
GitOps for tbrnt Zurrli

Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps


Secrets are encrypted using SOPS and age. Argo CD uses KSOPS and kustomize.

Install sops and age packages on Arch Linux.

Public key (the age recipient that every secret in this repo is encrypted to): age1dfk8euu7afvw7ge5l2qek45z23hdq5anjd56cy4d7kcsf0e0e5pqfjylx8

The KSOPS installation and configuration for Argo CD happen in a kustomize patch in argocd/.

A good helper to work with SOPS encrypted secrets is vscode-sops.

The age private key needs to be stored at $HOME/.config/sops/age/keys.txt; sops reads it from there locally, and the same file is bundled into the sops-age secret during bootstrap.


Create a normal Kubernetes Secret manifest whose file name ends in .sops.yaml. Encrypt it in place with:

sops --encrypt --in-place secret.sops.yaml

Create a KSOPS generator (secret-generator.yaml) that decrypts the file and emits the Secret:

apiVersion: viaduct.ai/v1
kind: ksops
metadata:
  name: secret-generator
files:
  - ./secret.sops.yaml

Then register the generator in the directory's kustomization.yaml:

generators:
  - ./secret-generator.yaml
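The step that goes wrong in practice is committing a *.sops.yaml that was never run through sops, or one that was encrypted to a different age recipient than the key Argo CD holds. The script below is an added example (not part of this repository) of a pre-commit guard for exactly that: it accepts only files named *.sops.yaml, requires the sops metadata block, requires the recipient from this README, and scans every value under data:/stringData: for the ENC[...] ciphertext form that sops produces. It needs only POSIX sh, grep and awk, so it runs without sops installed; the script name and the hook wiring are assumptions.

```shell
#!/bin/sh
# Pre-commit guard for SOPS-encrypted Kubernetes Secrets (added example, not
# code from this repository). Refuses files that are still plaintext, only
# partly encrypted, or encrypted to the wrong age recipient.
# Requires only POSIX sh, grep and awk; sops itself is not needed for the check.

# Recipient taken from the README. A file encrypted to any other key cannot be
# decrypted by the sops-age secret that KSOPS uses inside Argo CD.
EXPECTED_RECIPIENT="age1dfk8euu7afvw7ge5l2qek45z23hdq5anjd56cy4d7kcsf0e0e5pqfjylx8"

# check_sops_secret FILE
# Returns 0 if FILE looks like a properly encrypted Secret, 1 otherwise
# (with the reason on stderr).
check_sops_secret() {
    f="$1"

    # Convention from the README: encrypted secrets end in .sops.yaml, which is
    # also the name the KSOPS generator lists.
    case "$f" in
        *.sops.yaml) ;;
        *) echo "$f: file name must end in .sops.yaml" >&2; return 1 ;;
    esac

    # sops stores recipients, MAC and version under a top-level 'sops:' key;
    # a file without it has never been encrypted.
    if ! grep -q '^sops:' "$f"; then
        echo "$f: no 'sops:' metadata block, file is plaintext" >&2
        return 1
    fi

    if ! grep -q "recipient: $EXPECTED_RECIPIENT" "$f"; then
        echo "$f: not encrypted to the cluster's age recipient" >&2
        return 1
    fi

    # Every scalar under data:/stringData: must be an ENC[...] ciphertext.
    # A top-level key (no leading space) ends the block being inspected, so
    # the 'sops:' metadata itself is never scanned.
    awk -v file="$f" '
        BEGIN { bad = 0 }
        /^(data|stringData):/ { insec = 1; next }
        /^[^ ]/               { insec = 0 }
        insec && /^ +[^ ]+:/ && !/: ENC\[/ {
            print file ": plaintext value under data/stringData at line " NR ": " $1 > "/dev/stderr"
            bad = 1
        }
        END { exit bad }
    ' "$f"
}

# Usage (hypothetical hook wiring):
#   ./check-sops-secrets.sh $(git diff --cached --name-only -- '*.sops.yaml')
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_sops_secret "$f" || rc=1
    done
    exit "$rc"
fi
```

The recipient check is the one that catches the quiet failure: a file encrypted only to a developer's personal key passes `sops --decrypt` on that laptop but leaves Argo CD unable to render the namespace. The per-value scan also catches a hand-edited file where a new key was added under stringData after the original encryption.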

Argo CD

Reach the Argo CD UI either through kubefwd:

sudo -E kubefwd svc -n argocd and then https://argocd-server/

or through a plain port-forward:

kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/


  • K3s is kept up-to-date using System Upgrade Controller (SUC). See system/system-upgrade-controller/plan.yaml.
  • The OS is kept up-to-date using unattended upgrades and kured. See system/kube-system/unattended-upgrades.yaml.


Kubernetes native - K8up

K8up has a global configuration in system/apps/k8up.yaml. Because the storage destination is reachable only inside the tailnet, a Kyverno policy injects Tailscale into the backup Pods. See system/k8up.

Host level

There is a full filesystem backup done on the host using BorgMatic. See /etc/borgmatic/config.yaml for the configuration.

Bootstrap GitOps

kubectl create ns argocd
kubectl -n argocd create secret generic sops-age --from-file=$HOME/.config/sops/age/keys.txt
kubectl -n argocd apply -f
kubectl -n argocd get pods -l -o name | cut -d'/' -f 2
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
argocd login argocd-server

kubectl apply -f system/apps/appprojects.yaml
kubectl apply -f system/apps/_root.yaml

Bootstrap K3s

Using k3sup.

k3sup install \
--host \
--tls-san \
--k3s-extra-args '\
  --flannel-backend=none \
  --disable-network-policy \
  --cluster-cidr=,2001:cafe:42:0::/56 \

Then install Cilium:

cilium install --helm-set ipv6.enabled=true
cilium status