update repo from new cluster-template

Author: brettinternet

.editorconfig

@@ -0,0 +1,14 @@
+# editorconfig.org
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.py]
+indent_style = space
+indent_size = 4

.gitattributes

@@ -1,2 +1,3 @@
-*.sops.yaml diff=sopsdiffer
-*.sops.toml linguist-language=JSON
+* text=auto eol=lf
+*.yaml.j2 linguist-language=YAML
+*.sops.* diff=sopsdiffer

.github/workflows/flux-diff.yaml

@@ -0,0 +1,68 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: "Flux Diff"
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths: ["kubernetes/**"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  flux-diff:
+    name: Flux Diff
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+    strategy:
+      matrix:
+        paths: ["kubernetes"]
+        resources: ["helmrelease", "kustomization"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: pull
+
+      - name: Checkout Default Branch
+        uses: actions/checkout@v4
+        with:
+          ref: "${{ github.event.repository.default_branch }}"
+          path: default
+
+      - name: Diff Resources
+        uses: docker://ghcr.io/allenporter/flux-local:main
+        with:
+          args: >-
+            diff ${{ matrix.resources }}
+            --unified 6
+            --path /github/workspace/pull/${{ matrix.paths }}/flux
+            --path-orig /github/workspace/default/${{ matrix.paths }}/flux
+            --strip-attrs "helm.sh/chart,checksum/config,app.kubernetes.io/version,chart"
+            --limit-bytes 10000
+            --all-namespaces
+            --sources "home-kubernetes"
+            --output-file diff.patch
+
+      - name: Generate Diff
+        id: diff
+        run: |
+          cat diff.patch
+          echo "diff<<EOF" >> $GITHUB_OUTPUT
+          cat diff.patch >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+
+      - if: ${{ steps.diff.outputs.diff != '' }}
+        name: Add comment
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: "${{ github.event.pull_request.number }}/${{ matrix.paths }}/${{ matrix.resources }}"
+          message-failure: Diff was not successful
+          message: |
+            ```diff
+            ${{ steps.diff.outputs.diff }}
+            ```

.github/workflows/gitleaks.yaml

@@ -1,3 +1,5 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: gitleaks
 
 on: # yamllint disable-line rule:truthy

.github/workflows/kubeconform.yaml

@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: "Kubeconform"
+
+on:
+  pull_request:
+    branches: ["main"]
+    paths: ["kubernetes/**"]
+
+env:
+  KUBERNETES_DIR: ./kubernetes
+
+jobs:
+  kubeconform:
+    name: Kubeconform
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+
+      - name: Setup Workflow Tools
+        run: brew install fluxcd/tap/flux kubeconform kustomize
+
+      - name: Run kubeconform
+        shell: bash
+        run: bash ./scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }}

.github/workflows/lint.yaml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Lint
 
 on: # yamllint disable-line rule:truthy

.gitignore

@@ -10,8 +10,6 @@ talosconfig
 *.agekey
 *.pub
 *.key
-# Ansible
-xanmanning.k3s*
 # Taskfile
 .task
 Brewfile.lock.json

.taskfiles/Brewfile

@@ -0,0 +1,18 @@
+brew "age"
+brew "cloudflared"
+brew "direnv"
+brew "fluxcd/tap/flux"
+brew "go-task"
+brew "kubescape"
+brew "helm"
+brew "helmfile"
+brew "jq"
+brew "kubeconform"
+brew "kubernetes-cli"
+brew "kustomize"
+brew "pre-commit"
+brew "prettier"
+brew "sops"
+brew "talhelper"
+brew "siderolabs/tap/talosctl"
+brew "yamllint"

.taskfiles/flux.yaml

@@ -3,8 +3,6 @@
 version: "3"
 
 vars:
-  # renovate: datasource=github-releases depName=prometheus-operator/prometheus-operator
-  PROMETHEUS_OPERATOR_VERSION: v0.73.2
   CLUSTER_SECRET_SOPS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-secrets.sops.yaml"
   CLUSTER_SETTINGS_FILE: "{{.KUBERNETES_DIR}}/flux/vars/cluster-settings.yaml"
   GITHUB_DEPLOY_KEY_FILE: "{{.KUBERNETES_DIR}}/bootstrap/flux/github-deploy-key.sops.yaml"
@@ -14,22 +12,19 @@ tasks:
     desc: Verify flux meets the prerequisites
     cmd: flux check --pre
 
-  install:
+  bootstrap:
     desc: Bootstrap Flux into a Kubernetes cluster
     cmds:
-      - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml
-      - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml
-      - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_scrapeconfigs.yaml
-      - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/{{.PROMETHEUS_OPERATOR_VERSION}}/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml
       - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --kustomize {{.KUBERNETES_DIR}}/bootstrap/flux
       - cat {{.AGE_FILE}} | kubectl -n flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin
       - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
       - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename {{.CLUSTER_SETTINGS_FILE}}
       - kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --kustomize {{.KUBERNETES_DIR}}/flux/config
-      - task: github-deploy-key
     preconditions:
-      - { msg: "Missing kubeconfig", sh: "test -f {{.KUBECONFIG_FILE}}" }
-      - { msg: "Missing Sops Age key file", sh: "test -f {{.AGE_FILE}}" }
+      - msg: Missing kubeconfig
+        sh: test -f {{.KUBECONFIG_FILE}}
+      - msg: Missing Sops Age key file
+        sh: test -f {{.AGE_FILE}}
 
   apply:
     desc: Apply a Flux Kustomization resource for a cluster
@@ -53,14 +48,29 @@ tasks:
       ks:
         sh: flux --kubeconfig {{.KUBECONFIG_FILE}} --namespace {{.ns}} get kustomizations $(basename {{.path}}) 2>&1
     preconditions:
-      - { msg: "Missing kubeconfig", sh: "test -f {{.KUBECONFIG_FILE}}" }
-      - { msg: "Missing Flux Kustomization for app {{.path}}", sh: "test -f {{.KUBERNETES_DIR}}/apps/{{.path}}/ks.yaml" }
+      - msg: Missing kubeconfig
+        sh: test -f {{.KUBECONFIG_FILE}}
+      - msg: Missing Flux Kustomization for app {{.path}}
+        sh: test -f {{.KUBERNETES_DIR}}/apps/{{.path}}/ks.yaml
 
   reconcile:
     desc: Force update Flux to pull in changes from your Git repository
     cmd: flux --kubeconfig {{.KUBECONFIG_FILE}} reconcile --namespace flux-system kustomization cluster --with-source
     preconditions:
-      - { msg: "Missing kubeconfig", sh: "test -f {{.KUBECONFIG_FILE}}" }
+      - msg: Missing kubeconfig
+        sh: test -f {{.KUBECONFIG_FILE}}
+
+  github-deploy-key:
+    cmds:
+      - kubectl create namespace flux-system --dry-run=client -o yaml | kubectl --kubeconfig {{.KUBECONFIG_FILE}} apply --filename -
+      - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
+    preconditions:
+      - msg: Missing kubeconfig
+        sh: test -f {{.KUBECONFIG_FILE}}
+      - msg: Missing Sops Age key file
+        sh: test -f {{.AGE_FILE}}
+      - msg: Missing Github deploy key file
+        sh: test -f {{.GITHUB_DEPLOY_KEY_FILE}}
 
   redo:
     desc: Force reset drift in HelmRelease
@@ -75,15 +85,6 @@ tasks:
       - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | gxargs -l bash -c 'flux suspend hr $0 -n $1'
       - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | gxargs -l bash -c 'flux resume hr $0 -n $1'
 
-  github-deploy-key:
-    cmds:
-      - kubectl create namespace flux-system --dry-run=client -o yaml | kubectl --kubeconfig {{.KUBECONFIG_FILE}} apply --filename -
-      - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --kubeconfig {{.KUBECONFIG_FILE}} --server-side --filename -
-    preconditions:
-      - { msg: "Missing kubeconfig", sh: "test -f {{.KUBECONFIG_FILE}}" }
-      - { msg: "Missing Sops Age key file", sh: "test -f {{.AGE_FILE}}" }
-      - { msg: "Missing Github deploy key file", sh: "test -f {{.GITHUB_DEPLOY_KEY_FILE}}" }
-
   delete-tunnel:
     desc: |
       Force delete cloudflared tunnel release to stop external ingress

.taskfiles/kubernetes.yaml

@@ -1,27 +1,11 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: "3"
 
 vars:
   KUBECONFORM_SCRIPT: "{{.SCRIPTS_DIR}}/kubeconform.sh"
 
 tasks:
-  kubeconfig:
-    desc: Remotely fetch kubeconfig from Kubernetes
-    cmds:
-      - rsync --verbose --progress --partial --rsync-path="sudo rsync" {{.K3S_PRIMARY_CONTROLLER_NODE_USERNAME}}@{{.K3S_PRIMARY_CONTROLLER_NODE_ADDR}}:/etc/rancher/k3s/k3s.yaml "{{.KUBERNETES_DIR}}/kubeconfig"
-      - sed -i '' 's/127.0.0.1/{{.K3S_LB_ADDR}}/g' "{{.KUBERNETES_DIR}}/kubeconfig"
-      - chmod go-r "{{.KUBERNETES_DIR}}/kubeconfig"
-    vars:
-      K3S_PRIMARY_CONTROLLER_NODE_USERNAME: "brett"
-      K3S_PRIMARY_CONTROLLER_NODE_ADDR: "10.1.2.30"
-      K3S_LB_ADDR: "10.1.2.200"
-
-  top:
-    desc: List top metrics
-    cmds:
-      - kubectl top node
-      - kubectl top pod -A
-
   resources:
     desc: Gather common resources in your cluster, useful when asking for support
     cmds:
@@ -43,4 +27,11 @@ tasks:
     desc: Validate Kubernetes manifests with kubeconform
     cmd: bash {{.KUBECONFORM_SCRIPT}} {{.KUBERNETES_DIR}}
     preconditions:
-      - { msg: "Missing kubeconform script", sh: "test -f {{.KUBECONFORM_SCRIPT}}" }
+      - msg: Missing kubeconform script
+        sh: test -f {{.KUBECONFORM_SCRIPT}}
+
+  top:
+    desc: List top metrics
+    cmds:
+      - kubectl top node
+      - kubectl top pod -A

.taskfiles/lint.yaml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: "3"
 
 vars:

.taskfiles/precommit.yaml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: "3"
 
 tasks:

.taskfiles/setup_darwin.yaml

@@ -1,56 +1,24 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: "3"
 
 vars:
-  PYTHON_BIN: python3
+  BREWFILE: "{{.ROOT_DIR}}/.taskfiles/Brewfile"
 
 tasks:
   init:
     desc: Darwin setup
     cmds:
+      - task: direnv
       - task: brew
       - task: python
 
   brew:
-    desc: Install homebrew dependencies
-    cmds:
-      - brew install -q {{.DEPS}} {{.CLI_ARGS}}
+    desc: Install workstation dependencies with Brew
+    cmd: brew bundle --file {{.BREWFILE}}
     preconditions:
-      - sh: command -v brew
-        msg: Homebrew is not installed
-    vars:
-      DEPS: >-
-        age
-        ansible
-        cloudflared
-        direnv
-        fluxcd/tap/flux
-        go-task
-        kubescape
-        helm
-        helmfile
-        jq
-        kubeconform
-        kubernetes-cli
-        kustomize
-        pre-commit
-        prettier
-        sops
-        yamllint
-
-# age: SOP dependency
-# ansible: homelab provisioning
-# cloudflare/cloudflare/cloudflared: Cloudflared tunnel credentials
-# fluxcd/tap/flux: cluster reconciliation
-# go-task/tap/go-task: Task runner
-# kubescape https://github.com/kubescape/kubescape
-# helm: Deployment charts
-# kubernetes-cli
-# kustomize: Define k8s manifests
-# pre-commit: Repo helper
-# prettier: Repo helper
-# sops: Secrets encryption
-# yamllint: Yaml linting
+      - { msg: "Missing Homebrew", sh: "command -v brew" }
+      - { msg: "Missing Brewfile", sh: "test -f {{.BREWFILE}}" }
 
   python:
     desc: Set up virtual environment
@@ -65,3 +33,10 @@ tasks:
     preconditions:
       - msg: "Missing Pip requirements file"
         sh: "test -f {{.PIP_REQUIREMENTS_FILE}}"
+
+  direnv:
+    desc: Run direnv hooks
+    cmd: direnv allow .
+    status:
+      - "[[ $(direnv status --json | jq '.state.foundRC.allowed') == 0 ]]"
+      - "[[ $(direnv status --json | jq '.state.loadedRC.allowed') == 0 ]]"

.taskfiles/sops.yaml

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: "3"
 
 tasks: