dotcomscripts · buroa · Sep 2, 2025 · Sep 2, 2025 · Sep 2, 2025 · Sep 2, 2025
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Flux Local
 
 on:

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Image Pull
 
 on:

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Label Sync
 
 on:

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Labeler
 
 on:

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Renovate
 
 on:

@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
 name: Tag
 
 on:

@@ -3,16 +3,17 @@
   packageRules: [
     {
       description: "1Password Connect Group",
-      groupName: "1Password Connnect",
+      groupName: "1password-connect",
       matchDatasources: ["docker"],
       matchPackageNames: ["/1password/"],
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
     {
       description: "Actions Runner Controller Group",
-      groupName: "Actions Runner Controller",
+      groupName: "actions-runner-controller",
       matchDatasources: ["docker"],
       matchPackageNames: [
         "/gha-runner-scale-set-controller/",
@@ -21,63 +22,56 @@
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
     {
-      description: "Cert-Manager Group",
-      groupName: "Cert-Manager",
-      matchDatasources: ["docker"],
-      matchPackageNames: ["/cert-manager/"],
-      group: {
-        commitMessageTopic: "{{{groupName}}} group",
-      },
-    },
-    {
-      description: "Cilium Group",
-      groupName: "Cilium",
-      matchDatasources: ["docker"],
-      matchPackageNames: ["/cilium/"],
-      group: {
-        commitMessageTopic: "{{{groupName}}} group",
-      },
-    },
-    {
-      description: "CoreDNS Group",
-      groupName: "CoreDNS",
+      description: "Flux Operator Group",
+      groupName: "flux-operator",
       matchDatasources: ["docker"],
-      matchPackageNames: ["/coredns/"],
+      matchPackageNames: ["/flux-operator/", "/flux-instance/"],
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
     {
-      description: "External Secrets Operator Group",
-      groupName: "External Secrets Operator",
+      description: "Intel Device Plugins Group",
+      groupName: "intel-device-plugins",
       matchDatasources: ["docker"],
-      matchPackageNames: ["/external-secrets/"],
+      matchPackageNames: [
+        "/intel-device-plugins-operator/",
+        "/intel-device-plugins-gpu/",
+      ],
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
     {
-      description: "Flux Operator Group",
-      groupName: "Flux Operator",
+      description: "Kubernetes Group",
+      groupName: "kubernetes",
       matchDatasources: ["docker"],
-      matchPackageNames: ["/flux-operator/", "/flux-instance/"],
+      matchPackageNames: [
+        "/kube-apiserver/",
+        "/kube-controller-manager/",
+        "/kube-proxy/",
+        "/kube-scheduler/",
+        "/kubelet/",
+      ],
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 5,
     },
     {
-      description: "Intel Device Plugins Group",
-      groupName: "Intel-Device-Plugins",
+      description: "Talos Group",
+      groupName: "talos",
       matchDatasources: ["docker"],
-      matchPackageNames: [
-        "/intel-device-plugins-operator/",
-        "/intel-device-plugins-gpu/",
-      ],
+      matchPackageNames: ["/installer/", "/talosctl/"],
       group: {
         commitMessageTopic: "{{{groupName}}} group",
       },
+      minimumGroupSize: 2,
     },
   ],
 }
@@ -0,0 +1,17 @@
+{
+  $schema: "https://docs.renovatebot.com/renovate-schema.json",
+  packageRules: [
+    {
+      description: "Override Helmfile Dependency Name",
+      matchDatasources: ["docker"],
+      matchManagers: ["helmfile"],
+      overrideDepName: "{{packageName}}",
+    },
+    {
+      description: "Override Talos Installer Package Name",
+      matchDatasources: ["docker"],
+      matchPackageNames: ["/factory\\.talos\\.dev/"],
+      overridePackageName: "ghcr.io/siderolabs/installer",
+    },
+  ],
+}
@@ -4,12 +4,12 @@
     "config:recommended",
     "docker:enableMajor",
     "helpers:pinGitHubActionDigests",
-    "github>dotcomscripts/k8s-gitops//.renovate/allowedVersions.json5",
     "github>dotcomscripts/k8s-gitops//.renovate/autoMerge.json5",
     "github>dotcomscripts/k8s-gitops//.renovate/customManagers.json5",
     "github>dotcomscripts/k8s-gitops//.renovate/grafanaDashboards.json5",
     "github>dotcomscripts/k8s-gitops//.renovate/groups.json5",
     "github>dotcomscripts/k8s-gitops//.renovate/labels.json5",
+    "github>dotcomscripts/k8s-gitops//.renovate/overrides.json5",
     "github>dotcomscripts/k8s-gitops//.renovate/semanticCommits.json5",
     ":automergeBranch",
     ":dependencyDashboard",
@@ -22,12 +22,9 @@
   suppressNotifications: ["prEditedNotification", "prIgnoreNotification"],
   ignorePaths: ["**/resources/**"],
   flux: {
-    managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml$/"]
-  },
-  "helm-values": {
-    managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml$/"]
+    managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"],
   },
   kubernetes: {
-    managerFilePatterns: ["/(^|/)kubernetes/.+\\.ya?ml$/"]
+    managerFilePatterns: ["/\\.yaml(?:\\.j2)?$/"],
   },
 }
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: '3'
 
 tasks:
@@ -25,7 +26,8 @@ tasks:
       - defer: talosctl kubeconfig --nodes {{.RANDOM_CONTROLLER}} --force {{.KUBERNETES_DIR}}
       - until kubectl wait nodes --for=condition=Ready=False --all --timeout=10m; do sleep 5; done
       - op inject --in-file {{.BOOTSTRAP_DIR}}/secrets.yaml.tpl | kubectl apply --server-side --filename -
-      - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.yaml apply --skip-diff-on-install --suppress-diff
+      - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.d/00-crds.yaml template --quiet | kubectl apply --server-side --filename -
+      - helmfile --file {{.BOOTSTRAP_DIR}}/helmfile.d/01-apps.yaml sync --hide-notes
     vars:
       CONTEXT:
         sh: talosctl config info --output json | jq --raw-output '.context'
@@ -35,6 +37,7 @@ tasks:
       - op user get --me
       - talosctl config info
       - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig
-      - test -f {{.BOOTSTRAP_DIR}}/helmfile.yaml
+      - test -f {{.BOOTSTRAP_DIR}}/helmfile.d/00-crds.yaml
+      - test -f {{.BOOTSTRAP_DIR}}/helmfile.d/01-apps.yaml
       - test -f {{.BOOTSTRAP_DIR}}/secrets.yaml.tpl
       - which helmfile jq kubectl op talosctl
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: '3'
 
 tasks:
@@ -49,15 +50,3 @@ tasks:
         cmd: kubectl delete pods --all-namespaces --field-selector status.phase={{.ITEM.PHASE}} --ignore-not-found=true
     preconditions:
       - which kubectl
-
-  # https://docs.github.com/en/enterprise-cloud@latest/actions/hosting-your-own-runners/managing-self-hosted-runners-with-actions-runner-controller/deploying-runner-scale-sets-with-actions-runner-controller#upgrading-arc
-  upgrade-arc:
-    desc: Upgrade the ARC
-    cmds:
-      - helm -n actions-runner-system uninstall k8s-gitops-runner
-      - helm -n actions-runner-system uninstall actions-runner-controller
-      - sleep 5
-      - flux -n actions-runner-system reconcile hr actions-runner-controller
-      - flux -n actions-runner-system reconcile hr k8s-gitops-runner
-    preconditions:
-      - which flux helm
@@ -1,21 +1,14 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: '3'
 
-vars:
-  SYSTEM_UPGRADE_KS: '{{.KUBERNETES_DIR}}/apps/system-upgrade/system-upgrade-controller/ks.yaml'
-
-env:
-  KUBERNETES_VERSION:
-    sh: yq '.spec.postBuild.substitute.KUBERNETES_VERSION | select(.)' {{.SYSTEM_UPGRADE_KS}}
-  TALOS_VERSION:
-    sh: yq '.spec.postBuild.substitute.TALOS_VERSION | select(.)' {{.SYSTEM_UPGRADE_KS}}
-
 tasks:
 
   apply-node:
-    desc: Apply Talos config to a node [NODE=required] [MODE=auto]
-    cmd: |-
-      minijinja-cli {{.TALOS_DIR}}/machineconfig.yaml.j2 | op inject \
+    desc: Apply Talos config to a node [NODE=required] [MODE={{.MODE}}]
+    cmd: |
+      minijinja-cli --define "machinetype={{.MACHINE_TYPE}}" {{.TALOS_DIR}}/machineconfig.yaml.j2 \
+        | op inject \
         | talosctl --nodes {{.NODE}} apply-config \
           --mode {{.MODE}} \
           --config-patch @{{.TALOS_DIR}}/{{.MACHINE_TYPE}}/{{.NODE}}.yaml \
@@ -28,21 +21,14 @@ tasks:
         sh: |-
           talosctl --nodes {{.NODE}} get machinetypes --output=jsonpath='{.spec}' 2> /dev/null \
             || basename $(find '{{.TALOS_DIR}}' -name '{{.NODE}}.yaml' -printf '%h')
-    env:
-      MACHINE_TYPE: '{{.MACHINE_TYPE}}'
-      TALOS_SCHEMATIC:
-        sh: |-
-          curl --silent -X POST --data-binary @{{.TALOS_DIR}}/schematic.yaml https://factory.talos.dev/schematics \
-            | jq --raw-output '.id'
     requires:
       vars: [NODE]
     preconditions:
       - op user get --me
       - talosctl config info
       - test -f {{.TALOS_DIR}}/machineconfig.yaml.j2
       - test -f {{.TALOS_DIR}}/{{.MACHINE_TYPE}}/{{.NODE}}.yaml
-      - test -f {{.TALOS_DIR}}/schematic.yaml
-      - which curl jq minijinja-cli op talosctl
+      - which minijinja-cli op talosctl
 
   upgrade-node:
     desc: Upgrade Talos on a single node [NODE=required]
@@ -61,19 +47,8 @@ tasks:
       - talosctl --nodes {{.NODE}} get machineconfig
       - which minijinja-cli talosctl yq
 
-  upgrade-k8s:
-    desc: Upgrade Kubernetes across the whole cluster
-    cmd: talosctl --nodes {{.RANDOM_CONTROLLER}} upgrade-k8s --to $KUBERNETES_VERSION
-    vars:
-      RANDOM_CONTROLLER:
-        sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1
-    preconditions:
-      - talosctl config info
-      - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig
-      - which jq talosctl
-
   reboot-node:
-    desc: Reboot Talos on a single node [NODE=required] [MODE=default]
+    desc: Reboot Talos on a single node [NODE=required] [MODE={{.MODE}}]
     cmd: talosctl --nodes {{.NODE}} reboot --mode={{.MODE}}
     vars:
       MODE: '{{.MODE | default "default"}}'
@@ -119,7 +94,7 @@ tasks:
       - talosctl --nodes {{.NODES}} get machineconfig
       - which jq talosctl
 
-  kubeconfig:
+  generate-kubeconfig:
     desc: Generate the kubeconfig for a Talos cluster
     cmd: talosctl kubeconfig --nodes {{.RANDOM_CONTROLLER}} --force {{.KUBERNETES_DIR}}
     vars:
@@ -129,3 +104,26 @@ tasks:
       - talosctl config info
       - talosctl --nodes {{.RANDOM_CONTROLLER}} get machineconfig
       - which jq talosctl
+
+  generate-iso:
+    desc: Generate a Talos ISO for a specific version [VERSION=required]
+    cmd: |
+      curl -L -o {{.TALOS_DIR}}/talos-{{.VERSION}}.iso \
+        https://factory.talos.dev/image/{{.TALOS_SCHEMATIC}}/{{.VERSION}}/metal-amd64.iso
+    vars:
+      TALOS_SCHEMATIC:
+        sh: task --silent talos:generate-schematic
+    requires:
+      vars: [VERSION]
+    preconditions:
+      - which curl task
+
+  generate-schematic:
+    desc: Generate a Talos schematic
+    cmd: |
+      minijinja-cli {{.TALOS_DIR}}/schematic.yaml.j2 \
+        | curl --silent -X POST --data-binary @- https://factory.talos.dev/schematics \
+        | jq --raw-output '.id'
+    preconditions:
+      - test -f {{.TALOS_DIR}}/schematic.yaml.j2
+      - which curl jq minijinja-cli
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: '3'
 
 # Taskfile used to manage certain VolSync tasks for a given application, limitations are as followed.