Update readme with reset & update age key

.gitignore

@@ -0,0 +1 @@
+*.agekey

.sops.yaml

@@ -5,4 +5,4 @@ creation_rules:
     # kairos
     age: >-
       age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv,
-      age1zm48vge8cpu8jwpxqc0tpgrwjqee0amhpmrla0dl8vzh08efu4fqwwcqax
+      age1tuwkrnucc6a7eplpthm980z20lq6tnxjqkarfskwsyv9t3gxxc9qw5vj7x

apps/gluetun/secret.yaml

@@ -19,20 +19,20 @@ sops:
         - recipient: age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkc2Z0Qm0yUDczYVN1b2Y3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMEN6dm1PTmFKbG9qRHha
-            TTFJSSt3Ry9tOUpmM3o1ajdPZThVYXBpZFhzCjRKQ1R0OU1qMHdEV1NXTlE1VzR2
+            MmZyRndIVStDMWFMNGw0WVNHNW9UQ050RFJRClNZc0Y1UUMzZVhtTTRuclNBT3d1
-            VTNKaytmR0ZpbCtiRnRkVFhxTm4yckUKLS0tIEtXcXV3V21FSW04azNyNzZwRGls
+            K3J5VmQxSUpLeExKNzJsQjJHZjJ2Y1EKLS0tIEFWbWlCMWpqL3BKeVRzaTIwTmJW
-            Y3JsOFZMWVVlN0Y4SURDZ0k2L3VPaDQKvKWVSM8XXEt+rhboqm/p/tSO2Gf7SAUw
+            UDZaNDhEd0NQdHk5MUYrNG5xR2F4NzQKeswlMX0DSp2TBGMg8og0vsjqWpqdILhI
-            T2dUdoIeB/Lpx0+4bD9yRXydsCNcp5RxyQ/8bqc5VRgVta1Jl+g9AA==
+            wDeMFO9+lNt61lpv0T+1DMQkqBApGuUiMQ8kh5vzUenAl+kE0ov7tw==
             -----END AGE ENCRYPTED FILE-----
-        - recipient: age1zm48vge8cpu8jwpxqc0tpgrwjqee0amhpmrla0dl8vzh08efu4fqwwcqax
+        - recipient: age1tuwkrnucc6a7eplpthm980z20lq6tnxjqkarfskwsyv9t3gxxc9qw5vj7x
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHb2FSa1d2L0JGbDlyRlp1
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUnNveHVWMDc4WXhjR2xz
-            ejZUU082emppOTRlaU1nSVZmVHBOSWV5SHhnCmlpZFV1cnRsME4wdVhvSjJZT0J5
+            RW5WUGViVHczd2VoVFEzajZoRkJNdGJJQldjCjE0MGtGYnhLaFpseitDOWJBK1JE
-            QWJCTVgxSnowSXFBV3RrR3RtaUhuZmcKLS0tIDFuaXl3NjZBNUhNSEN6Z2hZN2xq
+            RHRUcmhodEgvOTAxbzd1UlRQYlZzQnMKLS0tIHZJUTZpSzBaYms5S3BJOE4wZ3FZ
-            ZDV4bU5VaU9EczhubVlLUTFhQWREaXMKNqUwgOhAu++if1cdGyMRZaGjfjoSxa8L
+            VnBZWWUyM0xVa1kwWkJyZWVJY0orSlkKwMGLI+iBSKrkrJdca+2yp0ZmeNMPgPGr
-            ZBcKsKlb0btyoCNuZkLQizkmNVe+HnKSfXGq5hce6ADr62+fEVaNlA==
+            4dK9OxPAjwXx7caK+bv+wMsAHeledga7F4KNYLXN8OhGOiF0Bi7HtA==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-01-24T20:18:44Z"
     mac: ENC[AES256_GCM,data:cqLdb0hR4KUyxZpkXoezREg5+pLxiD080+AIMKDe4uT8MxNRdBfj7d+e9reCbi4Ev9Z1Os3Ds2B/IaS5xIbiS5xm9b1FhIoOogJkIKY3YbkU2ifnvtrddQua9S3X0/JD/fJ6Dp4OFsS6cIWccahdR9plbMTXW5Ex/MZdiId6oUU=,iv:CDpY2i6QMyvvenGlxvdYYtf4p5RVd/ALndxlDnk/7cQ=,tag:IF7DmCc0tMsLTaIub+c2hQ==,type:str]

kairos-config.yaml

@@ -7,7 +7,6 @@ install:
 reset:
   reboot: true
   reset-persistent: true
-  reset-oem: true
 
 users:
 - name: "kairos"

kairos-reset.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: custom-script
+  namespace: system-upgrade
+type: Opaque
+stringData:
+  config.yaml: |
+    #cloud-config
+
+    install:
+      poweroff: true
+      image: quay.io/kairos/debian:bookworm-standard-amd64-generic-v3.3.0-k3sv1.32.0-k3s1
+
+    reset:
+      reboot: true
+      reset-persistent: true
+
+    users:
+    - name: "kairos"
+      passwd: "kairos"
+      groups:
+      - "admin"
+      ssh_authorized_keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAjAjv9cWzwoJhTlzdrDw47eIg9t51vMbXbf0he96mRK joemonk@hotmail.co.uk" # VSCode Container
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFOzNQet/Vm/EXU8GR0D4I+QYIPiGL5rCKPgDPhjWKIU joemonk@hotmail.co.uk" # Laptop
+
+    # Enable K3s on the node.
+    k3s:
+      enabled: true                         # Set to true to enable K3s.
+      args:
+      - --disable=local-storage
+
+    stages:
+      boot:
+      - name: "Setup hostname"
+        hostname: "kairos"
+      - name: "Setup dns"
+        dns:
+          nameservers:
+          - 192.168.1.1
+  add-config-file.sh: |
+    #!/bin/sh
+    set -e
+    if diff /host/run/system-upgrade/secrets/custom-script/config.yaml /host/oem/90_custom.yaml >/dev/null; then
+        echo config present
+        exit 0
+    fi
+    # we can't cp, that's a symlink!
+    cat /host/run/system-upgrade/secrets/custom-script/config.yaml > /host/oem/90_custom.yaml
+    grub2-editenv /host/oem/grubenv set next_entry=statereset
+    sync
+
+    mount --rbind /host/dev /dev
+    mount --rbind /host/run /run
+    nsenter -i -m -t 1 -- reboot
+    exit 1    
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: reset-and-reconfig
+  namespace: system-upgrade
+spec:
+  concurrency: 2
+  # This is the version (tag) of the image.
+  version: "bookworm-standard-amd64-generic-v3.3.0-k3sv1.32.0-k3s1"
+  nodeSelector:
+    matchExpressions:
+      - { key: kubernetes.io/hostname, operator: Exists }
+  serviceAccountName: system-upgrade
+  cordon: false
+  upgrade:
+    # Here goes the image which is tied to the flavor being used.
+    # Currently can pick between opensuse and alpine
+    image: quay.io/kairos/debian:bookworm-standard-amd64-generic-v3.3.0-k3sv1.32.0-k3s1
+    command:
+      - "/bin/bash"
+      - "-c"
+    args:
+      - bash /host/run/system-upgrade/secrets/custom-script/add-config-file.sh
+  secrets:
+    - name: custom-script
+      path: /host/run/system-upgrade/secrets/custom-script

readme.md

@@ -10,15 +10,16 @@
 
 - Grab the latest image from https://github.com/kairos-io/kairos/releases, the image should have the format `kairos-debian-bookworm-standard-amd64-generic-v3.1.1-k3sv1.30.2+k3s1`.
   The main things we're looking for are the latest debian, standard, amd64, then the versions of kairos (v3.1.1) and k3s (1.30.2).
+  - Update the image at https://gitea.home.joemonk.co.uk/joe/kairos-custom to the latest kairos image and build it if additional tooling is needed in the image
 - Burn to usb
+  -  Rufus can struggle with the image, Ventoy worked perfectly using the live image launch
 - Boot from usb, live install and go to the config webui
   - If doing the firebat and it doesn't boot into bios or the drive, in grub press `c` then type `fwsetup` to reboot into bios
-  - Rufus struggles with the image, Ventoy worked perfectly using the live image launch
 - Add the public keys to the config (from ~/.ssh - `ssh-keygen -t ed25519 -C "joemonk@hotmail.co.uk"`)
-- Update the image at https://gitea.home.joemonk.co.uk/joe/kairos-custom to the latest kairos image and build it
+- Update the image in the kairos-config to reflect the image being used, as well as any ssh keys or additional changes needed
-- Update the image in the kairos-config to reflect that build
+- Put the kairos-config in, check shutdown and let it install
-- Put the kairos-config in, check the shutdown button and let it install
+- Remove the usb & start the machine, wait for full boot
-- Remove the usb, ssh in with using the specific private key (i.e. from ~/.ssh - `ssh -i ./kairos kairos@192.168.1.101` or add the following to ~/.ssh/config to just use `ssh 192.168.1.101`)
+- ssh in with using the specific private key added in the config (i.e. from ~/.ssh - `ssh -i ./kairos kairos@192.168.1.101` or add the following to ~/.ssh/config to just use `ssh 192.168.1.101`)
 
 ```
 Host 192.168.1.101
@@ -31,7 +32,7 @@ Host 192.168.1.101
 
 Go to https://gitea.home.joemonk.co.uk/joe/kairos-custom and add the new packages to the dockerfile  
 This image will be built when pushed  
-Follow the steps to upgrade/reinstall with the new image in the config - or just upgrade the image as per the docs (not tested yet)
+Follow the steps to upgrade/reinstall with the new image in the config - or just upgrade the image to the new image
 
 ## Upgrading
 
@@ -39,7 +40,12 @@ SSH into the server and run `sudo kairos-agent upgrade --source oci:gitea.home.j
 
 ## Reset
 
-Reboot to the recovery image with `kairos-agent bootentry --select statereset` to clear all data.
+A full reset is a bit of a pain, as as far as I can tell, the "normal" reset keeps the current k8s state and data, which is probably not why we're after resetting.  
+> :warning: This *will* delete everything.  
+
+First of all, ensure the system-update-controller is installed on kairos (run from server/pc with kairos context) - `kubectl apply -k github.com/rancher/system-upgrade-controller`  
+You can then modify the `kairos-reset.yaml` to include the latest images, and `kairos-config.yaml`, and apply it with `cat reset.yaml | kubectl apply -f -`  
+This should then take a few minutes to reset the machine and reboot, meaning we can ssh in, grab the kubeconfig and re-bootstrap flux to reinstall everything.
 
 ## Kubectl
 
@@ -64,7 +70,7 @@ kubectl create secret generic sops-age \
 Delete age.agekey after sending it to the cluster.  
 Then update the encryption with `sops updatekeys -y apps/gluetun/secret.yaml`.
 
-In fish you can updatekeys in every secret   
+In fish you can updatekeys in every secret (can just change to the bash equivalent if using bash)  
 `for file in $(grep --include="*.yaml" -lr "sops:"); sops updatekeys -y $file; end`
 
 ### Using sops
@@ -93,7 +99,7 @@ We need to point a dns server to the server so we can access things via hostname
 - Make sure Services > UnboundDNS is active and working
 - In overrides, add the host as `*`, domain as `k3s` and value as the ip address of the server
 
-You should be able to access `http://traefik.k3s:9000/dashboard#/` (at the time of writing, looking to route this properly)
+You should be able to access `http://traefik.k3s/dashboard#/` (at the time of writing, looking to route this properly)
 
 ## Grafana