The great reset, we moved infra into two clusters (sekibanki and seija)

2025-07-16 10:39:09 -04:00
parent 68f1108c2d
commit 1df5459f70
145 changed files with 2431 additions and 576 deletions

infra/README.md Normal file

@@ -0,0 +1,45 @@
# Infra
The cluster is formed by three Proxmox hosts, hosting in total 6 Talos virtual machines. All of them are linked through Wireguard and kubespan. They're also connected to Tailscale to allow accessing other hosts.
## Host `yuyuko`
The main server. It also contains most of the computer power and most of the storage (a ZFS array with 64.56 TiB of raw storage!). This is also the most painful to upgrade things on / reboot due to... reasons.
**Location**: Montréal (Home)
**Virtual machines**:
- yukari (controlplane)
- Address: 10.0.0.240
- ran (worker)
- Address: 10.0.0.241
### Internal gateway `suika`
Outside of the Kubernetes cluster is the `suika` virtual machine. I didn't want to fiddle around _too_ much with MetalLB and Load Balancers, so this virtual machine runs NGINX as a way to provide HTTPS service to the cluster with more memorable names (because ``.
## Host `niwatori`
The 30$ eBay computer. It's mainly there to provide some redundency and a bit of storage (a 1TB SSD is in there)
**Location**: Montréal (Home)
**Virtual machines**:
- fujiwara-no-mokou (worker)
- Address: 10.0.0.245
## Host `yuuma`
Hetzner's server auctions are great! This is my offsite server to provide a stable endpoint in Europe.
**Location**: Falkenstein
**Virtual machines**:
- yukari (controlplane)
- Address: 10.0.0.240
- ran (worker)
- Address: 10.0.0.241
### External gateway `okina`
Outside of the Kubernetes cluster is the `okina` virtual machine. Same reasons as for `suika`, but for outside people to my infra. It runs Caddy to do that.
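Review bot: the `suika` paragraph is cut off mid-sentence ("...with more memorable names (because ``.") and needs finishing before merge. The same file is also inconsistent with the rest of this commit: the intro says three Proxmox hosts run 6 Talos VMs but the host sections list five, host `yuuma` in Falkenstein repeats exactly the `yukari`/`ran` entries and 10.0.0.240/10.0.0.241 addresses of `yuyuko`, which reads like a copy-paste leftover, and none of the node names used in the new talconfigs (fulgora, gleba, vulcanus) appear here while the README still describes a single cluster rather than sekibanki and seija. Minor: "redundency" should be "redundancy".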


@@ -1,8 +0,0 @@
yakumo-yukari.yaml
yakumo-byakuren.yaml
yakumo-tojiko.yaml
yakumo-chen.yaml
yakumo-ran.yaml
yakumo-fujiwara-no-moukou.yaml
talosconfig
yakumo-wagasakihime.yaml
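Review bot: these rules stopped the generated yakumo machine configs and `talosconfig` (which carry the cluster PKI and bootstrap secrets) from being committed; before they disappear, confirm none of those files ever landed in history under the old rules (e.g. `git log --all --diff-filter=A -- '**/talosconfig'`), and that the replacement lists for the new directories (seija-*/sekibanki-* plus `talosconfig`) cover every file talhelper generates there.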


@@ -1,3 +0,0 @@
garage bucket create books
garage bucket allow --read --write --owner books --key k8s
garage bucket allow --read --write books --key prettysunflower


@@ -1,3 +0,0 @@
git clone https://github.com/seaweedfs/seaweedfs-csi-driver.git
helm install --set storageClassName="seaweedfs-keiki" --set seaweedfsFiler="100.79.209.9:8888" seaweedfs-csi-keiki-driver ./seaweedfs-csi-driver/deploy/helm/seaweedfs-csi-driver --namespace="kube-system"
helm install --set driverName="seaweedfs-csi-keiki-driver" --set storageClassName="seaweedfs-keiki" --set seaweedfsFiler="100.79.209.9:8888" seaweedfs-csi-keiki-driver ./seaweedfs-csi-driver/deploy/helm/seaweedfs-csi-driver --namespace="kube-system"

infra/seija/clusterconfig/.gitignore vendored Normal file

@@ -0,0 +1,4 @@
seija-fulgora.yaml
seija-gleba.yaml
seija-vulcanus.yaml
talosconfig


@@ -0,0 +1,401 @@
---
# Source: hcloud-csi/templates/controller/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: hcloud-csi-controller
namespace: "kube-system"
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: controller
automountServiceAccountToken: true
---
# Source: hcloud-csi/templates/core/storageclass.yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: hcloud-volumes
annotations:
storageclass.kubernetes.io/is-default-class: "true"
provisioner: csi.hetzner.cloud
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
reclaimPolicy: "Delete"
---
# Source: hcloud-csi/templates/controller/clusterrole.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hcloud-csi-controller
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: controller
rules:
# attacher
- apiGroups: [""]
resources: [persistentvolumes]
verbs: [get, list, watch, update, patch]
- apiGroups: [""]
resources: [nodes]
verbs: [get, list, watch]
- apiGroups: [csi.storage.k8s.io]
resources: [csinodeinfos]
verbs: [get, list, watch]
- apiGroups: [storage.k8s.io]
resources: [csinodes]
verbs: [get, list, watch]
- apiGroups: [storage.k8s.io]
resources: [volumeattachments]
verbs: [get, list, watch, update, patch]
- apiGroups: [storage.k8s.io]
resources: [volumeattachments/status]
verbs: [patch]
# provisioner
- apiGroups: [""]
resources: [secrets]
verbs: [get, list]
- apiGroups: [""]
resources: [persistentvolumes]
verbs: [get, list, watch, create, delete, patch]
- apiGroups: [""]
resources: [persistentvolumeclaims, persistentvolumeclaims/status]
verbs: [get, list, watch, update, patch]
- apiGroups: [storage.k8s.io]
resources: [storageclasses]
verbs: [get, list, watch]
- apiGroups: [""]
resources: [events]
verbs: [list, watch, create, update, patch]
- apiGroups: [snapshot.storage.k8s.io]
resources: [volumesnapshots]
verbs: [get, list]
- apiGroups: [snapshot.storage.k8s.io]
resources: [volumesnapshotcontents]
verbs: [get, list]
# resizer
- apiGroups: [""]
resources: [pods]
verbs: [get, list, watch]
# node
- apiGroups: [""]
resources: [events]
verbs: [get, list, watch, create, update, patch]
---
# Source: hcloud-csi/templates/controller/clusterrolebinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hcloud-csi-controller
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: hcloud-csi-controller
subjects:
- kind: ServiceAccount
name: hcloud-csi-controller
namespace: "kube-system"
---
# Source: hcloud-csi/templates/controller/service.yaml
apiVersion: v1
kind: Service
metadata:
name: hcloud-csi-controller-metrics
namespace: "kube-system"
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: controller
spec:
ports:
- name: metrics
port: 9189
selector:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: controller
---
# Source: hcloud-csi/templates/node/service.yaml
apiVersion: v1
kind: Service
metadata:
name: hcloud-csi-node-metrics
namespace: "kube-system"
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: node
spec:
ports:
- name: metrics
port: 9189
selector:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: node
---
# Source: hcloud-csi/templates/node/daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: hcloud-csi-node
namespace: "kube-system"
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: node
app: hcloud-csi
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app: hcloud-csi
template:
metadata:
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: node
app: hcloud-csi
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: instance.hetzner.cloud/is-root-server
operator: NotIn
values:
- "true"
tolerations:
- effect: NoExecute
operator: Exists
- effect: NoSchedule
operator: Exists
- key: CriticalAddonsOnly
operator: Exists
securityContext:
fsGroup: 1001
initContainers:
containers:
- name: csi-node-driver-registrar
image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.7.0
imagePullPolicy: IfNotPresent
args:
- --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/socket
volumeMounts:
- name: plugin-dir
mountPath: /run/csi
- name: registration-dir
mountPath: /registration
resources:
limits: {}
requests: {}
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /run/csi
name: plugin-dir
resources:
limits: {}
requests: {}
- name: hcloud-csi-driver
image: docker.io/hetznercloud/hcloud-csi-driver:v2.5.1 # x-release-please-version
imagePullPolicy: IfNotPresent
command: [/bin/hcloud-csi-driver-node]
volumeMounts:
- name: kubelet-dir
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
- name: plugin-dir
mountPath: /run/csi
- name: device-dir
mountPath: /dev
securityContext:
privileged: true
env:
- name: CSI_ENDPOINT
value: unix:///run/csi/socket
- name: METRICS_ENDPOINT
value: "0.0.0.0:9189"
- name: ENABLE_METRICS
value: "true"
ports:
- containerPort: 9189
name: metrics
- name: healthz
protocol: TCP
containerPort: 9808
resources:
limits: {}
requests: {}
livenessProbe:
failureThreshold: 5
initialDelaySeconds: 10
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 3
httpGet:
path: /healthz
port: healthz
volumes:
- name: kubelet-dir
hostPath:
path: /var/lib/kubelet
type: Directory
- name: plugin-dir
hostPath:
path: /var/lib/kubelet/plugins/csi.hetzner.cloud/
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry/
type: Directory
- name: device-dir
hostPath:
path: /dev
type: Directory
---
# Source: hcloud-csi/templates/controller/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: hcloud-csi-controller
namespace: "kube-system"
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: controller
app: hcloud-csi-controller
spec:
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app: hcloud-csi-controller
template:
metadata:
labels:
app.kubernetes.io/name: hcloud-csi
app.kubernetes.io/instance: hcloud-csi
app.kubernetes.io/component: controller
app: hcloud-csi-controller
spec:
serviceAccountName: hcloud-csi-controller
securityContext:
fsGroup: 1001
initContainers:
containers:
- name: csi-attacher
image: registry.k8s.io/sig-storage/csi-attacher:v4.1.0
imagePullPolicy: IfNotPresent
resources:
limits: {}
requests: {}
args:
- --default-fstype=ext4
volumeMounts:
- name: socket-dir
mountPath: /run/csi
- name: csi-resizer
image: registry.k8s.io/sig-storage/csi-resizer:v1.7.0
imagePullPolicy: IfNotPresent
resources:
limits: {}
requests: {}
volumeMounts:
- name: socket-dir
mountPath: /run/csi
- name: csi-provisioner
image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.0
imagePullPolicy: IfNotPresent
resources:
limits: {}
requests: {}
args:
- --feature-gates=Topology=true
- --default-fstype=ext4
volumeMounts:
- name: socket-dir
mountPath: /run/csi
- name: liveness-probe
image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0
imagePullPolicy: IfNotPresent
resources:
limits: {}
requests: {}
volumeMounts:
- mountPath: /run/csi
name: socket-dir
- name: hcloud-csi-driver
image: docker.io/hetznercloud/hcloud-csi-driver:v2.5.1 # x-release-please-version
imagePullPolicy: IfNotPresent
command: [/bin/hcloud-csi-driver-controller]
env:
- name: CSI_ENDPOINT
value: unix:///run/csi/socket
- name: METRICS_ENDPOINT
value: "0.0.0.0:9189"
- name: ENABLE_METRICS
value: "true"
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
- name: HCLOUD_TOKEN
valueFrom:
secretKeyRef:
name: hcloud
key: token
resources:
limits: {}
requests: {}
ports:
- name: metrics
containerPort: 9189
- name: healthz
protocol: TCP
containerPort: 9808
livenessProbe:
failureThreshold: 5
initialDelaySeconds: 10
periodSeconds: 2
successThreshold: 1
timeoutSeconds: 3
httpGet:
path: /healthz
port: healthz
volumeMounts:
- name: socket-dir
mountPath: /run/csi
volumes:
- name: socket-dir
emptyDir: {}
---
# Source: hcloud-csi/templates/core/csidriver.yaml
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: csi.hetzner.cloud
spec:
attachRequired: true
fsGroupPolicy: File
podInfoOnMount: true
volumeLifecycleModes:
- Persistent
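Review bot: this is a rendered copy of the upstream hcloud-csi chart (the `# Source:` and `# x-release-please-version` markers), pinned to hcloud-csi-driver v2.5.1 with csi-attacher v4.1.0, csi-resizer v1.7.0 and csi-provisioner v3.4.0; record the chart version and the values it was rendered with next to the file so it can be upgraded by re-rendering instead of by hand-editing 400 lines. Smaller points: `initContainers:` is left as an empty key (YAML null) in both the DaemonSet and the Deployment and should be dropped; every container has `limits: {}` / `requests: {}`, so the privileged node plugin (`privileged: true`, `/dev` and `/var/lib/kubelet` mounted with `Bidirectional` propagation) runs with no resource bounds at all; and the ClusterRole grants `get, list` on `secrets` cluster-wide, which is the upstream provisioner default but worth knowing given this StorageClass is annotated as the cluster default.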


@@ -0,0 +1,3 @@
resources:
- secrets.yaml
- hcloud-csi.yaml


@@ -0,0 +1,22 @@
apiVersion: v1
kind: Secret
metadata:
name: hcloud
namespace: kube-system
stringData:
token: ENC[AES256_GCM,data:CqEok5/IsGRdab1LULB9iere2rjZY8L68k8CWa+FHyl72foxt28zPD/1DvlfPzodBzx3VRE+LRgRhhf6RI3wdg==,iv:23kcSWaKIylLLrqML30c7DDC0wI4cGgFtNIxuxqtTrQ=,tag:m4Zn7aOusfMcqEfQtA+Dyw==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWTlBa3NsazVQYjVHMEk1
eW5PUjl4K01ZZ1pTSmg2YWxSUkVZSmswczBFCnQ2N2pudmhTUVNIaFVPenZXamx1
S3kxeXB5TUdCQ2hhYkRRYzc5VU02S1kKLS0tIHVEWGowSFE1aXRnVzkyVFY3NWlM
OVRxNzNoZ016QVVTakswbDhLYmp2bEUKHS9TOqjU9n82LtbBtKTVsKtTlEvrtyGz
+9MGRvCGQydbf6qZO/OLfiMRbPmgcnVovvb1a0NeWjXSR3r4uc+OUw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:IX1iQajPzcUXRHwRdbxPz0eXL5PoVNzIxPYL18De/+Wn6Vu0V5DDJbxK7bLd3Wnv66KBsZzpnrqRY/eu9HZ1bv8RE2dHVjXu07zDD1uu+yek2v0RpeChs0eovaogeBztPlJoyNg7sbwdDoMSWyWlqHe0TozgjEyVeZ9JCwIrDXw=,iv:UZk6JnZ5NLNVx22hzoULAXfjhvzxS6t5ZOY66hRGWQQ=,tag:VmNwnTx0RLtODOrWxu+f1Q==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2
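Review bot: the hcloud token is sops/age-encrypted with `encrypted_regex: ^(data|stringData)$`, so only the token value is ciphertext and the object's `name`/`namespace` stay reviewable, which matches the `secretKeyRef` (`hcloud` / `token`) in the controller Deployment. The file has a single age recipient; if that key is lost the token cannot be recovered from the repo, so consider adding a backup recipient unless key escrow is handled elsewhere.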

infra/seija/csi/test.yaml Normal file

@@ -0,0 +1,28 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: csi-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: hcloud-volumes
---
kind: Pod
apiVersion: v1
metadata:
name: my-csi-app
spec:
containers:
- name: my-frontend
image: busybox
volumeMounts:
- mountPath: "/data"
name: my-csi-volume
command: [ "sleep", "1000000" ]
volumes:
- name: my-csi-volume
persistentVolumeClaim:
claimName: csi-pvc
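Review bot: this is a smoke test (a 10Gi `hcloud-volumes` PVC plus a busybox pod that sleeps), not infrastructure, and it is not listed in the sibling kustomization, so it is only applied by hand. If it stays in the tree, pin `busybox` to a tag instead of the floating default and give the container resource requests so it is not BestEffort; if it was only used once to verify the driver, drop it.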


@@ -0,0 +1,21 @@
apiVersion: ENC[AES256_GCM,data:uI18BwMBL54=,iv:ZSGmHuHUMCqi2SHW50PSH+NnJO1+hoECwUQtaWsSrPg=,tag:ZziftWKJwa3MUsMpNefOQw==,type:str]
kind: ENC[AES256_GCM,data:5V20Tgezvlxgb0kAQD8BfF1XWA3tLQ==,iv:zsqIXN+mlt244DMXmP2Pia3o89lcgYuL/htl5KW2Zn0=,tag:4QNn2oh+3s+KXEGjToqccw==,type:str]
name: ENC[AES256_GCM,data:1pcGqvBlP9Ac,iv:MxjPSVNREt4y+2OP431CDsV6eYJyFuM5KRJmjIfU1II=,tag:/iyAlxNQdIvid9+dx9hX4g==,type:str]
environment:
- ENC[AES256_GCM,data:7TFf83OkFQ7IKpaB8cXcPn5RgRicEjlNZW8wIJyuRfccofhSIyG7V/hVEz6yWGE4a2JHQS/1uLdqT+vFHClr/tlq3E39uBii,iv:6qkmu/vW3/LeXjWanyQs7xYuGOlm2qJMIMC/ASivaWo=,tag:3r1FuTCRXOAfn44rYfYOng==,type:str]
- ENC[AES256_GCM,data:ZUh+YUH69xeNHlEgfotvVp56PmlvFRD9xLo/qnEVL6+YbYu79A==,iv:pZVUahrl13V/CkfdcOPMnn3SGiNgbPc1GZ9FQKKwFGQ=,tag:n/HQN21jGrQpy3FSVO95eA==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMGdkamh3amNUaXRKSDRS
MElWZ2dKQ28rbU9xY3NIM0lSVUZWNzBkT2dVCnZqcDNwV2pSRGVPUXFTd1VSZUpt
YWdBR1lQTmRUaCtFWFJMUE1Dd3JROWMKLS0tIHJUSUt6VVpmWEcxOWRLT2MyZ2hV
cGhzT204cmJRdWFwTTV6ZDJoY0xyZHcK3f/Y2MDGjjL7LUoVJV7POZYR6D8jrsxn
g9ZRQfbw24W4NYoYXI1bJttG5u0LVw9Bw5IYYIDVa1XsyH2km8EMSA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T13:05:51Z"
mac: ENC[AES256_GCM,data:5lVkH9qeurFzrwLoaB2P2CYxifToiA5cQvTJhUV+yCoLREwiu1uBsD1Dhr4m9YsXu/Lvhe54iEUF6bCVO5bKKqSoA5NpJYAms/9hPptmSaGFYmfpIITcvTbnYkByCDyjx45LyFaeexr6tUdfm6C9c9pA1JoFaZC4TPI+L3dvPtk=,iv:gjqyzhevuhpYMM/HjXaa2hfiVGxzH97Gu35CesLoVLk=,tag:8lZUnRl4QLetxR7/lZsrpw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2
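Review bot: this file is encrypted with `unencrypted_suffix: _unencrypted`, so every key including `apiVersion`, `kind` and `name` is ciphertext and the diff cannot be reviewed at all, whereas `secrets.yaml` in the same commit uses `encrypted_regex: ^(data|stringData)$` and keeps the object's shape visible. Unless the manifest's structure is itself sensitive, switch to a regex that covers only the secret values (here apparently the `environment` entries) so reviewers can see what object is being applied.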


@@ -1,14 +1,14 @@
---
clusterName: yakumo
talosVersion: v1.10.4
kubernetesVersion: v1.33.1
endpoint: https://10.0.15.33:6443
domain: yakumo.prettysunflower.moe
allowSchedulingOnControlPlanes: false
clusterName: seija
talosVersion: v1.10.5
kubernetesVersion: v1.33.2
endpoint: https://10.11.0.2:6443
domain: seija.prettysunflower.moe
allowSchedulingOnControlPlanes: true
clusterPodNets:
- 10.244.0.0/16
- 10.215.0.0/16
clusterSvcNets:
- 10.96.0.0/12
- 10.216.0.0/16
patches:
- |-
- op: add
@@ -19,56 +19,27 @@ patches:
path: /machine/features/hostDNS
value:
forwardKubeDNSToHost: false
- op: add
path: /machine/network
value:
nameservers:
- 100.96.226.96
nodes:
- hostname: yukari
ipAddress: 10.0.0.240
- hostname: fulgora
ipAddress: 10.11.0.2
controlPlane: true
arch: amd64
installDisk: /dev/sda
nodeLabels:
location: yul
- hostname: byakuren
ipAddress: 10.0.15.33
- hostname: gleba
ipAddress: 10.11.0.3
controlPlane: true
arch: amd64
installDisk: /dev/sda
nodeLabels:
location: fsn
- hostname: tojiko
ipAddress: 10.0.15.35
- hostname: vulcanus
ipAddress: 10.11.0.4
controlPlane: true
arch: amd64
installDisk: /dev/sda
nodeLabels:
location: fsn
- hostname: chen
ipAddress: 10.0.15.32
controlPlane: false
arch: amd64
installDisk: /dev/sda
nodeLabels:
location: fsn
- hostname: ran
ipAddress: 10.0.0.241
controlPlane: false
arch: amd64
installDisk: /dev/sda
nodeLabels:
location: yul
- hostname: fujiwara-no-moukou
ipAddress: 10.0.0.245
controlPlane: false
arch: amd64
installDisk: /dev/sda
nodeLabels:
location: yul
- hostname: wagasakihime
ipAddress: 192.168.19.133
controlPlane: false
arch: amd64
installDisk: /dev/sda
nodeLabels:
location: gva
controlPlane:
extraManifests:
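Review bot: `endpoint` is https://10.11.0.2:6443, which is also fulgora's own `ipAddress`, so the cluster endpoint used by talosctl/kubectl is tied to one of the three control planes and goes away with that VM even though gleba and vulcanus are control planes too; point it at a shared VIP or a DNS name (the `domain` seija.prettysunflower.moe is already defined). `allowSchedulingOnControlPlanes` also flips from false to true while every node is `controlPlane: true`, so all workloads now share nodes with etcd and the API server; a reasonable tradeoff for a three-VM cluster, but worth a comment in the file.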

File diff suppressed because one or more lines are too long


@@ -0,0 +1,7 @@
seija-fulgora.yaml
seija-gleba.yaml
seija-vulcanus.yaml
talosconfig
sekibanki-fulgora.yaml
sekibanki-gleba.yaml
sekibanki-vulcanus.yaml
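Review bot: this ignore list also carries the three `seija-*.yaml` entries, which belong to the seija clusterconfig directory (that directory already has its own .gitignore listing them); harmless, but drop them here so each list documents only the generated files of its own cluster.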


@@ -0,0 +1,14 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: nfs-csi
provisioner: nfs.csi.k8s.io
parameters:
server: 100.126.243.21
share: /mnt/yuyuko/k8s
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
mountOptions:
- nfsvers=4.1
- nolock
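Review bot: `nolock` deserves a comment on intent: it is documented as the NFSv2/v3 option that turns off NLM locking, and on current kernels it makes locks client-local, so two pods on different nodes sharing a ReadWriteMany volume from this class will not see each other's locks; lock-dependent workloads (anything using SQLite or file locks for coordination) can corrupt data silently. Also `reclaimPolicy: Delete` on a share rooted at `/mnt/yuyuko/k8s` means deleting a PVC deletes its directory on the ZFS array; `Retain` is the safer default unless these volumes are truly disposable.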


@@ -0,0 +1,21 @@
apiVersion: ENC[AES256_GCM,data:JtbVO8dJx3k=,iv:n6WiYmMWkJaHDDs6AHqpOf2XTgn51P5RLm7QGXq/0II=,tag:acoR8HtwZznCQgOTUgM+2g==,type:str]
kind: ENC[AES256_GCM,data:HAV4diOt/z6mpOWkKnPvZhi7/2hJkQ==,iv:Mu4CPHT4kNbxOT/H4XWeT7Plk/eUBGRvNHw9nxWgw3g=,tag:dQyMj081Yc8IhCDD9JdjJw==,type:str]
name: ENC[AES256_GCM,data:7L5d+0wWwbj4,iv:g1eVngZ2oy5oTDtwvsEijn1teWFwtCqrN9/Vxw7Yzmg=,tag:hr/PSHHKu/IFfYsRV0jVJA==,type:str]
environment:
- ENC[AES256_GCM,data:1Ysk3JMsRz1/AG9hL8gqeasn6ZI+aME+ZW2KexCumIpHX2VaA9pLURHp+MVu74y8uZN1osrnIY5xnX/UTK0uyDscHTYQDYHf,iv:rx8cbpaTkcitqO2BITvTeegG26u9RPSlaci8YW8LOLA=,tag:JYFRq0/OappD52gnsIpAYw==,type:str]
- ENC[AES256_GCM,data:fq0Bztl5pIo1PF1Sk+XTw2QJ1BQ1Yxrc2SCBQnbbQRq8jLkYlg==,iv:vviBnVDWnTB7/nJk17JRx0fbU4ko48rtplztDo2rHwc=,tag:072S1LtCfYAK73gxx7hO4g==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aisrWVdLd1lMWVVMbGZS
QWdyekxGUHYwRGpCaWh3angySkZ2MXZ0Q3djCllLZ1NwdVdFcTJSVTlHR3VYNGJK
SEZLeXNzd3ZWWGNXUnlCaXBDRmF6VXcKLS0tIG9rTDZYOVdybG52YmI1QUpJMWdu
MmFHRTZEVG9YdVpjSEdmaFhIUWZMWWsKYOrmAJy6+XzkbK2fuW0AyqUlMFW3lZd4
yg7eTI6idbKe4sDg0NjNH64DRfz/+3kQaj8e2H6Y7VIAz5yqVkI3nw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T13:05:20Z"
mac: ENC[AES256_GCM,data:lgFyiUEMxBfA5C/6TMJrq2hSUx0l0IKG2yDHglBqIkqO1YoeOLgbJXq4cPE3B5f+mtx0CDaQh8/C0lcbH7QcfnLv3rqJo5cmRNEdN5RhBrQ2Z9I8fRcnZIOiz2Ze09CHDBCsGWQgfge003z3E5Q73R/+lArjYMY/JRagzosRKKg=,iv:NQ4xWYdmUB8yMGAe337ojA1fLEMbv8pZSY7N1ze9VPY=,tag:r8bRD7a53YhNnM7EOS0IgQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2


@@ -0,0 +1,61 @@
---
clusterName: sekibanki
talosVersion: v1.10.5
kubernetesVersion: v1.33.2
endpoint: https://10.0.0.32:6443
domain: sekibanki.prettysunflower.moe
allowSchedulingOnControlPlanes: true
clusterPodNets:
- 10.217.0.0/16
clusterSvcNets:
- 10.218.0.0/16
patches:
- |-
- op: add
path: /machine/network/kubespan
value:
enabled: true
- op: add
path: /machine/features/hostDNS
value:
forwardKubeDNSToHost: false
nodes:
- hostname: fulgora
ipAddress: 10.0.0.32
controlPlane: true
arch: amd64
installDisk: /dev/sda
- hostname: gleba
ipAddress: 10.0.0.30
controlPlane: true
arch: amd64
installDisk: /dev/sda
- hostname: vulcanus
ipAddress: 10.0.0.33
controlPlane: true
arch: amd64
installDisk: /dev/sda
controlPlane:
extraManifests:
- tailscale.patch.yaml
schematic:
customization:
systemExtensions:
officialExtensions:
- siderolabs/iscsi-tools
- siderolabs/qemu-guest-agent
- siderolabs/tailscale
- siderolabs/util-linux-tools
worker:
extraManifests:
- tailscale.patch.yaml
schematic:
customization:
systemExtensions:
officialExtensions:
- siderolabs/iscsi-tools
- siderolabs/qemu-guest-agent
- siderolabs/tailscale
- siderolabs/util-linux-tools
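Review bot: as in the seija talconfig, `endpoint` https://10.0.0.32:6443 is fulgora's own `ipAddress`, so the API endpoint depends on a single one of the three control planes; use a VIP or the `domain`. The node hostnames (fulgora, gleba, vulcanus) are identical to seija's, and with `siderolabs/tailscale` on every node both clusters will try to register the same machine names on the tailnet and make talosctl/kubectl contexts easy to mix up; the .gitignore already prefixes files with seija-/sekibanki-, so do the same for hostnames. Minor: the `controlPlane` and `worker` schematic blocks are identical, and with `allowSchedulingOnControlPlanes: true` and no `controlPlane: false` node the worker block is currently unused.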

File diff suppressed because one or more lines are too long


@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pvc-nfs-dynamic
namespace: default
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: nfs-csi


@@ -1,21 +0,0 @@
apiVersion: ENC[AES256_GCM,data:ah3WtiHrAcg=,iv:uYIKkCkdmwwaggRo55d5u0CYKXZZ1SGt54sdJpfcrZY=,tag:Kd9T+MGR7/jeXc9jf0eGcQ==,type:str]
kind: ENC[AES256_GCM,data:7c7dbqKfqFY/kvcanIMiiSemkik1pw==,iv:RO9GFhFH53ysNZy3KAxS80SyXmMJsU0piOwLrciPjoo=,tag:RPxSMv6gFurgPGRAf31RjQ==,type:str]
name: ENC[AES256_GCM,data:3y37jr57H28J,iv:ApWTMC82qfjCu6wmoTYpWHhodRtQrABpl9S5yMDBvT8=,tag:lIbtTOuMH6IQ9n/y2K8E5g==,type:str]
environment:
- ENC[AES256_GCM,data:gFTe0n7FZ5SxOS4zFq3cU1ZWeFhQ/MZpQlxXo0XMsbsT1KDpVHJcOGwpX7iKb7OLfBfusfgDOBm2OyDorpJRft76Bur6N4ra,iv:j2zvvWpzRZ7PQmlIMA1aJA1zSWkELHcc0k/rVano42A=,tag:wC8VcxC3BmyU+Na5TUeqEw==,type:str]
- ENC[AES256_GCM,data:rXQnctDqQ1pAyQkMmoagpWyzNwvJ5gi7+GkNRsSbH1yCImHf,iv:aU1DDR7i/uW7KBvaZgaR3cge/DkywKibaidWm3eevCI=,tag:Zc2r0cL76DIu7N27KMN7Zg==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlelhjZjR5cGE0OTdVY044
Z2h0VWwxNzBYdHNFbnRHNzRpVnducE1JdUdJCmdnRzlySVdBeUNjc2swbzBRL2g1
dHhqQU02d1VZajBVcVE0K21UaWUyVnMKLS0tIE8xUFFweTFaY2x2ekVQTUNtSExP
V0Q0UkJNdHd4QWg5VzI2aXlEWU1jSTAKap0c3sraAXRKXFiKm+na07wNF1WB4670
1qfTyDBYGO/O8UL99FlmvKllRFSF6LjQPG9EOdP58g/r1kftI04ubA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-05-29T22:50:57Z"
mac: ENC[AES256_GCM,data:Ym0eCUDUPXPi5uK9GuAD8zB+TUlGPo8ByDx7YmJHQTD6nCsfsWcXHYXXr4Rrmk5K5DBhyslhUKZnJXtj00ObyaNOo8umopPn+Y/AFSyI0drdj2ZjwlB9ocSIfLAGubggJsJ8JMPKz609vT3hGHGPKO0d3DzFRM2NJLNEb6VH2CY=,iv:1i0zZi2WdEl3U9zbVadbTw5smIFAzSavWveXlq/qZ/Q=,tag:0yimyUW8A7KczPS8hipsGw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

File diff suppressed because one or more lines are too long

infra/tigrisfs.yaml Normal file

@@ -0,0 +1,29 @@
apiVersion: v1
kind: Secret
metadata:
name: tigris-s3-secret
namespace: kube-system
stringData:
accessKeyID: tid_GsNqXtWmklNUqliOVxEukmEFmBLoIaxNvDIlQHDXmKqNghvKwv
secretAccessKey: tsec_A-r53r0ktXNrW-vKqZjSlgX1JboZzGv6zzYrjcb3ySn+BjnNV3dffm05WSLYcG+Zo2c+OC
endpoint: https://t3.storage.dev
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: tigris
provisioner: ca.gmem.s3.csi
parameters:
mounter: tigrisfs
# you can set mount options here, for example limit memory cache size (recommended)
options: "--memory-limit 1000 --dir-mode 0777 --file-mode 0666"
# to use an existing bucket, specify it here:
#bucket: some-existing-bucket
csi.storage.k8s.io/provisioner-secret-name: tigris-s3-secret
csi.storage.k8s.io/provisioner-secret-namespace: kube-system
csi.storage.k8s.io/controller-publish-secret-name: tigris-s3-secret
csi.storage.k8s.io/controller-publish-secret-namespace: kube-system
csi.storage.k8s.io/node-stage-secret-name: tigris-s3-secret
csi.storage.k8s.io/node-stage-secret-namespace: kube-system
csi.storage.k8s.io/node-publish-secret-name: tigris-s3-secret
csi.storage.k8s.io/node-publish-secret-namespace: kube-system
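Review bot: this file commits a live Tigris access key pair in plaintext (`accessKeyID: tid_...` and `secretAccessKey: tsec_...` under `stringData`), while the hcloud token in the same commit is sops-encrypted. Treat the pair as compromised: revoke and reissue it in Tigris, store the replacement with sops using `encrypted_regex: ^(data|stringData)$` like `seija/csi/secrets.yaml`, and rewrite (or at least flag) the history, since the old value stays recoverable from git. Separately, `--dir-mode 0777 --file-mode 0666` makes every mounted file world-writable inside the consuming pods and should be narrowed unless the workloads need it, and the commented `#bucket:` line should either name the bucket or go.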