Compare commits
1 Commits
main
...
9319202f35
| Author | SHA1 | Date | |
|---|---|---|---|
9319202f35
|
37
README.md
37
README.md
@@ -1,37 +0,0 @@
|
|||||||
# Main Infrastructure: weyma-talos
|
|
||||||
|
|
||||||
**Production Kubernetes infrastructure with disaster recovery capabilities**
|
|
||||||
|
|
||||||
This repository contains the foundational infrastructure for my Kubernetes homelab, designed with reliability and rapid recovery as core principles.
|
|
||||||
|
|
||||||
## Architecture
|
|
||||||
|
|
||||||
My infrastructure follows a layered "black start" approach - essential services run outside the Kubernetes cluster to enable cluster bootstrapping and recovery from total failures.
|
|
||||||
|
|
||||||
### Black Start Layer
|
|
||||||
Static services (Docker Compose on TrueNAS/Proxmox) that provide cluster dependencies:
|
|
||||||
- Image cache for faster deployments and offline capability
|
|
||||||
- Talos discovery server for node bootstrapping
|
|
||||||
- HashiCorp Vault for secrets management (external to cluster)
|
|
||||||
- Future: Self-hosted Sidero Omni server (migrating from SaaS)
|
|
||||||
|
|
||||||
### System Apps Layer
|
|
||||||
Applications running within Kubernetes that provide core cluster functionality, managed via ArgoCD with GitOps principles.
|
|
||||||
|
|
||||||
## Repository Structure
|
|
||||||
|
|
||||||
- **`black-start/`** - Docker Compose services for cluster dependencies
|
|
||||||
- **`config-patches/`** - Talos Linux configuration patches for cluster and individual machines
|
|
||||||
- **`omni/`** - Sidero Omni [cluster template](https://docs.siderolabs.com/omni/reference/cluster-templates)
|
|
||||||
- **`system-apps/`** - System applications (ArgoCD projects) - monitoring, ingress, certificates, storage
|
|
||||||
|
|
||||||
## Tech Stack
|
|
||||||
|
|
||||||
**OS:** Talos Linux | **Orchestration:** Kubernetes | **GitOps:** ArgoCD | **Secrets:** Vault | **Storage:** Rook-Ceph
|
|
||||||
|
|
||||||
## Recovery Process
|
|
||||||
|
|
||||||
The "black start" architecture enables ~15-20 minute automated recovery from complete infrastructure failure:
|
|
||||||
1. Start black-start services → 2. Bootstrap Talos → 3. Deploy system apps → 4. Deploy core apps
|
|
||||||
|
|
||||||
For application deployments, see [core-apps](https://git.dubyatp.xyz/core-apps).
|
|
||||||
@@ -2,7 +2,7 @@ version: "3.8"
|
|||||||
services:
|
services:
|
||||||
discovery:
|
discovery:
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
image: ghcr.io/siderolabs/discovery-service:v1.0.15
|
image: ghcr.io/siderolabs/discovery-service:v1.0.13
|
||||||
ports:
|
ports:
|
||||||
- 10.105.6.215:3000:3000
|
- 10.105.6.215:3000:3000
|
||||||
- 10.105.6.215:3001:3001
|
- 10.105.6.215:3001:3001
|
||||||
@@ -52,7 +52,6 @@ patches:
|
|||||||
bind-address: 0.0.0.0
|
bind-address: 0.0.0.0
|
||||||
proxy:
|
proxy:
|
||||||
extraArgs:
|
extraArgs:
|
||||||
proxy-mode: ipvs
|
|
||||||
metrics-bind-address: 0.0.0.0:10249
|
metrics-bind-address: 0.0.0.0:10249
|
||||||
scheduler:
|
scheduler:
|
||||||
extraArgs:
|
extraArgs:
|
||||||
@@ -288,45 +287,6 @@ patches:
|
|||||||
selector:
|
selector:
|
||||||
k8s-app: metrics-server
|
k8s-app: metrics-server
|
||||||
name: metrics-lb
|
name: metrics-lb
|
||||||
- contents: |-
|
|
||||||
apiVersion: v1
|
|
||||||
data:
|
|
||||||
Corefile: |
|
|
||||||
.:53 {
|
|
||||||
errors
|
|
||||||
health {
|
|
||||||
lameduck 5s
|
|
||||||
}
|
|
||||||
ready
|
|
||||||
log . {
|
|
||||||
class error
|
|
||||||
}
|
|
||||||
prometheus :9153
|
|
||||||
|
|
||||||
kubernetes cluster.local in-addr.arpa ip6.arpa {
|
|
||||||
pods insecure
|
|
||||||
fallthrough in-addr.arpa ip6.arpa
|
|
||||||
ttl 30
|
|
||||||
}
|
|
||||||
|
|
||||||
rewrite name git.dubyatp.xyz traefik-local.traefik.svc.cluster.local
|
|
||||||
|
|
||||||
forward . /etc/resolv.conf {
|
|
||||||
max_concurrent 1000
|
|
||||||
}
|
|
||||||
cache 30 {
|
|
||||||
disable success cluster.local
|
|
||||||
disable denial cluster.local
|
|
||||||
}
|
|
||||||
loop
|
|
||||||
reload
|
|
||||||
loadbalance
|
|
||||||
}
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: coredns
|
|
||||||
namespace: kube-system
|
|
||||||
name: coredns-config
|
|
||||||
---
|
---
|
||||||
kind: ControlPlane
|
kind: ControlPlane
|
||||||
machines:
|
machines:
|
||||||
|
|||||||
@@ -15,9 +15,10 @@
|
|||||||
],
|
],
|
||||||
"packageRules": [
|
"packageRules": [
|
||||||
{
|
{
|
||||||
"description": "Consolidate patch and minor updates to one PR",
|
"description": "Automerge patch updates",
|
||||||
"matchUpdateTypes": ["minor", "patch"],
|
"matchUpdateTypes": ["patch"],
|
||||||
"groupName": "all-minor-patch-updates"
|
"matchCurrentVersion": "!/^0/",
|
||||||
|
"automerge": true
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"description": "Rook Ceph - auto-update minor and patch versions only",
|
"description": "Rook Ceph - auto-update minor and patch versions only",
|
||||||
|
|||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: argo-cd
|
- name: argo-cd
|
||||||
version: 9.4.7
|
version: 9.3.7
|
||||||
repository: https://argoproj.github.io/argo-helm
|
repository: https://argoproj.github.io/argo-helm
|
||||||
@@ -128,30 +128,18 @@ argo-cd:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd
|
key: argo-cd
|
||||||
property: webhook.gitea.secret
|
property: webhook.gitea.secret
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: admin.password
|
- secretKey: admin.password
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd
|
key: argo-cd
|
||||||
property: admin.password
|
property: admin.password
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: admin.passwordMtime
|
- secretKey: admin.passwordMtime
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd
|
key: argo-cd
|
||||||
property: admin.passwordMtime
|
property: admin.passwordMtime
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: dex.authentik.clientSecret
|
- secretKey: dex.authentik.clientSecret
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd
|
key: argo-cd
|
||||||
property: dex.authentik.clientSecret
|
property: dex.authentik.clientSecret
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- apiVersion: external-secrets.io/v1
|
- apiVersion: external-secrets.io/v1
|
||||||
kind: ExternalSecret
|
kind: ExternalSecret
|
||||||
metadata:
|
metadata:
|
||||||
@@ -172,23 +160,14 @@ argo-cd:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: sshPrivateKey
|
property: sshPrivateKey
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: type
|
- secretKey: type
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: type
|
property: type
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: url
|
- secretKey: url
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: url.core-apps
|
property: url.core-apps
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- apiVersion: external-secrets.io/v1
|
- apiVersion: external-secrets.io/v1
|
||||||
kind: ExternalSecret
|
kind: ExternalSecret
|
||||||
metadata:
|
metadata:
|
||||||
@@ -209,23 +188,14 @@ argo-cd:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: sshPrivateKey
|
property: sshPrivateKey
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: type
|
- secretKey: type
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: type
|
property: type
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: url
|
- secretKey: url
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: url.weyma-talos
|
property: url.weyma-talos
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- apiVersion: external-secrets.io/v1
|
- apiVersion: external-secrets.io/v1
|
||||||
kind: ExternalSecret
|
kind: ExternalSecret
|
||||||
metadata:
|
metadata:
|
||||||
@@ -246,23 +216,14 @@ argo-cd:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: sshPrivateKey
|
property: sshPrivateKey
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: type
|
- secretKey: type
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: type
|
property: type
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: url
|
- secretKey: url
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: url.williamp-sites
|
property: url.williamp-sites
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- apiVersion: external-secrets.io/v1
|
- apiVersion: external-secrets.io/v1
|
||||||
kind: ExternalSecret
|
kind: ExternalSecret
|
||||||
metadata:
|
metadata:
|
||||||
@@ -283,20 +244,11 @@ argo-cd:
|
|||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: sshPrivateKey
|
property: sshPrivateKey
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: type
|
- secretKey: type
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: type
|
property: type
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
- secretKey: url
|
- secretKey: url
|
||||||
remoteRef:
|
remoteRef:
|
||||||
key: argo-cd-git
|
key: argo-cd-git
|
||||||
property: url.db-operators
|
property: url.db-operators
|
||||||
conversionStrategy: Default
|
|
||||||
decodingStrategy: None
|
|
||||||
metadataPolicy: None
|
|
||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: cert-manager
|
- name: cert-manager
|
||||||
version: v1.19.4
|
version: v1.19.2
|
||||||
repository: https://charts.jetstack.io
|
repository: https://charts.jetstack.io
|
||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: external-secrets
|
- name: external-secrets
|
||||||
version: 2.0.1
|
version: 1.3.1
|
||||||
repository: https://charts.external-secrets.io
|
repository: https://charts.external-secrets.io
|
||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kubernetes-replicator
|
- name: kubernetes-replicator
|
||||||
version: 2.12.3
|
version: 2.12.2
|
||||||
repository: https://helm.mittwald.de
|
repository: https://helm.mittwald.de
|
||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: kube-prometheus-stack
|
- name: kube-prometheus-stack
|
||||||
version: 82.8.0
|
version: 81.4.1
|
||||||
repository: https://prometheus-community.github.io/helm-charts
|
repository: https://prometheus-community.github.io/helm-charts
|
||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: rook-ceph
|
- name: rook-ceph
|
||||||
version: v1.19.2
|
version: v1.19.0
|
||||||
repository: https://charts.rook.io/release
|
repository: https://charts.rook.io/release
|
||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: traefik
|
- name: traefik
|
||||||
version: 39.0.2
|
version: 39.0.0
|
||||||
repository: https://traefik.github.io/charts
|
repository: https://traefik.github.io/charts
|
||||||
@@ -37,7 +37,7 @@ traefik:
|
|||||||
kind: DaemonSet
|
kind: DaemonSet
|
||||||
additionalContainers:
|
additionalContainers:
|
||||||
- name: cloudflared
|
- name: cloudflared
|
||||||
image: cloudflare/cloudflared:2026.2.0
|
image: cloudflare/cloudflared:2026.1.2
|
||||||
command:
|
command:
|
||||||
- cloudflared
|
- cloudflared
|
||||||
- tunnel
|
- tunnel
|
||||||
@@ -128,27 +128,4 @@ traefik:
|
|||||||
replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
|
replicator.v1.mittwald.de/replicated-keys: "tls.crt,tls.key"
|
||||||
data:
|
data:
|
||||||
tls.crt: ""
|
tls.crt: ""
|
||||||
tls.key: ""
|
tls.key: ""
|
||||||
- apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: traefik-local
|
|
||||||
spec:
|
|
||||||
sessionAffinity: ClientIP
|
|
||||||
sessionAffinityConfig:
|
|
||||||
clientIP:
|
|
||||||
timeoutSeconds: 3600
|
|
||||||
selector:
|
|
||||||
app.kubernetes.io/name: traefik
|
|
||||||
app.kubernetes.io/instance: traefik-traefik
|
|
||||||
ports:
|
|
||||||
- name: gitssh
|
|
||||||
port: 22
|
|
||||||
targetPort: gitssh
|
|
||||||
- name: web
|
|
||||||
port: 80
|
|
||||||
targetPort: web
|
|
||||||
- name: websecure
|
|
||||||
port: 443
|
|
||||||
targetPort: websecure
|
|
||||||
type: ClusterIP
|
|
||||||
@@ -24,5 +24,5 @@ appVersion: "1.0"
|
|||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- name: velero
|
- name: velero
|
||||||
version: 11.4.0
|
version: 11.3.2
|
||||||
repository: https://vmware-tanzu.github.io/helm-charts
|
repository: https://vmware-tanzu.github.io/helm-charts
|
||||||
Reference in New Issue
Block a user