add kubernetes

This commit is contained in:
Charlotte 🦝 Delenk 2024-05-23 14:06:26 +01:00
parent e06b83115f
commit 9ba3de5308
8 changed files with 138 additions and 6 deletions


@ -16,7 +16,7 @@ creation_rules:
- *instance-20221213-1915
- *vf2
- *rainbow-resort
- *lotte
- *lotte
- path_regex: secrets/nixos-8gb-fsn1-1\.yaml$
key_groups:
- age:
@ -57,3 +57,11 @@ creation_rules:
- age:
- *rainbow-resort
- *lotte
- path_regex: secrets/kubernetes\.yaml$
key_groups:
- age:
- *nixos-8gb-fsn1-1
- *nas
- *instance-20221213-1915
- *rainbow-resort
- *lotte


@ -23,6 +23,7 @@
./wireguard
./zfs.nix
./services/matrix-sliding-sync.nix
./services/kubernetes.nix
];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];


@ -4,6 +4,7 @@
lib,
nixos-hardware,
nixpkgs,
pkgs,
...
} @ args: {
networking.hostName = "nas";
@ -38,6 +39,7 @@
./services/mautrix-signal.nix
./services/synapse.nix
./services/heisenbridge.nix
./services/kubernetes.nix
];
hardware.cpu.amd.updateMicrocode = true;
@ -207,4 +209,9 @@
];
};
system.autoUpgrade.allowReboot = true;
virtualisation.docker = {
enable = true;
enableNvidia = true;
};
environment.systemPackages = with pkgs; [docker runc];
}
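Review bot: The Docker daemon enabled at the end of this section is a second container runtime beside the containerd that `./services/kubernetes.nix` (imported a few lines above) enables and points k3s at via `--container-runtime-endpoint`; nothing in the commit ties Docker to k3s, so `enableNvidia` presumably does not expose an nvidia runtime to pods — that would need the runtime registered in `virtualisation.containerd.settings` instead, so confirm which runtime the GPU workloads are meant to use. If Docker is wanted for something unrelated, say so above the block, e.g. `# Docker is independent of the k3s containerd; the nvidia runtime here only covers docker-run containers`. `virtualisation.docker.enable` already puts the docker CLI on the path, so `environment.systemPackages = with pkgs; [docker runc];` looks redundant, and if the nixpkgs revision in use has deprecated `virtualisation.docker.enableNvidia` in favour of `hardware.nvidia-container-toolkit.enable` the evaluation will warn. The enclosing attrset starts before this hunk.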


@ -1,5 +0,0 @@
_: {
imports = [
./nixos-8gb-fsn1-1.nix
];
}


@ -33,6 +33,7 @@
./services/initrd-ssh.nix
./wireguard
./zfs.nix
./services/kubernetes.nix
];
boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];


@ -18,6 +18,7 @@
nixos-hardware.nixosModules.common-gpu-amd
nixos-hardware.nixosModules.common-pc-ssd
./users/remote-build.nix
./services/kubernetes.nix
];
hardware.cpu.amd.updateMicrocode = true;
boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "sr_mod" "k10temp"];
@ -102,4 +103,5 @@
home-manager.users.darkkirb._module.args.withNSFW = lib.mkForce true;
system.autoUpgrade.allowReboot = true;
services.prometheus.exporters.node.enabledCollectors = ["drm"];
services.k3s.role = lib.mkForce "agent";
}
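Review bot: `services.k3s.role = lib.mkForce "agent";` overrides the `role = "server"` that `./services/kubernetes.nix` sets, while that module separately special-cases rainbow-resort's `extraFlags` on the hostname, so one host's k3s role is decided in two files that can drift apart. Either derive the role inside the module, `role = if config.networking.hostName == "rainbow-resort" then "agent" else "server";`, or leave a pointer here: `# worker only; kubernetes.nix also keys this host's extraFlags on the hostname`. The enclosing attrset starts before this hunk.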


@ -0,0 +1,60 @@
{
config,
pkgs,
...
}: let
nodeIPs = {
instance-20221213-1915 = "100.99.173.107";
nixos-8gb-fsn1-1 = "100.119.226.33";
nas = "100.99.129.7";
rainbow-resort = "100.115.217.35";
};
in {
sops.secrets."k3s/token" = {
sopsFile = ../../secrets/kubernetes.yaml;
};
services.k3s = rec {
enable = true;
role = "server";
tokenFile = config.sops.secrets."k3s/token".path;
clusterInit = config.networking.hostName == "instance-20221213-1915";
serverAddr =
if clusterInit
then ""
else "https://100.99.173.107:6443";
extraFlags =
if config.networking.hostName == "rainbow-resort"
then "--container-runtime-endpoint unix:///run/containerd/containerd.sock --advertise-address ${nodeIPs.${config.networking.hostName}} --node-ip ${nodeIPs.${config.networking.hostName}} --node-external-ip ${nodeIPs.${config.networking.hostName}} --flannel-iface tailscale0"
else "--tls-san ${config.networking.hostName}.int.chir.rs --container-runtime-endpoint unix:///run/containerd/containerd.sock --advertise-address ${nodeIPs.${config.networking.hostName}} --node-ip ${nodeIPs.${config.networking.hostName}} --node-external-ip ${nodeIPs.${config.networking.hostName}} --flannel-iface tailscale0 --cluster-cidr=10.42.0.0/16 --service-cidr=10.43.0.0/16";
};
virtualisation.containerd = {
enable = true;
settings = let
fullCNIPlugins = pkgs.buildEnv {
name = "full-cni";
paths = with pkgs; [
cni-plugins
cni-plugin-flannel
];
};
in {
plugins."io.containerd.grpc.v1.cri".cni = {
bin_dir = "${fullCNIPlugins}/bin";
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/";
};
# Optionally set private registry credentials here instead of using /etc/rancher/k3s/registries.yaml
# plugins."io.containerd.grpc.v1.cri".registry.configs."registry.example.com".auth = {
# username = "";
# password = "";
# };
};
};
environment.systemPackages = [pkgs.nfs-utils];
services.openiscsi = {
enable = true;
name = "${config.networking.hostName}-initiatorhost";
};
boot.supportedFilesystems = ["nfs"];
services.rpcbind.enable = true;
}
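Review bot: Every node, including the agent-only rainbow-resort, reads the same `k3s/token` secret as `tokenFile`, so the control-plane join credential lives on the worker too; k3s supports a separate agent token (`--agent-token`/`--agent-token-file` on servers, used as the agent's token), which would limit a compromised worker to re-joining as an agent rather than as a server with etcd access. Concretely, add `--agent-token-file ${config.sops.secrets."k3s/agent-token".path}` to the server branch of `extraFlags` and point the rainbow-resort `tokenFile` at that second secret. The agent branch also passes `--advertise-address`, which the k3s CLI reference lists as a server-only flag — if the agent subcommand rejects unknown flags the node will not start, so confirm and drop it there; `serverAddr` repeats the IP already held in `nodeIPs.instance-20221213-1915`, and `"https://${nodeIPs.instance-20221213-1915}:6443"` keeps the two from drifting. The commented-out registry credentials block deserves a warning rather than an invitation: `virtualisation.containerd.settings` is rendered into the world-readable Nix store, so replace it with `# Never put registry credentials here: this file lands in /nix/store. Use a sops-managed /etc/rancher/k3s/registries.yaml instead.`.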

58
secrets/kubernetes.yaml Normal file

@ -0,0 +1,58 @@
k3s:
token: ENC[AES256_GCM,data:ZbmIV5uATQsJyhhvO+2v3wpwJ0K3wLuDk993Ahmg5HI=,iv:8mlFqHfwVpJDeXkOv30nIqYnk/DIpdBev6+uIC4qnRM=,tag:Mjn3zUDOmBXgS2ZglCX03Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1273ps5thcy70ckdt0270s2nysqgu48t38pq3wq975v3y7mf4eavsw38wsl
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPbi9BT28zVFRsZkJVUVNo
dFNTaXgrZ0lTRUNGMFFRcm5TZFk5dWNZVmpvCjBXM3dLb0wyUjVWL1dCTU1wc0ZU
TW9ML1dvV1lRVXVXclNSemJ5UFRiczgKLS0tIHhxaHh4VjFZeVZSOTVxdEdla0tn
RWtSc0hNQ3JyQVN1Y3VlaWREMFlQRGcK2hJtMszUZuJ7gambY5FrvvbPbV4fWPok
MrWe3FtwkRmBTOpzCYnTOA54FJQggnCZoCJYsL4phrD5NALWuvFKew==
-----END AGE ENCRYPTED FILE-----
- recipient: age1c7y687sxh428wk34s8ws6kemu62mggafpt40rmanevgkuj5xa59q6f7tlc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRzdyT0hmNFV5T2RZVzhS
TWZKd2NFZFJPbHN6cGEyQXE3ZDc2elk2TnlrCjdXSEhJSi9PZjR1NVlwbkxFYWpv
MWNYVmQrOTVYTmR4U3pOVHZUbG5rK0kKLS0tIGFkWkRQb1VNRXlJaHJ0eWVNa2Iy
bEFPc0h2ZElDalVkaStTQmFheEhVVUUKLcHTs0i9JDPGaS6sW88fvElj1aAVU3di
CIhGyP1LBXwpSajR/R8b1sxBeQt7ZnEDxM/OOJoFyOfz2cQb3t1TVA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1elra3uklw8rmwkevqms2l4tsd06d5utqda9d2w4qvqpz898uzuesugxkhc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVTJJNWxyNXN2ZUw5aDZv
dGxyTnR2UDExS2xnVFFPcnRQWXdoc0ZJZWk4CkxvR3A1YWMvdzBybE5MSFZEenU4
YVpyWjlKQ1FJWDVYVUhkWGRsOEg2aG8KLS0tIGp1YjFkZUlBVWg2M2xULzBZc1FP
dFZJK0JNUytWZmgxdnBVdU80RS9NMm8KXGVtZu/5xpCdrYe/6NB631Q8NHJGbuZT
GOjiqjqHLnW51I7OA53W90fIweZxdkAsjh69kqCNXxv6iOc1nn5u0w==
-----END AGE ENCRYPTED FILE-----
- recipient: age19vzypddhexvvsf8xylstxc9znnkd8rxmamhjlt7elvz4j3zaf5tqqura6f
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEY0ErTkM2MmhiUWhzQ0Vt
dWE5Mll2K1hDVC9qaWU2RWVic3BhdDNPMnpBCndaZXRWZVZaQTFFQm1WRlRpd2Js
aTlWeGJNV0lqZzhWOHcrREFWMzBFZTgKLS0tIEdFZzV0QUh4R2ZFWElSOEVjU09Q
K0FFWlhEekQ0UEZzSXdsbG13VElmcnMKviWBzh+YuubOjHjzsI6Eb6ghC05olASI
4nePmwr3jZbetLyxok1EHtreWw4K/uHH4MU3qQzPGu109TluVbX4Zg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tltjgexkp5fz3rum4j0k66ty5q4u8ptvkgkepumd20zal24g2qfs5xgw76
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZS0p0VWNTUWhhRytaTW81
QXhCanNvZ2NkSVlublJsZE16VUJacDJSSXg4CjdqRHR6QWZHN24xS3cvYWxLQXNX
OUJiQVRNTHlpSVhvSmZjUEV3MWc5Mk0KLS0tIG9IVTFEQjdreVJ4T211MGpJUE56
L1BXT2dsMStUdG5va2l1QVA5WkxOZ2MKqbxMIRio6LAPOMQZiEiGvmx1LFMX3R5U
3Bgmvp/kw7l6OltzVhDdlBIHRkK2hBV9nDjJ21OqmgESoCGexdSv1g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-23T13:01:52Z"
mac: ENC[AES256_GCM,data:u7eN9J0SQzRsa9Fj+fyqrXKbn2CDvRuMt2Quc7kj7SsCScp80xf2jR+ThgTtBZyhYvnC2JD9LfXvz3WbOhhL1lwZ3P85EWOWUdiYak2vOwRP3vUTRgXCltW5bGoYEX8HUXD5cbE6NKsfW1AJcfNTJdu/1gkw9sPe2CXywgtHfbc=,iv:qKMAyyBm52rSe7j9csidU1O9r9qXY0puiOBR8IDL/Wg=,tag:ydf9W3LKoOpT8X7U45VASA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1