add kubernetes
This commit is contained in:
parent
e06b83115f
commit
9ba3de5308
8 changed files with 138 additions and 6 deletions
10
.sops.yaml
10
.sops.yaml
|
@ -16,7 +16,7 @@ creation_rules:
|
|||
- *instance-20221213-1915
|
||||
- *vf2
|
||||
- *rainbow-resort
|
||||
- *lotte
|
||||
- *lotte
|
||||
- path_regex: secrets/nixos-8gb-fsn1-1\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
|
@ -57,3 +57,11 @@ creation_rules:
|
|||
- age:
|
||||
- *rainbow-resort
|
||||
- *lotte
|
||||
- path_regex: secrets/kubernetes\.yaml$
|
||||
key_groups:
|
||||
- age:
|
||||
- *nixos-8gb-fsn1-1
|
||||
- *nas
|
||||
- *instance-20221213-1915
|
||||
- *rainbow-resort
|
||||
- *lotte
|
||||
|
|
|
@ -23,6 +23,7 @@
|
|||
./wireguard
|
||||
./zfs.nix
|
||||
./services/matrix-sliding-sync.nix
|
||||
./services/kubernetes.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
|
||||
|
|
|
@ -4,6 +4,7 @@
|
|||
lib,
|
||||
nixos-hardware,
|
||||
nixpkgs,
|
||||
pkgs,
|
||||
...
|
||||
} @ args: {
|
||||
networking.hostName = "nas";
|
||||
|
@ -38,6 +39,7 @@
|
|||
./services/mautrix-signal.nix
|
||||
./services/synapse.nix
|
||||
./services/heisenbridge.nix
|
||||
./services/kubernetes.nix
|
||||
];
|
||||
|
||||
hardware.cpu.amd.updateMicrocode = true;
|
||||
|
@ -207,4 +209,9 @@
|
|||
];
|
||||
};
|
||||
system.autoUpgrade.allowReboot = true;
|
||||
virtualisation.docker = {
|
||||
enable = true;
|
||||
enableNvidia = true;
|
||||
};
|
||||
environment.systemPackages = with pkgs; [docker runc];
|
||||
}
|
||||
|
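Review bot: `enableNvidia = true;` under `virtualisation.docker` in the last hunk relies on an option that nixpkgs deprecated from 24.05 onwards in favour of `hardware.nvidia-container-toolkit.enable = true;`, so if the flake's pinned nixpkgs is at or past that release the setting should move there before the old option disappears. With this commit the nas host appears to run dockerd alongside the containerd that ./services/kubernetes.nix enables as the k3s runtime; a one-line comment above `virtualisation.docker = {` stating what docker is still needed for (the k3s flags point at containerd, not docker) would keep a later cleanup from removing the runtime k3s actually uses. The enclosing module attribute set starts well before the first hunk.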
|
|
@ -1,5 +0,0 @@
|
|||
_: {
|
||||
imports = [
|
||||
./nixos-8gb-fsn1-1.nix
|
||||
];
|
||||
}
|
|
@ -33,6 +33,7 @@
|
|||
./services/initrd-ssh.nix
|
||||
./wireguard
|
||||
./zfs.nix
|
||||
./services/kubernetes.nix
|
||||
];
|
||||
|
||||
boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];
|
||||
|
|
|
@ -18,6 +18,7 @@
|
|||
nixos-hardware.nixosModules.common-gpu-amd
|
||||
nixos-hardware.nixosModules.common-pc-ssd
|
||||
./users/remote-build.nix
|
||||
./services/kubernetes.nix
|
||||
];
|
||||
hardware.cpu.amd.updateMicrocode = true;
|
||||
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp"];
|
||||
|
@ -102,4 +103,5 @@
|
|||
home-manager.users.darkkirb._module.args.withNSFW = lib.mkForce true;
|
||||
system.autoUpgrade.allowReboot = true;
|
||||
services.prometheus.exporters.node.enabledCollectors = ["drm"];
|
||||
services.k3s.role = lib.mkForce "agent";
|
||||
}
|
||||
|
|
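Review bot: `services.k3s.role = lib.mkForce "agent";` in the second hunk overrides the `role = "server"` that ./services/kubernetes.nix sets for every host, while that same file already branches on `config.networking.hostName == "rainbow-resort"` to drop the server-only flags (`--tls-san`, `--cluster-cidr`, `--service-cidr`), so the agent-versus-server decision for this host now lives in two files that have to be kept in sync by hand. Moving the decision next to the existing check keeps it in one place: in kubernetes.nix `role = if config.networking.hostName == "rainbow-resort" then "agent" else "server";`, after which this override line can go. Whether `mkForce` is needed at all depends on other modules not shown here.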
60
config/services/kubernetes.nix
Normal file
60
config/services/kubernetes.nix
Normal file
|
@ -0,0 +1,60 @@
|
|||
{
|
||||
config,
|
||||
pkgs,
|
||||
...
|
||||
}: let
|
||||
nodeIPs = {
|
||||
instance-20221213-1915 = "100.99.173.107";
|
||||
nixos-8gb-fsn1-1 = "100.119.226.33";
|
||||
nas = "100.99.129.7";
|
||||
rainbow-resort = "100.115.217.35";
|
||||
};
|
||||
in {
|
||||
sops.secrets."k3s/token" = {
|
||||
sopsFile = ../../secrets/kubernetes.yaml;
|
||||
};
|
||||
|
||||
services.k3s = rec {
|
||||
enable = true;
|
||||
role = "server";
|
||||
tokenFile = config.sops.secrets."k3s/token".path;
|
||||
clusterInit = config.networking.hostName == "instance-20221213-1915";
|
||||
serverAddr =
|
||||
if clusterInit
|
||||
then ""
|
||||
else "https://100.99.173.107:6443";
|
||||
extraFlags =
|
||||
if config.networking.hostName == "rainbow-resort"
|
||||
then "--container-runtime-endpoint unix:///run/containerd/containerd.sock --advertise-address ${nodeIPs.${config.networking.hostName}} --node-ip ${nodeIPs.${config.networking.hostName}} --node-external-ip ${nodeIPs.${config.networking.hostName}} --flannel-iface tailscale0"
|
||||
else "--tls-san ${config.networking.hostName}.int.chir.rs --container-runtime-endpoint unix:///run/containerd/containerd.sock --advertise-address ${nodeIPs.${config.networking.hostName}} --node-ip ${nodeIPs.${config.networking.hostName}} --node-external-ip ${nodeIPs.${config.networking.hostName}} --flannel-iface tailscale0 --cluster-cidr=10.42.0.0/16 --service-cidr=10.43.0.0/16";
|
||||
};
|
||||
virtualisation.containerd = {
|
||||
enable = true;
|
||||
settings = let
|
||||
fullCNIPlugins = pkgs.buildEnv {
|
||||
name = "full-cni";
|
||||
paths = with pkgs; [
|
||||
cni-plugins
|
||||
cni-plugin-flannel
|
||||
];
|
||||
};
|
||||
in {
|
||||
plugins."io.containerd.grpc.v1.cri".cni = {
|
||||
bin_dir = "${fullCNIPlugins}/bin";
|
||||
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
|
||||
};
|
||||
# Optionally set private registry credentials here instead of using /etc/rancher/k3s/registries.yaml
|
||||
# plugins."io.containerd.grpc.v1.cri".registry.configs."registry.example.com".auth = {
|
||||
# username = "";
|
||||
# password = "";
|
||||
# };
|
||||
};
|
||||
};
|
||||
environment.systemPackages = [pkgs.nfs-utils];
|
||||
services.openiscsi = {
|
||||
enable = true;
|
||||
name = "${config.networking.hostName}-initiatorhost";
|
||||
};
|
||||
boot.supportedFilesystems = ["nfs"];
|
||||
services.rpcbind.enable = true;
|
||||
}
|
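Review bot: `else "https://100.99.173.107:6443"` on the serverAddr line repeats the address already held in `nodeIPs.instance-20221213-1915` a few lines above, and `clusterInit` keys off that same hostname, so the init node's address is spelled out in two places that can drift; write it as `else "https://${nodeIPs.instance-20221213-1915}:6443";`. The commented-out `registry.configs.…auth` block invites putting a registry password directly into this file, where it would end up in git and in the world-readable /nix/store once evaluated; the comment should instead point at the pattern this file already uses for the token — a `sops.secrets` entry whose `.path` is read at runtime, with the credential kept out of the Nix expression. The two `extraFlags` strings also duplicate the runtime-endpoint, address and flannel flags, differing only in the server-only flags; building the shared part once makes the rainbow-resort special case visible, as below.
```nix
      serverAddr =
        if clusterInit
        then ""
        else "https://${nodeIPs.instance-20221213-1915}:6443";
      extraFlags = let
        host = config.networking.hostName;
        ip = nodeIPs.${host};
        # Flags every node passes, server or agent.
        common = "--container-runtime-endpoint unix:///run/containerd/containerd.sock --advertise-address ${ip} --node-ip ${ip} --node-external-ip ${ip} --flannel-iface tailscale0";
      in
        if host == "rainbow-resort"
        then common
        else "--tls-san ${host}.int.chir.rs ${common} --cluster-cidr=10.42.0.0/16 --service-cidr=10.43.0.0/16";
      # … unchanged: virtualisation.containerd, openiscsi, nfs settings …
```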
58
secrets/kubernetes.yaml
Normal file
58
secrets/kubernetes.yaml
Normal file
|
@ -0,0 +1,58 @@
|
|||
k3s:
|
||||
token: ENC[AES256_GCM,data:ZbmIV5uATQsJyhhvO+2v3wpwJ0K3wLuDk993Ahmg5HI=,iv:8mlFqHfwVpJDeXkOv30nIqYnk/DIpdBev6+uIC4qnRM=,tag:Mjn3zUDOmBXgS2ZglCX03Q==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbi9BT28zVFRsZkJVUVNo
|
||||
dFNTaXgrZ0lTRUNGMFFRcm5TZFk5dWNZVmpvCjBXM3dLb0wyUjVWL1dCTU1wc0ZU
|
||||
TW9ML1dvV1lRVXVXclNSemJ5UFRiczgKLS0tIHhxaHh4VjFZeVZSOTVxdEdla0tn
|
||||
RWtSc0hNQ3JyQVN1Y3VlaWREMFlQRGcK2hJtMszUZuJ7gambY5FrvvbPbV4fWPok
|
||||
MrWe3FtwkRmBTOpzCYnTOA54FJQggnCZoCJYsL4phrD5NALWuvFKew==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1c7y687sxh428wk34s8ws6kemu62mggafpt40rmanevgkuj5xa59q6f7tlc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRzdyT0hmNFV5T2RZVzhS
|
||||
TWZKd2NFZFJPbHN6cGEyQXE3ZDc2elk2TnlrCjdXSEhJSi9PZjR1NVlwbkxFYWpv
|
||||
MWNYVmQrOTVYTmR4U3pOVHZUbG5rK0kKLS0tIGFkWkRQb1VNRXlJaHJ0eWVNa2Iy
|
||||
bEFPc0h2ZElDalVkaStTQmFheEhVVUUKLcHTs0i9JDPGaS6sW88fvElj1aAVU3di
|
||||
CIhGyP1LBXwpSajR/R8b1sxBeQt7ZnEDxM/OOJoFyOfz2cQb3t1TVA==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1elra3uklw8rmwkevqms2l4tsd06d5utqda9d2w4qvqpz898uzuesugxkhc
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVTJJNWxyNXN2ZUw5aDZv
|
||||
dGxyTnR2UDExS2xnVFFPcnRQWXdoc0ZJZWk4CkxvR3A1YWMvdzBybE5MSFZEenU4
|
||||
YVpyWjlKQ1FJWDVYVUhkWGRsOEg2aG8KLS0tIGp1YjFkZUlBVWg2M2xULzBZc1FP
|
||||
dFZJK0JNUytWZmgxdnBVdU80RS9NMm8KXGVtZu/5xpCdrYe/6NB631Q8NHJGbuZT
|
||||
GOjiqjqHLnW51I7OA53W90fIweZxdkAsjh69kqCNXxv6iOc1nn5u0w==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age19vzypddhexvvsf8xylstxc9znnkd8rxmamhjlt7elvz4j3zaf5tqqura6f
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEY0ErTkM2MmhiUWhzQ0Vt
|
||||
dWE5Mll2K1hDVC9qaWU2RWVic3BhdDNPMnpBCndaZXRWZVZaQTFFQm1WRlRpd2Js
|
||||
aTlWeGJNV0lqZzhWOHcrREFWMzBFZTgKLS0tIEdFZzV0QUh4R2ZFWElSOEVjU09Q
|
||||
K0FFWlhEekQ0UEZzSXdsbG13VElmcnMKviWBzh+YuubOjHjzsI6Eb6ghC05olASI
|
||||
4nePmwr3jZbetLyxok1EHtreWw4K/uHH4MU3qQzPGu109TluVbX4Zg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
- recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZS0p0VWNTUWhhRytaTW81
|
||||
QXhCanNvZ2NkSVlublJsZE16VUJacDJSSXg4CjdqRHR6QWZHN24xS3cvYWxLQXNX
|
||||
OUJiQVRNTHlpSVhvSmZjUEV3MWc5Mk0KLS0tIG9IVTFEQjdreVJ4T211MGpJUE56
|
||||
L1BXT2dsMStUdG5va2l1QVA5WkxOZ2MKqbxMIRio6LAPOMQZiEiGvmx1LFMX3R5U
|
||||
3Bgmvp/kw7l6OltzVhDdlBIHRkK2hBV9nDjJ21OqmgESoCGexdSv1g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-05-23T13:01:52Z"
|
||||
mac: ENC[AES256_GCM,data:u7eN9J0SQzRsa9Fj+fyqrXKbn2CDvRuMt2Quc7kj7SsCScp80xf2jR+ThgTtBZyhYvnC2JD9LfXvz3WbOhhL1lwZ3P85EWOWUdiYak2vOwRP3vUTRgXCltW5bGoYEX8HUXD5cbE6NKsfW1AJcfNTJdu/1gkw9sPe2CXywgtHfbc=,iv:qKMAyyBm52rSe7j9csidU1O9r9qXY0puiOBR8IDL/Wg=,tag:ydf9W3LKoOpT8X7U45VASA==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|