192.168.1.254"/>
-      <bootp file='boot.ipxe'/>
-    </dhcp>
-  </ip>
-</network>

vm/create.sh

@@ -1,15 +0,0 @@
-#!/usr/bin/env bash
-SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
-source ${SCRIPT_DIR}/helper.sh
-
-if [[ $(virsh --connect="${CONNECTION}" net-list --all | grep -c "${NETWORK}") == "0" ]]; then
-  virsh --connect="${CONNECTION}" net-define "${SCRIPT_DIR}/${NETWORK}.xml"
-  virsh --connect="${CONNECTION}" net-start "${NETWORK}"
-  virsh --connect="${CONNECTION}" net-autostart "${NETWORK}"
-fi
-
-virt-install --connect="${CONNECTION}" --name="${VM_NAME}" --vcpus="${VCPUS}" --memory="${RAM_MB}" \
-        --os-variant="linux2022" \
-        --disk="size=${DISK_GB}" \
-		--pxe \
-        --network network="${NETWORK}"

vm/destroy.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
-source ${SCRIPT_DIR}/helper.sh
-
-virsh --connect="${CONNECTION}" destroy "${VM_NAME}"
-virsh --connect="${CONNECTION}" undefine "${VM_NAME}" --remove-all-storage
-virsh --connect="${CONNECTION}" net-destroy "${NETWORK}"
-virsh --connect="${CONNECTION}" net-undefine "${NETWORK}"

vm/helper.sh

@@ -1,10 +0,0 @@
-set -euxo pipefail
-VM_NAME="test"
-VCPUS="2"
-RAM_MB="2048"
-DISK_GB="10"
-NETWORK=cluster-vm
-CONNECTION="qemu:///system"
-
-IPXE_VERSION=b41bda4413bf286d7b7a449bc05e1531da1eec2e
-IPXE_BIN=bin/ipxe.pxe

vm/start.sh

@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
-source ${SCRIPT_DIR}/helper.sh
-
-virsh --connect="${CONNECTION}" start ${VM_NAME}
-virt-viewer --connect="${CONNECTION}" ${VM_NAME}
-virsh --connect="${CONNECTION}" shutdown ${VM_NAME}

vm/tftp.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-SCRIPT_DIR=$(dirname -- "$(readlink -f -- "$BASH_SOURCE")")
-source ${SCRIPT_DIR}/helper.sh
-
-TFTP_DIR=${SCRIPT_DIR}/../tftp
-rm -rf "${TFTP_DIR}"
-mkdir -p "${TFTP_DIR}"
-
-IPXE_DIR=${SCRIPT_DIR}/../ipxe
-IPXE_FILE=${IPXE_DIR}/ipxe-${IPXE_VERSION}/src/${IPXE_BIN}
-if [ ! -f "${IPXE_FILE}" ]; then
-	mkdir -p "${IPXE_DIR}"
-	rm -rf "${IPXE_DIR}/ipxe-${IPXE_VERSION}"
-	curl -L https://github.com/ipxe/ipxe/archive/${IPXE_VERSION}.tar.gz | tar -xz -C "${IPXE_DIR}"
-	cd "${IPXE_DIR}/ipxe-${IPXE_VERSION}/src"
-	sed -i 's/^#undef[\t ]DOWNLOAD_PROTO_HTTPS.*$/#define DOWNLOAD_PROTO_HTTPS/g' config/general.h
-	make -j$(nproc) ${IPXE_BIN}
-	cd -
-fi
-
-${SCRIPT_DIR}/../generate.sh
-
-cp ${SCRIPT_DIR}/../rendered/boot.ipxe ${TFTP_DIR}
-cp ${IPXE_FILE} ${TFTP_DIR}
-
-sudo in.tftpd -L --secure ./tftp