infra/metal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: infra:adec591290b52b7a36ab4229d6caf97b89c54cc3
Branches Tags
infra:main
..
compare: infra:787c763b7a033057ed6bac392abc56f97569d3de
Branches Tags
infra:main

4 Commits
adec591290 ... 787c763b7a

Author SHA1 Message Date
Dreaded_X
787c763b7a Added sops keys 2025-12-01 01:59:39 +01:00
Dreaded_X
1da24905ef Added helper function to load file content as base64 2025-12-01 01:59:08 +01:00
Dreaded_X
b0a1d04d7d Make route advertising configurable 2025-12-01 01:58:48 +01:00
Dreaded_X
7d5b09c623 Automatically add tailscale tag for cluster 2025-12-01 01:58:26 +01:00
11 changed files with 153 additions and 2 deletions
Expand all files Collapse all files

1
.gitattributes vendored
View File

@@ -1,2 +1,3 @@
_secrets.yaml filter=git-crypt diff=git-crypt _secrets.yaml filter=git-crypt diff=git-crypt
secrets.yaml filter=git-crypt diff=git-crypt secrets.yaml filter=git-crypt diff=git-crypt
_sops.asc filter=git-crypt diff=git-crypt

1
nodes/_defaults.yaml
View File

@@ -31,3 +31,4 @@ patches:
- !patch cilium - !patch cilium
patchesControlPlane: patchesControlPlane:
- !patch allow-control-plane-workloads - !patch allow-control-plane-workloads
- !patch sops

1
nodes/testing/_defaults.yaml
View File

@@ -6,3 +6,4 @@ cluster:
name: testing name: testing
controlPlaneIp: 192.168.1.100 controlPlaneIp: 192.168.1.100
secretsFile: !realpath _secrets.yaml secretsFile: !realpath _secrets.yaml
sopsKeyFile: !realpath _sops.asc

BIN
nodes/testing/_sops.asc Normal file
View File

Binary file not shown.

63
nodes/testing/_sops.pub.asc Normal file
View File

@@ -0,0 +1,63 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGks4XgBEADGW3kWVuEpcHoqjO19ztTrRhqG7y58M6jo3aiL1YuAKUMsGJOv
ifWVnqy+Twbkc+o7yYZIaxdzXkmT+3vtHJzEI2HoL9tTs43fnG4Lu+28c8TFl480
k9rOrvhP1UFTiYt5lsa7+gnH6UPcbaNFOWDxOKrzzr879Vv6884XOPUQ4qdsk/jV
YkqYbOzsSNeaicJIfIA8PIrBNMeV/v83gnEo6sgL4E/nVT2foGZg+MnOU1rO2N63
R+qK1iNTHR3TswuwI4TDAdw93s5Qn+5dYKKnB5lTdipXfidarMFojLAcfHPwsFl0
p5HRJnOJo5Vfj5Ljaj0GLLPk8gZjwA69vLQYY0d+IDhnvToScgolt1b2XaKGw+m6
gC9THU4i+RqDf/o6B7nN97ySJeuDvigu7af1jdDocQNQKp1o8BCoe93jM6CS6EZN
YIvN/7cNP2E/ABdVPXYdrSTgbeltJyQtxPiwfdmiNKK5wFNl4GqeTa98Vh6q5Guw
U5ZZCvk/dfXodylG/3htCJyXKx1GXzd6w3fGn3cCemNnlOih7CiBqM3mL2/jLbE1
7AKDGXcM8gn3jEAssgZZWFl4C0Fs4c7ow4+6zMJ6+C9N/gJAd3CFMJPbiNlMbE9e
uW4TAx5lG/pXyQugEZ9Dw/jrQS/3K71kr4D4bo2K9SUj0+tjzuL41Xd2WwARAQAB
tCJ0ZXN0aW5nLmh1aXppbmcuZGV2IChmbHV4IHNlY3JldHMpiQJPBBMBCgA5FiEE
dv92pag2QTfq8b5ulf94w46a1ukFAmks4XgDGy8EBQsJCAcCBhUKCQgLAgQWAgMB
Ah4BAheAAAoJEJX/eMOOmtbpX8YP/2Z7a5xp+imXItXJSPgFa+NJBs4V1SMPPF2V
2YcHJGlnX6mOJJZUYXo8f615uN4+hRI3z4n2Uc2VYZdOFCKRcqFrY10wB1nvdukb
0OHR3CoBV4/S2NV6QS12JIyyYgV1WjstEK+CsdxVMVp4dvQvRcOWZ1Wt0tIx/rj0
1ccvBexXkyVrMc576yK+aB+fb9EOgdmpC8JswoyicHugi2Mq+QsVoNjKwMQwvKDR
NrLdJ+PCInuwBEwpy0cNRALrVTN9zzZpInZ7EAOkEUBH8t8g6MebDZgiZqgdeBJk
QcY9ciC8lyPcES0MOcSY2tpSAfHkPGbytv2DHxm7p+Lraczm8bxNOFnoCfy1i62Y
ewCMT4H/5PTmWVGPbKIOHg0B6ATZEnl+Hw4WIbKSAzIZnVNLSaFAXM3M/HWs/XUa
5CKYi2PmN0Jo85rsRczzboTuLyfqmnah1vznwrgp+MXk5Y7vT4DqHvhiij0vG9iG
buC4HQ642pszau2BF5+l16EnfFaC21k1AGQWiPQNZPeR18MvhJflmaMS6URZY0E9
QY487s+rJ1gTiL7zlPAfexNHc/z8kvQi8yF5PfBKPxXBAf18nIG6+n6vxn9lLxi4
7AjcA7pDbPAw2t9rgM6BUQkFHjwt6qCF7A65lLL1M36he/b7Wr8WYmo4Cd+X1jXK
WgGqwzk/uQINBGks4XgBEAC8EOELmKWvvuAMvKYb0kdeBYoCYMWscig8s6fQGJRt
vPsPvQmyZoVJ69fiEXcw9d/3StfkxlPaEakYNILdVL6Q+AgZgJFn/iY3ewMtnUNO
/P19cahl8PFSBnOWrGRLqGfC2bDoeW7rt7Muy1YjP+cVLoXL3qz685k8SUfVspka
qi84w1ucAvR8XTzN4/lwSgk8Avfx1vPiToFHugxDb7JiLmMBssKRRzAT3iPycMYK
kc0tNxAlMnKXPOPntdXw/50mtsM4WNP0/yMpdbmtGrGbIQUvpRBE7D7dZ6m0/+WI
9plpljVwbs3dikUfWILM3NseDK2CEid5VXQMqqdXaQlQDOwya2d0o5yzfUW+Yj+l
6dWlcNeI8wM9raum/GEsxoIGkzQ+fvT73StglcIPwACOJlwdRRu+WrDtS8PebirL
w70hKebEEwel8IA9U19L0GpnNjKhK10pqY39jX09YdMMq9f1gigsCj3Ika2l3ZyQ
Wl6y0UhiTiVkphqM9JJAApRlZbrxUxX6Sw0M6iOBX394ZKgzQbcpGcOGnGdQXs4V
7hMOtqYrQqYqTSoJYHqWNCgVsTcGeoo8/NN/9f0aVB2gv3CDIqnB+8xq15rsKrLN
9mM3Bxi2fRws6gTEcENV64j22Z1tKR3yHPSLv0/1Ta7A9SXnXmqw/BMjWJxQSmmN
ZwARAQABiQRsBBgBCgAgFiEEdv92pag2QTfq8b5ulf94w46a1ukFAmks4XgCGy4C
QAkQlf94w46a1unBdCAEGQEKAB0WIQTXTIfxfRLD7cv4AoBl1ZPdaI4nIwUCaSzh
eAAKCRBl1ZPdaI4nI+nzEACZspevA9KxrWo8ZMv3Jyz/SZ6qGeUZm0cS+wYlnXTO
jwHq+gjvzQvmrg/+S9kneE4mFx21p3exKh6waYt9M18MHj623HGTXrKHuXTbKhom
7kDISFbnKjcoyyLT7KvCP27lfhv9ahkgvj2GdjPCVsWY3m53dWMKjLEHNYrVPw5v
ublNbjvAZ8sUEuP1wIZDqqCImYR2VP+ND8BCx+br20mnpHbB9GRSWKWZ0kG8cc9n
bJgUnd0f6rp0kPqTvH2YNPx8V56v3NqbnvON+p/2YfRZ4ff9hTB65Gune8xlqXUf
KbRCgepkgH5uYXCl/1+urWQZJPlUOGYP5b37wezm2vrd3Gq9LY52JXw+If953dAi
AGYhlqtQsu/MtA0MwGqSYBWY9SRHoNkCJw798B3ZrQOescnmokjAZhH/8def2r6Q
NXlMVwrKYl7vQMxa5uDJP9VqwrLn3FMpnOCEAWfl+nc+cu1MP17KwofwbtzbDlSq
rTiIskYb571ZgW/wSNTi6Y0qtq0Hn7ruoRfLONgdsru/JlrRUWMHiziWz21lJYOZ
KR3snLGdURh8JBPHI4eUYe6F0gk1g6Mn9BJljWTASzEs41Wbs7SXyn0bKEvOVZza
t+on9ab22futkoxdD9TQgYLtYJy6kvcnd3opa9FaVlFzS4zLVetwgj2fcri779+o
ozu/D/4qlHXpPmgfPYfaLHPzpAq6GEFf3uLU/Ue7LJAipNdgSWgQGqpu070pFTYp
FxOyhECEixBpFzs9ygfa35Sjw/8cDd+6aAYrIPEk2V98gA8N0nIeUOwh7mcy8vfD
1omqkiS4hanhv2Q5OrgHlTj/28K6CXTRouRaaADvudjSLdt5jM9Y87uuBE7N2okF
tq1oYgvNOiZt9vERU3N8raefgGs869Oi3CawyD71/UV8mdUzkg4awlCDz2tCvEBg
h8G/ys/4fVp6orac6qvIr9SGKu8oT20VCmAc4tv1ze6avjcARvuzrhIRFbiZtDpB
nJafOLOqzOcoZgEy+7Iwa6/iZjFiRMdgEjgU62bVeQEQKny5Nm7y3lnEBNja/ISP
xB6emz/G6nmWwAt0OnZnH3lFwiXrRgefb+MPHi5rvRN9mqRHQ43UU4pkYQO0fa1H
PeNhhe7qo8H4AFdZTzsRurBOsLTZ+uJGjwto+Zq+hQkzPBvfVSzVbkvvEUFwn+Hm
PmP+lKYThzVSlxbDEMHu7BDnJQZX/MTTyJnviXgMaRstgjMak52SAjIReiI+RRgO
mihWQ21nN9u2WC78sZLHJTuej2yv6K7BZBl+TRRwwnRP7sQIassfXqB30kHFUXqr
kC7eCKdgW/DSKw5rhmMDfS0ILBTkhtL1XmOtcHK2PKdPe9DjAA==
=DrdW
-----END PGP PUBLIC KEY BLOCK-----

1
nodes/titan/_defaults.yaml
View File

@@ -5,3 +5,4 @@ cluster:
name: titan name: titan
controlPlaneIp: 10.0.2.1 controlPlaneIp: 10.0.2.1
secretsFile: !realpath _secrets.yaml secretsFile: !realpath _secrets.yaml
sopsKeyFile: !realpath _sops.asc

BIN
nodes/titan/_sops.asc Normal file
View File

Binary file not shown.

63
nodes/titan/_sops.pub.asc Normal file
View File

@@ -0,0 +1,63 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGks5cwBEADdTNm9v45f1r76Ka6+5zd9JIO0b7qGKSRaQ1FBw5Cf6424FhLg
5VJ5Ct01cyqemJsmgf/qMOFW8hDs0X8KeQO24D79qdTu9DO/q212R6BKjuFz+TRX
rdPrSoky5MDhLcN+AEU+Ban9aMvUbKiVeEtxJq/1SgTWfKnUsil5OmmzsR6LXhlZ
gA2kubo2oh4hrql9+i+iO5A7HZ5dc1T5bPYivXA/7tJ8Y66OUs1kaaMR8Cy1Qfp7
iPRkvmrMTQtLwVpWNWn0KCvyxtpBeeWxo1oGJYvVm8GJTBrB+Xhl5bOrnvqbD9Pw
6jzyN5ecMXn+KF4JZZW8Y9EIfH5JX+hA/W/zfF4y3oNszS/JlxyuRIHc3dsQQ2za
YpZ+rsvKJtIsZdPW+J9J5fjQkYvF1+wmOEOVtvryFlFjH5aPlDSnSPbU138dRPva
IfY/c0bOKW/Xd5GawYGKdfkJThJR/In1WQMimSpqydzLt3ELfovLmBFyMWjmiz+b
VFUCPktrt7m2VFHWjYu03REdV60L1CqKFvkoBp4KV5EnjAN7XKDCfKxM5gC8f/Yg
3F+R1+XzZPLUgTk/5/rDjAFynwcWnf2WfXd5JwJEi1pXgLiFVbK6phnfAJLvcsDt
jHVmjYf8dkMuMPXdubeyPo+CKaOffmCAmLgCppR5qDTF/ubDB20gLpBCcwARAQAB
tCF0aXRhbi5odWl6aW5nYS5kZXYgKGZsdXggc2VjcmV0cymJAk8EEwEKADkWIQSz
0/lFIzjCNZTY/8wOE+ZBNIET3QUCaSzlzAMbLwQFCwkIBwIGFQoJCAsCBBYCAwEC
HgECF4AACgkQDhPmQTSBE92rjg//dzU4BFAZXtiSnuqCdI+kCNykRyP4UIjxZICz
ixsXoG+0eIgOgLN5A4i1lDg/lPj/lpPCWlJvnOm/OAU7XUNA3KK98qQGViwVfrou
CqAeWMPMAvAgUB2cwkWV3FmCR/v9xBdo6eHeZfPoZ7OnND7uSck/u+5GgtMX0ZP0
qRbQo7DC+2fjObgXuLaCG49vBTYmy1S/uAAhSU0W7wpOUztn1srNCgWwYCAjAt0A
CzdNYSP10k8hA2a9+a4zsXjScdVjEqkoLeWJMtzt4roYArZjt9XJ4iKnroXCx52T
uaMmFdpGeBZno0Ih/qwGLFkvEcIwHe4uxY4aQK8k9wLNdS9s3qayXj1mF2HSMH16
wlg6aD6XB/2rTAaIdSs4yLipbN9Lo4jDeEkmag0n6qAcqZHCp+Z1nKeehNIX2MxT
VDo0XwQzBl3MrOJI/U/n7tD9cKi6lWHNJ2SZf42gPe6a06WklAoAj/YpLe2FbxYh
TTnkmHbIyMSUcdQ+xC/3h8qo8F9TssO8fA0JgdwVa96iBPJShCWW4V4nfumQYRGV
zeWRu7LEVnflSVZz/2a9P3ecE5DtmkUibVxDn5/xYYWsJpARV3QEGPT1pOvI8TBB
hc//XxZZ8j8MyFSX+hMFj2y+cqprqb0vCUPcnP6g298yAWlpgJwP+UcnyrOuTKkM
B0Tnume5Ag0EaSzlzAEQAODCxs7vrTtGJbEWxDUa/q4G/3cGNuA52EpSZfM3ZfCU
66gIRC6OPrIz3pIB4UKExS9OZtLxcrAVggzFhgOEaaBK87ku6KmC+PCKX1oY6AVT
FeaWtW8ajY53VAASNeA7GcDlCAV7DgM9n2w3SuiybvJkMQ4XkUlDwW3hxIYOi1/R
h3cRBHiQDR6beHkBd9BmH9HFGEDO7d2sR33Bl2UZOvc6+NQartp8znDmTJ+5RoZz
A/i8AvurEm6u3e6W1LZmHitIhBINd71tjRXiRsOmCuEcoFyChR7BpAUn9WaiW5BB
Y3VWXZC/O86donSuoWwlgIi9T9SXs+iIZzm4w9ongKGdbsEmpp/NcT28gQytTrug
2o9SSSVmLpnH/hg4D/M/a5eOI7UzWszf4iCZB01f/fyWtbokUxDpnn4bzUWXyie1
2P9yGtSjyeZPRn6ELGuCOrjvHTA6uIgRaXjYenDlTOPv1Gr5XeuGEJZaK/4d7rQb
u4yLDKC9n80pF06qD00XpnyX6hGL5ntMIiXbWeAbWNcfZEBu5TJg5H4PqcSDwI3E
TfJgf6RBzG8+XcjAgEWzdDJhat5QGCKGKmANfwbYHLj2XJdiwWqanWZmDXFH5p6o
b4zwceS9zx31Ex/XhJ4mutibpvTtDklpU3Ol6Jml/koB4KYHxRQwipCfPElwouhB
ABEBAAGJBGwEGAEKACAWIQSz0/lFIzjCNZTY/8wOE+ZBNIET3QUCaSzlzAIbLgJA
CRAOE+ZBNIET3cF0IAQZAQoAHRYhBJdlMI5OZl6R69KAiY629oMZwkJNBQJpLOXM
AAoJEI629oMZwkJNfLgQAKclJQc1yXj8hu/peiLcfdoTqYCzitu9h3x5KNerKCO1
I/iGDcOc/g17K8QdyTRB4zHunVMfBuC8Wp7G6uwhnCanMcOzfVdM80MSxdaBb+hM
3nJooZTxnXNJBNy5NPy2P9vE/+Fx7UQhC5DK70wX96Xm7WnA6dunvDP/DdD7Tzf2
qU2I9/axRBsBowJ1N0CL7VusLr+Iml6s6S/Z20o5EfFKNfHHpK7lUIxc41J1KWRw
qhqzm9GJh+PrafeYcq1/Q99HkmFBFkAHfUhiHkpTGVdc39fEM3ywxxJ5VuK51CKj
Q772kITdoJxgfv//+k51OPDDYmcidyK/jU+SE8GXlBsEAGDvvxf8zsh/PhXw+qNM
1JqX+OD6Mm02cbaWieDXbFXta3/4apAcbvBLaPggHyIHvjA2WbAsq7iQwjlFLeBV
qP9Vs6muREocNbvxQ3x8kM5ruWgogWl60TS+lKCN+bmJ2u64VdCtHZZxUZr3swQY
67RTEUvicqr0unP9/+87rjYPPpc+XSoh+MIQLQ3YrzE9aG/29P55+WlzsjayrYBR
MkM76zWMK/7xRx+fG+GITyfqGF+jAylNqGkpMBq8257JzfEE3kQJKBaZF6apOF+H
uJtr1u5+Y1HpClBqROw52Szb5VfTxrYS7aCd5DJdA1YM/jFGQYh2lM0z98ZqlBqR
R/cP+QEzGdJ1bYZhBU/P1NvHkbYc3GwN6j8UFYCGncJiUhJcNPgixogNJLFiWHom
+PrvvFrQI8ATCvcNF3pbETUP+PH2oLZ35KmOI9GGMNS/v/66E7o+1vXylXP0pZ9W
knEgQEUSxTSqvsSxfn06rSZvwjUcd/qOjvSJVS1urtBL9dt3Ct1jiXHaJEhPEY/z
nJLD/qaTF3Z4K2SoermaS8d3+fnp+7HrQcVfLneWpb7hrWATtRyPTvfvMEQzmmXP
G1v57wbA2fwAHPoth5Yzn5Cnib/677n2grnsumHFWYWhpSaRVGhJe8lMXjDiwNV6
Y45o9lmBUbgRXuO1ZprVXbc0ujkFyTLa0NZtMALHiy7XjzVMFgRmtwKX+KjAZGLr
hhqOrX+S3pcFqJTVLMP0bk7dV8IKAcbWrf7luQAtbQqVGIECrUqzDx4OfxuZl/rF
5UZKVXTFEGEDt7OFKrPDM802FqvUVHJxCm21WDUdBKWhLd9OnD74f16+9B+0cKHt
LXMTVEQINOcEuPwbqnkZqUz/vbR5Q7IR70Rdw3rXMEfvlyQMNzgmCw4PRzfa4cHq
CUgCYrvIBTmcjwa78+DCvfgfbe0/FtuQv1SNkpYiSU0qYx2S+aBl07pknO8mfSll
EWXe/zokPxeEtteNZkZ/gz4YtBymE+GUR+zM3IV7pYxVmtPE
=UtAO
-----END PGP PUBLIC KEY BLOCK-----

17
patches/sops.yaml Normal file
View File

@@ -0,0 +1,17 @@
cluster:
inlineManifests:
- name: sops-key
contents: |
apiVersion: v1
kind: Namespace
metadata:
name: flux-system
---
apiVersion: v1
kind: Secret
metadata:
name: sops-gpg
namespace: flux-system
data:
sops.acs: |
{{ helper.load_secret(node.cluster.sopsKeyFile) }}

2
patches/tailscale.yaml
View File

@@ -3,7 +3,7 @@ kind: ExtensionServiceConfig
name: tailscale name: tailscale
environment: environment:
- TS_AUTHKEY={{ config.tailscale.authKey }} - TS_AUTHKEY={{ config.tailscale.authKey }}
- TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }} --advertise-tags "tag:cluster-{{ node.cluster.name }}" - TS_EXTRA_ARGS=--login-server {{ config.tailscale.loginServer }} --advertise-tags=tag:cluster-{{ node.cluster.name }}
{% if node.advertiseRoutes %} {% if node.advertiseRoutes %}
- TS_ROUTES={{ helper.tailscale_subnet(node.gateway, node.netmask) }} - TS_ROUTES={{ helper.tailscale_subnet(node.gateway, node.netmask) }}
{% endif %} {% endif %}

6
tools/render
View File

@@ -3,6 +3,7 @@
# Adapted from: https://enix.io/en/blog/pxe-talos/ # Adapted from: https://enix.io/en/blog/pxe-talos/
import base64
import functools import functools
import json import json
import pathlib import pathlib
@@ -71,6 +72,9 @@ def tailscale_subnet(gateway: str, netmask: str):
netmask_bits = IPAddress(netmask).netmask_bits() netmask_bits = IPAddress(netmask).netmask_bits()
return f"{IPAddress(gateway) & IPAddress(netmask)}/{netmask_bits}" return f"{IPAddress(gateway) & IPAddress(netmask)}/{netmask_bits}"
def load_secret(path: str):
with open(path) as f:
return base64.b64encode(f.read().encode()).decode()
@functools.cache @functools.cache
def get_schematic_id(schematic: str): def get_schematic_id(schematic: str):
@@ -165,7 +169,7 @@ def main():
template_args = { template_args = {
"config": config, "config": config,
"root": ROOT, "root": ROOT,
"helper": {"tailscale_subnet": tailscale_subnet}, "helper": {"tailscale_subnet": tailscale_subnet, "load_secret": load_secret},
} }
nodes = [] nodes = []