From caba15583af54e8a9ec14162b53b845d1bdb0637 Mon Sep 17 00:00:00 2001
From: ducoterra
Date: Fri, 20 Oct 2023 00:02:41 -0400
Subject: [PATCH] add k3s arch
---
arch/k3s.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 65 insertions(+)
create mode 100644 arch/k3s.md
diff --git a/arch/k3s.md b/arch/k3s.md
new file mode 100644
index 0000000..7baedad
--- /dev/null
+++ b/arch/k3s.md
@@ -0,0 +1,65 @@
+# K3S Cluster
+
+## Cluster Setup
+
+1. Install wireguard
+
+ ```bash
+ pacman -S wireguard-tools linux-headers
+ ```
+
+2. Assign static IPs to each node
+
+ /etc/dhcpcd.conf
+
+ ```conf
+ ...
+ interface enp1s0
+ static ip_address=192.168.122.51/24 # 52, 53
+ static routers=192.168.122.1
+ static domain_name_servers=192.168.122.1
+ ```
+
+## K3S Installation
+
+1. Generate a secure token
+
+ ```bash
+ umask 077
+ k3s token generate > token.txt
+ export SECRET=$(cat token.txt)
+ ```
+
+2. Create the cluster
+
+ ```bash
+ curl -sfL https://get.k3s.io | K3S_TOKEN=$SECRET sh -s - server \
+ --cluster-init \
+ --flannel-backend=wireguard-native \
+ --disable=traefik \
+ --secrets-encryption \
+ --tls-san=192.168.122.51
+ ```
+
+3. Join each server node
+
+ ```bash
+ curl -sfL https://get.k3s.io | K3S_TOKEN=$SECRET sh -s - server \
+ --server https://192.168.122.51:6443 \
+ --flannel-backend=wireguard-native \
+ --disable=traefik \
+ --secrets-encryption \
+ --tls-san=192.168.122.52
+ ```
+
+4. Copy the kube config at /etc/rancher/k3s/k3s.yaml to YOUR computer at ~/.kube/dev-config
+
+ ```bash
+ export KUBECONFIG=~/.kube/dev-config
+ ```
+
+5. Modify the dev-config file's `server` attribute, replace with your IP/hostname
+
+## Secrets Encryption
+
+
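Review bot: Step 3 of "K3S Installation" reuses `$SECRET`, which is only exported in the shell that ran step 1, so on a joining node it is unset unless the operator carries the token over, and the page does not say how. I would add a line before step 3 stating how the token in `token.txt` reaches each node, and write both curl lines with `K3S_TOKEN="${SECRET:?cluster token not set}"` so an empty variable stops the command instead of being handed to the installer. Both curl lines also run whatever get.k3s.io serves at that moment; setting `INSTALL_K3S_VERSION=<pinned-version>` alongside the token keeps every node on one reviewed release. In step 4 the copied k3s.yaml is the cluster's admin kubeconfig, so a `chmod 600 ~/.kube/dev-config` after the copy would match the `umask 077` care taken in step 1.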