> **Note**
> The code included in this repository is not meant to be run as-is. It is merely a collection of infrastructure code and Kubernetes manifests that are used to deploy the toot.community Kubernetes cluster. You will need to adapt the code to your own needs and environment.
This repository contains the complete infrastructure-as-code setup for deploying a production Kubernetes cluster on Hetzner Cloud. The project uses:
- OpenTofu/Terraform - Infrastructure provisioning and management
- Talos Linux - Kubernetes-optimized operating system
- Packer - Custom OS image building
- ArgoCD - GitOps continuous deployment
- 1Password Connect - Secrets management
- Helm Charts - Application packaging (Mastodon, Varnish)
- Task - Build automation via `platform/Taskfile.yml`
The infrastructure follows GitOps principles, with ArgoCD managing application deployments from the `manifests/` directory.

- `platform/` - OpenTofu infrastructure code for Hetzner Cloud resources
- `packer/` - Talos Linux image building configuration
- `manifests/` - Kubernetes applications and cluster bootstrap configurations
- `charts/` - Custom Helm charts for Mastodon and Varnish
- `platform/configs/` - Environment-specific configuration files
Build a custom Talos Linux image for Hetzner Cloud using Packer:

```shell
cd packer
packer build .
```

Note the image ID from the output and update it in `configs/production.tfvars`.
Install OpenTofu first, then provision the Hetzner Cloud infrastructure:

```shell
cd platform
task plan   # Review planned changes
task apply  # Deploy infrastructure
```

This creates the Kubernetes cluster, networking, storage, and security groups as defined in the OpenTofu configuration files.
After infrastructure deployment, bootstrap the cluster with essential services:

```shell
cd platform
task get-kubeconfig   # Download cluster access credentials
task get-talosconfig  # Download Talos management credentials
cd ../

# Set up 1Password Connect for secrets management
kubectl create namespace op-connect
kubectl create --namespace op-connect secret generic op-credentials --from-literal=1password-credentials.json="$(op read 'op://toot.community/toot.community Production on Hetzner Credentials File/1password-credentials.json' | base64 -w 0)"
kubectl create --namespace op-connect secret generic onepassword-token --from-literal=token="$(op read 'op://toot.community/put37jzwsy6wtsfydfdwvpdaxm/credential')"

# Set up Hetzner Cloud integration
kubectl create --namespace kube-system secret generic hcloud \
  --from-literal=network="$(op read 'op://toot.community/6r6v2bqh6dhuunbn6nri4bw3sa/network')" \
  --from-literal=token="$(op read 'op://toot.community/6r6v2bqh6dhuunbn6nri4bw3sa/token')" \
  --from-literal=robot-user="$(op read 'op://toot.community/6r6v2bqh6dhuunbn6nri4bw3sa/robot-user')" \
  --from-literal=robot-password="$(op read 'op://toot.community/6r6v2bqh6dhuunbn6nri4bw3sa/robot-password')"

# Deploy core cluster services via ArgoCD
kustomize build --enable-helm --load-restrictor=LoadRestrictionsNone manifests/cluster-bootstrap | kubectl apply -f -
# Run the command again after the ArgoCD and 1Password CRDs are created
```

This bootstrap process installs:
- 1Password Connect for secure secrets management
- ArgoCD for GitOps deployments
- Core networking (Cilium)
- Certificate management (cert-manager)
- Other essential cluster services defined in the manifests
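The bootstrap relies on the three secrets created above (`op-credentials`, `onepassword-token` and `hcloud`) existing with exactly the right data keys; a missing key surfaces only later as a crash-looping 1Password Connect or hcloud controller pod. The preflight script below is an added example, not part of this repository, that checks each secret and its keys before the `kustomize` step without printing any secret values; it assumes `kubectl` is on the path and the kubeconfig from `task get-kubeconfig` is active.

```shell
#!/usr/bin/env bash
# Preflight check for the bootstrap step: confirm that every secret the
# 1Password Connect and hcloud integrations need exists with the expected
# keys. Secret values are never printed, only key names.
# Added example; not part of the toot.community repository.

# required_keys_present SECRET_JSON KEY...
# SECRET_JSON is the output of `kubectl get secret <name> -o json`.
# Returns 0 if every KEY appears in the secret JSON, 1 otherwise.
# This is a plain substring match on `"key":`, which is enough for the
# fixed key names used here (kubectl prints data keys as "key": "<base64>").
required_keys_present() {
  local json="$1"; shift
  local key
  for key in "$@"; do
    printf '%s' "$json" | grep -qF "\"$key\":" || return 1
  done
  return 0
}

# check_secret NAMESPACE NAME KEY...  (needs kubectl and cluster access)
check_secret() {
  local ns="$1" name="$2"; shift 2
  local json
  json="$(kubectl get secret "$name" --namespace "$ns" -o json 2>/dev/null)" || {
    echo "missing secret $ns/$name" >&2; return 1; }
  required_keys_present "$json" "$@" || {
    echo "secret $ns/$name is missing one of the keys: $*" >&2; return 1; }
  echo "ok: $ns/$name"
}

# preflight: the three secrets created in the bootstrap, with their keys.
# Returns non-zero if any secret or key is missing.
preflight() {
  local rc=0
  check_secret op-connect op-credentials 1password-credentials.json || rc=1
  check_secret op-connect onepassword-token token || rc=1
  check_secret kube-system hcloud network token robot-user robot-password || rc=1
  return "$rc"
}

# Constructed sample (not real cluster output): an hcloud secret that was
# created without the robot-* keys, which preflight must flag.
SAMPLE_HCLOUD_JSON='{"apiVersion":"v1","kind":"Secret","metadata":{"name":"hcloud","namespace":"kube-system"},"data":{"network":"MTIzNDU=","token":"eHh4"}}'
```

Source the file and run `preflight` before piping the `kustomize build` output into `kubectl apply`; a non-zero exit means one of the secrets above was not created correctly.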