Set up containerd use harbor.fizz.buzz.

Tom Alexander
2026-05-02 12:50:36 -04:00
parent 70f180f3c8
commit 9beffb46b6
2 changed files with 42 additions and 13 deletions


@@ -119,8 +119,6 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
''
+ (lib.concatMapStringsSep "\n" deploy_file [
{
@@ -248,7 +246,8 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/docker.io
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz
''
+ (lib.concatMapStringsSep "\n" deploy_file [
{
@@ -291,6 +290,22 @@ let
group = 10024;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/docker.io";
file = "${./files/containerd/docker.io/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz";
file = "${./files/containerd/harbor.fizz.buzz/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
])
)
);
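Review bot: The `mode = "0600"` on the two new `hosts.toml` entries protects only the copy under `/vm/${vm_name}/persist/containerd/certs.d/`; `file = "${./files/containerd/harbor.fizz.buzz/hosts.toml}"` interpolates a path, so Nix first copies the file into the store on the evaluating machine, where it is world-readable. That is fine while these files hold only endpoints and CA settings, but it would expose a registry token or auth header if one were ever added, so I would put `# hosts.toml is copied into the world-readable Nix store; keep registry credentials out of it` above the first of the two entries. Separately, the `install -d` lines for `certs.d/docker.io` and `certs.d/harbor.fizz.buzz` name only the leaf directories, so unless `persist/containerd` and `persist/containerd/certs.d` are created outside this hunk, their owner and mode are whatever `install` assigns to intermediate directories; the `keys` tree just above pins each level explicitly. The enclosing `let` binding starts and ends outside the visible hunks.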


@@ -1,3 +1,4 @@
# TODO: Set up a proxy to harbor for OCI compliance: https://github.com/moby/moby/pull/34319#issuecomment-720606627
{
config,
lib,
@@ -29,30 +30,43 @@ in
config = lib.mkIf config.me.containerd.enable {
virtualisation.containerd.enable = true;
virtualisation.containerd.settings = {
virtualisation.containerd.settings = lib.mkForce {
"plugins" = {
"io.containerd.grpc.v1.cri" = {
"io.containerd.cri.v1.images" = {
"registry" = {
"config_path" = "/.persist/containerd/certs.d";
};
"snapshotter" = "overlayfs";
};
"io.containerd.cri.v1.runtime" = {
"cni" = {
"bin_dir" = "/opt/cni/bin";
"bin_dirs" = [
"/opt/cni/bin"
];
"conf_dir" = "/etc/cni/net.d";
# "bin_dir" = "${my-cni-plugins}/bin";
# "conf_dir" = "${my-cni-configs}";
};
"containerd" = {
"default_runtime_name" = "runc";
"runtimes" = {
"runc" = {
"options" = {
"SystemdCgroup" = true;
};
"runtime_type" = "io.containerd.runc.v2";
};
};
"snapshotter" = "overlayfs";
};
};
"io.containerd.cri.v1.services" = {
"containerd" = {
"runtimes" = {
"runc" = {
"options" = {
"SystemdCgroup" = true;
};
};
};
"version" = 2;
};
};
};
"version" = 3;
};
systemd.services.containerd.preStart = ''