Go to file
Renovate Bot 3737ead6fa Update docker.io/renovate/renovate Docker tag to v37.89.6 2023-12-10 18:44:04 +00:00
apps Update docker.io/renovate/renovate Docker tag to v37.89.6 2023-12-10 18:44:04 +00:00
hack noop 2023-10-22 21:06:03 +02:00
system Merge pull request 'Update ghcr.io/tailscale/tailscale Docker tag to v1.54.0' (#406) from renovate/ghcr.io-tailscale-tailscale-1.x into main 2023-12-03 15:10:18 +00:00
.envrc cleanup for single node k3s zurrli 2022-12-23 21:00:08 +01:00
.gitignore new authkey for k8up 2023-10-06 22:31:03 +02:00
.sops.yaml configure sops 2022-10-05 20:27:52 +02:00
README.md replace kyverno with jspolicy 2023-10-06 22:15:27 +02:00
backup.yaml replace kyverno with jspolicy 2023-10-06 22:15:27 +02:00
renovate.json automerge miniflux updates 2023-11-21 21:54:18 +01:00


GitOps for tbrnt Zurrli

Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps


Secrets are encrypted using SOPS and age. Argo CD uses KSOPS and kustomize.

Install sops and age packages on Arch Linux.

Public key: age1dfk8euu7afvw7ge5l2qek45z23hdq5anjd56cy4d7kcsf0e0e5pqfjylx8

The installation and configuration happens in a kustomize patch in argocd/.

A good helper to work with SOPS encrypted secrets is vscode-sops.

The age key needs to be stored at $HOME/.config/sops/age/keys.txt


Create a normal secret with a .sops.yaml file ending. Encrypt it with:

sops --encrypt --in-place secret.sops.yaml

Create a kustomize configuration to generate the secret:


apiVersion: viaduct.ai/v1
kind: ksops
  name: secret-generator
  - ./secret.sops.yaml


  - ./secret-generator.yaml

Argo CD


sudo -E kubefwd svc -n argocd and then https://argocd-server/


kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/


  • K3s is kept up-to-date using System Upgrade Controller (SUC). See system/system-upgrade-controller/plan.yaml.
  • The OS is kept up-to-date using unattended upgrades and kured. See system/kube-system/unattended-upgrades.yaml.


Kubernetes native - K8up

K8up has a global configuration in system/apps/k8up.yaml. To access the storage destination which is only available in the tailnet, a Jspolicy policy injects Tailscale into the backup Pods. See system/k8up.

Host level

There is a full filesystem backup done on the host using BorgMatic. See /etc/borgmatic/config.yaml for the configuration.

Bootstrap GitOps

kubectl create ns argocd
kubectl -n argocd create secret generic sops-age --from-file=$HOME/.config/sops/age/keys.txt
kubectl -n argocd apply -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
kubectl -n argocd get pods -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}" | base64 -d; echo
argocd login argocd-server

kubectl apply -f system/apps/appprojects.yaml
kubectl apply -f system/apps/_root.yaml

Bootstrap K3s

Using k3sup.

k3sup install \
--host zurrli.tbrnt.ch \
--tls-san zurrli.tbrnt.ch \
--k3s-extra-args '\
  --flannel-backend=none \
  --disable-network-policy \
  --cluster-cidr=,2001:cafe:42:0::/56 \

Then install Cilium: https://docs.cilium.io/en/v1.12/gettingstarted/k3s/

cilium install --helm-set ipv6.enabled=true
cilium status