Set up containerd use harbor.fizz.buzz.

Tom Alexander
2026-05-02 12:50:36 -04:00
parent 70f180f3c8
commit 9beffb46b6
2 changed files with 42 additions and 13 deletions


@@ -119,8 +119,6 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd ${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
'' ''
+ (lib.concatMapStringsSep "\n" deploy_file [ + (lib.concatMapStringsSep "\n" deploy_file [
{ {
@@ -248,7 +246,8 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/docker.io
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz
'' ''
+ (lib.concatMapStringsSep "\n" deploy_file [ + (lib.concatMapStringsSep "\n" deploy_file [
{ {
@@ -291,6 +290,22 @@ let
group = 10024; group = 10024;
mode = "0600"; mode = "0600";
} }
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/docker.io";
file = "${./files/containerd/docker.io/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz";
file = "${./files/containerd/harbor.fizz.buzz/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
]) ])
) )
); );
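Review bot: The two new `install -d -o 0 -g 0 -m 0700` lines for `certs.d/docker.io` and `certs.d/harbor.fizz.buzz` apply the mode and root ownership only to the named leaf directory; the parents `/vm/${vm_name}/persist/containerd` and `…/containerd/certs.d`, which this commit introduces, are created as missing ancestors with install's default attributes (umask-derived, typically 0755 — worth confirming for the install implementation on mrmanager), so the 0700 tightening does not cover the tree that holds the 0600 `hosts.toml` files deployed in the last hunk. If those files are meant to be reachable only by root, create the parents explicitly before the leaf lines, e.g. `${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd` followed by `${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d`; if the parents are intentionally open like the 0755 `keys` directories above, a one-line comment saying so would settle it. The enclosing `let` binding starts and ends outside these hunks.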


@@ -1,3 +1,4 @@
# TODO: Set up a proxy to harbor for OCI compliance: https://github.com/moby/moby/pull/34319#issuecomment-720606627
{ {
config, config,
lib, lib,
@@ -29,30 +30,43 @@ in
config = lib.mkIf config.me.containerd.enable { config = lib.mkIf config.me.containerd.enable {
virtualisation.containerd.enable = true; virtualisation.containerd.enable = true;
virtualisation.containerd.settings = { virtualisation.containerd.settings = lib.mkForce {
"plugins" = { "plugins" = {
"io.containerd.grpc.v1.cri" = { "io.containerd.cri.v1.images" = {
"registry" = {
"config_path" = "/.persist/containerd/certs.d";
};
"snapshotter" = "overlayfs";
};
"io.containerd.cri.v1.runtime" = {
"cni" = { "cni" = {
"bin_dir" = "/opt/cni/bin"; "bin_dirs" = [
"/opt/cni/bin"
];
"conf_dir" = "/etc/cni/net.d"; "conf_dir" = "/etc/cni/net.d";
# "bin_dir" = "${my-cni-plugins}/bin";
# "conf_dir" = "${my-cni-configs}";
}; };
"containerd" = { "containerd" = {
"default_runtime_name" = "runc"; "default_runtime_name" = "runc";
"runtimes" = { "runtimes" = {
"runc" = { "runc" = {
"options" = {
"SystemdCgroup" = true;
};
"runtime_type" = "io.containerd.runc.v2"; "runtime_type" = "io.containerd.runc.v2";
}; };
}; };
"snapshotter" = "overlayfs"; };
};
"io.containerd.cri.v1.services" = {
"containerd" = {
"runtimes" = {
"runc" = {
"options" = {
"SystemdCgroup" = true;
};
};
};
}; };
}; };
}; };
"version" = 2; "version" = 3;
}; };
systemd.services.containerd.preStart = '' systemd.services.containerd.preStart = ''