6 Commits

Author SHA1 Message Date
Tom Alexander
ae5519bb39 Add a secret for the harbor webhooks to flux. 2026-05-03 16:25:08 -04:00
Tom Alexander
795216d989 Update flux and install the image automation controller. 2026-05-03 16:12:37 -04:00
Tom Alexander
26cbb79960 Add IP addresses to worker certs for the metrics server. 2026-05-03 14:35:38 -04:00
Tom Alexander
b129bf5e3e Delete images after 24 hours of being unused. 2026-05-02 18:25:07 -04:00
Tom Alexander
9beffb46b6 Set up containerd use harbor.fizz.buzz. 2026-05-02 18:25:07 -04:00
Tom Alexander
70f180f3c8 Add secrets for archive-box, webhook-bridge, and tekton. 2026-05-02 18:25:06 -04:00
10 changed files with 342 additions and 68 deletions


@@ -11,13 +11,14 @@
]; ];
#+end_src #+end_src
* IP Ranges * IP Ranges
| | IPv4 | IPv6 | | | IPv4 | IPv6 |
|------------------------------+-----------------------------+-----------------------------------------| |--------------------------------+-----------------------------+-----------------------------------------|
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 | | Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 | | Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 | | Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 | | Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
| PowerDNS from inside cluster | 10.215.1.211 | | | Load Balancer Private (unused) | 10.198.0.0/16 | fd9c:0bd5:22a4::/112 |
| PowerDNS from inside cluster | 10.215.1.211 | |
* Healthcheck * Healthcheck
** Check cilium status ** Check cilium status
#+begin_src bash #+begin_src bash


@@ -6,10 +6,10 @@ metadata:
name: flux-operator-web name: flux-operator-web
namespace: flux-system namespace: flux-system
labels: labels:
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
spec: spec:
policyTypes: policyTypes:
@@ -32,10 +32,10 @@ metadata:
name: flux-operator name: flux-operator
namespace: flux-system namespace: flux-system
labels: labels:
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
automountServiceAccountToken: true automountServiceAccountToken: true
--- ---
@@ -44,14 +44,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.19.0 controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1' app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.37.1' helm.sh/chart: 'flux-operator-0.48.0'
name: fluxinstances.fluxcd.controlplane.io name: fluxinstances.fluxcd.controlplane.io
spec: spec:
group: fluxcd.controlplane.io group: fluxcd.controlplane.io
@@ -205,7 +205,11 @@ spec:
components: components:
description: |- description: |-
Components is the list of controllers to install. Components is the list of controllers to install.
Defaults to a commonly used subset. Defaults to the core Flux controllers:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
items: items:
description: Component is the name of a controller to install. description: Component is the name of a controller to install.
enum: enum:
@@ -661,14 +665,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.19.0 controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1' app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.37.1' helm.sh/chart: 'flux-operator-0.48.0'
name: fluxreports.fluxcd.controlplane.io name: fluxreports.fluxcd.controlplane.io
spec: spec:
group: fluxcd.controlplane.io group: fluxcd.controlplane.io
@@ -828,7 +832,7 @@ spec:
failing: failing:
description: |- description: |-
Failing is the number of reconciled Failing is the number of reconciled
resources in the Failing state. resources in the Failing state and not Suspended.
type: integer type: integer
running: running:
description: |- description: |-
@@ -965,14 +969,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.19.0 controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1' app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.37.1' helm.sh/chart: 'flux-operator-0.48.0'
name: resourcesetinputproviders.fluxcd.controlplane.io name: resourcesetinputproviders.fluxcd.controlplane.io
spec: spec:
group: fluxcd.controlplane.io group: fluxcd.controlplane.io
@@ -1029,9 +1033,9 @@ spec:
- a PEM-encoded CA certificate (`ca.crt`) - a PEM-encoded CA certificate (`ca.crt`)
- a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`) - a PEM-encoded client certificate (`tls.crt`) and private key (`tls.key`)
When connecting to a Git or OCI provider that uses self-signed certificates, the CA certificate When connecting to a Git, OCI, or ExternalService provider that uses self-signed certificates,
must be set in the Secret under the 'ca.crt' key to establish the trust relationship. the CA certificate must be set in the Secret under the 'ca.crt' key to establish the trust relationship.
When connecting to an OCI provider that supports client certificates (mTLS), the client certificate When connecting to a provider that supports client certificates (mTLS), the client certificate
and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively. and private key must be set in the Secret under the 'tls.crt' and 'tls.key' keys, respectively.
properties: properties:
name: name:
@@ -1102,6 +1106,11 @@ spec:
Supported only for tags at the moment. Supported only for tags at the moment.
type: string type: string
type: object type: object
insecure:
description: |-
Insecure allows connecting to an ExternalService or OCIArtifactTag provider
over plain HTTP without TLS. When not set, the URL must use HTTPS.
type: boolean
schedule: schedule:
description: Schedule defines the schedules for the input provider description: Schedule defines the schedules for the input provider
to run. to run.
@@ -1129,13 +1138,16 @@ spec:
type: array type: array
secretRef: secretRef:
description: |- description: |-
SecretRef specifies the Kubernetes Secret containing the basic-auth credentials SecretRef specifies the Kubernetes Secret containing the credentials
to access the input provider. to access the input provider.
When connecting to a Git provider, the secret must contain the keys When connecting to a Git provider, the secret must contain the keys
'username' and 'password', and the password should be a personal access token 'username' and 'password', and the password should be a personal access token
that grants read-only access to the repository. that grants read-only access to the repository.
When connecting to an OCI provider, the secret must contain a Kubernetes When connecting to an OCI provider, the secret must contain a Kubernetes
Image Pull Secret, as if created by `kubectl create secret docker-registry`. Image Pull Secret, as if created by `kubectl create secret docker-registry`.
When connecting to an ExternalService provider, the secret must contain either
a 'token' key for bearer token authentication, or 'username' and 'password'
keys for basic authentication.
properties: properties:
name: name:
description: Name of the referent. description: Name of the referent.
@@ -1177,10 +1189,14 @@ spec:
- AzureDevOpsBranch - AzureDevOpsBranch
- AzureDevOpsTag - AzureDevOpsTag
- AzureDevOpsPullRequest - AzureDevOpsPullRequest
- GiteaBranch
- GiteaTag
- GiteaPullRequest
- OCIArtifactTag - OCIArtifactTag
- ACRArtifactTag - ACRArtifactTag
- ECRArtifactTag - ECRArtifactTag
- GARArtifactTag - GARArtifactTag
- ExternalService
type: string type: string
url: url:
description: |- description: |-
@@ -1206,6 +1222,16 @@ spec:
- message: spec.url must start with 'oci://' when spec.type is an OCI - message: spec.url must start with 'oci://' when spec.type is an OCI
provider provider
rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')' rule: '!self.type.endsWith(''ArtifactTag'') || self.url.startsWith(''oci'')'
- message: spec.url must start with 'http://' or 'https://' when spec.type
is 'ExternalService'
rule: self.type != 'ExternalService' || self.url.startsWith('http')
- message: spec.insecure can only be set when spec.type is 'ExternalService'
or 'OCIArtifactTag'
rule: '!has(self.insecure) || !self.insecure || self.type == ''ExternalService''
|| self.type == ''OCIArtifactTag'''
- message: spec.url must use 'https://' unless spec.insecure is true
rule: self.type != 'ExternalService' || !self.url.startsWith('http://')
|| (has(self.insecure) && self.insecure)
- message: cannot specify spec.serviceAccountName when spec.type is not - message: cannot specify spec.serviceAccountName when spec.type is not
one of AzureDevOps* or *ArtifactTag one of AzureDevOps* or *ArtifactTag
rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'') rule: '!has(self.serviceAccountName) || self.type.startsWith(''AzureDevOps'')
@@ -1345,14 +1371,14 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition kind: CustomResourceDefinition
metadata: metadata:
annotations: annotations:
controller-gen.kubebuilder.io/version: v0.19.0 controller-gen.kubebuilder.io/version: v0.20.0
helm.sh/resource-policy: keep helm.sh/resource-policy: keep
labels: labels:
app.kubernetes.io/instance: 'flux-operator' app.kubernetes.io/instance: 'flux-operator'
app.kubernetes.io/managed-by: 'Helm' app.kubernetes.io/managed-by: 'Helm'
app.kubernetes.io/name: 'flux-operator' app.kubernetes.io/name: 'flux-operator'
app.kubernetes.io/version: 'v0.37.1' app.kubernetes.io/version: 'v0.48.0'
helm.sh/chart: 'flux-operator-0.37.1' helm.sh/chart: 'flux-operator-0.48.0'
name: resourcesets.fluxcd.controlplane.io name: resourcesets.fluxcd.controlplane.io
spec: spec:
group: fluxcd.controlplane.io group: fluxcd.controlplane.io
@@ -1459,6 +1485,15 @@ spec:
input provider objects are used. Defaults to flattening all inputs input provider objects are used. Defaults to flattening all inputs
from all providers into a single list of input sets. from all providers into a single list of input sets.
properties: properties:
includeEmptyProviders:
description: |-
IncludeEmptyProviders controls how input providers that export no
inputs are treated. Only applies when Name is Permute. When true, if
any provider has zero inputs the resulting permutation set is empty
(mathematically correct Cartesian product behavior). When false or
unset (default), providers with zero inputs are silently skipped and
the remaining providers still permute among themselves.
type: boolean
name: name:
description: |- description: |-
Name defines how the inputs are combined when multiple Name defines how the inputs are combined when multiple
@@ -1481,6 +1516,9 @@ spec:
required: required:
- name - name
type: object type: object
x-kubernetes-validations:
- message: includeEmptyProviders only applies when name is Permute
rule: '!has(self.includeEmptyProviders) || self.name == ''Permute'''
inputs: inputs:
description: Inputs contains the list of ResourceSet inputs. description: Inputs contains the list of ResourceSet inputs.
items: items:
@@ -1659,6 +1697,16 @@ spec:
- type - type
type: object type: object
type: array type: array
externalChecksumRefs:
description: |-
ExternalChecksumRefs lists the ConfigMap and Secret references
discovered in checksumFrom annotations on the last reconciliation
that point to objects not rendered by this ResourceSet. Each entry
has the form "Kind/namespace/name". It is used to trigger a
reconciliation when one of the referenced objects changes.
items:
type: string
type: array
history: history:
description: |- description: |-
History contains the reconciliation history of the ResourceSet History contains the reconciliation history of the ResourceSet
@@ -1764,10 +1812,10 @@ metadata:
labels: labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true"
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
rules: rules:
- apiGroups: - apiGroups:
@@ -1791,10 +1839,10 @@ metadata:
rbac.authorization.k8s.io/aggregate-to-admin: "true" rbac.authorization.k8s.io/aggregate-to-admin: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true" rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-view: "true" rbac.authorization.k8s.io/aggregate-to-view: "true"
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
rules: rules:
- apiGroups: - apiGroups:
@@ -1807,16 +1855,86 @@ rules:
- list - list
- watch - watch
--- ---
# Source: flux-operator/templates/web-standard-roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-web-user
labels:
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
---
# Source: flux-operator/templates/web-standard-roles.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flux-web-admin
labels:
helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "list", "watch"]
- apiGroups:
- fluxcd.controlplane.io
- source.toolkit.fluxcd.io
- source.extensions.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- image.toolkit.fluxcd.io
- notification.toolkit.fluxcd.io
resources: ["*"]
verbs:
- patch
- reconcile
- suspend
- resume
- download
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
verbs:
- patch
- restart
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- restart
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
---
# Source: flux-operator/templates/admin-clusterrole.yaml # Source: flux-operator/templates/admin-clusterrole.yaml
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding kind: ClusterRoleBinding
metadata: metadata:
name: flux-operator name: flux-operator
labels: labels:
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: rbac.authorization.k8s.io
@@ -1834,10 +1952,10 @@ metadata:
name: flux-operator name: flux-operator
namespace: flux-system namespace: flux-system
labels: labels:
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
spec: spec:
ports: ports:
@@ -1860,10 +1978,10 @@ metadata:
name: flux-operator name: flux-operator
namespace: flux-system namespace: flux-system
labels: labels:
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
spec: spec:
selector: selector:
@@ -1877,10 +1995,10 @@ spec:
prometheus.io/port: "8080" prometheus.io/port: "8080"
prometheus.io/path: "/metrics" prometheus.io/path: "/metrics"
labels: labels:
helm.sh/chart: flux-operator-0.37.1 helm.sh/chart: flux-operator-0.48.0
app.kubernetes.io/name: flux-operator app.kubernetes.io/name: flux-operator
app.kubernetes.io/instance: flux-operator app.kubernetes.io/instance: flux-operator
app.kubernetes.io/version: "v0.37.1" app.kubernetes.io/version: "v0.48.0"
app.kubernetes.io/managed-by: Helm app.kubernetes.io/managed-by: Helm
spec: spec:
serviceAccountName: flux-operator serviceAccountName: flux-operator
@@ -1906,7 +2024,7 @@ spec:
runAsNonRoot: true runAsNonRoot: true
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.37.1" image: "ghcr.io/controlplaneio-fluxcd/flux-operator:v0.48.0"
imagePullPolicy: "IfNotPresent" imagePullPolicy: "IfNotPresent"
ports: ports:
- name: http-metrics - name: http-metrics
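Review bot: The two new ClusterRoles in the web-standard-roles hunk, flux-web-user and flux-web-admin, grant `get`/`list`/`watch` on `apiGroups: ["*"]` and `resources: ["*"]`, which includes Secrets in every namespace, so binding either one to a web-UI identity is equivalent to cluster-wide secret read. Nothing in this diff creates a binding for them, so the point is to check that any (Cluster)RoleBinding later added for the Flux web UI is deliberate and, if the chart offers a value to disable or narrow these standard roles, to set it there. This file is rendered chart output (see the `helm template` comment added in the Nix manifest list), so a change would belong in the chart invocation rather than in this file.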


@@ -5,5 +5,13 @@ metadata:
namespace: flux-system namespace: flux-system
spec: spec:
distribution: distribution:
version: "2.7.x" version: "2.8.x"
registry: "ghcr.io/fluxcd" registry: "ghcr.io/fluxcd"
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
# - source-watcher
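Review bot: image-automation-controller is enabled next to image-reflector-controller, but unlike the reflector it rewrites and pushes to a Git repository, so the credential it is eventually given should be a deploy key or token scoped to the single repository and branch it commits to, not a read-only source credential reused from source-controller. The ImageUpdateAutomation object and its secret reference are not part of this diff, so this is something to confirm when that object lands. A short comment on the list, e.g. `# image-automation-controller pushes commits: scope its git credential to the target repo/branch`, would record the intent next to the component that needs it.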


@@ -35,6 +35,10 @@ let
"${k8s.cilium-manifest}/cilium.yaml" "${k8s.cilium-manifest}/cilium.yaml"
"${k8s.coredns-manifest}/coredns.yaml" "${k8s.coredns-manifest}/coredns.yaml"
./files/manifests/flux_namespace.yaml ./files/manifests/flux_namespace.yaml
#
# Generate with: helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator --namespace flux-system --create-namespace
#
./files/manifests/flux.yaml ./files/manifests/flux.yaml
./files/manifests/flux_instance.yaml ./files/manifests/flux_instance.yaml
] ]
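Review bot: The regeneration command in the new comment does not pin a chart version, so re-running it pulls whatever the latest published flux-operator chart is rather than the 0.48.0 this manifest was rendered from, and the committed file would silently drift on the next refresh. Add `--version 0.48.0` to the quoted command and bump it when upgrading on purpose. Since `--dry-run=server` contacts a live cluster, it is also worth noting in the comment which cluster context the render was taken from.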


@@ -119,8 +119,6 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd ${openssh}/bin/ssh mrmanager doas install -d -o 10016 -g 10016 -m 0755 /vm/${vm_name}/persist/keys/etcd
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
'' ''
+ (lib.concatMapStringsSep "\n" deploy_file [ + (lib.concatMapStringsSep "\n" deploy_file [
{ {
@@ -248,7 +246,8 @@ let
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys ${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0755 /vm/${vm_name}/persist/keys
${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube ${openssh}/bin/ssh mrmanager doas install -d -o 10024 -g 10024 -m 0755 /vm/${vm_name}/persist/keys/kube
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/docker.io
${openssh}/bin/ssh mrmanager doas install -d -o 0 -g 0 -m 0700 /vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz
'' ''
+ (lib.concatMapStringsSep "\n" deploy_file [ + (lib.concatMapStringsSep "\n" deploy_file [
{ {
@@ -291,6 +290,22 @@ let
group = 10024; group = 10024;
mode = "0600"; mode = "0600";
} }
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/docker.io";
file = "${./files/containerd/docker.io/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
{
dest_dir = "/vm/${vm_name}/persist/containerd/certs.d/harbor.fizz.buzz";
file = "${./files/containerd/harbor.fizz.buzz/hosts.toml}";
name = "hosts.toml";
owner = 0;
group = 0;
mode = "0600";
}
]) ])
) )
); );
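Review bot: The registry host directories are created under `/vm/${vm_name}/persist/containerd/certs.d` here, while the containerd module changed in the same set of commits points `config_path` at `/.persist/containerd/certs.d`; presumably the VM mounts the persist tree at `/.persist`, but the two paths are spelled independently, so a rename on either side would leave containerd without the mirror config and pulling from the registries with defaults. The contents of the two hosts.toml files are not in this diff; the one for harbor.fizz.buzz is what every image pull on the node will trust, so it should pin the registry CA with `ca` rather than use `skip_verify`, and a comment on the `dest_dir` lines naming the in-VM path it must match would tie the two definitions together.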


@@ -120,7 +120,7 @@ extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client nsCertType = client
nsComment = "worker0 Certificate" nsComment = "worker0 Certificate"
subjectAltName = DNS:worker0, IP:127.0.0.1 subjectAltName = DNS:worker0, IP:127.0.0.1, IP:10.215.1.224, IP:2620:11f:7001:7:ffff:ffff:ad7:1e0
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
[worker0_distinguished_name] [worker0_distinguished_name]
@@ -141,7 +141,7 @@ extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client nsCertType = client
nsComment = "worker1 Certificate" nsComment = "worker1 Certificate"
subjectAltName = DNS:worker1, IP:127.0.0.1 subjectAltName = DNS:worker1, IP:127.0.0.1, IP:10.215.1.225, IP:2620:11f:7001:7:ffff:ffff:ad7:1e1
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
[worker1_distinguished_name] [worker1_distinguished_name]
@@ -162,7 +162,7 @@ extendedKeyUsage = clientAuth, serverAuth
keyUsage = critical, digitalSignature, keyEncipherment keyUsage = critical, digitalSignature, keyEncipherment
nsCertType = client nsCertType = client
nsComment = "worker2 Certificate" nsComment = "worker2 Certificate"
subjectAltName = DNS:worker2, IP:127.0.0.1 subjectAltName = DNS:worker2, IP:127.0.0.1, IP:10.215.1.226, IP:2620:11f:7001:7:ffff:ffff:ad7:1e2
subjectKeyIdentifier = hash subjectKeyIdentifier = hash
[worker2_distinguished_name] [worker2_distinguished_name]
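Review bot: The IP SANs added to worker0 through worker2 are literals that must track the node addresses (they fall inside the Node ranges 10.215.1.0/24 and the IPv6 /120 documented on this page, which is consistent), and because each section keeps `extendedKeyUsage = clientAuth, serverAuth` the same key now acts as the kubelet's client identity and as the serving certificate that, per the commit message, the metrics server verifies by IP. A comment above each `subjectAltName` line, e.g. `# IP SANs required: metrics-server dials the kubelet by node IP and checks the serving cert`, would stop them being dropped as noise, and the file should say that re-addressing a node means re-issuing its certificate.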


@@ -16,19 +16,29 @@
secret_name, secret_name,
secret_namespace, secret_namespace,
secret_values ? { }, secret_values ? { },
secret_type ? null,
secret_annotations ? null,
... ...
}: }:
let let
toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64; toBase64 = (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }).toBase64;
metadata = {
name = "${secret_name}";
namespace = "${secret_namespace}";
}
// lib.optionalAttrs (secret_annotations != null) {
"annotations" = secret_annotations;
};
secret_yaml = { secret_yaml = {
apiVersion = "v1"; apiVersion = "v1";
kind = "Secret"; kind = "Secret";
metadata = { metadata = metadata;
name = "${secret_name}";
namespace = "${secret_namespace}";
};
data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values); data = (builtins.mapAttrs (key: val: (toBase64 val)) secret_values);
}
// lib.optionalAttrs (secret_type != null) {
"type" = secret_type;
}; };
settingsFormat = pkgs.formats.yaml { }; settingsFormat = pkgs.formats.yaml { };
yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml; yaml_body = settingsFormat.generate "${secret_name}.yaml" secret_yaml;
yaml_file = pkgs.writeTextFile { yaml_file = pkgs.writeTextFile {
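Review bot: The new `secret_type` and `secret_annotations` parameters are undocumented in a function whose callers only see the argument set (the function header starts before this hunk); a comment on the two lines, e.g. `# secret_type: optional Secret .type (e.g. kubernetes.io/ssh-auth); secret_annotations: optional metadata.annotations attrset`, would state the contract. As a matter of style, `metadata = metadata;` can be `inherit metadata;`, and the quoted keys `"annotations"` and `"type"` in the `optionalAttrs` blocks can be bare identifiers like the rest of the attribute set.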


@@ -13,13 +13,33 @@ let
( (
secret_namespace: secrets: secret_namespace: secrets:
(builtins.mapAttrs ( (builtins.mapAttrs (
secret_name: secret_values: secret_name: original_secret_values:
let
secret_type = original_secret_values."__type" or null;
secret_annotations = original_secret_values."__annotations" or null;
secret_values = removeAttrs original_secret_values [
"__type"
"__annotations"
];
in
(callPackage ../../package/k8s-secret-generic/package.nix { (callPackage ../../package/k8s-secret-generic/package.nix {
inherit secret_name secret_namespace secret_values; inherit
secret_name
secret_namespace
secret_values
secret_type
secret_annotations
;
}) })
) secrets) ) secrets)
) )
{ {
"archive-box" = {
"archive-box-auth" = {
"username" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/username}");
"password" = (builtins.readFile "${./secrets/archive-box/archive-box-auth/password}");
};
};
"cert-manager" = { "cert-manager" = {
"rfc2136" = { "rfc2136" = {
"TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}"); "TSIG_SECRET" = (builtins.readFile "${./secrets/cert-manager/rfc2136/TSIG_SECRET}");
@@ -37,6 +57,27 @@ let
); );
}; };
}; };
"flux-system" = {
"registry-credentials" =
(generate_docker_secret {
username = builtins.readFile "${./secrets/flux-system/registry-credentials/username}";
password = builtins.readFile "${./secrets/flux-system/registry-credentials/password}";
email = builtins.readFile "${./secrets/flux-system/registry-credentials/email}";
})
// {
# "__annotations" = {
# "tekton.dev/docker-0" = "https://harbor.fizz.buzz";
# };
};
"webhook-token" = {
# This token is used for gitea webhooks
"token" = generate_key 64 "flux-system.webhook-token.token";
};
"harbor-webhook-token" = {
# This token is used for harbor webhooks
"token" = generate_key 64 "flux-system.harbor-webhook-token.token";
};
};
"gitea" = { "gitea" = {
"gitea-env" = { "gitea-env" = {
"GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}"); "GITEA_ADMIN_USERNAME" = (builtins.readFile "${./secrets/gitea/gitea-env/GITEA_ADMIN_USERNAME}");
@@ -59,6 +100,29 @@ let
); );
}; };
}; };
"tekton-gateway" = {
"oauth2-env" = oauth2_env { dex_id = "tekton"; };
};
"webhook-bridge" = {
"webhook-bridge" = {
"HMAC_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/HMAC_TOKEN}");
"OAUTH_TOKEN" = (builtins.readFile "${./secrets/webhook-bridge/webhook-bridge/OAUTH_TOKEN}");
};
"deployer-key" = {
"__annotations" = {
"tekton.dev/git-0" = "code.fizz.buzz";
};
"__type" = "kubernetes.io/ssh-auth";
"ssh-privatekey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-privatekey}");
"ssh-publickey" = (builtins.readFile "${./secrets/webhook-bridge/deployer-key/ssh-publickey}");
};
"gitea" = {
"token" = (builtins.readFile "${./secrets/webhook-bridge/gitea/token}");
};
"harbor-plain" = {
"config.json" = (builtins.readFile "${./secrets/webhook-bridge/harbor-plain/config.json}");
};
};
}; };
encrypted_secrets = ( encrypted_secrets = (
builtins.mapAttrs ( builtins.mapAttrs (
@@ -92,6 +156,7 @@ let
## Utilities ## Utilities
inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml; inherit ((import ../../../functions/to_yaml.nix) { inherit pkgs; }) to_yaml;
inherit (pkgs.callPackage ../../contrib/base64/package.nix { inherit lib; }) toBase64;
generate_key = generate_key =
len: name: len: name:
builtins.readFile ( builtins.readFile (
@@ -101,8 +166,46 @@ let
dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out" dd if=/dev/urandom | tr --complement --delete '[:alnum:]' | dd bs=${toString len} count=1 of="$out"
'' ''
); );
helm_json_escape = json: builtins.toJSON json; # helm_json_escape = json: builtins.toJSON json;
helm_json_escape =
json:
builtins.replaceStrings
[
"="
"["
"]"
","
"."
"\""
"{"
"}"
]
[
"\\="
"\\["
"\\]"
"\\,"
"\\."
"\\\""
"\\{"
"\\}"
]
json;
generate_docker_secret =
{
username,
password,
email,
}:
let
in
{
"__type" = "kubernetes.io/dockerconfigjson";
".dockerconfigjson" = builtins.toJSON {
inherit username password email;
"auth" = toBase64 "${username}:${password}";
};
};
## dex ## dex
get_dex_config = get_dex_config =
client_id: client_id:
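Review bot: `generate_docker_secret` emits `.dockerconfigjson` as a flat object with `username`, `password`, `email` and `auth` at the top level, but the `kubernetes.io/dockerconfigjson` format that kubelet and image pullers read is a Docker `config.json`, i.e. an `auths` map keyed by registry host with those fields underneath; the API server only checks that the value is valid JSON, so the `registry-credentials` secret at the caller (outside this hunk) would be accepted yet never match a registry. The function needs the registry host as a parameter and must nest the credentials under it, and the empty `let in` should go. The leftover commented-out `helm_json_escape` line above the new definition can also be dropped now that the replacement is in place.
```nix
  generate_docker_secret =
    {
      registry,
      username,
      password,
      email,
    }:
    {
      "__type" = "kubernetes.io/dockerconfigjson";
      # Docker config.json layout: credentials live under auths.<registry-host>.
      ".dockerconfigjson" = builtins.toJSON {
        auths = {
          "${registry}" = {
            inherit username password email;
            auth = toBase64 "${username}:${password}";
          };
        };
      };
    };
```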


@@ -1,3 +1,4 @@
# TODO: Set up a proxy to harbor for OCI compliance: https://github.com/moby/moby/pull/34319#issuecomment-720606627
{ {
config, config,
lib, lib,
@@ -29,30 +30,43 @@ in
config = lib.mkIf config.me.containerd.enable { config = lib.mkIf config.me.containerd.enable {
virtualisation.containerd.enable = true; virtualisation.containerd.enable = true;
virtualisation.containerd.settings = { virtualisation.containerd.settings = lib.mkForce {
"plugins" = { "plugins" = {
"io.containerd.grpc.v1.cri" = { "io.containerd.cri.v1.images" = {
"registry" = {
"config_path" = "/.persist/containerd/certs.d";
};
"snapshotter" = "overlayfs";
};
"io.containerd.cri.v1.runtime" = {
"cni" = { "cni" = {
"bin_dir" = "/opt/cni/bin"; "bin_dirs" = [
"/opt/cni/bin"
];
"conf_dir" = "/etc/cni/net.d"; "conf_dir" = "/etc/cni/net.d";
# "bin_dir" = "${my-cni-plugins}/bin";
# "conf_dir" = "${my-cni-configs}";
}; };
"containerd" = { "containerd" = {
"default_runtime_name" = "runc"; "default_runtime_name" = "runc";
"runtimes" = { "runtimes" = {
"runc" = { "runc" = {
"options" = {
"SystemdCgroup" = true;
};
"runtime_type" = "io.containerd.runc.v2"; "runtime_type" = "io.containerd.runc.v2";
}; };
}; };
"snapshotter" = "overlayfs"; };
};
"io.containerd.cri.v1.services" = {
"containerd" = {
"runtimes" = {
"runc" = {
"options" = {
"SystemdCgroup" = true;
};
};
};
}; };
}; };
}; };
"version" = 2; "version" = 3;
}; };
systemd.services.containerd.preStart = '' systemd.services.containerd.preStart = ''
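Review bot: `SystemdCgroup = true` is now placed under `plugins."io.containerd.cri.v1.services"`, but the runc runtime it applied to in the old config is defined in the new one under `plugins."io.containerd.cri.v1.runtime".containerd.runtimes.runc`, and I do not know `io.containerd.cri.v1.services` to be a containerd plugin id, so the option is likely ignored and runc would fall back to the cgroupfs driver, which matters if the kubelet is configured for the systemd driver; verify on a node with `containerd config dump`. Suggested fix: put `"options" = { "SystemdCgroup" = true; };` back beside `"runtime_type" = "io.containerd.runc.v2";` inside that runc entry and delete the services block. Separately, `lib.mkForce` discards whatever the NixOS containerd module would otherwise set in `settings`, which is fine if intended but deserves a one-line comment saying so.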


@@ -32,7 +32,7 @@ let
containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock"; containerRuntimeEndpoint = "unix:///var/run/containerd/containerd.sock";
enableServer = true; enableServer = true;
failSwapOn = false; failSwapOn = false;
maxPods = 16; maxPods = 110;
memorySwap = { memorySwap = {
swapBehavior = "NoSwap"; swapBehavior = "NoSwap";
}; };
@@ -47,6 +47,7 @@ let
"10.197.0.10" "10.197.0.10"
"fd00:3e42:e349::10" "fd00:3e42:e349::10"
]; ];
imageMaximumGCAge = "24h"; # Delete unused images after 1 day.
}; };
kubelet_config_file = (to_yaml_file "kubelet-config.yaml" kubelet_config); kubelet_config_file = (to_yaml_file "kubelet-config.yaml" kubelet_config);
in in