talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity
machine_setup/nix/kubernetes/keys/scope.nix

278 lines
8.8 KiB
Nix
Raw Normal View History

Add configs for a new kubernetes cluster on NixOS.
2025-11-30 14:32:36 -05:00
{
makeScope,
newScope,
callPackage,
Implement a generic helm templater package.
2025-12-29 21:41:23 -05:00
fetchFromGitHub,
Add configs for a new kubernetes cluster on NixOS.
2025-11-30 14:32:36 -05:00
lib,
}:
let
public_addresses = [
"74.80.180.138"
];
internal_addresses = [
# nc0
"10.215.1.221"
"2620:11f:7001:7:ffff:ffff:0ad7:01dd"
# nc1
"10.215.1.222"
"2620:11f:7001:7:ffff:ffff:0ad7:01de"
# nc2
"10.215.1.223"
"2620:11f:7001:7:ffff:ffff:0ad7:01df"
# nw0
"10.215.1.224"
"2620:11f:7001:7:ffff:ffff:0ad7:01e0"
# nw1
"10.215.1.225"
"2620:11f:7001:7:ffff:ffff:0ad7:01e1"
# nw2
"10.215.1.226"
"2620:11f:7001:7:ffff:ffff:0ad7:01e2"
];
all_hostnames = [
"10.197.0.1"
"10.0.0.1"
"127.0.0.1"
"kubernetes"
"kubernetes.default"
"kubernetes.default.svc"
"kubernetes.default.svc.cluster"
"kubernetes.svc.cluster.local"
]
++ public_addresses
++ internal_addresses;
Add controller proxy certs.
2025-12-14 14:48:53 -05:00
controllers = {
"controller0" = {
"internal_ips" = [
"10.215.1.221"
"2620:11f:7001:7:ffff:ffff:0ad7:01dd"
];
"external_ips" = [
"2620:11f:7001:7:ffff:ffff:0ad7:01dd"
];
};
"controller1" = {
"internal_ips" = [
"10.215.1.222"
"2620:11f:7001:7:ffff:ffff:0ad7:01de"
];
"external_ips" = [
"2620:11f:7001:7:ffff:ffff:0ad7:01de"
];
};
"controller2" = {
"internal_ips" = [
"10.215.1.223"
"2620:11f:7001:7:ffff:ffff:0ad7:01df"
];
"external_ips" = [
"2620:11f:7001:7:ffff:ffff:0ad7:01df"
];
};
};
Add configs for a new kubernetes cluster on NixOS.
2025-11-30 14:32:36 -05:00
in
makeScope newScope (
self:
let
additional_vars = {
Add controller proxy certs.
2025-12-14 14:48:53 -05:00
inherit all_hostnames controllers;
Add configs for a new kubernetes cluster on NixOS.
2025-11-30 14:32:36 -05:00
k8s = self;
};
in
{
ca = (callPackage ./package/k8s-ca/package.nix additional_vars);
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
keys = (
lib.genAttrs [
"admin"
"controller0"
"controller1"
"controller2"
"worker0"
"worker1"
"worker2"
"kube-proxy"
"kube-scheduler"
"kube-controller-manager"
"kube-api-server"
"service-accounts"
] (key_name: (callPackage ./package/tls-key/package.nix (additional_vars // { inherit key_name; })))
Add requestheader-client-ca.
2025-12-14 13:44:56 -05:00
);
Generate ssh keys for flux bootstrap.
2025-12-21 00:01:57 -05:00
ssh-keys = (
lib.genAttrs [
"flux_ssh_key"
] (key_name: (callPackage ./package/ssh-key/package.nix (additional_vars // { inherit key_name; })))
);
Generate pgp keys for sops.
2025-12-21 14:17:31 -05:00
pgp-keys = (
builtins.mapAttrs
(
key_name: key_config:
(callPackage ./package/pgp-key/package.nix (additional_vars // { inherit key_name; } // key_config))
)
{
"flux_gpg" = {
pgp_comment = "flux secrets";
pgp_name = "flux sops";
};
}
);
Generic secrets for pgp keys.
2025-12-21 19:43:43 -05:00
k8s-secrets-generic = (
builtins.mapAttrs
(
secret_name: secret_config:
(callPackage ./package/k8s-secret-generic/package.nix (
additional_vars // { inherit secret_name; } // secret_config
))
)
{
"sops-gpg" = {
secret_namespace = "flux-system";
secret_values = {
"sops.asc" = (builtins.readFile "${self.pgp-keys.flux_gpg}/flux_gpg_private_key.asc");
};
};
Generic secrets for ssh keys.
2025-12-21 22:41:21 -05:00
"kubernetes-deploy-key" = {
secret_namespace = "flux-system";
secret_values = {
"identity" = builtins.readFile "${self.ssh-keys.flux_ssh_key}/flux_ssh_key";
"identity.pub" = builtins.readFile "${self.ssh-keys.flux_ssh_key}/flux_ssh_key.pub";
Apply the git repo to the cluster.
2025-12-21 23:48:17 -05:00
"known_hosts" = builtins.readFile ./generated/known_hosts;
Generic secrets for ssh keys.
2025-12-21 22:41:21 -05:00
};
};
Generic secrets for pgp keys.
2025-12-21 19:43:43 -05:00
}
);
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
client-configs = (
builtins.mapAttrs
(
config_name: config:
(callPackage ./package/k8s-client-config/package.nix (
additional_vars // { inherit config_name; } // config
))
)
{
controller0 = {
config_user = "system:node:controller0";
Add kubelet.
2025-12-16 19:31:33 -05:00
config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
controller1 = {
config_user = "system:node:controller1";
Add kubelet.
2025-12-16 19:31:33 -05:00
config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
controller2 = {
config_user = "system:node:controller2";
Add kubelet.
2025-12-16 19:31:33 -05:00
config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
worker0 = {
config_user = "system:node:worker0";
Add kubelet.
2025-12-16 19:31:33 -05:00
config_server = "https://[2620:11f:7001:7:ffff:ffff:ad7:1dd]:6443";
# config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
worker1 = {
config_user = "system:node:worker1";
Add kubelet.
2025-12-16 19:31:33 -05:00
config_server = "https://[2620:11f:7001:7:ffff:ffff:ad7:1dd]:6443";
# config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
worker2 = {
config_user = "system:node:worker2";
Add kubelet.
2025-12-16 19:31:33 -05:00
config_server = "https://[2620:11f:7001:7:ffff:ffff:ad7:1dd]:6443";
# config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
kube-proxy = {
config_user = "system:kube-proxy";
Add kube-proxy.
2025-12-16 21:07:39 -05:00
config_server = "https://[2620:11f:7001:7:ffff:ffff:ad7:1dd]:6443";
# config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
kube-controller-manager = {
config_user = "system:kube-controller-manager";
Add kube-scheduler.
2025-12-15 20:09:46 -05:00
# config_server = "https://[2620:11f:7001:7:ffff:ffff:ad7:1dd]:6443";
config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
kube-scheduler = {
config_user = "system:kube-scheduler";
Add kube-scheduler.
2025-12-15 20:09:46 -05:00
# config_server = "https://[2620:11f:7001:7:ffff:ffff:ad7:1dd]:6443";
config_server = "https://127.0.0.1:6443";
# config_server = "https://server.kubernetes.local:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
admin = {
config_user = "admin";
Add kube-scheduler.
2025-12-15 20:09:46 -05:00
config_server = "https://[2620:11f:7001:7:ffff:ffff:ad7:1dd]:6443";
# config_server = "https://127.0.0.1:6443";
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
};
}
);
Move the encryption config into a package.
2025-12-14 20:28:48 -05:00
encryption_config = (callPackage ./package/k8s-encryption-key/package.nix additional_vars);
Implement a generic helm templater package.
2025-12-29 21:41:23 -05:00
cilium-manifest =
let
version = "1.18.5";
in
(callPackage ./package/helm-manifest/package.nix (
additional_vars
// {
helm_src = fetchFromGitHub {
owner = "cilium";
repo = "cilium";
tag = "v${version}";
hash = "sha256-348inOOQ/fgwTYnaSHrQ363xGYnx2UPts3D4ycDRsWE=";
};
helm_name = "cilium";
helm_namespace = "kube-system";
helm_path = "install/kubernetes/cilium";
helm_manifest_name = "cilium.yaml";
helm_values = {
"kubeProxyReplacement" = true;
"ipam.mode" = "kubernetes";
"k8sServiceHost" = "2620:11f:7001:7:ffff:ffff:ad7:1dd";
"k8sServicePort" = 6443;
"ipv6.enabled" = true;
"ipv4.enabled" = true;
"enableIPv6Masquerade" = false;
"enableIPv4BIGTCP" = false;
"enableIPv6BIGTCP" = false;
"routingMode" = "native";
"ipv4NativeRoutingCIDR" = "10.0.0.0/8";
"ipv6NativeRoutingCIDR" = "2620:11f:7001:7:ffff::/96";
# --set hostFirewall.enabled=true
# --set routingMode=native
# --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
# --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \
# --set encryption.enabled=true \
# --set encryption.type=wireguard
# --set encryption.nodeEncryption=true
};
}
));
coredns-manifest =
let
version = "1.45.0";
in
(callPackage ./package/helm-manifest/package.nix (
additional_vars
// {
helm_src = fetchFromGitHub {
owner = "coredns";
repo = "helm";
tag = "coredns-${version}";
hash = "sha256-9YHd/jB33JXvySzx/p9DaP+/2p5ucyLjues4DNtOkmU=";
};
helm_name = "coredns";
helm_namespace = "kube-system";
helm_path = "charts/coredns";
helm_manifest_name = "coredns.yaml";
helm_values = { };
}
));
Switch to generating certs with openssl.
2025-12-14 18:24:24 -05:00
all_keys = (callPackage ./package/k8s-keys/package.nix additional_vars);
deploy_script = (callPackage ./package/deploy-script/package.nix additional_vars);
Move the cluster bootstrap into the keys flake. Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake.
2025-12-20 23:13:51 -05:00
bootstrap_script = (callPackage ./package/bootstrap-script/package.nix additional_vars);
Add configs for a new kubernetes cluster on NixOS.
2025-11-30 14:32:36 -05:00
}
)
Reference in New Issue Copy Permalink