initial commit

.devcontainer/Dockerfile

@@ -0,0 +1,87 @@
+FROM alpine:edge@sha256:f4b9f111e2c5290552a920590dd48dc58f5ea1cacda6e25b0a2718974d090cf0
+
+ARG USERNAME=vscode
+ARG USER_UID=2100
+ARG USER_GID=$USER_UID
+# renovate: depName=fluxcd/flux2
+ARG FLUX_VERSION=v2.4.0
+# renovate: depName=getsops/sops
+ARG SOPS_VERSION=v3.9.3
+# renovate: depName=kubernetes/kubernetes
+ARG KUBECTL_VERSION=v1.32.0
+# renovate: depName=helmfile/helmfile
+ARG HELMFILE_VERSION=v0.169.2
+# renovate: depName=helm/helm
+ARG HELM_VERSION=v3.16.4
+# renovate: depName=go-task/task
+ARG TASK_VERSION=v3.40.1
+# renovate: depName=siderolabs/talos
+ARG TALOSCTL_VERSION=v1.9.1
+# renovate: depName=kubevirt/kubevirt
+ARG VIRTCTL_VERSION=v1.4.0
+
+ENV LANG="C.UTF-8"
+ENV SHELL=/bin/bash
+ENV EDITOR=/usr/bin/nano
+
+WORKDIR /tmp
+
+RUN apk update && \
+    apk upgrade && \
+    apk add --no-cache \
+    coreutils \
+    curl \
+    cosign \
+    jq \
+    nano \
+    bash \
+    bash-completion \
+    openssl \
+    ca-certificates \
+    git \
+    github-cli \
+    libstdc++ \
+    direnv \
+    yq \
+    aws-cli \
+    unzip && \
+    rm -rf /var/cache/apk/* && \
+    addgroup -g $USER_GID $USERNAME && \
+    adduser -u $USER_UID -G $USERNAME -s /bin/sh -D $USERNAME && \
+    echo 'alias k=kubectl' >> /home/$USERNAME/.bashrc && \
+    echo 'complete -o default -F __start_kubectl k' >> /home/$USERNAME/.bashrc && \
+    echo 'eval "$(direnv hook bash)"' >> /home/$USERNAME/.bashrc && \
+    curl -fsSLO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl" && \
+    curl -fsSLO "https://dl.k8s.io/release/$KUBECTL_VERSION/bin/linux/amd64/kubectl.sha256" && \
+    echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check --strict && \
+    mv ./kubectl /usr/local/bin/kubectl && \
+    curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash -s -- -v $HELM_VERSION && \
+    curl -fsSLO https://github.com/getsops/sops/releases/download/$SOPS_VERSION/sops-$SOPS_VERSION{,.linux.amd64,.checksums.txt,.checksums.pem,.checksums.sig} && \
+    cosign verify-blob sops-$SOPS_VERSION.checksums.txt \
+      --certificate sops-$SOPS_VERSION.checksums.pem \
+      --signature sops-$SOPS_VERSION.checksums.sig \
+      --certificate-identity-regexp=https://github.com/getsops \
+      --certificate-oidc-issuer=https://token.actions.githubusercontent.com && \
+    sha256sum --check --strict --ignore-missing sops-$SOPS_VERSION.checksums.txt && \
+    mv sops-$SOPS_VERSION.linux.amd64 /usr/local/bin/sops && \
+    curl -fsSLO https://github.com/siderolabs/talos/releases/download/$TALOSCTL_VERSION/{,talosctl-linux-amd64,sha256sum.txt} && \
+    sha256sum --check --strict --ignore-missing sha256sum.txt && \
+    mv ./talosctl-linux-amd64 /usr/local/bin/talosctl && \
+    curl -fsSLO https://github.com/helmfile/helmfile/releases/download/$HELMFILE_VERSION/helmfile_$(echo $HELMFILE_VERSION | sed 's/^v//'){,_linux_amd64.tar.gz,_checksums.txt} && \
+    sha256sum --check --strict --ignore-missing helmfile_$(echo $HELMFILE_VERSION | sed 's/^v//')_checksums.txt && \
+    tar -xvzf helmfile_$(echo $HELMFILE_VERSION | sed 's/^v//')_linux_amd64.tar.gz && \
+    mv helmfile /usr/local/bin/helmfile && \
+    curl -fsSL https://taskfile.dev/install.sh | bash -s -- -d $TASK_VERSION -b /usr/local/bin && \
+    curl -fsSL https://fluxcd.io/install.sh | FLUX_VERSION=$(echo $FLUX_VERSION | sed 's/^v//') bash && \
+    curl -fsSLO https://github.com/kubevirt/kubevirt/releases/download/$VIRTCTL_VERSION/virtctl-$VIRTCTL_VERSION-linux-amd64 && \
+    mv ./virtctl-$VIRTCTL_VERSION-linux-amd64 /usr/local/bin/virtctl && \
+    chown -R root:root /usr/local/bin && chmod -R 755 /usr/local/bin && \
+    chown -R $USERNAME:$USERNAME /home/$USERNAME && chmod -R 750 /home/$USERNAME && \
+    kubectl completion bash | tee /etc/bash_completion.d/kubectl > /dev/null && \
+    rm -rf /root/.cache /tmp/*
+
+WORKDIR /project
+
+USER $USERNAME
+
+SHELL ["/bin/bash", "-c"]

.devcontainer/devcontainer.json

@@ -0,0 +1,79 @@
+//devcontainer.json
+{
+    "name": "Kubernetes Management",
+
+    "image": "ghcr.io/d4rkfella/devcontainer:v1.0.0@sha256:7d4f742c635828d1efe03cadc750b460e5c47c2e7cbad74ae17373bf90df4408",
+
+    "postStartCommand": "/usr/bin/direnv allow /project/.envrc",
+
+    "workspaceFolder": "/project",
+    "workspaceMount": "source=${localWorkspaceFolder},target=/project,type=bind,consistency=consistent",
+
+    "customizations": {
+      "vscode": {
+        "settings": {
+            "editor.bracketPairColorization.enabled": true,
+            "editor.fontFamily": "FiraCode Nerd Font, monospace",
+            "editor.fontLigatures": true,
+            "editor.guides.bracketPairs": true,
+            "editor.guides.bracketPairsHorizontal": true,
+            "editor.guides.highlightActiveBracketPair": true,
+            "editor.hover.delay": 1500,
+            "editor.rulers": [
+                100
+            ],
+            "editor.stickyScroll.enabled": false,
+            "explorer.autoReveal": false,
+
+            "files.associations": {
+                "**/*.json5": "jsonc"
+            },
+            "files.trimTrailingWhitespace": true,
+
+            "material-icon-theme.files.associations": {
+                "*.secret.sops.env": "lock",
+                "*.secret.sops.yaml": "lock"
+            },
+            "material-icon-theme.folders.associations": {
+                ".archive": "archive",
+                ".github/workflows": "robot",
+                "actions-runner-system": "github",
+                "cert-manager": "guard",
+                "external-secrets": "secure",
+                "flux-system": "pipe",
+                "flux": "pipe",
+                "kube-system": "kubernetes",
+                "network": "connection",
+                "observability": "event",
+                "storage": "dump",
+                "system-upgrade": "update",
+                "tools": "tools",
+                "volsync": "aws",
+                "cloudflared": "cloudflare",
+                "talos": "linux",
+                "vault": "secure",
+                "cdi": "upload",
+                "virtual-machines": "Vm"
+            },
+            "sops.defaults.ageKeyFile": "./age.key",
+            "sops.creationEnabled": true,
+            "yaml.schemaStore.enable": true,
+            "yaml.schemas": {
+                "kubernetes": "./kubernetes/**/*.yaml"
+            }
+        },
+        "extensions": [
+            "signageos.signageos-vscode-sops",
+            "BriteSnow.vscode-toggle-quotes",
+            "redhat.vscode-yaml",
+            "mitchdenny.ecdc",
+            "mikestead.dotenv",
+            "fcrespo82.markdown-table-formatter",
+            "albert.TabOut",
+            "pkief.material-icon-theme",
+            "PKief.material-product-icons",
+            "editorconfig.editorconfig"
+        ]
+      }
+    }
+}

.devcontainer/version.txt

@@ -0,0 +1 @@
+v1.0.0

.editorconfig

@@ -0,0 +1,23 @@
+; https://editorconfig.org/
+
+root = true
+
+[*]
+indent_style = space
+indent_size = 2
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[{Makefile,go.mod,go.sum,*.go,.gitmodules}]
+indent_style = tab
+indent_size = 4
+
+[*.md]
+indent_size = 4
+trim_trailing_whitespace = false
+
+[{Dockerfile,*.bash,*.sh}]
+indent_style = space
+indent_size = 4

.envrc

@@ -0,0 +1,8 @@
+#shellcheck disable=SC2148,SC2155
+# Kubernetes
+export KUBECONFIG="$(expand_path ./kubernetes/main/kubeconfig)"
+export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
+export TALOSCONFIG="$(expand_path ./kubernetes/main/talosconfig)"
+# Taskfile
+export TASK_X_ENV_PRECEDENCE=1
+export TASK_X_MAP_VARIABLES=0

.gitattributes

@@ -0,0 +1,2 @@
+* text=auto eol=lf
+*.sops.* diff=sopsdiffer

.github/labeler.yaml

@@ -0,0 +1,22 @@
+---
+# Areas
+area/docs:
+  - changed-files:
+      - any-glob-to-any-file:
+          - "docs/**/*"
+          - "README.md"
+area/github:
+  - changed-files:
+      - any-glob-to-any-file: ".github/**/*"
+area/kubernetes:
+  - changed-files:
+      - any-glob-to-any-file: "kubernetes/**/*"
+area/taskfile:
+  - changed-files:
+      - any-glob-to-any-file:
+          - ".taskfiles/**/*"
+          - "Taskfile.yaml"
+# Clusters
+cluster/main:
+  - changed-files:
+      - any-glob-to-any-file: "kubernetes/main/**/*"

.github/labels.yaml

@@ -0,0 +1,38 @@
+---
+# Areas
+- name: area/docs
+  color: "0e8a16"
+- name: area/github
+  color: "0e8a16"
+- name: area/kubernetes
+  color: "0e8a16"
+- name: area/taskfile
+  color: "0e8a16"
+# Clusters
+- name: cluster/main
+  color: "ffc300"
+# Renovate Types
+- name: renovate/container
+  color: "027fa0"
+- name: renovate/github-action
+  color: "027fa0"
+- name: renovate/grafana-dashboard
+  color: "027fa0"
+- name: renovate/github-release
+  color: "027fa0"
+- name: renovate/helm
+  color: "027fa0"
+# Semantic Types
+- name: type/digest
+  color: "ffeC19"
+- name: type/patch
+  color: "ffeC19"
+- name: type/minor
+  color: "ff9800"
+- name: type/major
+  color: "f6412d"
+# Uncategorized
+- name: community
+  color: "370fb2"
+- name: hold
+  color: "ee0701"

.github/renovate.json5

@@ -0,0 +1,44 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "docker:enableMajor",
+    "replacements:k8s-registry-move",
+    ":automergeBranch",
+    ":disableRateLimiting",
+    ":dependencyDashboard",
+    ":semanticCommits",
+    ":skipStatusChecks",
+    ":timezone(Europe/Sofia)",
+    "github>d4rkfella/home-ops//.github/renovate/autoMerge.json5",
+    "github>d4rkfella/home-ops//.github/renovate/clusters.json5",
+    "github>d4rkfella/home-ops//.github/renovate/commitMessage.json5",
+    "github>d4rkfella/home-ops//.github/renovate/customManagers.json5",
+    "github>d4rkfella/home-ops//.github/renovate/grafanaDashboards.json5",
+    "github>d4rkfella/home-ops//.github/renovate/groups.json5",
+    "github>d4rkfella/home-ops//.github/renovate/labels.json5",
+    "github>d4rkfella/home-ops//.github/renovate/packageRules.json5",
+    "github>d4rkfella/home-ops//.github/renovate/semanticCommits.json5"
+  ],
+  "dependencyDashboardTitle": "Renovate Dashboard 🤖",
+  "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
+  "onboarding": false,
+  "requireConfig": "ignored",
+  "ignorePaths": ["**/*.sops.*", "**/.archive/**", "**/resources/**", "**/k8s-0.secret.sops.yaml"],
+  "flux": {
+    "fileMatch": [
+      "(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$"
+    ]
+  },
+  "helm-values": {
+    "fileMatch": [
+      "(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$"
+    ]
+  },
+  "kubernetes": {
+    "fileMatch": [
+      "(^|/)\\.taskfiles/.+\\.ya?ml(?:\\.j2)?$",
+      "(^|/)kubernetes/.+\\.ya?ml(?:\\.j2)?$"
+    ]
+  }
+}

.github/renovate/autoMerge.json5

@@ -0,0 +1,21 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "description": ["Auto-merge container digests updates for trusted containers"],
+      "matchDatasources": ["docker"],
+      "automerge": true,
+      "automergeType": "branch",
+      "matchUpdateTypes": ["digest"],
+      "matchPackagePatterns": ["ghcr.io/bjw-s", "ghcr.io/onedr0p"]
+    },
+    {
+      "description": ["Auto-merge GitHub Actions for minor and patch"],
+      "matchManagers": ["github-actions"],
+      "matchDatasources": ["github-tags"],
+      "automerge": true,
+      "automergeType": "branch",
+      "matchUpdateTypes": ["minor", "patch"]
+    }
+  ]
+}

.github/renovate/clusters.json5

@@ -0,0 +1,10 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "packageRules": [
+    {
+      "description": ["Separate PRs for main cluster"],
+      "matchFileNames": ["**/kubernetes/main/**"],
+      "additionalBranchPrefix": "main-"
+    }
+  ]
+}

.github/renovate/commitMessage.json5

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "commitMessageTopic": "{{depName}}",
+  "commitMessageExtra": "to {{newVersion}}",
+  "commitMessageSuffix": "",
+  "packageRules": [
+    {
+      "matchDatasources": ["helm"],
+      "commitMessageTopic": "chart {{depName}}"
+    },
+    {
+      "matchDatasources": ["docker"],
+      "commitMessageTopic": "image {{depName}}"
+    }
+  ]
+}