talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Install kubernetes.

Browse Source
This commit is contained in:
Tom Alexander
2025-12-08 20:33:41 -05:00
parent c1c510e392
commit 514e67ac50
10 changed files with 309 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
nix/kubernetes/keys/scope.nix
View File

@@ -4,6 +4,8 @@
callPackage,
writeShellScript,
openssh,
runCommand,
writeText,
lib,
}:
let
@@ -50,25 +52,91 @@ makeScope newScope (
inherit all_hostnames;
k8s = self;
};
deploy_key = (
vm_name: file: ''
${openssh}/bin/ssh mrmanager rm -f /vm/${vm_name}/persist/keys/etcd/${builtins.baseNameOf file} ~/${builtins.baseNameOf file}
${openssh}/bin/scp ${file} mrmanager:~/${builtins.baseNameOf file}
${openssh}/bin/ssh mrmanager doas install -o 10016 -g 10016 -m 0640 ~/${builtins.baseNameOf file} /vm/${vm_name}/persist/keys/etcd/${builtins.baseNameOf file}
${openssh}/bin/ssh mrmanager rm -f ~/${builtins.baseNameOf file}
deploy_file = (
{
dest_dir,
file,
name ? (builtins.baseNameOf file),
owner,
group,
mode,
}:
''
##
## deploy ${name} to ${dest_dir}
##
${openssh}/bin/ssh mrmanager doas rm -f ${dest_dir}/${name} ~/${name}
${openssh}/bin/scp ${file} mrmanager:~/${name}
${openssh}/bin/ssh mrmanager doas install -o ${toString owner} -g ${toString group} -m ${mode} ~/${name} ${dest_dir}/${name}
${openssh}/bin/ssh mrmanager doas rm -f ~/${name}
''
);
deploy_machine = (
vm_name:
(
''
##
## Create directories on ${vm_name}
##
${openssh}/bin/ssh mrmanager doas install -d -o 11235 -g 11235 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
''
+ (lib.concatMapStringsSep "\n" (deploy_key vm_name) [
"${self.kubernetes}/kubernetes.pem"
"${self.kubernetes}/kubernetes-key.pem"
"${self.ca}/ca.pem"
+ (lib.concatMapStringsSep "\n" deploy_file [
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.kubernetes}/kubernetes.pem";
owner = 10016;
group = 10016;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.kubernetes}/kubernetes-key.pem";
owner = 10016;
group = 10016;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/etcd";
file = "${self.ca}/ca.pem";
owner = 10016;
group = 10016;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.kubernetes}/kubernetes.pem";
owner = 10024;
group = 10024;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.kubernetes}/kubernetes-key.pem";
owner = 10024;
group = 10024;
mode = "0640";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = "${self.ca}/ca.pem";
owner = 10024;
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/keys/kube";
file = (writeText "encryption-config.yaml" (lib.generators.toYAML { } kube_encryption_config));
name = "encryption-config.yaml";
owner = 10024;
group = 10024;
mode = "0600";
}
])
)
);
@@ -84,6 +152,31 @@ makeScope newScope (
"nc2"
])
);
kube_encryption_key = runCommand "kube_encryption_key" { } ''
head -c 32 /dev/urandom | base64 | tee $out
'';
kube_encryption_config = {
kind = "EncryptionConfig";
apiVersion = "v1";
resources = [
{
resources = [ "secrets" ];
providers = [
{
aescbc = {
keys = [
{
name = "key1";
secret = (builtins.readFile "${kube_encryption_key}");
}
];
};
}
{ identity = { }; }
];
}
];
};
in
{
ca = (callPackage ./package/k8s-ca/package.nix additional_vars);