From 38b2b9ebf402e43117a1d349f1ecece986d7ebc1 Mon Sep 17 00:00:00 2001
From: Tom Alexander <tom@fizz.buzz>
Date: Sat, 20 Dec 2025 20:49:40 -0500
Subject: [PATCH] Add a bootstrap role to load manifests into the cluster.

---
 nix/kubernetes/configuration.nix           |  1 +
 nix/kubernetes/roles/bootstrap/default.nix | 53 ++++++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 nix/kubernetes/roles/bootstrap/default.nix

diff --git a/nix/kubernetes/configuration.nix b/nix/kubernetes/configuration.nix
index e6d5ef55..34e2f860 100644
--- a/nix/kubernetes/configuration.nix
+++ b/nix/kubernetes/configuration.nix
@@ -7,6 +7,7 @@
 {
   imports = [
     ./roles/boot
+    ./roles/bootstrap
     ./roles/cilium
     ./roles/containerd
     ./roles/control_plane
diff --git a/nix/kubernetes/roles/bootstrap/default.nix b/nix/kubernetes/roles/bootstrap/default.nix
new file mode 100644
index 00000000..f068c63c
--- /dev/null
+++ b/nix/kubernetes/roles/bootstrap/default.nix
@@ -0,0 +1,53 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    bootstrap.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install bootstrap.";
+    };
+
+    bootstrap.manifests = lib.mkOption {
+      type = lib.types.listOf lib.types.path;
+      default = [ ];
+      example = lib.literalExpression ''[ ${./files/clusterrole.yaml} ]'';
+      description = "List of kubernetes manifests to load into the cluster.";
+    };
+  };
+
+  config =
+    lib.mkIf (config.me.bootstrap.enable && ((builtins.length config.me.bootstrap.manifests) > 0))
+      {
+        systemd.services.kube-bootstrap = {
+          enable = true;
+          description = "Load initial kubernetes manifests into the cluster.";
+          after = [ "kubernetes.target" ];
+          path = with pkgs; [
+            kubectl
+          ];
+          unitConfig.DefaultDependencies = "no";
+          serviceConfig = {
+            Type = "oneshot";
+          };
+          script =
+            let
+              manifests = (lib.concatMapStringsSep " " lib.escapeShellArgs config.me.bootstrap.manifests);
+            in
+            ''
+              set -o pipefail
+              IFS=$'\n\t'
+
+              kubectl apply --server-side --force-conflicts -f ${manifests}
+            '';
+        };
+      };
+}