Home Infrastructure Cluster Manager

Manage a home Kubernetes infrastructure cluster using Talos Linux, Flux GitOps, SOPS encryption, and Task automation.

Overview

This skill helps you work with a home infrastructure repository based on the onedr0p/cluster-template pattern. The cluster uses:

**Talos Linux** as the Kubernetes operating system

**Flux** for GitOps-based cluster management

**SOPS** with Age for secrets encryption

**Task** (go-task) for automation

**Cilium** for CNI

**cert-manager** for certificates

**OpenEBS** for storage

Repository Structure

The repository follows this structure:

```

├── kubernetes/ # Kubernetes manifests managed by Flux

│ ├── apps/ # Application deployments

│ ├── bootstrap/ # Bootstrap configuration (Talos patches)

│ └── flux/ # Flux system configuration

├── talos/ # Talos Linux configuration

│ └── clusterconfig/ # Generated node configs

├── bootstrap/ # Bootstrap templates and scripts

│ ├── templates/ # Jinja2 templates for config generation

│ └── scripts/ # Bootstrap helper scripts

├── scripts/ # Utility scripts

├── .taskfiles/ # Task automation files

│ ├── bootstrap/ # Bootstrap tasks

│ ├── kubernetes/ # Kubernetes tasks

│ ├── talos/ # Talos tasks

│ └── workstation/ # Workstation setup tasks

└── .github/ # GitHub Actions workflows

```

Instructions

Environment Setup

1. **Initialize Configuration**

- Run `task init` to create `config.yaml` from `config.sample.yaml`

- Edit `config.yaml` with cluster-specific settings

- Ensure `age.key` exists for SOPS encryption (never commit unencrypted)

2. **Install Dependencies**

- Run `task workstation:brew` to install CLI tools via Homebrew

- Run `task workstation:venv` to setup Python virtual environment

- Verify `KUBECONFIG` points to `./kubeconfig` (managed by direnv)

3. **Validate Configuration**

- Run `task configure` to render and validate all configuration files

Cluster Operations

#### Initial Cluster Deployment

1. **Bootstrap Talos Cluster**

- Run `task bootstrap:talos` to deploy and bootstrap the Talos cluster

- This generates node configs and applies them to cluster nodes

2. **Install Flux**

- Run `task bootstrap:flux` to install Flux and sync to Git

- Flux will begin reconciling manifests from the `kubernetes/` directory

#### Node Management

**Regenerate Talos configs**: `task talos:generate-config`

**Apply config to specific node**: `task talos:apply-node HOSTNAME=<node>`

**Upgrade Talos on node**: `task talos:upgrade-node HOSTNAME=<node>`

**Upgrade Kubernetes version**: `task talos:upgrade-k8s`

**Reset cluster**: `task talos:reset` (maintenance mode)

#### Monitoring & Inspection

**View cluster resources**: `task kubernetes:resources`

**List all tasks**: `task --list`

Working with Secrets

All files matching `*.sops.*` are encrypted with SOPS/Age encryption.

1. **Edit encrypted secrets**:

```bash

sops <file>.sops.yaml

```

2. **Verify encryption before commit**:

- Ensure all secrets files are encrypted

- Check `.sops.yaml` for encryption rules

- Age key must be available at `./age.key`

Configuration Files

Key files to be aware of:

`config.yaml` - Main cluster configuration (generated, do not commit if contains secrets)

`talconfig.yaml` / `talhelper.yaml` - Talos cluster definitions

`kubernetes/flux/` - Flux kustomizations and sources

`.sops.yaml` - SOPS encryption rules

`age.key` - Age encryption key (must be protected)

GitHub Actions

The repository includes workflows for:

`labeler.yaml` - Auto-label pull requests

`label-sync.yaml` - Sync GitHub labels from config

`release.yaml` - Create monthly releases

`e2e.yaml` - End-to-end testing

Common Tasks

When the user requests cluster operations:

1. **Always check current context**: Verify you're in the repository root

2. **Use Task commands**: All operations should use `task` commands, not direct CLI calls

3. **Review before destructive operations**: Operations like `talos:reset` or node upgrades should be confirmed

4. **Check secrets encryption**: Before committing, verify all secrets files are encrypted

5. **Follow GitOps patterns**: Changes to applications should be made via manifests in `kubernetes/apps/`

Examples

**Example 1: Initial cluster setup**

```bash

task init

task configure

task workstation:brew

task workstation:venv

task bootstrap:talos

task bootstrap:flux

```

**Example 2: Upgrade a node**

```bash

task talos:upgrade-node HOSTNAME=control-01

```

**Example 3: Edit encrypted secret**

```bash

sops kubernetes/apps/media/sonarr/app/secret.sops.yaml

```

**Example 4: View cluster resources**

```bash

task kubernetes:resources

```

Important Notes

Python virtual environment is located in `.venv/`

This repo uses `mise` for tool version management in CI environments

Kubernetes manifests follow Flux conventions (HelmRelease, Kustomization)

CNI is Cilium, certificates via cert-manager, storage via OpenEBS

Always ensure `age.key` is present and protected

Never commit unencrypted secrets or the `age.key` file

The cluster uses direnv to set `KUBECONFIG=./kubeconfig`

Constraints

Do not modify files in `talos/clusterconfig/` manually - these are generated

Always use SOPS for editing encrypted secrets

Follow the repository's GitOps patterns - don't apply manifests directly with kubectl

Respect the Task automation - use defined tasks rather than raw commands

Maintain the directory structure conventions from onedr0p/cluster-template

Home Infrastructure Cluster Manager

Home Infrastructure Cluster Manager

Overview

Repository Structure

Instructions

Environment Setup

Cluster Operations

Working with Secrets

Configuration Files

GitHub Actions

Common Tasks

Examples

Important Notes

Constraints

Reviews (0)