machine_setup/nix/kubernetes/README.org

* To-do
** Perhaps use overlay for /etc for speedup
#+begin_src nix
  system.etc.overlay.enable = true;
#+end_src
** read https://nixos.org/manual/nixos/stable/
** Performance for mini pc
#+begin_src nix
  security.pam.loginLimits = [
    { domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
  ];
#+end_src
* Bootstrap
** Install cilium
#+begin_src bash
  # nix shell nixpkgs#cilium-cli
  nix shell 'nixpkgs#kubernetes-helm'

  helm repo add cilium https://helm.cilium.io/
  helm template --dry-run=client cilium cilium/cilium --version 1.18.5 --namespace kube-system \
       --set kubeProxyReplacement=true \
       --set ipam.mode=kubernetes \
       --set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \
       --set k8sServicePort=6443 \
       --set ipv6.enabled=true \
       --set ipv4.enabled=true
       # --set enableIPv6Masquerade=false
       # --set enableIPv4BIGTCP=true \
       # --set enableIPv6BIGTCP=true
       # --set routingMode=native \
       # --set ipv4NativeRoutingCIDR=10.0.0.0/8 \
       # --set ipv6NativeRoutingCIDR=fd00::/100

  kubec
  tl -n kube-system exec ds/cilium -- cilium-dbg status --verbose
  kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement

  #      --set hostFirewall.enabled=true
  # routingMode=native

       # --set ipv4-native-routing-cidr=10.0.0.0/8 \
       # --set ipv6-native-routing-cidr=fd00::/100
  # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
  # --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \


  # --set encryption.enabled=true \
  #   --set encryption.type=wireguard
  #   --set encryption.nodeEncryption=true
#+end_src
** Install flux
#+begin_src bash
  nix shell 'nixpkgs#fluxcd'

  flux bootstrap git \
    --url=ssh://git@<host>/<org>/<repository> \
    --branch=main \
    --private-key-file=<path/to/private.key> \
    --password=<key-passphrase> \
    --path=clusters/my-cluster
#+end_src

#+begin_src bash
  nix shell 'nixpkgs#kubernetes-helm'

  helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
    --namespace flux-system \
    --create-namespace
#+end_src

#+begin_src text
  apiVersion: fluxcd.controlplane.io/v1
  kind: FluxInstance
  metadata:
    name: flux
    namespace: flux-system
    annotations:
      fluxcd.controlplane.io/reconcileEvery: "1h"
      fluxcd.controlplane.io/reconcileTimeout: "5m"
  spec:
    distribution:
      version: "2.x"
      registry: "ghcr.io/fluxcd"
      artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
    components:
      - source-controller
      - kustomize-controller
      - helm-controller
      - notification-controller
      - image-reflector-controller
      - image-automation-controller
    cluster:
      type: kubernetes
      size: medium
      multitenant: false
      networkPolicy: true
      domain: "cluster.local"
    kustomize:
      patches:
        - target:
            kind: Deployment
          patch: |
            - op: replace
              path: /spec/template/spec/nodeSelector
              value:
                kubernetes.io/os: linux
            - op: add
              path: /spec/template/spec/tolerations
              value:
                - key: "CriticalAddonsOnly"
                  operator: "Exists"
    sync:
      kind: OCIRepository
      url: "oci://ghcr.io/my-org/my-fleet-manifests"
      ref: "latest"
      path: "clusters/my-cluster"
      pullSecret: "ghcr-auth"
#+end_src

#+begin_src text
  apiVersion: fluxcd.controlplane.io/v1
  kind: FluxInstance
  metadata:
    name: flux
    namespace: flux-system
  spec:
    distribution:
      version: "2.7.x"
      registry: "ghcr.io/fluxcd"
    sync:
      kind: GitRepository
      url: "ssh://git@10.215.1.210:22/repos/mrmanager"
      ref: "refs/heads/nix"
      path: "clusters/my-cluster"
      pullSecret: "flux-system"
#+end_src

#+begin_src bash
  flux create secret git flux-system \
    --url=https://gitlab.com/my-org/my-fleet.git \
    --username=git \
    --password=$GITLAB_TOKEN
#+end_src
Add configs for a new kubernetes cluster on NixOS. 2025-11-30 14:32:36 -05:00			`* To-do`
			`** Perhaps use overlay for /etc for speedup`
			`#+begin_src nix`
			`system.etc.overlay.enable = true;`
			`#+end_src`
			`** read https://nixos.org/manual/nixos/stable/`
			`** Performance for mini pc`
			`#+begin_src nix`
			`security.pam.loginLimits = [`
			`{ domain = "@users"; item = "rtprio"; type = "-"; value = 1; }`
			`];`
			`#+end_src`
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`* Bootstrap`
			`** Install cilium`
			`#+begin_src bash`
Set up flux. 2025-12-20 23:01:19 -05:00			`# nix shell nixpkgs#cilium-cli`
			`nix shell 'nixpkgs#kubernetes-helm'`

Add kube-proxy. 2025-12-16 21:07:39 -05:00			`helm repo add cilium https://helm.cilium.io/`
Switch to kubernetes ipam mode. 2025-12-29 15:59:00 -05:00			`helm template --dry-run=client cilium cilium/cilium --version 1.18.5 --namespace kube-system \`
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`--set kubeProxyReplacement=true \`
Switch to kubernetes ipam mode. 2025-12-29 15:59:00 -05:00			`--set ipam.mode=kubernetes \`
Add cilium bootstrap. 2025-12-16 21:48:44 -05:00			`--set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \`
			`--set k8sServicePort=6443 \`
Switch to kubernetes ipam mode. 2025-12-29 15:59:00 -05:00			`--set ipv6.enabled=true \`
Enable ipv4 and tunnel routing. 2025-12-29 17:00:23 -05:00			`--set ipv4.enabled=true`
			`# --set enableIPv6Masquerade=false`
			`# --set enableIPv4BIGTCP=true \`
			`# --set enableIPv6BIGTCP=true`
			`# --set routingMode=native \`
			`# --set ipv4NativeRoutingCIDR=10.0.0.0/8 \`
			`# --set ipv6NativeRoutingCIDR=fd00::/100`

			`kubec`
			`tl -n kube-system exec ds/cilium -- cilium-dbg status --verbose`
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`kubectl -n kube-system exec ds/cilium -- cilium-dbg status \| grep KubeProxyReplacement`

Some networking fixes. 2025-12-18 22:28:03 -05:00			`# --set hostFirewall.enabled=true`
			`# routingMode=native`
Switch to kubernetes ipam mode. 2025-12-29 15:59:00 -05:00
			`# --set ipv4-native-routing-cidr=10.0.0.0/8 \`
			`# --set ipv6-native-routing-cidr=fd00::/100`
			`# --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \`
			`# --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \`
Enable ipv4 and tunnel routing. 2025-12-29 17:00:23 -05:00

			`# --set encryption.enabled=true \`
			`# --set encryption.type=wireguard`
			`# --set encryption.nodeEncryption=true`
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`#+end_src`
Set up flux. 2025-12-20 23:01:19 -05:00			`** Install flux`
			`#+begin_src bash`
			`nix shell 'nixpkgs#fluxcd'`

			`flux bootstrap git \`
			`--url=ssh://git@<host>/<org>/<repository> \`
			`--branch=main \`
			`--private-key-file=<path/to/private.key> \`
			`--password=<key-passphrase> \`
			`--path=clusters/my-cluster`
			`#+end_src`

			`#+begin_src bash`
			`nix shell 'nixpkgs#kubernetes-helm'`

			`helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \`
			`--namespace flux-system \`
			`--create-namespace`
			`#+end_src`

			`#+begin_src text`
			`apiVersion: fluxcd.controlplane.io/v1`
			`kind: FluxInstance`
			`metadata:`
			`name: flux`
			`namespace: flux-system`
			`annotations:`
			`fluxcd.controlplane.io/reconcileEvery: "1h"`
			`fluxcd.controlplane.io/reconcileTimeout: "5m"`
			`spec:`
			`distribution:`
			`version: "2.x"`
			`registry: "ghcr.io/fluxcd"`
			`artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"`
			`components:`
			`- source-controller`
			`- kustomize-controller`
			`- helm-controller`
			`- notification-controller`
			`- image-reflector-controller`
			`- image-automation-controller`
			`cluster:`
			`type: kubernetes`
			`size: medium`
			`multitenant: false`
			`networkPolicy: true`
			`domain: "cluster.local"`
			`kustomize:`
			`patches:`
			`- target:`
			`kind: Deployment`
			`patch: \|`
			`- op: replace`
			`path: /spec/template/spec/nodeSelector`
			`value:`
			`kubernetes.io/os: linux`
			`- op: add`
			`path: /spec/template/spec/tolerations`
			`value:`
			`- key: "CriticalAddonsOnly"`
			`operator: "Exists"`
			`sync:`
			`kind: OCIRepository`
			`url: "oci://ghcr.io/my-org/my-fleet-manifests"`
			`ref: "latest"`
			`path: "clusters/my-cluster"`
			`pullSecret: "ghcr-auth"`
			`#+end_src`

			`#+begin_src text`
			`apiVersion: fluxcd.controlplane.io/v1`
			`kind: FluxInstance`
			`metadata:`
			`name: flux`
			`namespace: flux-system`
			`spec:`
			`distribution:`
			`version: "2.7.x"`
			`registry: "ghcr.io/fluxcd"`
			`sync:`
			`kind: GitRepository`
Generate kubernetes secrets for ssh keys. 2025-12-21 18:45:49 -05:00			`url: "ssh://git@10.215.1.210:22/repos/mrmanager"`
			`ref: "refs/heads/nix"`
Set up flux. 2025-12-20 23:01:19 -05:00			`path: "clusters/my-cluster"`
			`pullSecret: "flux-system"`
			`#+end_src`

			`#+begin_src bash`
			`flux create secret git flux-system \`
			`--url=https://gitlab.com/my-org/my-fleet.git \`
			`--username=git \`
			`--password=$GITLAB_TOKEN`
			`#+end_src`