* To-do
** Perhaps use overlay for /etc for speedup
#+begin_src nix
system.etc.overlay.enable = true;
#+end_src
** read https://nixos.org/manual/nixos/stable/
** Performance for mini pc
#+begin_src nix
# Grants every account in the "users" group a real-time scheduling
# priority cap of 1. Any rtprio > 0 lets a process pre-empt normal
# tasks, so keep the domain narrow (a dedicated group rather than
# @users) if the box ever has untrusted logins.
security.pam.loginLimits = [
  {
    domain = "@users";
    item = "rtprio";
    type = "-";
    value = 1;
  }
];
#+end_src
* IP Ranges
|               | IPv4                        | IPv6                                    |
|---------------+-----------------------------+-----------------------------------------|
| Pod           | 10.200.0.0/16               | 2620:11f:7001:7:ffff:eeee::/96          |
| Service       | 10.197.0.0/16               | fd00:3e42:e349::/112                    |
| Node          | 10.215.1.0/24               | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96          |
* Healthcheck
** Check cilium status
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg status --verbose
kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement
#+end_src
** Check connectivity
#+begin_src bash
cilium connectivity test
#+end_src
** Show dropped packets
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop
#+end_src
** Install flux
#+begin_src bash
nix shell 'nixpkgs#fluxcd'
# NOTE: whatever goes into --password (the key passphrase when
# --private-key-file is used, otherwise the basic-auth token) is
# written to shell history and is visible to other local users via
# the process list while the command runs. Prefer exporting it from a
# secret store into an environment variable and expanding that here,
# and keep the private key file mode 0600.
flux bootstrap git \
  --url=ssh://git@// \
  --branch=main \
  --private-key-file= \
  --password= \
  --path=clusters/my-cluster
#+end_src
#+begin_src bash
nix shell 'nixpkgs#kubernetes-helm'
helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
  --namespace flux-system \
  --create-namespace
#+end_src
#+begin_src yaml
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
  annotations:
    fluxcd.controlplane.io/reconcileEvery: "1h"
    fluxcd.controlplane.io/reconcileTimeout: "5m"
spec:
  distribution:
    version: "2.x"
    registry: "ghcr.io/fluxcd"
    artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
  components:
    - source-controller
    - kustomize-controller
    - helm-controller
    - notification-controller
    - image-reflector-controller
    - image-automation-controller
  cluster:
    type: kubernetes
    size: medium
    # false leaves Flux's multi-tenancy lockdown off (cross-namespace
    # refs stay allowed, no default impersonation service account).
    # Fine while one operator owns the cluster; revisit before other
    # teams get write access to the fleet repository.
    multitenant: false
    networkPolicy: true
    domain: "cluster.local"
  kustomize:
    patches:
      - target:
          kind: Deployment
        patch: |
          - op: replace
            path: /spec/template/spec/nodeSelector
            value:
              kubernetes.io/os: linux
          - op: add
            path: /spec/template/spec/tolerations
            value:
              - key: "CriticalAddonsOnly"
                operator: "Exists"
  sync:
    kind: OCIRepository
    url: "oci://ghcr.io/my-org/my-fleet-manifests"
    # "latest" is a mutable tag: anyone who can push to the registry
    # can swap the whole fleet definition without any change here.
    # Pin to a semver tag or digest and enable signature verification
    # on the OCIRepository before relying on this in production.
    ref: "latest"
    path: "clusters/my-cluster"
    pullSecret: "ghcr-auth"
#+end_src
#+begin_src yaml
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
  name: flux
  namespace: flux-system
spec:
  distribution:
    version: "2.7.x"
    registry: "ghcr.io/fluxcd"
  sync:
    kind: GitRepository
    url: "ssh://git@10.215.1.210:22/repos/mrmanager"
    ref: "refs/heads/nix"
    path: "clusters/my-cluster"
    # For an ssh:// URL this secret has to carry identity,
    # identity.pub and known_hosts; the HTTPS basic-auth secret
    # created in the next snippet does not match this sync.
    pullSecret: "flux-system"
#+end_src
#+begin_src bash
# Creates a basic-auth secret for an HTTPS remote. The GitRepository
# above uses ssh://, so for that sync create the secret with the same
# ssh:// URL instead (flux then generates a keypair and a known_hosts
# entry; verify the scanned host-key fingerprint out of band before
# trusting it). The token is quoted so an empty or odd value cannot
# split the argument list; keep the command out of shell history.
flux create secret git flux-system \
  --url=https://gitlab.com/my-org/my-fleet.git \
  --username=git \
  --password="$GITLAB_TOKEN"
#+end_src