talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: talexander:ae5519bb39389c6949612f62e80e413c7bd528fc
Branches Tags
talexander:main talexander:nix talexander:kubernetes talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook
..
compare: talexander:b531c675ede0c124853b75a0242e2c8c2baa1546
Branches Tags
talexander:nix talexander:kubernetes talexander:main talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook

3 Commits
ae5519bb39 ... b531c675ed

Author SHA1 Message Date
Tom Alexander
b531c675ed Delete images after 24 hours of being unused. 2026-05-02 17:41:08 -04:00
Tom Alexander
9630c065bb Set up containerd use harbor.fizz.buzz. 2026-05-02 17:41:08 -04:00
Tom Alexander
5e789063a7 Add secrets for archive-box, webhook-bridge, and tekton. 2026-05-02 17:41:08 -04:00
5 changed files with 39 additions and 207 deletions
Expand all files Collapse all files

188
nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml
View File

@@ -6,10 +6,10 @@ metadata:
name: flux-operator-web
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
spec:
policyTypes:
@@ -32,10 +32,10 @@ metadata:
name: flux-operator
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: true
---
@@ -44,14 +44,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
name: fluxinstances.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -205,11 +205,7 @@ spec:
components:
description: |-
Components is the list of controllers to install.
Defaults to the core Flux controllers:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
Defaults to a commonly used subset.
items:
description: Component is the name of a controller to install.
enum:
@@ -665,14 +661,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
name: fluxreports.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -832,7 +828,7 @@ spec:
failing:
description: |-
Failing is the number of reconciled
resources in the Failing state and not Suspended.
resources in the Failing state.
type: integer
running:
description: |-
@@ -969,14 +965,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
name: resourcesetinputproviders.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -1033,9 +1029,9 @@ spec:
- a PEM-encoded CA certificate (`ca.crt`)
- a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
When connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates,
the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
When connecting to a provider that supports client certificates (mTLS), the client certificate
When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate
must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
When connecting to an OCI provider that supports client certificates (mTLS), the client certificate
and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.
properties:
name:
@@ -1106,11 +1102,6 @@ spec:
Supported only for tags at the moment.
type: string
type: object
insecure:
description: |-
Insecure allows connecting to an ExternalService or OCIArtifactTag provider
over plain HTTP without TLS. When not set, the URL must use HTTPS.
type: boolean
schedule:
description: Schedule defines the schedules for the input provider
to run.
@@ -1138,16 +1129,13 @@ spec:
type: array
secretRef:
description: |-
SecretRef specifies the Kubernetes Secret containing the credentials
SecretRef specifies the Kubernetes Secret containing the basic-auth credentials
to access the input provider.
When connecting to a Git provider, the secret must contain the keys
'username' and 'password', and the password should be a personal access token
that grants read-only access to the repository.
When connecting to an OCI provider, the secret must contain a Kubernetes
Image Pull Secret, as if created by `kubectl create secret docker-registry`.
When connecting to an ExternalService provider, the secret must contain either
a 'token' key for bearer token authentication, or 'username' and 'password'
keys for basic authentication.
properties:
name:
description: Name of the referent.
@@ -1189,14 +1177,10 @@ spec:
- AzureDevOpsBranch
- AzureDevOpsTag
- AzureDevOpsPullRequest
- GiteaBranch
- GiteaTag
- GiteaPullRequest
- OCIArtifactTag
- ACRArtifactTag
- ECRArtifactTag
- GARArtifactTag
- ExternalService
type: string
url:
description: |-
@@ -1222,16 +1206,6 @@ spec:
- message: spec.url must start with 'oci://' when spec.type is an OCI
provider
rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')'
- message: spec.url must start with 'http://' or 'https://' when spec.type
is 'ExternalService'
rule: self.type != 'ExternalService' || self.url.startsWith('http')
- message: spec.insecure can only be set when spec.type is 'ExternalService'
or 'OCIArtifactTag'
rule: '!has(self.insecure) || !self.insecure || self.type == ''ExternalService''
|| self.type == ''OCIArtifactTag'''
- message: spec.url must use 'https://' unless spec.insecure is true
rule: self.type != 'ExternalService' || !self.url.startsWith('http://')
|| (has(self.insecure) && self.insecure)
- message: cannot specify spec.serviceAccountName when spec.type is not
one of AzureDevOps* or *ArtifactTag
rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'')
@@ -1371,14 +1345,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.20.0
controller-gen.kubebuilder.io/version: v0.19.0
helm.sh/resource-policy: keep
labels:
app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.48.0'
app.kubernetes.io/version: 'v0.37.1'
helm.sh/chart: 'flux-operator-0.37.1'
name: resourcesets.fluxcd.controlplane.io
spec:
group: fluxcd.controlplane.io
@@ -1485,15 +1459,6 @@ spec:
input provider objects are used. Defaults to flattening all inputs
from all providers into a single list of input sets.
properties:
includeEmptyProviders:
description: |-
IncludeEmptyProviders controls how input providers that export no
inputs are treated. Only applies when Name is Permute. When true, if
any provider has zero inputs the resulting permutation set is empty
(mathematically correct Cartesian product behavior). When false or
unset (default), providers with zero inputs are silently skipped and
the remaining providers still permute among themselves.
type: boolean
name:
description: |-
Name defines how the inputs are combined when multiple
@@ -1516,9 +1481,6 @@ spec:
required:
- name
type: object
x-kubernetes-validations:
- message: includeEmptyProviders only applies when name is Permute
rule: '!has(self.includeEmptyProviders) || self.name == ''Permute'''
inputs:
description: Inputs contains the list of ResourceSet inputs.
items:
@@ -1697,16 +1659,6 @@ spec:
- type
type: object
type: array
externalChecksumRefs:
description: |-
ExternalChecksumRefs lists the ConfigMap and Secret references
discovered in checksumFrom annotations on the last reconciliation
that point to objects not rendered by this ResourceSet. Each entry
has the form "Kind/namespace/name". It is used to trigger a
reconciliation when one of the referenced objects changes.
items:
type: string
type: array
history:
description: |-
History contains the reconciliation history of the ResourceSet
@@ -1812,10 +1764,10 @@ metadata:
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
@@ -1839,10 +1791,10 @@ metadata:
rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true"
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups:
@@ -1855,86 +1807,16 @@ rules:
- list
- watch
---
# Source: flux-operator/templates/web-standard-roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-web-user
labels:
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
# Source: flux-operator/templates/web-standard-roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-web-admin
labels:
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups:
- fluxcd.controlplane.io
- source.toolkit.fluxcd.io
- source.extensions.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- notification.toolkit.fluxcd.io
resources: ["*"]
verbs:
- patch
- reconcile
- suspend
- resume
- download
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
verbs:
- patch
- restart
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- restart
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
---
# Source: flux-operator/templates/admin-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: flux-operator
labels:
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
roleRef:
apiGroup: rbac.authorization.k8s.io
@@ -1952,10 +1834,10 @@ metadata:
name: flux-operator
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
spec:
ports:
@@ -1978,10 +1860,10 @@ metadata:
name: flux-operator
namespace: flux-system
labels:
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
spec:
selector:
@@ -1995,10 +1877,10 @@ spec:
prometheus.io/port: "8080"
prometheus.io/path: "/metrics"
labels:
helm.sh/chart: flux-operator-0.48.0
helm.sh/chart: flux-operator-0.37.1
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/version: "v0.37.1"
app.kubernetes.io/managed-by: Helm
spec:
serviceAccountName: flux-operator
@@ -2024,7 +1906,7 @@ spec:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.48.0"
image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1"
imagePullPolicy: "IfNotPresent"
ports:
- name: http-metrics

10
nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_instance.yaml
View File

@@ -5,13 +5,5 @@ metadata:
namespace: flux-system
spec:
distribution:
version: "2.8.x"
version: "2.7.x"
registry: "ghcr.io/fluxcd"
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
# - source-watcher

4
nix/kubernetes/keys/package/bootstrap-script/package.nix
View File

@@ -35,10 +35,6 @@ let
"${k8s.cilium-manifest}/cilium.yaml"
"${k8s.coredns-manifest}/coredns.yaml"
./files/manifests/flux_namespace.yaml
#
# Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --namespace flux-system --create-namespace
#
./files/manifests/flux.yaml
./files/manifests/flux_instance.yaml
]

6
nix/kubernetes/keys/package/k8s-ca/files/client-ca.conf
View File

@@ -120,7 +120,7 @@ extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker0 Certificate"
subjectAltName = DNS:worker0, IP:127.0.0.1, IP:10.215.1.224, IP:2620:11f:7001:7:ffff:ffff:ad7:1e0
subjectAltName = DNS:worker0, IP:127.0.0.1
subjectKeyIdentifier = hash
[worker0_distinguished_name]
@@ -141,7 +141,7 @@ extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker1 Certificate"
subjectAltName = DNS:worker1, IP:127.0.0.1, IP:10.215.1.225, IP:2620:11f:7001:7:ffff:ffff:ad7:1e1
subjectAltName = DNS:worker1, IP:127.0.0.1
subjectKeyIdentifier = hash
[worker1_distinguished_name]
@@ -162,7 +162,7 @@ extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client
nsComment = "worker2 Certificate"
subjectAltName = DNS:worker2, IP:127.0.0.1, IP:10.215.1.226, IP:2620:11f:7001:7:ffff:ffff:ad7:1e2
subjectAltName = DNS:worker2, IP:127.0.0.1
subjectKeyIdentifier = hash
[worker2_distinguished_name]

38
nix/kubernetes/keys/package/mrmanager-repo-secrets/package.nix
View File

@@ -58,25 +58,9 @@ let
};
};
"flux-system" = {
"registry-credentials" =
(generate_docker_secret {
username = builtins.readFile "${./secrets/flux-system/registry-credentials/username}";
password = builtins.readFile "${./secrets/flux-system/registry-credentials/password}";
email = builtins.readFile "${./secrets/flux-system/registry-credentials/email}";
})
// {
# "__annotations" = {
# "tekton.dev/docker-0" = "https://harbor.fizz.buzz";
# };
};
"webhook-token" = {
# This token is used for gitea webhooks
"token" = generate_key 64 "flux-system.webhook-token.token";
};
"harbor-webhook-token" = {
# This token is used for harbor webhooks
"token" = generate_key 64 "flux-system.harbor-webhook-token.token";
};
};
"gitea" = {
"gitea-env" = {
@@ -116,12 +100,6 @@ let
"ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
"ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
};
"gitea" = {
"token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
};
"harbor-plain" = {
"config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
};
};
};
encrypted_secrets = (
@@ -156,7 +134,6 @@ let
## Utilities
inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
inherit (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }) toBase64;
generate_key =
len: name:
builtins.readFile (
@@ -191,21 +168,6 @@ let
"\\}"
]
json;
generate_docker_secret =
{
username,
password,
email,
}:
let
in
{
"__type" = "kubernetes.io/dockerconfigjson";
".dockerconfigjson" = builtins.toJSON {
inherit username password email;
"auth" = toBase64 "${username}:${password}";
};
};
## dex
get_dex_config =
client_id: