From f1b2e3b27c952baeb64f50bc3b49475bfb42eee1 Mon Sep 17 00:00:00 2001
From: Devin Buhl
Date: Sun, 5 Jan 2025 08:45:43 -0500
Subject: [PATCH] feat: update config options and taskfiles
Signed-off-by: Devin Buhl
---
 .github/tests/config-talos.yaml | 7 +-
 .taskfiles/talos/Taskfile.yaml | 26 ++----
 README.md | 2 +-
 config.sample.yaml | 83 +++++++++----------
 .../webhooks/app/github/secret.sops.yaml.j2 | 2 +-
 .../kubernetes/flux/config/cluster.yaml.j2 | 4 +-
 6 files changed, 55 insertions(+), 69 deletions(-)
diff --git a/.github/tests/config-talos.yaml b/.github/tests/config-talos.yaml
index dc60f3d0582..fb8b0d7d91f 100644
--- a/.github/tests/config-talos.yaml
+++ b/.github/tests/config-talos.yaml
@@ -25,9 +25,10 @@ tls_sans: ["fake"]
 age_pubkey: $TEMPLATE_AGE_PUBLIC_KEY
 bgp:
 enabled: false
-github_address: https://github.com/onedr0p/cluster-template
-github_branch: main
-github_webhook_token: fake
+github:
+ address: https://github.com/onedr0p/cluster-template
+ branch: main
+ webhook_token: fake
 cloudflare:
 enabled: true
 domain: fake
diff --git a/.taskfiles/talos/Taskfile.yaml b/.taskfiles/talos/Taskfile.yaml
index 86fb16178ad..c58ec1d3ff1 100644
--- a/.taskfiles/talos/Taskfile.yaml
+++ b/.taskfiles/talos/Taskfile.yaml
@@ -34,8 +34,8 @@ tasks:
 requires:
 vars: [HOSTNAME]
 preconditions:
- - talosctl --nodes {{.HOSTNAME}} get machineconfig &>/dev/null
- - talosctl config info &>/dev/null
+ - talosctl --nodes {{.HOSTNAME}} get machineconfig
+ - talosctl config info
 - test -f {{.TALHELPER_CLUSTER_DIR}}/{{.CLUSTER_NAME}}-{{.HOSTNAME}}.yaml
 - test -f {{.TALOSCONFIG}}
 - which talosctl yq
@@ -43,10 +43,8 @@ tasks:
 upgrade-node:
 desc: Upgrade Talos on a single node [HOSTNAME=required]
 cmds:
- - task: down
 - talosctl --nodes {{.HOSTNAME}} upgrade --image="factory.talos.dev/installer{{if eq .TALOS_SECUREBOOT "true"}}-secureboot{{end}}/{{.TALOS_SCHEMATIC_ID}}:{{.TALOS_VERSION}}" --timeout=10m
 - talosctl --nodes {{.HOSTNAME}} health --wait-timeout=10m --server=false
- - task: up
 vars:
 TALOS_SCHEMATIC_ID:
 sh: kubectl get node {{.HOSTNAME}} --output=jsonpath='{.metadata.annotations.extensions\.talos\.dev/schematic}'
@@ -58,8 +56,8 @@ tasks:
 vars: [HOSTNAME]
 preconditions:
 - curl -fsSL -o /dev/null --fail https://github.com/siderolabs/talos/releases/tag/{{.TALOS_VERSION}}
- - talosctl --nodes {{.HOSTNAME}} get machineconfig &>/dev/null
- - talosctl config info &>/dev/null
+ - talosctl --nodes {{.HOSTNAME}} get machineconfig
+ - talosctl config info
 - test -f {{.TALOSCONFIG}}
 - which kubectl talosctl yq
@@ -73,8 +71,8 @@ tasks:
 sh: yq '.kubernetesVersion' {{.TALHELPER_CONFIG_FILE}}
 preconditions:
 - curl -fsSL -o /dev/null --fail https://github.com/siderolabs/kubelet/releases/tag/{{.KUBERNETES_VERSION}}
- - talosctl --nodes {{.KUBERNETES_CONTROLLER}} get machineconfig &>/dev/null
- - talosctl config info &>/dev/null
+ - talosctl --nodes {{.KUBERNETES_CONTROLLER}} get machineconfig
+ - talosctl config info
 - test -f {{.TALOSCONFIG}}
 - which talosctl yq
@@ -85,15 +83,3 @@ tasks:
 cmd: talhelper gencommand reset --config-file {{.TALHELPER_CONFIG_FILE}} --out-dir {{.TALHELPER_CLUSTER_DIR}} --extra-flags="--reboot {{- if eq .CLI_FORCE false }} --system-labels-to-wipe STATE --system-labels-to-wipe EPHEMERAL{{ end }} --graceful=false --wait=false" | bash
 preconditions:
 - which talhelper
-
- down:
- internal: true
- cmd: flux --namespace flux-system suspend kustomization --all
- preconditions:
- - which flux
-
- up:
- internal: true
- cmd: flux --namespace flux-system resume kustomization --all
- preconditions:
- - which flux
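Review bot: The @@ -43 hunk drops the `task: down` / `task: up` wrapping around the upgrade, but the task's `desc` reads exactly as before, so an operator gets no hint that Flux kustomizations are now left reconciling while the node is upgraded and health-checked. If that is intended, a one-line comment above `cmds:` such as `# Flux is intentionally left running during the upgrade; suspend it manually if a reconcile would interfere` makes the change read as deliberate rather than accidental. The other three hunks only drop `&>/dev/null` from preconditions; whether their output now reaches the console depends on how Task runs preconditions, which is not visible here.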
diff --git a/README.md b/README.md
index 0e7d9af3f0c..a811e9a0f16 100644
--- a/README.md
+++ b/README.md
@@ -216,7 +216,7 @@ By default Flux will periodically check your git repository for changes. In orde
 https://flux-webhook.${cloudflare.domain}/hook/12ebd1e363c641dc3c2e430ecf3cee2b3c7a5ac9e1234506f6f5f3ce1230e123
 ```
-3. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook URL and your `github_webhook_token` secret in `config.yaml`, Content type: `application/json`, Events: Choose Just the push event, and save.
+3. Navigate to the settings of your repository on Github, under "Settings/Webhooks" press the "Add webhook" button. Fill in the webhook URL and your `${github.webhook_token}` secret in `config.yaml`, Content type: `application/json`, Events: Choose Just the push event, and save.
 ## 💥 Reset
diff --git a/config.sample.yaml b/config.sample.yaml
index 8874d68e71e..328bfc1e1bd 100644
--- a/config.sample.yaml
+++ b/config.sample.yaml
@@ -1,7 +1,7 @@
 ---
 #
-# 1. (REQUIRED) Cluster details - Cluster represents the Kubernetes cluster layer and any additional customizations
+# (REQUIRED) Cluster details - Cluster represents the Kubernetes cluster layer and any additional customizations
 #
 # (REQUIRED) Cluster name; affects Cilium and Talos
@@ -25,12 +25,12 @@ node_inventory: []
 # mtu: "" # (OPTIONAL) MTU for the NIC. DEFAULT: 1500
 # ...
-# (REQUIRED) The DNS servers to use for the cluster nodes.
+# (REQUIRED) The DNS servers to use for the cluster nodes. (DEFAULT: Cloudflare DNS)
 dns_servers:
 - "1.1.1.1"
 - "1.0.0.1"
-# (REQUIRED) The NTP servers to use for the cluster nodes.
+# (REQUIRED) The NTP servers to use for the cluster nodes. (DEFAULT: Cloudflare NTP)
 ntp_servers:
 - "162.159.200.1"
 - "162.159.200.123"
@@ -89,51 +89,38 @@ bgp:
 # If you want to use IPv6 check the advanced flags below
 advertised_network: ""
-# (OPTIONAL) Secureboot and TPM-based disk encryption
-# Ref: https://www.talos.dev/v1.8/talos-guides/install/bare-metal-platforms/secureboot
-secureboot:
- # (OPTIONAL) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode.
- enabled: false
- # (OPTIONAL) Enable TPM-based disk encryption. Requires TPM 2.0
- encrypt_disk: false
-
 # (OPTIONAL) Change Cilium load balancer mode
 # Ref: https://docs.cilium.io/en/stable/network/kubernetes/kubeproxy-free/
 loadbalancer_mode: "dsr"
-#
-# 2. (REQUIRED) Flux details - Flux is used to manage the cluster configuration.
-#
-
-# (REQUIRED) GitHub repository URL
-# For a public repo use the 'https://' URL (e.g. "https://github.com/onedr0p/cluster-template.git")
-# For a private repo use the 'ssh://' URL (e.g. "ssh://git@github.com/onedr0p/cluster-template.git")
-# If using a private repo make sure to following the instructions with the 'github_private_key' option below.
-github_address: ""
-
-# (REQUIRED) GitHub repository branch
-github_branch: "main"
-
-# (REQUIRED) Token for GitHub push-based sync
-# 1. Generate a new token with the following command:
-# > openssl rand -hex 16
-# 2. Copy the token and paste it below
-github_webhook_token: ""
-
-# (OPTIONAL) Private key for Flux to access the GitHub repository
-# 1. Generate a new key with the following command:
-# > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
-# 2. Make sure to paste public key from "github-deploy.key.pub" into
-# the deploy keys section of your GitHub repository settings.
-# 3. Uncomment and paste the private key below
-# 4. Optionally set your repository on GitHub to private
-# github_private_key: |
-# -----BEGIN OPENSSH PRIVATE KEY-----
-# ...
-# -----END OPENSSH PRIVATE KEY-----
+# (REQUIRED) GitHub details for Flux - Flux is used to manage the cluster configuration.
+github:
+ # (REQUIRED) GitHub repository URL
+ # For a public repo use the 'https://' URL (e.g. "https://github.com/onedr0p/cluster-template.git")
+ # For a private repo use the 'ssh://' URL (e.g. "ssh://git@github.com/onedr0p/cluster-template.git")
+ # If using a private repo make sure to following the instructions with the 'github_private_key' option below.
+ address: ""
+ # (REQUIRED) GitHub repository branch
+ branch: "main"
+ # (REQUIRED) Token for GitHub push-based sync
+ # 1. Generate a new token with the following command:
+ # > openssl rand -hex 16
+ # 2. Copy the token and paste it below
+ webhook_token: ""
+ # (OPTIONAL) Private key for Flux to access the GitHub repository
+ # 1. Generate a new key with the following command:
+ # > ssh-keygen -t ecdsa -b 521 -C "github-deploy-key" -f github-deploy.key -q -P ""
+ # 2. Make sure to paste public key from "github-deploy.key.pub" into
+ # the deploy keys section of your GitHub repository settings.
+ # 3. Uncomment and paste the private key below
+ # 4. Optionally set your repository on GitHub to private
+ # private_key: |
+ # -----BEGIN OPENSSH PRIVATE KEY-----
+ # ...
+ # -----END OPENSSH PRIVATE KEY-----
 #
-# 3. (OPTIONAL) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling.
+# (OPTIONAL) Cloudflare details - Cloudflare is used for DNS, TLS certificates and tunneling.
 #
 cloudflare:
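Review bot: The comment above the new `address:` line still points readers to the `'github_private_key'` option, but the key it refers to is now nested and commented out as `private_key:` further down the same block, so anyone following the private-repo instructions looks for a name that no longer exists; the sentence also reads `make sure to following`. Suggested replacement: `# If using a private repo make sure to follow the instructions with the 'private_key' option below.`. The rest of the moved comments are consistent with the new nesting.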
@@ -192,6 +179,18 @@ cloudflare:
 # in your nodes host network that is NOT being used. This is announced over L2.
 ingress_vip: ""
+#
+# (ADVANCED) Here be dragons - Advanced settings for the brave
+#
+
+# (OPTIONAL) Secureboot and TPM-based disk encryption
+# Ref: https://www.talos.dev/v1.9/talos-guides/install/bare-metal-platforms/secureboot
+secureboot:
+ # (OPTIONAL) Enable secureboot on UEFI systems. Not supported on x86 platforms in BIOS mode.
+ enabled: false
+ # (OPTIONAL) Enable TPM-based disk encryption. Requires TPM 2.0
+ encrypt_disk: false
+
 # (OPTIONAL) Feature gates are used to enable experimental features
 feature_gates:
 # Enable Dual Stack IPv4 first
diff --git a/templates/config/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2 b/templates/config/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2
index 1ada489784c..ba68848aa7c 100644
--- a/templates/config/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2
+++ b/templates/config/kubernetes/apps/flux-system/webhooks/app/github/secret.sops.yaml.j2
@@ -4,4 +4,4 @@ kind: Secret
 metadata:
 name: github-webhook-token-secret
 stringData:
- token: "#{ github_webhook_token }#"
+ token: "#{ github.webhook_token }#"
diff --git a/templates/config/kubernetes/flux/config/cluster.yaml.j2 b/templates/config/kubernetes/flux/config/cluster.yaml.j2
index 2ebe74b27ca..c0065d76f2f 100644
--- a/templates/config/kubernetes/flux/config/cluster.yaml.j2
+++ b/templates/config/kubernetes/flux/config/cluster.yaml.j2
@@ -6,13 +6,13 @@ metadata:
 namespace: flux-system
 spec:
 interval: 30m
- url: "#{ github_address }#"
+ url: "#{ github.address }#"
 #% if github_private_key %#
 secretRef:
 name: github-deploy-key
 #% endif %#
 ref:
- branch: "#{ github_branch | default('main', true) }#"
+ branch: "#{ github.branch | default('main', true) }#"
 ignore: |
 # exclude all
 /*
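Review bot: The changed `token:` line renders `github.webhook_token` verbatim into the Secret, and the sample in this same commit initialises that field to `""`, so a user who misses the (REQUIRED) comment gets a successfully rendered Secret with an empty token instead of a render failure; how the Flux Receiver treats an empty token is not visible here, so the safe assumption is that the hook would not be protected as intended. If the render step has an input-validation stage (not shown in this diff), rejecting an empty `github.webhook_token` there would catch this before the manifest is committed. The Secret's header lines are outside the hunk.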
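Review bot: The `#% if github_private_key %#` guard two lines below the changed `url:` line still tests the old top-level name, while this commit moves the option under `github:` (the sample now shows it as a nested `private_key`), so with a config written to the new sample the guard is either falsy or a render error depending on the renderer's undefined handling, and in the falsy case the `secretRef` to `github-deploy-key` is silently omitted and a private `ssh://` repository is fetched without credentials. Unless a compatibility alias for `github_private_key` is defined elsewhere (not visible in this diff), the guard should read `#% if github.private_key %#`, and any other template still referencing `github_private_key` needs the same rename. The GitRepository resource begins outside the hunk.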