machine_setup/nix/kubernetes/roles/etcd/default.nix

{
  config,
  lib,
  pkgs,
  self,
  ...
}:

{
  imports = [ ];

  options.me = {
    etcd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install etcd.";
    };

    etcd.cluster_name = lib.mkOption {
      type = lib.types.str;
      default = false;
      example = "lorem";
      description = "The unique name for the cluster.";
    };

    etcd.internal_ip = lib.mkOption {
      default = { };
      example = lib.literalExpression ''
        {
          "172.16.0.10" = true;
          "192.168.1.10" = lib.mkForce false;
        }
      '';
      type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
        enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)
      ) (lib.types.attrsOf lib.types.bool);
      description = "List internal IP addresses for accessing this node.";
    };

    etcd.initial_cluster = lib.mkOption {
      default = [ ];
      example = [
        "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
        "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
        "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
      ];
      type = lib.types.listOf lib.types.str;
      description = "List of controller nodes to form the initial etcd cluster.";
    };
  };

  config = lib.mkIf config.me.etcd.enable {
    services.etcd = {
      enable = true;
      openFirewall = true;
      name = config.networking.hostName;
      certFile = "/.persist/keys/etcd/kubernetes.pem";
      keyFile = "/.persist/keys/etcd/kubernetes-key.pem";
      peerCertFile = "/.persist/keys/etcd/kubernetes.pem";
      peerKeyFile = "/.persist/keys/etcd/kubernetes-key.pem";
      trustedCaFile = "/.persist/keys/etcd/ca.pem";
      peerTrustedCaFile = "/.persist/keys/etcd/ca.pem";
      peerClientCertAuth = true;
      clientCertAuth = true;
      initialAdvertisePeerUrls = (
        builtins.map (iip: "https://${iip}:2380") (builtins.attrNames config.me.etcd.internal_ip)
      );
      listenPeerUrls = (
        builtins.map (iip: "https://${iip}:2380") (builtins.attrNames config.me.etcd.internal_ip)
      );
      listenClientUrls = (
        [
          "https://127.0.0.1:2379"
        ]
        ++ (builtins.map (iip: "https://${iip}:2379") (builtins.attrNames config.me.etcd.internal_ip))
      );
      advertiseClientUrls = (
        builtins.map (iip: "https://${iip}:2379") (builtins.attrNames config.me.etcd.internal_ip)
      );
      initialClusterToken = config.me.etcd.cluster_name;
      initialCluster = config.me.etcd.initial_cluster;
      initialClusterState = "new";
    };

    environment.persistence."/disk" = lib.mkIf (config.me.mountPersistence) {
      hideMounts = true;
      directories = [
        {
          directory = config.services.etcd.dataDir; # "/var/lib/etcd"
          user = "etcd";
          group = "etcd";
          mode = "0700";
        }
      ];
    };

    users.users.etcd.uid = 10016;
    users.groups.etcd.gid = 10016;

    environment.systemPackages = with pkgs; [
      net-tools # for debugging
      tcpdump
      e2fsprogs # mkfs.ext4
      gptfdisk # cgdisk
    ];
    networking.firewall.enable = false;
  };
}
Add configs for a new kubernetes cluster on NixOS. 2025-11-30 14:32:36 -05:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`self,`
			`...`
			`}:`

			`{`
			`imports = [ ];`

			`options.me = {`
			`etcd.enable = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`example = true;`
			`description = "Whether we want to install etcd.";`
			`};`

			`etcd.cluster_name = lib.mkOption {`
			`type = lib.types.str;`
			`default = false;`
			`example = "lorem";`
			`description = "The unique name for the cluster.";`
			`};`

			`etcd.internal_ip = lib.mkOption {`
			`default = { };`
			`example = lib.literalExpression ''`
			`{`
			`"172.16.0.10" = true;`
			`"192.168.1.10" = lib.mkForce false;`
			`}`
			`'';`
			`type = lib.types.coercedTo (lib.types.listOf lib.types.str) (`
			`enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)`
			`) (lib.types.attrsOf lib.types.bool);`
			`description = "List internal IP addresses for accessing this node.";`
			`};`

			`etcd.initial_cluster = lib.mkOption {`
			`default = [ ];`
			`example = [`
			`"controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd`
			`"controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de`
			`"controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df`
			`];`
			`type = lib.types.listOf lib.types.str;`
			`description = "List of controller nodes to form the initial etcd cluster.";`
			`};`
			`};`

			`config = lib.mkIf config.me.etcd.enable {`
			`services.etcd = {`
			`enable = true;`
			`openFirewall = true;`
			`name = config.networking.hostName;`
Add additional controllers. 2025-12-07 15:48:08 -05:00			`certFile = "/.persist/keys/etcd/kubernetes.pem";`
			`keyFile = "/.persist/keys/etcd/kubernetes-key.pem";`
			`peerCertFile = "/.persist/keys/etcd/kubernetes.pem";`
			`peerKeyFile = "/.persist/keys/etcd/kubernetes-key.pem";`
			`trustedCaFile = "/.persist/keys/etcd/ca.pem";`
			`peerTrustedCaFile = "/.persist/keys/etcd/ca.pem";`
Add configs for a new kubernetes cluster on NixOS. 2025-11-30 14:32:36 -05:00			`peerClientCertAuth = true;`
Add additional controllers. 2025-12-07 15:48:08 -05:00			`clientCertAuth = true;`
Add configs for a new kubernetes cluster on NixOS. 2025-11-30 14:32:36 -05:00			`initialAdvertisePeerUrls = (`
			`builtins.map (iip: "https://${iip}:2380") (builtins.attrNames config.me.etcd.internal_ip)`
			`);`
			`listenPeerUrls = (`
			`builtins.map (iip: "https://${iip}:2380") (builtins.attrNames config.me.etcd.internal_ip)`
			`);`
			`listenClientUrls = (`
			`[`
			`"https://127.0.0.1:2379"`
			`]`
			`++ (builtins.map (iip: "https://${iip}:2379") (builtins.attrNames config.me.etcd.internal_ip))`
			`);`
			`advertiseClientUrls = (`
			`builtins.map (iip: "https://${iip}:2379") (builtins.attrNames config.me.etcd.internal_ip)`
			`);`
			`initialClusterToken = config.me.etcd.cluster_name;`
			`initialCluster = config.me.etcd.initial_cluster;`
			`initialClusterState = "new";`
			`};`

Add additional controllers. 2025-12-07 15:48:08 -05:00			`environment.persistence."/disk" = lib.mkIf (config.me.mountPersistence) {`
Add configs for a new kubernetes cluster on NixOS. 2025-11-30 14:32:36 -05:00			`hideMounts = true;`
			`directories = [`
Add additional controllers. 2025-12-07 15:48:08 -05:00			`{`
			`directory = config.services.etcd.dataDir; # "/var/lib/etcd"`
			`user = "etcd";`
			`group = "etcd";`
			`mode = "0700";`
			`}`
Add configs for a new kubernetes cluster on NixOS. 2025-11-30 14:32:36 -05:00			`];`
			`};`
Add additional controllers. 2025-12-07 15:48:08 -05:00
			`users.users.etcd.uid = 10016;`
			`users.groups.etcd.gid = 10016;`

			`environment.systemPackages = with pkgs; [`
			`net-tools # for debugging`
			`tcpdump`
			`e2fsprogs # mkfs.ext4`
			`gptfdisk # cgdisk`
			`];`
			`networking.firewall.enable = false;`
Add configs for a new kubernetes cluster on NixOS. 2025-11-30 14:32:36 -05:00			`};`
			`}`