Pythoner6
diff --git a/‎.github/workflows/demo.yaml
+9-1 b/‎.github/workflows/demo.yaml
+9-1
diff --git a/‎cue.mod/pkg/pythoner6.dev/c8s/c8s.cue
+159 b/‎cue.mod/pkg/pythoner6.dev/c8s/c8s.cue
+159
diff --git a/‎flake.nix
+5-15 b/‎flake.nix
+5-15
diff --git a/‎k8s/cert-manager/cert-manager.cue
+10-13 b/‎k8s/cert-manager/cert-manager.cue
+10-13
diff --git a/‎k8s/cilium/cilium.cue
+61-67 b/‎k8s/cilium/cilium.cue
+61-67
@@ -16,6 +16,8 @@ jobs:
         uses: cachix/install-nix-action@v23
         with:
           nix_path: nixpkgs=channel:nixos-23.11
+      - name: Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@main
       - name: Build manifests
         run: nix build .#ociImages
       - name: Push to registry
@@ -34,4 +36,10 @@ jobs:
           for chart in "${charts[@]}"; do
             skopeo copy --dest-tls-verify "oci:$chart" "docker://$BASE_URL/charts/$(get_chart_name "$chart"):$(get_chart_version "$chart")"
           done
-          skopeo copy --dest-tls-verify oci:result/apps "docker://$BASE_URL/netserv"
+          readarray -t apps <<< "$(find result/apps -maxdepth 1 -mindepth 1 -type d)"
+          for app in "${apps[@]}"; do
+            if [[ "$app" != "root" ]]; then
+              skopeo copy --dest-tls-verify "oci:$app" "docker://$BASE_URL/netserv/$(get_chart_name "$app")"
+            fi
+          done
+          skopeo copy --dest-tls-verify "oci:result/apps/root" "docker://$BASE_URL/netserv/$(get_chart_name "result/apps/root")"
@@ -0,0 +1,159 @@
+package c8s
+
+import (
+  "encoding/yaml"
+
+  corev1 "k8s.io/api/core/v1"
+  helmrepository "source.toolkit.fluxcd.io/helmrepository/v1beta2"
+  ocirepository "source.toolkit.fluxcd.io/ocirepository/v1beta2"
+  kustomizationv1 "kustomize.toolkit.fluxcd.io/kustomization/v1"
+)
+
+
+#Ref: {
+  #obj: {
+    apiVersion: string
+    kind: string
+    metadata: {
+      name: string
+      namespace?: string
+      ...
+    }
+    ...
+  }
+  apiVersion: #obj.apiVersion
+  kind: #obj.kind
+  if #obj.metadata.namespace != _|_ {
+    namespace: #obj.metadata.namespace
+  }
+  name: #obj.metadata.name
+}
+
+#DepRef: {
+  #obj: { 
+    metadata: {
+      name: string
+      namespace?: string
+      ...
+    }
+    ...
+  }
+  if #obj.metadata.namespace != _|_ {
+    namespace: #obj.metadata.namespace
+  }
+  name: #obj.metadata.name
+}
+
+ChartsDef=#Charts: {
+  #in: string
+  #repo: #Ref.#obj
+  for name, tag in yaml.Unmarshal(#in) & {[_]: string} {
+    (name): {
+      chart: name
+      version: tag
+      sourceRef: #Ref & {#obj: #repo}
+    }
+  }
+}
+
+#Namespace: corev1.#Namespace & {
+  #name: string
+  metadata: name: #name
+}
+
+#Resources: this={
+  #namespace: #Namespace
+  #asList: [for _, resource in this {resource}]
+  [Name=!~"^[_#]"]: {
+    metadata: {
+      namespace: string | *#namespace.metadata.name
+      name: string | *Name
+      ...
+    }
+    ...
+  }
+}
+
+#Kustomization: {
+  _#appName: string
+  #fullName: [if #name == "$default" {_#appName}, "\(_#appName)-\(#name)"][0]
+  #name: string
+  #namespace: #Namespace
+  #defaultResourceNamespace: #Namespace
+  #dependsOn: [...#Kustomization]
+  [!~"^[_#]"]: #Resources & {#namespace: _ | *#defaultResourceNamespace}
+}
+
+#Kustomizations: this={
+  #appName: string
+  #defaultKustomizationNamespace: #Namespace
+  #defaultResourceNamepsace: #Namespace
+  [Name=!~"^[_#]"]: #Kustomization & {
+    _#appName: #appName
+    #name: _ | *Name
+    #namespace: _ | *#defaultKustomizationNamespace
+    #defaultResourceNamespace: this.#defaultResourceNamespace
+  }
+}
+
+
+#FluxResources: #Resources & {
+  #namespace: #Namespace
+  #kustomizations: #Kustomizations
+  #repo: string
+  #appName: string
+  #digests: { [string]: string }
+  for kname, kustomization in #kustomizations {
+    repo="repository:\(kname)": ocirepository.#OCIRepository & {
+      metadata: {
+        "name": kustomization.#fullName
+        namespace: kustomization.#namespace.metadata.name
+      }
+      spec: {
+        url: "oci://\(#repo)/\(metadata.name)"
+        interval: string | *"24h"
+      }
+    }
+    "kustomization:\(kname)": kustomizationv1.#Kustomization & {
+      metadata: {
+        "name": kustomization.#fullName
+        namespace: kustomization.#namespace.metadata.name
+      }
+      spec: {
+        path: "./"
+        interval: _ | *"10m0s"
+        prune: _ | *true
+        sourceRef: #Ref & {#obj: repo}
+        dependsOn: [for dep in kustomization.#dependsOn {name: dep.#fullName, namespace: dep.#namespace.metadata.name}]
+        wait: _ | *true
+      }
+    }
+  }
+}
+
+#Default: this={
+  #appName: string
+  #defaultKustomizationNamespace: #Namespace
+  #defaultResourceNamespace: #Namespace
+  #repo: string
+  #charts: string
+  #chartsRepo: helmrepository.#HelmRepository
+
+  #Charts: ChartsDef & {
+    #in: #charts
+    #repo: #chartsRepo
+  }
+
+  kustomizations: #Kustomizations & {
+    #appName: this.#appName
+    #defaultKustomizationNamespace: this.#defaultKustomizationNamespace
+    #defaultResourceNamespace: this.#defaultResourceNamespace
+  }
+
+  #fluxResources: #FluxResources & {
+    #repo: this.#repo
+    #kustomizations: kustomizations
+    #appName: this.#appName
+    #namespace: #defaultKustomizationNamespace
+  }
+}
@@ -104,29 +104,19 @@
         default = manifests;
         manifests = cue.synth {
           name = "netserv";
-          #src = ./.;
-          #src = let x = lib.sources.sourceByRegex ./. [
-          #  #''^k8s/.*\.cue$''
-          #  #''^cue.mod/.*\.cue$''
-          #  #''^[^/]*\.cue$''
-          #  ''^.*\.cue$''
-          #  ''^k8s$''
-          #]; in builtins.trace x x;
-          #src = lib.cleanSourceWith {
-          #  filter = path: type: if type == "directory" then true else ;
-          #  src = ./.;
-          #};
-          src = lib.sources.sourceFilesBySuffices ./. [".cue"];
+          #src = lib.sources.sourceFilesBySuffices ./. [".cue"];
+          src = ./.;
           appsSubdir = "k8s";
+          rootAppName = "root";
           inherit charts;
           extraDefinitions = [ 
             (cue.fromCrds "flux-crds" flux-manifests) 
             (cue.fromCrds "cilium-crds" cilium-crds) 
             (cue.fromCrds "gateway-crds" gateway-crds)
           ];
           extraManifests = {
-            flux-components."flux-components.yaml" = flux-manifests;
-            cilium."crds.yaml" = gateway-crds;
+            flux.components."flux-components.yaml" = flux-manifests;
+            cilium.gateway-crds."crds.yaml" = gateway-crds;
           };
         };
         ociImages = cue.images {
 
@@ -8,22 +8,19 @@ import (
 appName: "cert-manager"
 
 kustomizations: {
-  helm: "manifest.yaml": {
-    clusterResources: ns: #AppNamespace
-    resources: {
-      (appName): helmrelease.#HelmRelease & {
-        spec: {
-          chart: spec: #Charts[appName]
-          interval: "10m0s"
-          values: installCRDs: true
-        }
+  helm: "release": {
+    ns: #AppNamespace
+    (appName): helmrelease.#HelmRelease & {
+      spec: {
+        chart: spec: #Charts[appName]
+        interval: "10m0s"
+        values: installCRDs: true
       }
     }
   }
-  $default: _dependsOn: [helm]
-  $default: "issuers.yaml": {
-    namespace: #AppNamespace
-    clusterResources: "self-signed": clusterissuer.#ClusterIssuer & {
+  $default: #dependsOn: [helm]
+  $default: "issuers": {
+    "self-signed": clusterissuer.#ClusterIssuer & {
       spec: selfSigned: {}
     }
   }
 
@@ -1,7 +1,7 @@
 package netserv
 
 import (
-  "encoding/yaml"
+  //"encoding/yaml"
 
   helmrelease "helm.toolkit.fluxcd.io/helmrelease/v2beta2"
   bgppolicy   "cilium.io/ciliumbgppeeringpolicy/v2alpha1"
@@ -10,79 +10,73 @@ import (
 
 appName: "cilium"
 
-kustomizations: "gateway-crds": {
-  _extraManifests: yaml.Unmarshal(extraManifests)
-}
+kustomizations: "gateway-crds": {}
 
-kustomizations: helm: _dependsOn: [kustomizations."gateway-crds"]
-kustomizations: helm: "manifest.yaml": {
-  resources: {
-    (appName): helmrelease.#HelmRelease & {
-      metadata: namespace: "kube-system"
-      spec: {
-        chart: spec: #Charts[appName]
-        interval: "10m0s"
-        values: {
-          bgpControlPlane: enabled: true
-          hubble: {
-            tls: auto: method: "cronJob"
-            relay: enabled: true
-            ui: enabled: true
-          }
-          clustermesh: apiserver: tls: auto: method: "cronJob"
-          ipam: mode: "kubernetes"
-          kubeProxyReplacement: true
-          l7Proxy: true
-          gatewayAPI: enabled: true
-          rolloutCiliumPods: true
-          operator: {
-            rolloutPods: true
-          }
-          ingressController: enabled: false
+kustomizations: helm: #dependsOn: [kustomizations."gateway-crds"]
+kustomizations: helm: "release": {
+  (appName): helmrelease.#HelmRelease & {
+    metadata: namespace: "kube-system"
+    spec: {
+      chart: spec: #Charts[appName]
+      interval: "10m0s"
+      values: {
+        bgpControlPlane: enabled: true
+        hubble: {
+          tls: auto: method: "cronJob"
+          relay: enabled: true
+          ui: enabled: true
+        }
+        clustermesh: apiserver: tls: auto: method: "cronJob"
+        ipam: mode: "kubernetes"
+        kubeProxyReplacement: true
+        l7Proxy: true
+        gatewayAPI: enabled: true
+        rolloutCiliumPods: true
+        operator: {
+          rolloutPods: true
+        }
+        ingressController: enabled: false
 
-          // Required for Talos
-          securityContext: capabilities: {
-            ciliumAgent: ["CHOWN","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","SYS_ADMIN","SYS_RESOURCE","DAC_OVERRIDE","FOWNER","SETGID","SETUID"]
-            cleanCiliumState: ["NET_ADMIN","SYS_ADMIN","SYS_RESOURCE"]
-          }
-          cgroup: {
-            autoMount: enabled: false
-            hostRoot: "/sys/fs/cgroup"
-          }
-          // Use Talos' kubeprism endpoint
-          k8sServiceHost: "localhost"
-          k8sServicePort: 7445
+        // Required for Talos
+        securityContext: capabilities: {
+          ciliumAgent: ["CHOWN","KILL","NET_ADMIN","NET_RAW","IPC_LOCK","SYS_ADMIN","SYS_RESOURCE","DAC_OVERRIDE","FOWNER","SETGID","SETUID"]
+          cleanCiliumState: ["NET_ADMIN","SYS_ADMIN","SYS_RESOURCE"]
+        }
+        cgroup: {
+          autoMount: enabled: false
+          hostRoot: "/sys/fs/cgroup"
         }
+        // Use Talos' kubeprism endpoint
+        k8sServiceHost: "localhost"
+        k8sServicePort: 7445
       }
     }
   }
 }
 
-kustomizations: bgp: _dependsOn: [kustomizations.helm]
-kustomizations: bgp: "manifest.yaml": {
-  clusterResources: {
-    "default-pool": ippool.#CiliumLoadBalancerIPPool & {
-      spec: blocks: [{cidr: "10.16.3.0/24"}]
-    }
-    default: bgppolicy.#CiliumBGPPeeringPolicy & { spec: {
-      nodeSelector: matchLabels: #DefaultBGPPolicyLabels
-      virtualRouters: [{
-        localASN: 64514
-        exportPodCIDR: false
-        serviceSelector: matchExpressions: [{key: "bgp", operator: "NotIn", values: ["disabled"]}]
-        neighbors: [{
-          peerAddress: "10.16.2.2/32"
-          peerASN: 64512
-          eBGPMultihopTTL: 10
-          connectRetryTimeSeconds: 120
-          holdTimeSeconds: 90
-          keepAliveTimeSeconds: 30
-          gracefulRestart: {
-            enabled: true
-            restartTimeSeconds: 120
-          }
-        }]
-      }]
-    }}
+kustomizations: bgp: #dependsOn: [kustomizations.helm]
+kustomizations: bgp: "manifest": {
+  "default-pool": ippool.#CiliumLoadBalancerIPPool & {
+    spec: blocks: [{cidr: "10.16.3.0/24"}]
   }
+  default: bgppolicy.#CiliumBGPPeeringPolicy & { spec: {
+    nodeSelector: matchLabels: #DefaultBGPPolicyLabels
+    virtualRouters: [{
+      localASN: 64514
+      exportPodCIDR: false
+      serviceSelector: matchExpressions: [{key: "bgp", operator: "NotIn", values: ["disabled"]}]
+      neighbors: [{
+        peerAddress: "10.16.2.2/32"
+        peerASN: 64512
+        eBGPMultihopTTL: 10
+        connectRetryTimeSeconds: 120
+        holdTimeSeconds: 90
+        keepAliveTimeSeconds: 30
+        gracefulRestart: {
+          enabled: true
+          restartTimeSeconds: 120
+        }
+      }]
+    }]
+  }}
 }