3 Commits

Author SHA1 Message Date
Tom Alexander
b531c675ed Delete images after 24 hours of being unused. 2026-05-02 17:41:08 -04:00
Tom Alexander
9630c065bb Set up containerd use harbor.fizz.buzz. 2026-05-02 17:41:08 -04:00
Tom Alexander
5e789063a7 Add secrets for archive-box, webhook-bridge, and tekton. 2026-05-02 17:41:08 -04:00
6 changed files with 135 additions and 29 deletions


@@ -12,11 +12,12 @@
#+end_src #+end_src
* IP Ranges * IP Ranges
| | IPv4 | IPv6 | | | IPv4 | IPv6 |
|------------------------------+-----------------------------+-----------------------------------------| |--------------------------------+-----------------------------+-----------------------------------------|
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 | | Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 | | Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 | | Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 | | Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
| Load Balancer Private (unused) | 10.198.0.0/16 | fd9c:0bd5:22a4::/112 |
| PowerDNS from inside cluster | 10.215.1.211 | | | PowerDNS from inside cluster | 10.215.1.211 | |
* Healthcheck * Healthcheck
** Check cilium status ** Check cilium status


@@ -119,8 +119,6 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd ${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
'' ''
+ (lib.concatMapStringsSep "\n" deploy_file [ + (lib.concatMapStringsSep "\n" deploy_file [
{ {
@@ -248,7 +246,8 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/docker.io
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz
'' ''
+ (lib.concatMapStringsSep "\n" deploy_file [ + (lib.concatMapStringsSep "\n" deploy_file [
{ {
@@ -291,6 +290,22 @@ let
group = 10024; group = 10024;
mode = "0600"; mode = "0600";
} }
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/docker.io";
file = "${./files/containerd/docker.io/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz";
file = "${./files/containerd/harbor.fizz.buzz/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
]) ])
) )
); );
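Review bot: The two `hosts.toml` entries added in the third hunk (dest_dir `.../certs.d/docker.io` and `.../certs.d/harbor.fizz.buzz`) point containerd's registry resolution at files whose contents are outside this diff, so the review cannot see how docker.io pulls are redirected. Because a docker.io host file can transparently route public image pulls through another host, I'd add a comment on the docker.io entry stating what the mirror is and what it must not relax, e.g. `# Mirror for docker.io: hosts.toml must keep TLS verification on (no skip_verify) and grant only pull/resolve capabilities.` The `install -d ... -m 0700` lines in the second hunk are consistent with the 0600 file mode and owner 0 of the deployed files. The `deploy_file` list these entries extend begins before the hunk.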


@@ -16,19 +16,29 @@
secret_name, secret_name,
secret_namespace, secret_namespace,
secret_values ? { }, secret_values ? { },
secret_type ? null,
secret_annotations ? null,
... ...
}: }:
let let
toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64; toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
secret_yaml = {
apiVersion = "v1";
kind = "Secret";
metadata = { metadata = {
name = "${secret_name}"; name = "${secret_name}";
namespace = "${secret_namespace}"; namespace = "${secret_namespace}";
}
// lib.optionalAttrs (secret_annotations != null) {
"annotations" = secret_annotations;
}; };
secret_yaml = {
apiVersion = "v1";
kind = "Secret";
metadata = metadata;
data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values); data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
}
// lib.optionalAttrs (secret_type != null) {
"type" = secret_type;
}; };
settingsFormat = pkgs.formats.yaml { }; settingsFormat = pkgs.formats.yaml { };
yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml; yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
yaml_file = pkgs.writeTextFile { yaml_file = pkgs.writeTextFile {
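Review bot: The new optional parameters `secret_type` and `secret_annotations` are undocumented, and nothing records that setting `type` changes how the apiserver validates the Secret (Kubernetes checks required data keys for built-in types such as `kubernetes.io/ssh-auth`); I'd add above the parameter list `# secret_type: optional Secret .type (defaults to Opaque); built-in types require specific data keys.` and `# secret_annotations: optional attrset merged into metadata.annotations.` As a matter of style, `metadata = metadata;` can be `inherit metadata;`, and the quoted `"annotations"` and `"type"` keys sit beside unquoted `apiVersion`/`kind`/`data` in the same attrsets. The function's argument set begins before the hunk and the `yaml_file` definition continues after it.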


@@ -13,13 +13,33 @@ let
( (
secret_namespace: secrets: secret_namespace: secrets:
(builtins.mapAttrs ( (builtins.mapAttrs (
secret_name: secret_values: secret_name: original_secret_values:
let
secret_type = original_secret_values."__type" or null;
secret_annotations = original_secret_values."__annotations" or null;
secret_values = removeAttrs original_secret_values [
"__type"
"__annotations"
];
in
(callPackage ../../package/k8s-secret-generic/package.nix { (callPackage ../../package/k8s-secret-generic/package.nix {
inherit secret_name secret_namespace secret_values; inherit
secret_name
secret_namespace
secret_values
secret_type
secret_annotations
;
}) })
) secrets) ) secrets)
) )
{ {
"archive-box" = {
"archive-box-auth" = {
"username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}");
"password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}");
};
};
"cert-manager" = { "cert-manager" = {
"rfc2136" = { "rfc2136" = {
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}"); "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
@@ -37,6 +57,11 @@ let
); );
}; };
}; };
"flux-system" = {
"webhook-token" = {
"token" = generate_key 64 "flux-system.webhook-token.token";
};
};
"gitea" = { "gitea" = {
"gitea-env" = { "gitea-env" = {
"GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}"); "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -59,6 +84,23 @@ let
); );
}; };
}; };
"tekton-gateway" = {
"oauth2-env" = oauth2_env { dex_id = "tekton"; };
};
"webhook-bridge" = {
"webhook-bridge" = {
"HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}");
"OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}");
};
"deployer-key" = {
"__annotations" = {
"tekton.dev/git-0" = "code.fizz.buzz";
};
"__type" = "kubernetes.io/ssh-auth";
"ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
"ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
};
};
}; };
encrypted_secrets = ( encrypted_secrets = (
builtins.mapAttrs ( builtins.mapAttrs (
@@ -101,8 +143,31 @@ let
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out" dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
'' ''
); );
helm_json_escape = json: builtins.toJSON json; # helm_json_escape = json: builtins.toJSON json;
helm_json_escape =
json:
builtins.replaceStrings
[
"="
"["
"]"
","
"."
"\""
"{"
"}"
]
[
"\\="
"\\["
"\\]"
"\\,"
"\\."
"\\\""
"\\{"
"\\}"
]
json;
## dex ## dex
get_dex_config = get_dex_config =
client_id: client_id:
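Review bot: The new `helm_json_escape` in the last hunk never escapes a backslash, yet the JSON text it receives contains `\"`, `\\` or `\n` for any string value holding a quote, backslash or newline; after the replacement a `\"` becomes `\\"`, so the original JSON escape is likely consumed by Helm's own backslash handling and the value no longer round-trips. Since `builtins.replaceStrings` is single-pass, adding the backslash to both lists fixes this without double escaping: put `"\\"` as the first search entry and `"\\\\"` as the first replacement entry. The commented-out line above shows the function used to call `builtins.toJSON` itself, whereas the new body expects an already-serialised string, so callers (outside these hunks) must now pass JSON text; the parameter name `json` deserves a comment saying so. In the first hunk, the `__type`/`__annotations` sentinels are stripped with `removeAttrs`, which means a secret can never carry data keys of those names — a one-line comment at that `let` would make the convention visible.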


@@ -1,3 +1,4 @@
# TODO: Set up a proxy to harbor for OCI compliance: https://github.com/moby/moby/pull/34319#issuecomment-720606627
{ {
config, config,
lib, lib,
@@ -29,30 +30,43 @@ in
config = lib.mkIf config.me.containerd.enable { config = lib.mkIf config.me.containerd.enable {
virtualisation.containerd.enable = true; virtualisation.containerd.enable = true;
virtualisation.containerd.settings = { virtualisation.containerd.settings = lib.mkForce {
"plugins" = { "plugins" = {
"io.containerd.grpc.v1.cri" = { "io.containerd.cri.v1.images" = {
"registry" = {
"config_path" = "/.persist/containerd/certs.d";
};
"snapshotter" = "overlayfs";
};
"io.containerd.cri.v1.runtime" = {
"cni" = { "cni" = {
"bin_dir" = "/opt/cni/bin"; "bin_dirs" = [
"/opt/cni/bin"
];
"conf_dir" = "/etc/cni/net.d"; "conf_dir" = "/etc/cni/net.d";
# "bin_dir" = "${my-cni-plugins}/bin";
# "conf_dir" = "${my-cni-configs}";
}; };
"containerd" = { "containerd" = {
"default_runtime_name" = "runc"; "default_runtime_name" = "runc";
"runtimes" = { "runtimes" = {
"runc" = { "runc" = {
"options" = {
"SystemdCgroup" = true;
};
"runtime_type" = "io.containerd.runc.v2"; "runtime_type" = "io.containerd.runc.v2";
}; };
}; };
"snapshotter" = "overlayfs"; };
};
"io.containerd.cri.v1.services" = {
"containerd" = {
"runtimes" = {
"runc" = {
"options" = {
"SystemdCgroup" = true;
}; };
}; };
}; };
"version" = 2; };
};
};
"version" = 3;
}; };
systemd.services.containerd.preStart = '' systemd.services.containerd.preStart = ''
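Review bot: `SystemdCgroup = true` for the `runc` runtime is now declared twice, under `io.containerd.cri.v1.runtime` and again under `io.containerd.cri.v1.services`; I could not confirm that the latter is a plugin id the v3 config recognises, and an unrecognised plugin section may be silently ignored, so either drop the second copy or add a comment citing where that id is documented. `lib.mkForce` discards everything the NixOS containerd module contributes to `settings`, which is presumably deliberate for the version 2 to 3 switch but deserves a comment, e.g. `# mkForce: the module's defaults use config version 2 and cannot be merged with a version 3 layout.` The `registry.config_path = "/.persist/containerd/certs.d"` line is what activates the per-host `hosts.toml` files deployed elsewhere in this commit, so a note that docker.io is mirrored via that directory would help readers of this file. The `config` attrset continues past the hunk.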


@@ -32,7 +32,7 @@ let
containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock"; containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock";
enableServer = true; enableServer = true;
failSwapOn = false; failSwapOn = false;
maxPods = 16; maxPods = 110;
memorySwap = { memorySwap = {
swapBehavior = "NoSwap"; swapBehavior = "NoSwap";
}; };
@@ -47,6 +47,7 @@ let
"10.197.0.10" "10.197.0.10"
"fd00:3e42:e349::10" "fd00:3e42:e349::10"
]; ];
imageMaximumGCAge = "24h"; # Delete unused images after 1 day.
}; };
kubelet_config_file = (to_yaml_file "kubelet-config.yaml" kubelet_config); kubelet_config_file = (to_yaml_file "kubelet-config.yaml" kubelet_config);
in in
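Review bot: `imageMaximumGCAge = "24h"` is honoured only when the kubelet's `ImageMaximumGCAge` feature gate is enabled (alpha and off by default before Kubernetes 1.30, beta and on by default from 1.30), and the kubelet version is not visible here; I'd extend the comment to `# Delete unused images after 1 day; requires the ImageMaximumGCAge feature gate (default-on since k8s 1.30).` Raising `maxPods` from 16 to 110 also assumes each node's pod CIDR allocation holds at least 110 addresses, which this file does not show, so a comment pointing at where that allocation is configured would help. The `kubelet_config` attrset begins before the hunk.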