From 656081a30cae2b9dffa87e37ead84321eed5655e Mon Sep 17 00:00:00 2001 From: Joe Monk Date: Sun, 26 Jan 2025 17:34:52 +0000 Subject: [PATCH] Update readme with reset & update age key --- .gitignore | 1 + .sops.yaml | 2 +- apps/gluetun/secret.yaml | 22 +++++------ kairos-config.yaml | 1 - kairos-reset.yaml | 85 ++++++++++++++++++++++++++++++++++++++++ readme.md | 24 +++++++----- 6 files changed, 113 insertions(+), 22 deletions(-) create mode 100644 .gitignore create mode 100644 kairos-reset.yaml diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ee85f41 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.agekey \ No newline at end of file diff --git a/.sops.yaml b/.sops.yaml index 21f2fcc..743b11c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,4 +5,4 @@ creation_rules: # kairos age: >- age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv, - age1zm48vge8cpu8jwpxqc0tpgrwjqee0amhpmrla0dl8vzh08efu4fqwwcqax + age1tuwkrnucc6a7eplpthm980z20lq6tnxjqkarfskwsyv9t3gxxc9qw5vj7x diff --git a/apps/gluetun/secret.yaml b/apps/gluetun/secret.yaml index ee52a5b..fcd838c 100644 --- a/apps/gluetun/secret.yaml +++ b/apps/gluetun/secret.yaml 
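Review bot: The new `*.agekey` rule only stops future commits; it does not remove an age private key that may already be in this repository's history, and the fact that this same commit retires recipient `age1zm48…` in .sops.yaml suggests that is the concern. Before relying on the rotation, check with `git log --all --diff-filter=A --name-only -- '*.agekey'` (and a secret scanner over all refs); if a key was ever committed, rewrite history and treat every value encrypted to that recipient as exposed. A comment such as `# age private keys — never commit; the public recipient lives in .sops.yaml` would document the intent.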
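Review bot: Swapping the second recipient in `creation_rules` only changes what future `sops` runs encrypt to; every file already encrypted to the retired recipient stays readable with its old private key until it is re-keyed, and per the diffstat this commit re-keys only apps/gluetun/secret.yaml. If any other sops-managed file exists (the readme's `grep -lr "sops:"` loop suggests there may be more than one), run `sops updatekeys` on each so the old recipient is dropped everywhere. A comment beside the new key, e.g. `# rotated 2025-01-26; previous recipient age1zm48… must not remain in any encrypted file`, would make the intended state auditable.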
@@ -19,20 +19,20 @@ sops: - recipient: age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkc2Z0Qm0yUDczYVN1b2Y3 - TTFJSSt3Ry9tOUpmM3o1ajdPZThVYXBpZFhzCjRKQ1R0OU1qMHdEV1NXTlE1VzR2 - VTNKaytmR0ZpbCtiRnRkVFhxTm4yckUKLS0tIEtXcXV3V21FSW04azNyNzZwRGls - Y3JsOFZMWVVlN0Y4SURDZ0k2L3VPaDQKvKWVSM8XXEt+rhboqm/p/tSO2Gf7SAUw - T2dUdoIeB/Lpx0+4bD9yRXydsCNcp5RxyQ/8bqc5VRgVta1Jl+g9AA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMEN6dm1PTmFKbG9qRHha + MmZyRndIVStDMWFMNGw0WVNHNW9UQ050RFJRClNZc0Y1UUMzZVhtTTRuclNBT3d1 + K3J5VmQxSUpLeExKNzJsQjJHZjJ2Y1EKLS0tIEFWbWlCMWpqL3BKeVRzaTIwTmJW + UDZaNDhEd0NQdHk5MUYrNG5xR2F4NzQKeswlMX0DSp2TBGMg8og0vsjqWpqdILhI + wDeMFO9+lNt61lpv0T+1DMQkqBApGuUiMQ8kh5vzUenAl+kE0ov7tw== -----END AGE ENCRYPTED FILE----- - - recipient: age1zm48vge8cpu8jwpxqc0tpgrwjqee0amhpmrla0dl8vzh08efu4fqwwcqax + - recipient: age1tuwkrnucc6a7eplpthm980z20lq6tnxjqkarfskwsyv9t3gxxc9qw5vj7x enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHb2FSa1d2L0JGbDlyRlp1 - ejZUU082emppOTRlaU1nSVZmVHBOSWV5SHhnCmlpZFV1cnRsME4wdVhvSjJZT0J5 - QWJCTVgxSnowSXFBV3RrR3RtaUhuZmcKLS0tIDFuaXl3NjZBNUhNSEN6Z2hZN2xq - ZDV4bU5VaU9EczhubVlLUTFhQWREaXMKNqUwgOhAu++if1cdGyMRZaGjfjoSxa8L - ZBcKsKlb0btyoCNuZkLQizkmNVe+HnKSfXGq5hce6ADr62+fEVaNlA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUnNveHVWMDc4WXhjR2xz + RW5WUGViVHczd2VoVFEzajZoRkJNdGJJQldjCjE0MGtGYnhLaFpseitDOWJBK1JE + RHRUcmhodEgvOTAxbzd1UlRQYlZzQnMKLS0tIHZJUTZpSzBaYms5S3BJOE4wZ3FZ + VnBZWWUyM0xVa1kwWkJyZWVJY0orSlkKwMGLI+iBSKrkrJdca+2yp0ZmeNMPgPGr + 4dK9OxPAjwXx7caK+bv+wMsAHeledga7F4KNYLXN8OhGOiF0Bi7HtA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-01-24T20:18:44Z" mac: 
ENC[AES256_GCM,data:cqLdb0hR4KUyxZpkXoezREg5+pLxiD080+AIMKDe4uT8MxNRdBfj7d+e9reCbi4Ev9Z1Os3Ds2B/IaS5xIbiS5xm9b1FhIoOogJkIKY3YbkU2ifnvtrddQua9S3X0/JD/fJ6Dp4OFsS6cIWccahdR9plbMTXW5Ex/MZdiId6oUU=,iv:CDpY2i6QMyvvenGlxvdYYtf4p5RVd/ALndxlDnk/7cQ=,tag:IF7DmCc0tMsLTaIub+c2hQ==,type:str] diff --git a/kairos-config.yaml b/kairos-config.yaml index e634cfc..fd5d974 100644 --- a/kairos-config.yaml +++ b/kairos-config.yaml @@ -7,7 +7,6 @@ install: reset: reboot: true reset-persistent: true - reset-oem: true users: - name: "kairos" diff --git a/kairos-reset.yaml b/kairos-reset.yaml new file mode 100644 index 0000000..cb079aa --- /dev/null +++ b/kairos-reset.yaml 
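Review bot: `lastmodified` and `mac` are unchanged in this hunk while only the recipient stanzas are rewritten, which is what `sops updatekeys` produces: the file's data key is re-wrapped for the new age recipient but not regenerated. Anyone holding the retired recipient's private key can unwrap that same data key from the previous revision in git history and decrypt the current values, so if the old key is being dropped because it may have been exposed, run `sops rotate -i apps/gluetun/secret.yaml` to issue a fresh data key and rotate the underlying gluetun credentials as well. `sops updatekeys` alone is sufficient only for a routine recipient change where the old key is known to be uncompromised.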
@@ -0,0 +1,85 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: custom-script
+ namespace: system-upgrade
+type: Opaque
+stringData:
+ config.yaml: |
+ #cloud-config
+
+ install:
+ poweroff: true
+ image: quay.io/kairos/debian:bookworm-standard-amd64-generic-v3.3.0-k3sv1.32.0-k3s1
+
+ reset:
+ reboot: true
+ reset-persistent: true
+
+ users:
+ - name: "kairos"
+ passwd: "kairos"
+ groups:
+ - "admin"
+ ssh_authorized_keys:
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjAjv9cWzwoJhTlzdrDw47eIg9t51vMbXbf0he96mRK joemonk@hotmail.co.uk" # VSCode Container
+ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOzNQet/Vm/EXU8GR0D4I+QYIPiGL5rCKPgDPhjWKIU joemonk@hotmail.co.uk" # Laptop
+
+ # Enable K3s on the node.
+ k3s:
+ enabled: true # Set to true to enable K3s.
+ args:
+ - --disable=local-storage
+
+ stages:
+ boot:
+ - name: "Setup hostname"
+ hostname: "kairos"
+ - name: "Setup dns"
+ dns:
+ nameservers:
+ - 192.168.1.1
+ add-config-file.sh: |
+ #!/bin/sh
+ set -e
+ if diff /host/run/system-upgrade/secrets/custom-script/config.yaml /host/oem/90_custom.yaml >/dev/null; then
+ echo config present
+ exit 0
+ fi
+ # we can't cp, that's a symlink!
+ cat /host/run/system-upgrade/secrets/custom-script/config.yaml > /host/oem/90_custom.yaml
+ grub2-editenv /host/oem/grubenv set next_entry=statereset
+ sync
+
+ mount --rbind /host/dev /dev
+ mount --rbind /host/run /run
+ nsenter -i -m -t 1 -- reboot
+ exit 1
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+ name: reset-and-reconfig
+ namespace: system-upgrade
+spec:
+ concurrency: 2
+ # This is the version (tag) of the image.
+ version: "bookworm-standard-amd64-generic-v3.3.0-k3sv1.32.0-k3s1"
+ nodeSelector:
+ matchExpressions:
+ - { key: kubernetes.io/hostname, operator: Exists }
+ serviceAccountName: system-upgrade
+ cordon: false
+ upgrade:
+ # Here goes the image which is tied to the flavor being used.
+ # Currently can pick between opensuse and alpine
+ image: quay.io/kairos/debian:bookworm-standard-amd64-generic-v3.3.0-k3sv1.32.0-k3s1
+ command:
+ - "/bin/bash"
+ - "-c"
+ args:
+ - bash /host/run/system-upgrade/secrets/custom-script/add-config-file.sh
+ secrets:
+ - name: custom-script
+ path: /host/run/system-upgrade/secrets/custom-script
diff --git a/readme.md b/readme.md
index 54d0ba9..d0186e2 100644
--- a/readme.md
+++ b/readme.md
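Review bot: `passwd: "kairos"` in the `users` stanza of the custom-script Secret commits a well-known default password for an `admin`-group account in plaintext, while the rest of this repo keeps secrets sops-encrypted (apps/gluetun/secret.yaml is re-keyed in this very commit). The account already has two `ssh_authorized_keys`, so the password is probably not needed for access; either drop `passwd` (and confirm the Kairos image does not allow SSH password authentication) or put this file under the same sops creation rules so the credential is never stored in the clear. Separately, the Plan's `nodeSelector` matches every node (`kubernetes.io/hostname` Exists) with `concurrency: 2` and `cordon: false`, so this state-reset would run on nodes two at a time without draining if it were ever applied to a multi-node cluster; a comment above `nodeSelector` such as `# Resets EVERY node matching this selector — narrow it before applying outside a single-node lab` would make the blast radius explicit.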
@@ -10,15 +10,16 @@ - Grab the latest image from https://github.com/kairos-io/kairos/releases, the image should have the format `kairos-debian-bookworm-standard-amd64-generic-v3.1.1-k3sv1.30.2+k3s1`. The main things we're looking for are the latest debian, standard, amd64, then the versions of kairos (v3.1.1) and k3s (1.30.2). + - Update the image at https://gitea.home.joemonk.co.uk/joe/kairos-custom to the latest kairos image and build it if additional tooling is needed in the image - Burn to usb + - Rufus can struggle with the image, Ventoy worked perfectly using the live image launch - Boot from usb, live install and go to the config webui - If doing the firebat and it doesn't boot into bios or the drive, in grub press `c` then type `fwsetup` to reboot into bios - - Rufus struggles with the image, Ventoy worked perfectly using the live image launch - Add the public keys to the config (from ~/.ssh - `ssh-keygen -t ed25519 -C "joemonk@hotmail.co.uk"`) -- Update the image at https://gitea.home.joemonk.co.uk/joe/kairos-custom to the latest kairos image and build it -- Update the image in the kairos-config to reflect that build -- Put the kairos-config in, check the shutdown button and let it install -- Remove the usb, ssh in with using the specific private key (i.e. from ~/.ssh - `ssh -i ./kairos kairos@192.168.1.101` or add the following to ~/.ssh/config to just use `ssh 192.168.1.101`) +- Update the image in the kairos-config to reflect the image being used, as well as any ssh keys or additional changes needed +- Put the kairos-config in, check shutdown and let it install +- Remove the usb & start the machine, wait for full boot +- ssh in with using the specific private key added in the config (i.e. from ~/.ssh - `ssh -i ./kairos kairos@192.168.1.101` or add the following to ~/.ssh/config to just use `ssh 192.168.1.101`) ``` Host 192.168.1.101 
@@ -31,7 +32,7 @@ Host 192.168.1.101 Go to https://gitea.home.joemonk.co.uk/joe/kairos-custom and add the new packages to the dockerfile This image will be built when pushed -Follow the steps to upgrade/reinstall with the new image in the config - or just upgrade the image as per the docs (not tested yet) +Follow the steps to upgrade/reinstall with the new image in the config - or just upgrade the image to the new image ## Upgrading @@ -39,7 +40,12 @@ SSH into the server and run `sudo kairos-agent upgrade --source oci:gitea.home.j ## Reset -Reboot to the recovery image with `kairos-agent bootentry --select statereset` to clear all data. +A full reset is a bit of a pain, as as far as I can tell, the "normal" reset keeps the current k8s state and data, which is probably not why we're after resetting. +> :warning: This *will* delete everything. + +First of all, ensure the system-update-controller is installed on kairos (run from server/pc with kairos context) - `kubectl apply -k github.com/rancher/system-upgrade-controller` +You can then modify the `kairos-reset.yaml` to include the latest images, and `kairos-config.yaml`, and apply it with `cat reset.yaml | kubectl apply -f -` +This should then take a few minutes to reset the machine and reboot, meaning we can ssh in, grab the kubeconfig and re-bootstrap flux to reinstall everything. ## Kubectl @@ -64,7 +70,7 @@ kubectl create secret generic sops-age \ Delete age.agekey after sending it to the cluster. Then update the encryption with `sops updatekeys -y apps/gluetun/secret.yaml`. -In fish you can updatekeys in every secret +In fish you can updatekeys in every secret (can just change to the bash equivalent if using bash) `for file in $(grep --include="*.yaml" -lr "sops:"); sops updatekeys -y $file; end` ### Using sops 
@@ -93,7 +99,7 @@ We need to point a dns server to the server so we can access things via hostname - Make sure Services > UnboundDNS is active and working - In overrides, add the host as `*`, domain as `k3s` and value as the ip address of the server -You should be able to access `http://traefik.k3s:9000/dashboard#/` (at the time of writing, looking to route this properly) +You should be able to access `http://traefik.k3s/dashboard#/` (at the time of writing, looking to route this properly) ## Grafana