{"id":13820011,"url":"https://github.com/cozystack/talm","last_synced_at":"2026-02-07T22:08:11.457Z","repository":{"id":237751321,"uuid":"795171572","full_name":"cozystack/talm","owner":"cozystack","description":"Manage Talos Linux the GitOps Way!","archived":false,"fork":false,"pushed_at":"2025-05-08T12:43:29.000Z","size":2205,"stargazers_count":261,"open_issues_count":16,"forks_count":11,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-05-08T13:42:52.179Z","etag":null,"topics":["hacktoberfest","helm","kubernetes","linux","talos","talos-linux"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cozystack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-05-02T18:09:54.000Z","updated_at":"2025-05-08T12:51:21.000Z","dependencies_parsed_at":"2024-05-20T21:46:45.761Z","dependency_job_id":"de0c36ff-182d-45f9-84ec-313b9d05323f","html_url":"https://github.com/cozystack/talm","commit_stats":null,"previous_names":["aenix-io/talm","cozystack/talm"],"tags_count":41,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cozystack%2Ftalm","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cozystack%2Ftalm/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cozystack%2Ftalm/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cozystack%2Ftalm/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitH
ub/owners/cozystack","download_url":"https://codeload.github.com/cozystack/talm/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254488451,"owners_count":22079430,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","helm","kubernetes","linux","talos","talos-linux"],"created_at":"2024-08-04T08:00:56.949Z","updated_at":"2026-02-07T22:08:10.957Z","avatar_url":"https://github.com/cozystack.png","language":"Go","readme":"# Talm\n\nManage Talos the GitOps Way!\n\nTalm is just like Helm, but for Talos Linux.\n\n## Features\n\nWhile developing Talm, we aimed to achieve the following goals:\n\n- **Automatic Discovery**: In a bare-metal environment, each server may vary\nslightly in aspects such as disks and network interfaces.\nTalm enables discovery of node information, which is then used to generate patches.\n\n- **Ease of Customization**: You can customize templates to create your unique\nconfiguration based on your environment. The templates use the standard\nGo template syntax, enhanced with widely known Helm templating logic.\n\n- **GitOps Friendly**: The patches generated do not contain sensitive data,\nallowing them to be stored in Git in an unencrypted, open format. For scenarios\nrequiring complete configurations, the `--full` option lets you obtain\na complete config that can be used for matchbox and other solutions.\n\n- **Simplicity of Use**: You no longer need to pass connection options for each\nspecific server; they are saved along with the templating results into\na separate file. 
This allows you to easily apply one or multiple files in batch\nusing a syntax similar to `kubectl apply -f node1.yaml -f node2.yaml`.\n\n- **Compatibility with talosctl**: We strive to maintain compatibility with the upstream\nproject in patches and configurations. The configurations you obtain can be used\nwith the official tools like talosctl and Omni.\n\n\n## Installation\n\n### Homebrew\nFor macOS and Linux users, the recommended way to install talm is with Homebrew.\n\n\n```bash\nbrew install talm\n```\n\n### Binary\n\nDownload the binary from the GitHub [releases page](https://github.com/cozystack/talm/releases/latest)\n\nOr use a simple script to install it:\n```bash\ncurl -sSL https://github.com/cozystack/talm/raw/refs/heads/main/hack/install.sh | sh -s\n```\n\n## Getting Started\n\nCreate a new project:\n```bash\nmkdir newcluster\ncd newcluster\ntalm init -p cozystack -N myawesomecluster\n```\n\nBoot a Talos Linux node; let's say it has the address `1.2.3.4`.\n\nGather node information:\n```bash\ntalm -n 1.2.3.4 -e 1.2.3.4 template -t templates/controlplane.yaml -i \u003e nodes/node1.yaml\n```\n\nEdit the `nodes/node1.yaml` file:\n```yaml\n# talm: nodes=[\"1.2.3.4\"], endpoints=[\"1.2.3.4\"], templates=[\"templates/controlplane.yaml\"]\nmachine:\n    network:\n        # -- Discovered interfaces:\n        # enx9c6b0047066c:\n        #   name: enp193s0f0\n        #   mac:9c:6b:00:47:06:6c\n        #   bus:0000:c1:00.0\n        #   driver:bnxt_en\n        #   vendor: Broadcom Inc. and subsidiaries\n        #   product: BCM57414 NetXtreme-E 10Gb/25Gb RDMA Ethernet Controller)\n        # enx9c6b0047066d:\n        #   name: enp193s0f1\n        #   mac:9c:6b:00:47:06:6d\n        #   bus:0000:c1:00.1\n        #   driver:bnxt_en\n        #   vendor: Broadcom Inc. 
and subsidiaries\n        #   product: BCM57414 NetXtreme-E 10Gb/25Gb RDMA Ethernet Controller)\n        interfaces:\n            - interface: enx9c6b0047066c\n              addresses:\n                - 1.2.3.4/26\n              routes:\n                - network: 0.0.0.0/0\n                  gateway: 1.2.3.1\n        nameservers:\n            - 8.8.8.8\n            - 8.8.4.4\n    install:\n        # -- Discovered disks:\n        # /dev/nvme0n1:\n        #    model: SAMSUNG MZQL21T9HCJR-00A07\n        #    serial: S64GNE0RB00153\n        #    wwid: eui.3634473052b001530025384500000001\n        #    size: 1.75 TB\n        # /dev/nvme1n1:\n        #    model: SAMSUNG MZQL21T9HCJR-00A07\n        #    serial: S64GNE0R811820\n        #    wwid: eui.36344730528118200025384500000001\n        #    size: 1.75 TB\n        disk: /dev/nvme0n1\n    type: controlplane\ncluster:\n    clusterName: talm\n    controlPlane:\n        endpoint: https://192.168.0.1:6443\n```\n\nApply config:\n```bash\ntalm apply -f nodes/node1.yaml -i\n```\n\nUpgrade node:\n```bash\ntalm upgrade -f nodes/node1.yaml\n```\n\nShow diff:\n```bash\ntalm apply -f nodes/node1.yaml --dry-run\n```\n\nRe-template and update generated file in place (this will overwrite it):\n```\ntalm template -f nodes/node1.yaml -I\n```\n\n## Using talosctl commands\n\nTalm offers a similar set of commands to those provided by talosctl.\nHowever, you can specify the --file option for them.\n\nFor example, to run a dashboard for three nodes:\n\n```\ntalm dashboard -f node1.yaml -f node2.yaml -f node3.yaml\n```\n\n## Customization\n\nYou're free to edit template files in `./templates` directory.\n\nAll the [Helm](https://helm.sh/docs/chart_template_guide/functions_and_pipelines/) and [Sprig](https://masterminds.github.io/sprig/) functions are supported, including lookup for talos resources!\n\nLookup function example:\n\n```helm\n{{ lookup \"nodeaddresses\" \"network\" \"default\" }}\n```\n\n\\- is equivalent 
to:\n\n```bash\ntalosctl get nodeaddresses --namespace=network default\n```\n\n\nQuerying disks map example:\n\n```helm\n{{ range .Disks }}{{ if .system_disk }}{{ .device_name }}{{ end }}{{ end }}\n```\n\n\\- will return the system disk device name\n\n\n## Encryption\n\nTalm provides built-in encryption support using [age](https://age-encryption.org/). Sensitive files are encrypted with their values stored in SOPS format (`ENC[AGE,data:...]`), while YAML keys remain unencrypted for better readability.\n\n### Encrypting Files\n\nTo encrypt all sensitive files (secrets.yaml, talosconfig, kubeconfig):\n\n```bash\ntalm init --encrypt\n# or\ntalm init -e\n```\n\nThis command will:\n- Generate `talm.key` if it doesn't exist\n- Encrypt `secrets.yaml` → `secrets.encrypted.yaml`\n- Encrypt `talosconfig` → `talosconfig.encrypted`\n- Encrypt `kubeconfig` → `kubeconfig.encrypted` (if it exists)\n- Update `.gitignore` with sensitive files\n\n### Decrypting Files\n\nTo decrypt all encrypted files:\n\n```bash\ntalm init --decrypt\n# or\ntalm init -d\n```\n\nThis command will:\n- Decrypt `secrets.encrypted.yaml` → `secrets.yaml`\n- Decrypt `talosconfig.encrypted` → `talosconfig`\n- Decrypt `kubeconfig.encrypted` → `kubeconfig` (if it exists)\n- Update `.gitignore` with sensitive files\n\n### Key Management\n\nThe `talm.key` file is generated in age keygen format and contains:\n- Creation timestamp\n- Public key (for sharing)\n- Private key (keep secure!)\n\n**Important**: Always back up your `talm.key` file! Without it, you won't be able to decrypt your encrypted secrets. 
The key file is automatically added to `.gitignore` to prevent accidental commits.\n\nEncrypted files (`*.encrypted.yaml`, `*.encrypted`) can be safely committed to Git, while plain files (`secrets.yaml`, `talosconfig`, `kubeconfig`, `talm.key`) are ignored.\n","funding_links":[],"categories":["Table of Contents","Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcozystack%2Ftalm","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcozystack%2Ftalm","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcozystack%2Ftalm/lists"}