.taskfiles/talos/taskfile.yaml

---
# yaml-language-server: $schema=https://taskfile.dev/schema.json
version: "3"

vars:
  TALOS_CONTROLLER:
    sh: talosctl config info --output json | jq --raw-output '.endpoints[]' | shuf -n 1

tasks:
  generate:
    desc: Generate Talos machine configurations
    dir: "{{.TALOS_DIR}}"
    env:
      VAULT: 'Homelab'
    cmds:
      - op run --env-file="./op.env" -- talhelper genconfig
    sources:
      - talconfig.yaml
      - talsecret.yaml
    generates:
      - clusterconfig/*.yaml
      - clusterconfig/talosconfig

  apply-config:
    desc: Apply Talos config on a node
    dir: "{{.TALOS_DIR}}"
    cmds:
      - task: generate
      - task: wait_for_health
        vars: { TIMEOUT: 30s }
      - talhelper gencommand apply -n {{.node}} | bash
    requires:
      vars: ["node"]

  upgrade-talos:
    desc: Upgrade Talos on a node
    dir: "{{.TALOS_DIR}}"
    cmds:
      - task: generate
      - task: wait_for_health
        vars: { TIMEOUT: 30s }
      - talhelper gencommand upgrade -n {{.node}} --extra-flags=--stage | bash
    requires:
      vars: ["node"]

  upgrade-k8s:
    desc: Upgrade Kubernetes
    dir: "{{.TALOS_DIR}}"
    cmds:
      - task: generate
      - task: wait_for_health
        vars: { TIMEOUT: 30s }
      - talosctl -n {{.TALOS_CONTROLLER}} etcd snapshot etcd.backup
      - talhelper gencommand upgrade-k8s | bash

  wait_for_health:
    internal: True
    desc: Wait for services in cluster to be healthy
    cmds:
      # Ensure CephCluster is healthy
      # - kubectl -n rook-ceph wait --for jsonpath='{.status.ceph.health}'='HEALTH_OK' --timeout {{ .TIMEOUT | default "30s" }} cephcluster rook-ceph
      # Ensure CloudNative-PG cluster has 3 ready instances
      - kubectl -n databases wait --for jsonpath='{.status.readyInstances}'='3' --timeout {{ .TIMEOUT | default "30s" }} cluster postgres16
      - kubectl -n databases wait --for jsonpath='{.status.readyInstances}'='3' --timeout {{ .TIMEOUT | default "30s" }} cluster postgres17

  bootstrap:
    desc: Bootstrap Talos

    cmds:
      - task: :talos:generate
      - task: :talos:bootstrap-apply-config
      - task: :talos:bootstrap-etcd
      - task: :talos:kubeconfig
      - task: :talos:bootstrap-core-apps

  bootstrap-apply-config:
    desc: Apply Talos config on all nodes
    dir: "{{.TALOS_DIR}}"
    cmds:
      - talhelper gencommand apply --extra-flags=--insecure | bash

  bootstrap-etcd:
    desc: Bootstrap etcd
    cmds:
      - until talosctl --nodes {{.TALOS_CONTROLLER}} bootstrap; do sleep 10; done

  talosconfig:
    desc: Get an updated version of talosconfig
    cmds:
      - cp infrastructure/talos/clusterconfig/talosconfig ~/.talos/config

  kubeconfig:
    desc: Get an updated version of kubeconfig with updated/rotated certificates
    cmds:
      - talosctl kubeconfig ~/.kube/configs/mainframe -n {{.TALOS_CONTROLLER}}
      - kubectl config rename-context admin@mainframe mainframe

  bootstrap-core-apps:
    desc: Bootstrap core helm apps
    vars:
      BOOTSTRAP_TEMPLATES:
        sh: ls {{.CLUSTER_DIR}}/bootstrap/secrets/*.j2
    env:
      VAULT: 'Homelab'
    cmds:
      - until kubectl wait --for=condition=Ready=False nodes --all --timeout=600s; do sleep 10; done
      - for: { var: BOOTSTRAP_TEMPLATES }
        cmd: >
          op run --env-file {{.CLUSTER_DIR}}/bootstrap/op.env --no-masking --
          minijinja-cli --env --trim-blocks --lstrip-blocks --autoescape=none {{.ITEM}}
          | kubectl apply --server-side --filename -
      - helmfile --file {{.CLUSTER_DIR}}/bootstrap/helmfile.yaml apply --skip-diff-on-install --suppress-diff
      - until kubectl wait --for=condition=Ready nodes --all --timeout=600s; do sleep 10; done

  write-talos-amd64-to-usb:
    desc: Write Talos image to USB drive to be used with Raspberry Pi 4
    silent: true
    cmds:
      - "curl -LOC - https://factory.talos.dev/image/dafae93fc4a2c32184af894f78c74d04f1ccabd000f0d2b2bb951628c97ac5c8/v1.9.3/metal-amd64.raw.xz && xz -d metal-amd64.raw.xz"
      - "diskutil list"
      - |
        echo "Path to USB drive:"
        read path;
        diskutil unmount ${path} || true
        diskutil unmountDisk ${path} || true
        echo "Writing image to: ${path}";
        sudo dd if=metal-amd64.raw of=${path} bs=4m && sync
      - "rm metal-amd64.raw"