Getting Started - KuiprLab/dev-environment GitHub Wiki


tags:

  • homelab/kube

Getting Started

Prerequisites

  • Proxmox VE
  • Two Virtual Machines
    • 4 Cores, 8Gb each
  • Nix installed on your dev machine and flakes enabled
  • direnv installed
  • fluxcd cli

Setting up the Dev Environment

  1. Clone this repository with submodules:
    git clone --recursive https://github.com/yourusername/homelab.git
    cd homelab
  2. Allow direnv to activate the environment:
    direnv allow
    This sets up an environment and installs all the tools you need.
  3. Decrypt sensitive files:
    git secret reveal

Installing Talos

Setting up the VM

Go to https://factory.talos.dev and follow the instructions. Select "Cloud Server" as the machine type and then "Nocloud" when selecting the cloud provider. For plugins you need siderolabs/qemu-guest-agent, siderolabs/intel-ucode and siderolabs/iscsi-tools. Download the ISO and save the URL shown under the heading "Initial Installation".

Now create your VMs (at least one worker node and one control-plane node) in PVE. Use the image we downloaded previously as the ISO. Also make sure to give at least the control-plane node a static IP, either in your router's settings or in PVE itself.

Getting the Configuration

Make note of the IPs of the nodes we set up in the previous step. cd into homelab/talos and run the following commands:

talosctl gen config <cluster-name> https://<control-plane-node-ip>:6443 --output-dir ./

This will create 3 files:

.
├──  controlplane.yaml
├──  talosconfig
└──  worker.yaml

Open controlplane.yaml and worker.yaml and replace the image URL with the one that we saved when getting the Talos ISO:

    install:
        disk: /dev/sda 
        image: ghcr.io/siderolabs/installer:v1.9.5
        wipe: false

to

    install:
        disk: /dev/sda 
        image: factory.talos.dev/installer/376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba:v1.9.5
        wipe: false
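
The same edit as a script, as an added example that is not part of the original wiki: it rewrites only the `image:` key inside the `install:` block, so the other `image:` keys in a generated Talos config are not clobbered, and it rejects anything that is not a factory installer reference with a full schematic ID and version tag. The function names are hypothetical, and the layout assumption is stated in the first comment.

```shell
# Added example, not from the wiki. Assumes talosctl-generated YAML in which
# `install:` and its `image:` key each sit on their own line.

# True only for factory.talos.dev/installer/<64-hex schematic ID>:v<x.y.z>.
valid_factory_image() {
    printf '%s\n' "$1" | grep -Eq \
        '^factory\.talos\.dev/installer/[0-9a-f]{64}:v[0-9]+\.[0-9]+\.[0-9]+$'
}

# Print the image configured inside the install: block of file $1.
install_image() {
    awk '
        { ind = match($0, /[^ ]/) - 1 }               # indentation of line
        /^[ ]*install:[ ]*(#.*)?$/ { blk = 1; base = ind; next }
        blk && (/^[ ]*#/ || /^[ ]*$/) { next }        # comment or blank
        blk && ind <= base { blk = 0 }                # dedent ends block
        blk && /^[ ]*image:/ { print $2; exit }
    ' "$1"
}

# Rewrite only the install: image in file $1 to $2. Other image: keys
# (kubelet, apiServer, ...) are left untouched.
set_install_image() {
    valid_factory_image "$2" || { echo "rejecting image: $2" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v img="$2" '
        { ind = match($0, /[^ ]/) - 1 }
        /^[ ]*install:[ ]*(#.*)?$/ { blk = 1; base = ind; print; next }
        blk && (/^[ ]*#/ || /^[ ]*$/) { print; next }
        blk && ind <= base { blk = 0 }
        blk && /^[ ]*image:/ { sub(/image:.*/, "image: " img) }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
    [ "$(install_image "$1")" = "$2" ]   # confirm the change took effect
}
```

Source the functions and call `set_install_image controlplane.yaml "<saved-image-url>"`, then the same for worker.yaml, before applying the configs.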

Setting up the nodes

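Now we need to send these configs to our Talos VMs. The nodes are still in maintenance mode and have no PKI yet, which is why this first apply-config uses --insecure: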

talosctl apply-config --insecure --nodes <control-plane-ip> --file ./controlplane.yaml

talosctl apply-config --insecure --nodes <worker-ip> --file ./worker.yaml

Next we need to set the API server endpoint and the default node:

talosctl config endpoint <control-plane-ip>

talosctl config node <control-plane-ip>

Now we need to bootstrap etcd:

talosctl bootstrap

Lastly we can get the Kubernetes config by running

talosctl kubeconfig .

which will create a kubeconfig file.

Setting up the Environment Variables

The last step is to make sure that the TALOSCONFIG and KUBECONFIG environment variables point to the files we just created. The provided flake includes a shell hook that does this automatically, assuming the files are in $HOME/Developer/Homelab/talos/sol/. This path may need to be changed.

Getting FluxCD

Configuring Secrets

Follow https://developer.1password.com/docs/k8s/k8s-operator/ to get the required credentials for setting up the 1password-operator.

Make sure you have the following secrets in your cluster (use something like Lens to create them):

Name: 1pass-operator Namespace: 1password Data: token: <token-generated-in-prev-step>

Name: 1pass-connect Namespace: 1password Data: 1password-credentials.json: <token-generated-in-prev-step>

Name: git-auth Namespace: flux-system Data: password: <github-pat>, username: <github-username>

All the other secrets will be synced from 1Password.

Bootstrap FluxCD

Run the following command to bootstrap FluxCD:

flux bootstrap github \
  --token-auth \
  --owner=KuiprLab \
  --repository=homelab \
  --branch=main \
  --path=clusters/hl-sol-c1

You will need to authenticate with your GitHub username and token. This command installs FluxCD and then starts syncing the cluster so that it matches the repo.

Best Practices

Secret Management

  1. Use 1Password for storing and managing Kubernetes secrets:

Environment Separation

  1. Use separate branches for development and production environments:

    • Development clusters sync from the dev branch
    • Production clusters sync from the main branch
  2. Use consistent folder structures across environments to make comparisons and promotions easier

  3. Consider using Kustomize overlays to reduce duplication between environments while maintaining environment-specific configurations
