Add configs for a new kubernetes cluster on NixOS.

2025-11-30 14:32:36 -05:00
parent 8d3ebf7ba2
commit f981bfff97
58 changed files with 3221 additions and 0 deletions
--- a/nix/kubernetes/roles/etcd/default.nix
+++ b/nix/kubernetes/roles/etcd/default.nix
@@ -0,0 +1,92 @@
+{
+  config,
+  lib,
+  pkgs,
+  self,
+  ...
+}:
+
+{
+  imports = [ ];
+
+  options.me = {
+    etcd.enable = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+      example = true;
+      description = "Whether we want to install etcd.";
+    };
+
+    etcd.cluster_name = lib.mkOption {
+      type = lib.types.str;
+      default = false;
+      example = "lorem";
+      description = "The unique name for the cluster.";
+    };
+
+    etcd.internal_ip = lib.mkOption {
+      default = { };
+      example = lib.literalExpression ''
+        {
+          "172.16.0.10" = true;
+          "192.168.1.10" = lib.mkForce false;
+        }
+      '';
+      type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
+        enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)
+      ) (lib.types.attrsOf lib.types.bool);
+      description = "List internal IP addresses for accessing this node.";
+    };
+
+    etcd.initial_cluster = lib.mkOption {
+      default = [ ];
+      example = [
+        "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
+        "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
+        "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
+      ];
+      type = lib.types.listOf lib.types.str;
+      description = "List of controller nodes to form the initial etcd cluster.";
+    };
+  };
+
+  config = lib.mkIf config.me.etcd.enable {
+    services.etcd = {
+      enable = true;
+      openFirewall = true;
+      name = config.networking.hostName;
+      certFile = "/.disk/keys/kubernetes.pem";
+      keyFile = "/.disk/keys/kubernetes-key.pem";
+      peerCertFile = "/.disk/keys/kubernetes.pem";
+      peerKeyFile = "/.disk/keys/kubernetes-key.pem";
+      trustedCaFile = "/.disk/keys/ca.pem";
+      peerTrustedCaFile = "/.disk/keys/ca.pem";
+      peerClientCertAuth = true;
+      initialAdvertisePeerUrls = (
+        builtins.map (iip: "https://${iip}:2380") (builtins.attrNames config.me.etcd.internal_ip)
+      );
+      listenPeerUrls = (
+        builtins.map (iip: "https://${iip}:2380") (builtins.attrNames config.me.etcd.internal_ip)
+      );
+      listenClientUrls = (
+        [
+          "https://127.0.0.1:2379"
+        ]
+        ++ (builtins.map (iip: "https://${iip}:2379") (builtins.attrNames config.me.etcd.internal_ip))
+      );
+      advertiseClientUrls = (
+        builtins.map (iip: "https://${iip}:2379") (builtins.attrNames config.me.etcd.internal_ip)
+      );
+      initialClusterToken = config.me.etcd.cluster_name;
+      initialCluster = config.me.etcd.initial_cluster;
+      initialClusterState = "new";
+    };
+
+    environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
+      hideMounts = true;
+      directories = [
+        config.services.etcd.dataDir # "/var/lib/etcd"
+      ];
+    };
+  };
+}