Update readme with reset & update age key
24
readme.md
@@ -10,15 +10,16 @@
|
||||
|
||||
- Grab the latest image from https://github.com/kairos-io/kairos/releases, the image should have the format `kairos-debian-bookworm-standard-amd64-generic-v3.1.1-k3sv1.30.2+k3s1`.
|
||||
The main things we're looking for are the latest debian, standard, amd64, then the versions of kairos (v3.1.1) and k3s (1.30.2).
|
||||
- Update the image at https://gitea.home.joemonk.co.uk/joe/kairos-custom to the latest kairos image and build it if additional tooling is needed in the image
|
||||
- Burn to usb
|
||||
- Rufus can struggle with the image, Ventoy worked perfectly using the live image launch
|
||||
- Boot from usb, live install and go to the config webui
|
||||
- If doing the firebat and it doesn't boot into bios or the drive, in grub press `c` then type `fwsetup` to reboot into bios
|
||||
- Rufus struggles with the image, Ventoy worked perfectly using the live image launch
|
||||
- Add the public keys to the config (from ~/.ssh - `ssh-keygen -t ed25519 -C "joemonk@hotmail.co.uk"`)
|
||||
- Update the image at https://gitea.home.joemonk.co.uk/joe/kairos-custom to the latest kairos image and build it
|
||||
- Update the image in the kairos-config to reflect that build
|
||||
- Put the kairos-config in, check the shutdown button and let it install
|
||||
- Remove the usb, ssh in with using the specific private key (i.e. from ~/.ssh - `ssh -i ./kairos kairos@192.168.1.101` or add the following to ~/.ssh/config to just use `ssh 192.168.1.101`)
|
||||
- Update the image in the kairos-config to reflect the image being used, as well as any ssh keys or additional changes needed
|
||||
- Put the kairos-config in, check shutdown and let it install
|
||||
- Remove the usb & start the machine, wait for full boot
|
||||
- ssh in with using the specific private key added in the config (i.e. from ~/.ssh - `ssh -i ./kairos kairos@192.168.1.101` or add the following to ~/.ssh/config to just use `ssh 192.168.1.101`)
|
||||
|
||||
```
|
||||
Host 192.168.1.101
|
||||
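Review bot: The reworded ssh step says to use "the specific private key added in the config", but what goes into the kairos-config is the public key (the earlier step reads "Add the public keys to the config"); the private key should stay in ~/.ssh. The step that carried `ssh-keygen -t ed25519 -C ...` also has no counterpart in the new wording, which only mentions "any ssh keys", so a reader is no longer told how the key pair is produced. Suggest keeping the key generation command beside the config step and rewording the last step to "ssh in using the private key matching the public key added in the config".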
@@ -31,7 +32,7 @@ Host 192.168.1.101
|
||||
|
||||
Go to https://gitea.home.joemonk.co.uk/joe/kairos-custom and add the new packages to the dockerfile
|
||||
This image will be built when pushed
|
||||
Follow the steps to upgrade/reinstall with the new image in the config - or just upgrade the image as per the docs (not tested yet)
|
||||
Follow the steps to upgrade/reinstall with the new image in the config - or just upgrade the image to the new image
|
||||
|
||||
## Upgrading
|
||||
|
||||
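Review bot: The replacement sentence ends "or just upgrade the image to the new image", which is circular and drops the pointer to the docs without saying where the procedure is. The Upgrading section directly below already has the `sudo kairos-agent upgrade --source oci:...` command, so point there instead, and state whether that path has now been tested, since the "(not tested yet)" caveat disappears with this wording.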
@@ -39,7 +40,12 @@ SSH into the server and run `sudo kairos-agent upgrade --source oci:gitea.home.j
|
||||
|
||||
## Reset
|
||||
|
||||
Reboot to the recovery image with `kairos-agent bootentry --select statereset` to clear all data.
|
||||
A full reset is a bit of a pain, as as far as I can tell, the "normal" reset keeps the current k8s state and data, which is probably not why we're after resetting.
|
||||
> :warning: This *will* delete everything.
|
||||
|
||||
First of all, ensure the system-update-controller is installed on kairos (run from server/pc with kairos context) - `kubectl apply -k github.com/rancher/system-upgrade-controller`
|
||||
You can then modify the `kairos-reset.yaml` to include the latest images, and `kairos-config.yaml`, and apply it with `cat reset.yaml | kubectl apply -f -`
|
||||
This should then take a few minutes to reset the machine and reboot, meaning we can ssh in, grab the kubeconfig and re-bootstrap flux to reinstall everything.
|
||||
|
||||
## Kubectl
|
||||
|
||||
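Review bot: In the Reset section the file names do not line up: the text says to modify `kairos-reset.yaml` but the command applies `reset.yaml` (`cat reset.yaml | kubectl apply -f -`). For a procedure that "will delete everything" the file being applied should be unambiguous; use one name in both places, and `kubectl apply -f <file>` avoids the `cat` pipe. Two smaller points in the same paragraph: the prose calls it "system-update-controller" while the repository in the command is `rancher/system-upgrade-controller`, and `kubectl apply -k github.com/rancher/system-upgrade-controller` carries no ref, so it installs whatever the default branch holds at the time; consider pinning it to a release. It would also help to say explicitly that the command should be checked against the intended kubectl context before applying, since the only hint is "with kairos context".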
@@ -64,7 +70,7 @@ kubectl create secret generic sops-age \
|
||||
Delete age.agekey after sending it to the cluster.
|
||||
Then update the encryption with `sops updatekeys -y apps/gluetun/secret.yaml`.
|
||||
|
||||
In fish you can updatekeys in every secret
|
||||
In fish you can updatekeys in every secret (can just change to the bash equivalent if using bash)
|
||||
`for file in $(grep --include="*.yaml" -lr "sops:"); sops updatekeys -y $file; end`
|
||||
|
||||
### Using sops
|
||||
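Review bot: The one-liner runs `sops updatekeys -y` on every file that `grep -lr "sops:"` matches, so the confirmation prompt is skipped for all of them; a wrong or leftover recipient in the sops configuration gets written into every secret without anyone seeing the key diff. Suggest documenting a first run without `-y` on a single file (the `apps/gluetun/secret.yaml` example above works for that) before the bulk loop. The added parenthetical "can just change to the bash equivalent" leaves the translation to the reader; either spell out the bash form or drop the remark. `$file` should also be quoted in case a path contains spaces.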
@@ -93,7 +99,7 @@ We need to point a dns server to the server so we can access things via hostname
|
||||
- Make sure Services > UnboundDNS is active and working
|
||||
- In overrides, add the host as `*`, domain as `k3s` and value as the ip address of the server
|
||||
|
||||
You should be able to access `http://traefik.k3s:9000/dashboard#/` (at the time of writing, looking to route this properly)
|
||||
You should be able to access `http://traefik.k3s/dashboard#/` (at the time of writing, looking to route this properly)
|
||||
|
||||
## Grafana
|
||||
|
||||
|
||||
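Review bot: The dashboard URL loses the `:9000` port, but the trailing note "(at the time of writing, looking to route this properly)" is kept unchanged. If the port was dropped because the dashboard is now routed through the normal entrypoint, the note is stale and should be removed or updated. The URL is also plain `http://`; if the dashboard is reachable by anyone who can resolve `*.k3s` through the Unbound override, say whether it sits behind authentication.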