Set up flux.

nix/kubernetes/README.org

@@ -13,6 +13,9 @@
 * Bootstrap
 ** Install cilium
 #+begin_src bash
+  # nix shell nixpkgs#cilium-cli
+  nix shell 'nixpkgs#kubernetes-helm'
+
   helm repo add cilium https://helm.cilium.io/
   helm template --dry-run=server cilium cilium/cilium --version 1.18.4 --namespace kube-system \
        --set kubeProxyReplacement=true \
@@ -26,3 +29,96 @@
   #      --set hostFirewall.enabled=true
   # routingMode=native
 #+end_src
+** Install flux
+#+begin_src bash
+  nix shell 'nixpkgs#fluxcd'
+
+  flux bootstrap git \
+    --url=ssh://git@<host>/<org>/<repository> \
+    --branch=main \
+    --private-key-file=<path/to/private.key> \
+    --password=<key-passphrase> \
+    --path=clusters/my-cluster
+#+end_src
+
+#+begin_src bash
+  nix shell 'nixpkgs#kubernetes-helm'
+
+  helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
+    --namespace flux-system \
+    --create-namespace
+#+end_src
+
+#+begin_src text
+  apiVersion: fluxcd.controlplane.io/v1
+  kind: FluxInstance
+  metadata:
+    name: flux
+    namespace: flux-system
+    annotations:
+      fluxcd.controlplane.io/reconcileEvery: "1h"
+      fluxcd.controlplane.io/reconcileTimeout: "5m"
+  spec:
+    distribution:
+      version: "2.x"
+      registry: "ghcr.io/fluxcd"
+      artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
+    components:
+      - source-controller
+      - kustomize-controller
+      - helm-controller
+      - notification-controller
+      - image-reflector-controller
+      - image-automation-controller
+    cluster:
+      type: kubernetes
+      size: medium
+      multitenant: false
+      networkPolicy: true
+      domain: "cluster.local"
+    kustomize:
+      patches:
+        - target:
+            kind: Deployment
+          patch: |
+            - op: replace
+              path: /spec/template/spec/nodeSelector
+              value:
+                kubernetes.io/os: linux
+            - op: add
+              path: /spec/template/spec/tolerations
+              value:
+                - key: "CriticalAddonsOnly"
+                  operator: "Exists"
+    sync:
+      kind: OCIRepository
+      url: "oci://ghcr.io/my-org/my-fleet-manifests"
+      ref: "latest"
+      path: "clusters/my-cluster"
+      pullSecret: "ghcr-auth"
+#+end_src
+
+#+begin_src text
+  apiVersion: fluxcd.controlplane.io/v1
+  kind: FluxInstance
+  metadata:
+    name: flux
+    namespace: flux-system
+  spec:
+    distribution:
+      version: "2.7.x"
+      registry: "ghcr.io/fluxcd"
+    sync:
+      kind: GitRepository
+      url: "https://gitlab.com/my-org/my-fleet.git"
+      ref: "refs/heads/main"
+      path: "clusters/my-cluster"
+      pullSecret: "flux-system"
+#+end_src
+
+#+begin_src bash
+  flux create secret git flux-system \
+    --url=https://gitlab.com/my-org/my-fleet.git \
+    --username=git \
+    --password=$GITLAB_TOKEN
+#+end_src

nix/kubernetes/roles/bootstrap/files/flux_namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system