talexander/machine_setup
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

base: talexander:nix
Branches Tags
talexander:main talexander:nix talexander:kubernetes talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook
..
compare: talexander:kubernetes
Branches Tags
talexander:nix talexander:main talexander:kubernetes talexander:mt7927 talexander:yubipi talexander:upstream_amd_debug_tools talexander:install_files_mixin talexander:starship talexander:pixelbook

79 Commits
nix ... kubernetes

Author SHA1 Message Date
Tom Alexander
e900dc4199 Add secret for homepage-staging. 2026-05-05 22:43:45 -04:00
Tom Alexander
df2299d214 Add a secret for the harbor webhooks to flux. 2026-05-05 22:43:45 -04:00
Tom Alexander
8f0a273ee3 Update flux and install the image automation controller. 2026-05-05 22:43:45 -04:00
Tom Alexander
2a41b6c16e Add IP addresses to worker certs for the metrics server. 2026-05-05 22:43:45 -04:00
Tom Alexander
e537825c54 Delete images after 24 hours of being unused. 2026-05-05 22:43:45 -04:00
Tom Alexander
6c4075e279 Set up containerd use harbor.fizz.buzz. 2026-05-05 22:43:44 -04:00
Tom Alexander
785f28a351 Add secrets for archive-box, webhook-bridge, and tekton. 2026-05-05 22:43:44 -04:00
Tom Alexander
5cfb2c3b6a Allow node-to-node communication. 2026-05-05 22:43:44 -04:00
Tom Alexander
2fdf0a0f63 Use numbers for folder order. 2026-05-05 22:43:44 -04:00
Tom Alexander
d7c889a2d7 Add harbor secrets. 2026-05-05 22:43:44 -04:00
Tom Alexander
d2c01c1223 Switch to the experimental gateway CRDs for TCPRoute support. 2026-05-05 22:43:44 -04:00
Tom Alexander
f62f6bed00 Add oauth2 proxy secrets. 2026-05-05 22:43:43 -04:00
Tom Alexander
efc4d0f12e Add dex secrets. 2026-05-05 22:43:43 -04:00
Tom Alexander
f0e539f5ef Enable the firewall. 2026-05-05 22:43:43 -04:00
Tom Alexander
abd795d8ae Add gitea secrets. 2026-05-05 22:43:43 -04:00
Tom Alexander
2d3c03e042 Add generation for in-repo secrets. 2026-05-05 22:43:43 -04:00
Tom Alexander
a44e972701 Enforce cilium network policies. 2026-05-05 22:43:43 -04:00
Tom Alexander
7619c482ef Downgrade to gateway 1.4.1. 
1.5 came out recently, so no gateway providers support it.
 2026-05-05 22:43:42 -04:00
Tom Alexander
3ea1b59d59 Update packages in kubernetes/keys. 2026-05-05 22:43:42 -04:00
Tom Alexander
4457d35a63 Fix network for updated nix. 2026-05-05 22:43:42 -04:00
Tom Alexander
dddf80273a Fix proxy auth tls 2026-05-05 22:43:42 -04:00
Tom Alexander
9751784e76 Generate certificates for the aggregation layer. 2026-05-05 22:43:42 -04:00
Tom Alexander
1195bf2aa5 Add a note for the cilium connectivity test. 2026-05-05 22:43:42 -04:00
Tom Alexander
b6b5d5bd0f Temporarily disable the firewall for debugging. 2026-05-05 22:43:41 -04:00
Tom Alexander
893922959a Enable gateway support. 2026-05-05 22:43:41 -04:00
Tom Alexander
1fc4dd8f72 Enable hubble. 2026-05-05 22:43:41 -04:00
Tom Alexander
4b1a5c56ab Temporarily drop flux interval to 1 minute during early development. 
This is to reduce waiting time.
 2026-05-05 22:43:41 -04:00
Tom Alexander
af478c9731 Install deferred manifests. 2026-05-05 22:43:41 -04:00
Tom Alexander
81e9386b9b Add a custom nftables firewall config. 2026-05-05 22:43:41 -04:00
Tom Alexander
c89b5031c7 Enable the firewall. 
Now that we have networking working, I can enable the firewall and confirm nothing breaks.
 2026-05-05 22:43:41 -04:00
Tom Alexander
9378bc3343 Fix CoreDNS IPv4 connectivity. 2026-05-05 22:43:40 -04:00
Tom Alexander
61cd0acc5e Increase timeout for coredns cache. 2026-05-05 22:43:40 -04:00
Tom Alexander
646fc44d8f More changes to try to fix coredns. 2026-05-05 22:43:40 -04:00
Tom Alexander
5d094246de Move the kubelet yaml config into nix. 2026-05-05 22:43:40 -04:00
Tom Alexander
8158b06e2d Implement a generic helm templater package. 2026-05-05 22:43:40 -04:00
Tom Alexander
423d429d0e Switch to generating the coredns manifests via nix. 2026-05-05 22:43:40 -04:00
Tom Alexander
de5f2ec54d Use CoreDNS for in-cluster DNS requests and caching. 2026-05-05 22:43:39 -04:00
Tom Alexander
5871c72491 Enable native routing. 2026-05-05 22:43:39 -04:00
Tom Alexander
ab179f2f49 Build the cilium manifest automatically in nix. 2026-05-05 22:43:39 -04:00
Tom Alexander
91cfb2a9c4 Allow pods to directly speak to the public internet on their own public IPv6 addresses. 2026-05-05 22:43:39 -04:00
Tom Alexander
dfd43da93a Enable ipv4 and tunnel routing. 2026-05-05 22:43:39 -04:00
Tom Alexander
8a54291834 Switch to kubernetes ipam mode. 2026-05-05 22:43:39 -04:00
Tom Alexander
ed786cf926 Fix service cluster ip range. 
Kubernetes only allows a /112 for service ip range.
 2026-05-05 22:43:38 -04:00
Tom Alexander
0f09d38212 Fix trailing line break in kubernetes encryption config. 2026-05-05 22:43:38 -04:00
Tom Alexander
0215812ee9 Move the yaml functions to their own file. 2026-05-05 22:43:38 -04:00
Tom Alexander
d26b3d5ebf Introduce functions to generate yaml. 
The toYAML function is just an alias to toJSON which is technically fine since YAML is a superset of JSON, but these new functions will generate actual YAML.
 2026-05-05 22:43:38 -04:00
Tom Alexander
2861fddf6f Add missing cidr declarations. 2026-05-05 22:43:38 -04:00
Tom Alexander
0e8393762d Fix DNS resolution. 2026-05-05 22:43:38 -04:00
Tom Alexander
45cc48b3b5 Apply the git repo to the cluster. 2026-05-05 22:43:38 -04:00
Tom Alexander
0a112a931a Trust flux's ssh key in the yaml git repo. 2026-05-05 22:43:37 -04:00
Tom Alexander
3b3f27bd59 Generic secrets for ssh keys. 2026-05-05 22:43:37 -04:00
Tom Alexander
f19d018a34 Generic secrets for pgp keys. 2026-05-05 22:43:37 -04:00
Tom Alexander
d277ca5634 Generate kubernetes secrets for ssh keys. 2026-05-05 22:43:37 -04:00
Tom Alexander
1f02259850 Install CoreDNS. 2026-05-05 22:43:37 -04:00
Tom Alexander
9382057b47 Generate pgp keys for sops. 2026-05-05 22:43:37 -04:00
Tom Alexander
586198586b Generate ssh keys for flux bootstrap. 2026-05-05 22:43:36 -04:00
Tom Alexander
2efe37993a Move the cluster bootstrap into the keys flake. 
Bootstrapping the cluster needs access to secrets, so I am moving it into the keys flake.
 2026-05-05 22:43:36 -04:00
Tom Alexander
61583f9eff Set up flux. 2026-05-05 22:43:36 -04:00
Tom Alexander
54782da612 Add a bootstrap role. 2026-05-05 22:43:36 -04:00
Tom Alexander
4d499c0210 Add a bootstrap role to load manifests into the cluster. 2026-05-05 22:43:36 -04:00
Tom Alexander
365566bf75 Fix launching of containers. 2026-05-05 22:43:36 -04:00
Tom Alexander
37de518169 Create a debugging role. 2026-05-05 22:43:35 -04:00
Tom Alexander
2bd134ab12 Some networking fixes. 2026-05-05 22:43:35 -04:00
Tom Alexander
827ef15c90 Add cilium bootstrap. 2026-05-05 22:43:35 -04:00
Tom Alexander
f7d463947d Installing the cni plugins. 2026-05-05 22:43:35 -04:00
Tom Alexander
a389547117 Add kube-proxy. 2026-05-05 22:43:35 -04:00
Tom Alexander
3cb65e76c0 Add kubelet. 2026-05-05 22:43:35 -04:00
Tom Alexander
6c05320380 Add worker nodes. 2026-05-05 22:43:34 -04:00
Tom Alexander
d302ac96e2 Add kube-scheduler. 2026-05-05 22:43:34 -04:00
Tom Alexander
23ee194a84 Add kube-controller-manager. 2026-05-05 22:43:34 -04:00
Tom Alexander
0e111b500b Fix launching kube-apiserver. 2026-05-05 22:43:34 -04:00
Tom Alexander
df9f526f9e Move the encryption config into a package. 2026-05-05 22:43:34 -04:00
Tom Alexander
d8b7319348 Switch to generating certs with openssl. 2026-05-05 22:43:34 -04:00
Tom Alexander
2ac3cff2a1 Add controller proxy certs. 2026-05-05 22:43:33 -04:00
Tom Alexander
f31260eb00 Add requestheader-client-ca. 2026-05-05 22:43:33 -04:00
Tom Alexander
38f6d3abf9 Add service account. 2026-05-05 22:43:33 -04:00
Tom Alexander
2522803300 Install kubernetes. 2026-05-05 22:43:33 -04:00
Tom Alexander
f8a40ca20e Add additional controllers. 2026-05-05 22:43:33 -04:00
Tom Alexander
9fc2e682f4 Add configs for a new kubernetes cluster on NixOS. 2026-05-05 22:43:32 -04:00
157 changed files with 9723 additions and 347 deletions
Expand all files Collapse all files

12
nix/configuration/README.org Normal file
View File

@@ -0,0 +1,12 @@
* To-do
** Perhaps use overlay for /etc for speedup
#+begin_src nix
system.etc.overlay.enable = true;
#+end_src
** read https://nixos.org/manual/nixos/stable/
** Performance for mini pc
#+begin_src nix
security.pam.loginLimits = [
{ domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
];
#+end_src

52
nix/configuration/configuration.nix
View File

@@ -54,7 +54,6 @@ in
./roles/iso_mount
./roles/jujutsu
./roles/kanshi
./roles/kernel
./roles/kodi
./roles/kubernetes
./roles/latex
@@ -138,15 +137,14 @@ in
nix.settings.keep-derivations = true;
# Automatic garbage collection
nix.gc = lib.mkIf (!config.me.buildingPortable) {
# Runs nix-collect-garbage --delete-older-than 5d
# automatic = true;
automatic = false;
persistent = true;
dates = "monthly";
# randomizedDelaySec = "14m";
options = "--delete-older-than 30d";
};
# nix.gc = lib.mkIf (!config.me.buildingPortable) {
# # Runs nix-collect-garbage --delete-older-than 5d
# automatic = true;
# persistent = true;
# dates = "monthly";
# # randomizedDelaySec = "14m";
# options = "--delete-older-than 30d";
# };
nix.settings.auto-optimise-store = !config.me.buildingPortable;
environment.systemPackages = [
@@ -236,30 +234,20 @@ in
);
in
[
(disableTests "coreutils")
(disableTests "coreutils-full")
(disableTests "deno") # Tests use too much disk space
(disableOptimizations "libtpms")
(disableTests "libuv")
(final: prev: {
inherit (final.unoptimized)
libtpms
libjxl
ddrescueview
deno
mesa
;
})
(disableOptimizationsPython3 "scipy")
(disableOptimizations "assimp")
(disableOptimizations "gsl")
(final: prev: {
rpcs3 = prev.rpcs3.override {
glew = (final.glew.override { enableEGL = false; });
};
})
(final: prev: {
fwupd = prev.fwupd.overrideAttrs (
finalAttrs: prevAttrs: {
version = "2.1.5";
src = final.fetchFromGitHub {
owner = "fwupd";
repo = "fwupd";
tag = finalAttrs.version;
hash = "sha256-DzQ+N99ZmFRqZc2rN6PSqmoIMXUyrE8Kkn+KnT/AWPc=";
};
}
);
})
# Works but probably sets python2's scipy to be python3:
#
# (final: prev: {

31
nix/configuration/flake.lock generated
View File

@@ -22,11 +22,11 @@
]
},
"locked": {
"lastModified": 1780894562,
"narHash": "sha256-c3430xwxwhHipl3jigUGMMBfpaMylDqytW/kdmB3ZGs=",
"lastModified": 1776613567,
"narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
"owner": "nix-community",
"repo": "disko",
"rev": "24fed06cac83bcc44ac8efbb57cab1a82fa0bedc",
"rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
"type": "github"
},
"original": {
@@ -164,11 +164,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1780749050,
"narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
"lastModified": 1777268161,
"narHash": "sha256-bxrdOn8SCOv8tN4JbTF/TXq7kjo9ag4M+C8yzzIRYbE=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
"rev": "1c3fe55ad329cbcb28471bb30f05c9827f724c76",
"type": "github"
},
"original": {
@@ -178,22 +178,6 @@
"type": "github"
}
},
"nixpkgs-google": {
"locked": {
"lastModified": 1779893571,
"narHash": "sha256-wiwMyVCtmjRjlFCe2zaumCE6LRV9GzzN0ZH25NQkbAU=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
"type": "github"
},
"original": {
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "45f6cfaa4605b706c870e75bd74bdb5e97eee11e",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
@@ -242,8 +226,7 @@
"disko": "disko",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs",
"nixpkgs-google": "nixpkgs-google"
"nixpkgs": "nixpkgs"
}
},
"rust-overlay": {

5
nix/configuration/flake.nix
View File

@@ -20,7 +20,6 @@
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs-google.url = "github:NixOS/nixpkgs/45f6cfaa4605b706c870e75bd74bdb5e97eee11e";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
@@ -35,7 +34,6 @@
{
self,
nixpkgs,
nixpkgs-google,
disko,
impermanence,
lanzaboote,
@@ -94,9 +92,6 @@
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
google = import nixpkgs-google {
system = prev.stdenv.hostPlatform.system;
};
})
];
};

1
nix/configuration/hosts/odo/default.nix
View File

@@ -110,7 +110,6 @@
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kanshi.enable = false;
me.kernel.enable = true;
me.kubernetes.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;

1
nix/configuration/hosts/odowork/default.nix
View File

@@ -111,7 +111,6 @@
me.iso_mount.enable = true;
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kernel.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;
me.lvfs.enable = true;

1
nix/configuration/hosts/quark/default.nix
View File

@@ -104,7 +104,6 @@
me.jujutsu.config = ../../roles/jujutsu/files/jujutsu_config_home.toml;
me.jujutsu.enable = true;
me.kanshi.enable = false;
me.kernel.enable = true;
me.kubernetes.enable = true;
me.latex.enable = true;
me.launch_keyboard.enable = true;

10
nix/configuration/roles/base/default.nix
View File

@@ -14,12 +14,6 @@ let
cleanup_temporary_files = (
patchScriptBin "cleanup_temporary_files" (builtins.readFile ./files/cleanup_temporary_files.bash)
);
decode_jwt = (patchScriptBin "decode_jwt" (builtins.readFile ./files/decode_jwt.bash));
git_find_merged_branches = (
patchScriptBin "git_find_merged_branches" (builtins.readFile ./files/git_find_merged_branches.bash)
);
git_fix_author = (patchScriptBin "git_fix_author" (builtins.readFile ./files/git_fix_author.bash));
rsync_clone = (patchScriptBin "rsync_clone" (builtins.readFile ./files/rsync_clone.bash));
alias_rga = pkgs.writeShellScriptBin "rga" ''
exec ${pkgs.ripgrep}/bin/rg -uuu "''${@}"
'';
@@ -65,12 +59,8 @@ in
nix-output-monitor # For better view into nixos-rebuild
# nix-serve-ng # Serve nix store over http
cleanup_temporary_files
decode_jwt
jq
inetutils # For whois
git_find_merged_branches
git_fix_author
rsync_clone
];
};
}

5
nix/configuration/roles/base/files/cleanup_temporary_files.bash
View File

@@ -1,7 +1,4 @@
#!/usr/bin/env bash
#
# Delete temporary files on entire disk
set -euo pipefail
IFS=$'\n\t'
exec find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null
find / -type f '(' -name '*.orig' -or -name '*~' -or -name '*.core' ')' -delete -print 2>/dev/null

8
nix/configuration/roles/base/files/decode_jwt.bash
View File

@@ -1,8 +0,0 @@
#!/usr/bin/env bash
#
# Decode the contents of a JWT
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
exec jq -R 'split(".") | .[0],.[1] | gsub("-"; "+") | gsub("_"; "/") | gsub("%3D"; "=")| @base64d | fromjson'

10
nix/configuration/roles/base/files/git_find_merged_branches.bash
View File

@@ -1,10 +0,0 @@
#!/usr/bin/env bash
#
# Find local branches that have been merged
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: ${MAIN_BRANCH:="main"}
git checkout -q ${MAIN_BRANCH} && git for-each-ref refs/heads/ "--format=%(refname:short)" | while read branch; do mergeBase=$(git merge-base ${MAIN_BRANCH} $branch) && [[ $(git cherry ${MAIN_BRANCH} $(git commit-tree $(git rev-parse "$branch^{tree}") -p $mergeBase -m _)) == "-"* ]] && echo "$branch"; done

22
nix/configuration/roles/base/files/git_fix_author.bash
View File

@@ -1,22 +0,0 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
git filter-branch --env-filter '
WRONG_EMAIL="old@email.foo"
NEW_NAME="New Name"
NEW_EMAIL="new@email.bar"
if [ "$GIT_COMMITTER_EMAIL" = "$WRONG_EMAIL" ]
then
export GIT_COMMITTER_NAME="$NEW_NAME"
export GIT_COMMITTER_EMAIL="$NEW_EMAIL"
fi
if [ "$GIT_AUTHOR_EMAIL" = "$WRONG_EMAIL" ]
then
export GIT_AUTHOR_NAME="$NEW_NAME"
export GIT_AUTHOR_EMAIL="$NEW_EMAIL"
fi
' --tag-name-filter cat --commit-filter 'git commit-tree -S "$@";' -- --branches --tags

8
nix/configuration/roles/base/files/rsync_clone.bash
View File

@@ -1,8 +0,0 @@
#!/usr/bin/env bash
#
# Wrapper to set rsync flags for cloning a folder preserving attributes
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
exec rsync -aHAXS "$@"

11
nix/configuration/roles/firewall/default.nix
View File

@@ -24,16 +24,7 @@
networking.firewall.allowedUDPPorts = [
5353 # mDNS
];
# networking.firewall.enable = true;
# networking.nftables.enable = true;
# Or disable the firewall altogether.
networking.firewall.enable = false;
# Debugging
# networking.firewall.logRefusedConnections = true;
# networking.firewall.logRefusedPackets = true;
# networking.firewall.logReversePathDrops = true;
# networking.firewall.enable = false;
};
}

2
nix/configuration/roles/gcloud/default.nix
View File

@@ -18,7 +18,7 @@
};
config = lib.mkIf config.me.gcloud.enable {
environment.systemPackages = with pkgs.google; [
environment.systemPackages = with pkgs; [
(google-cloud-sdk.withExtraComponents [ google-cloud-sdk.components.gke-gcloud-auth-plugin ])
];

194
nix/configuration/roles/kernel/default.nix
View File

@@ -1,194 +0,0 @@
# Check current config:
# nix build '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile'
# cat $(nix eval --raw '/persist/machine_setup/nix/configuration#nixosConfigurations.hydra.pkgs.linux_me.configfile') | less
{
config,
lib,
pkgs,
...
}:
let
preemption_type = with lib.kernel; {
full = {
PREEMPT_DYNAMIC = yes;
PREEMPT = yes;
PREEMPT_VOLUNTARY = lib.mkForce no;
PREEMPT_LAZY = lib.mkForce no;
PREEMPT_NONE = no;
};
lazy = {
PREEMPT_DYNAMIC = yes;
PREEMPT = no;
PREEMPT_VOLUNTARY = lib.mkForce no;
PREEMPT_LAZY = yes;
PREEMPT_NONE = no;
};
voluntary = {
PREEMPT_DYNAMIC = no;
PREEMPT = no;
PREEMPT_VOLUNTARY = yes;
PREEMPT_LAZY = lib.mkForce no;
PREEMPT_NONE = no;
};
none = {
PREEMPT_DYNAMIC = no;
PREEMPT = no;
PREEMPT_VOLUNTARY = lib.mkForce no;
PREEMPT_LAZY = lib.mkForce no;
PREEMPT_NONE = yes;
};
};
tick_hz =
with lib.kernel;
{
"1000" = {
HZ_1000 = yes;
HZ = freeform "1000";
};
}
// lib.genAttrs [ "100" "250" "300" "500" "600" "750" ] (hz: {
HZ_1000 = no;
"HZ_${hz}" = yes;
HZ = freeform hz;
});
performance_governor = with lib.kernel; {
default = {
CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = yes;
};
performance = {
CPU_FREQ_DEFAULT_GOV_SCHEDUTIL = no;
CPU_FREQ_DEFAULT_GOV_PERFORMANCE = yes;
};
};
tick_rate = with lib.kernel; {
# Always tick at the hz frequency.
periodic = {
NO_HZ_IDLE = no;
NO_HZ_FULL = no;
NO_HZ = no;
NO_HZ_COMMON = no;
HZ_PERIODIC = yes;
};
# Idle - Do not disturb the CPU when idle. This can save power but increase latency.
idle = {
HZ_PERIODIC = no;
NO_HZ_FULL = no;
NO_HZ_IDLE = yes;
NO_HZ = yes;
NO_HZ_COMMON = yes;
};
# Full dyntick system (tickless) - The kernel tries to shut down the tick whenever possible.
tickless = {
HZ_PERIODIC = no;
NO_HZ_IDLE = no;
NO_HZ_FULL = yes;
NO_HZ = yes;
NO_HZ_COMMON = yes;
CONTEXT_TRACKING = yes;
};
};
huge_page = with lib.kernel; {
always = {
TRANSPARENT_HUGEPAGE_MADVISE = no;
TRANSPARENT_HUGEPAGE_ALWAYS = yes;
};
madvise = {
TRANSPARENT_HUGEPAGE_ALWAYS = no;
TRANSPARENT_HUGEPAGE_MADVISE = yes;
};
};
common_config =
with lib.kernel;
{
# Google's BBRv3 TCP congestion Control
TCP_CONG_BBR = yes;
DEFAULT_BBR = yes;
};
flavors = {
server = lib.mkMerge [
preemption_type.none
tick_hz."300"
performance_governor.default
tick_rate.tickless
huge_page.madvise
];
interactive =
with lib.kernel;
lib.mkMerge [
{
# Enable RCU Lazy - Reduces power consumption when idle or lightly loaded. Useful for battery-powered devices like laptops.
RCU_LAZY = yes;
}
preemption_type.lazy
tick_hz."300"
performance_governor.default
tick_rate.tickless
huge_page.madvise
];
};
in
{
imports = [ ];
options.me = {
kernel.enable = lib.mkOption {
type = lib.types.bool;
default = false;
example = true;
description = "Whether we want to install kernel.";
};
kernel.version = lib.mkOption {
type = lib.types.str;
default = "linux"; # LTS
example = "linux_6_18";
description = "What version of the kernl should we use.";
};
kernel.flavor = lib.mkOption {
type = lib.types.str;
default = "interactive";
example = "server";
description = "What type of kernel should be built.";
};
};
config = lib.mkIf config.me.kernel.enable (
lib.mkMerge [
{
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
}
(lib.mkIf (!config.me.optimizations.enable) {
nixpkgs.overlays = [
(final: prev: {
linux_me = final."${config.me.kernel.version}";
})
];
})
(lib.mkIf (config.me.optimizations.enable) {
nixpkgs.overlays = [
(
final: prev:
let
addConfig =
additionalConfig: pkg:
pkg.override (oldconfig: {
structuredExtraConfig = lib.mkMerge ([ pkg.structuredExtraConfig ] ++ additionalConfig);
# stdenv = pkgs.llvmPackages_latest.stdenv;
# stdenv = pkgs.clangStdenv;
});
in
{
linux_me = addConfig ([
common_config
flavors."${config.me.kernel.flavor}"
]) final."${config.me.kernel.version}";
}
)
];
})
]
);
}

1
nix/configuration/roles/minimal_base/default.nix
View File

@@ -19,7 +19,6 @@
config = lib.mkIf config.me.minimal_base.enable {
me.doas.enable = true;
me.kernel.enable = true;
me.network.enable = true;
me.nvme.enable = true;
me.ssh.enable = true;

59
nix/configuration/roles/optimized_build/default.nix
View File

@@ -1,6 +1,7 @@
{
config,
lib,
pkgs,
...
}:
@@ -48,13 +49,71 @@
};
config = lib.mkMerge [
(lib.mkIf (!config.me.optimizations.enable) (
lib.mkMerge [
{
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_18;
# boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
}
]
))
(lib.mkIf config.me.optimizations.enable (
lib.mkMerge [
{
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_me;
nixpkgs.hostPlatform = {
gcc.arch = config.me.optimizations.arch;
gcc.tune = config.me.optimizations.arch;
};
nixpkgs.overlays = [
(
final: prev:
let
addConfig =
additionalConfig: pkg:
pkg.override (oldconfig: {
structuredExtraConfig = pkg.structuredExtraConfig // additionalConfig;
});
in
{
linux_me = addConfig {
# Server | No preemption - Run until the next tick. Highest throughput but can cause stutter.
# PREEMPT = lib.mkOverride 60 lib.kernel.no;
# Desktop | Preempt kernel threads only at pre-defined places that call cond_resched().
PREEMPT_VOLUNTARY = lib.mkOverride 60 lib.kernel.no;
# Low-latency desktop | Full preemption - Kernel threads can be preempted unless they hold a spinlock or are in a no-preemption section.
PREEMPT = lib.mkOverride 60 lib.kernel.yes;
# RT - All kernel code is preemptible except for a few critical sections.
# Middle ground | Real-time tasks preempt immediately like FULL, normal tasks run until the next tick.
PREEMPT_LAZY = lib.mkOverride 90 lib.kernel.no;
# Google's BBRv3 TCP congestion Control
TCP_CONG_BBR = lib.kernel.yes;
DEFAULT_BBR = lib.kernel.yes;
# Preemptive Full Tickless Kernel at 300Hz
HZ = lib.kernel.freeform "300";
HZ_300 = lib.kernel.yes;
HZ_1000 = lib.kernel.no;
} prev.linux_6_18; # or prev.linux
}
)
(final: prev: {
inherit (final.unoptimized)
assimp
binaryen
gsl
rapidjson
ffmpeg-headless
ffmpeg
pipewire
chromaprint
gtkmm
;
})
];
}
]
))

5
nix/configuration/roles/sm64ex/default.nix
View File

@@ -18,10 +18,7 @@
};
config = lib.mkIf (config.me.sm64ex.enable && config.me.graphical) {
allowedUnfree = [
"sm64ex"
"baserom.us.z64"
];
allowedUnfree = [ "sm64ex" ];
environment.systemPackages = with pkgs; [
sm64ex

4
nix/configuration/roles/sound/default.nix
View File

@@ -30,7 +30,7 @@
# If you want to use JACK applications, uncomment this
#jack.enable = true;
extraLadspaPackages = [ pkgs.rnnoise-plugin.ladspa ];
extraLv2Packages = [ pkgs.rnnoise-plugin ];
configPackages = [
(pkgs.writeTextDir "share/pipewire/pipewire.conf.d/99-input-denoising.conf" ''
context.modules = [
@@ -43,7 +43,7 @@
{
type = ladspa
name = rnnoise
plugin = "librnnoise_ladspa"
plugin = "${pkgs.rnnoise-plugin}/lib/ladspa/librnnoise_ladspa.so"
label = noise_suppressor_mono
control = {
"VAD Threshold (%)" = 50.0

6
nix/configuration/roles/vscode/default.nix
View File

@@ -121,12 +121,6 @@ in
group = "talexander";
mode = "0755";
}
{
directory = ".vscode-shared";
user = "talexander";
group = "talexander";
mode = "0755";
}
];
};
};

3
nix/configuration/roles/zfs/default.nix
View File

@@ -44,9 +44,6 @@ in
boot.zfs.devNodes = "/dev/disk/by-partuuid";
# Do not force import your root pool during boot. Force importing would be useful if the pool had been imported by a different machine most recently.
boot.zfs.forceImportRoot = false;
services.zfs = {
autoScrub = {
enable = true;

1
nix/kubernetes/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
result

132
nix/kubernetes/README.org Normal file
View File

@@ -0,0 +1,132 @@
* To-do
** Perhaps use overlay for /etc for speedup
#+begin_src nix
system.etc.overlay.enable = true;
#+end_src
** read https://nixos.org/manual/nixos/stable/
** Performance for mini pc
#+begin_src nix
security.pam.loginLimits = [
{ domain = "@users"; item = "rtprio"; type = "-"; value = 1; }
];
#+end_src
* IP Ranges
| | IPv4 | IPv6 |
|--------------------------------+-----------------------------+-----------------------------------------|
| Pod | 10.200.0.0/16 | 2620:11f:7001:7:ffff:eeee::/96 |
| Service | 10.197.0.0/16 | fd00:3e42:e349::/112 |
| Node | 10.215.1.0/24 | 2620:11f:7001:7:ffff:ffff:0ad7:0100/120 |
| Load Balancer | 74.80.180.139-74.80.180.142 | 2620:11f:7001:7:ffff:dddd::/96 |
| Load Balancer Private (unused) | 10.198.0.0/16 | fd9c:0bd5:22a4::/112 |
| PowerDNS from inside cluster | 10.215.1.211 | |
* Healthcheck
** Check cilium status
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg status --verbose
kubectl -n kube-system exec ds/cilium -- cilium-dbg status | grep KubeProxyReplacement
#+end_src
** Check connectivity
#+begin_src bash
cilium connectivity test
#+end_src
** Show dropped packets
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- cilium-dbg monitor --type drop
#+end_src
** Show dropped packets for a specific pod
#+begin_src bash
kubectl -n kube-system exec ds/cilium -- hubble observe --since 30s --pod cnpg-system/cnpg-controller-manager-84d498b97-q5m4n --type drop
#+end_src
** Install flux
#+begin_src bash
nix shell 'nixpkgs#fluxcd'
flux bootstrap git \
--url=ssh://git@<host>/<org>/<repository> \
--branch=main \
--private-key-file=<path/to/private.key> \
--password=<key-passphrase> \
--path=clusters/my-cluster
#+end_src
#+begin_src bash
nix shell 'nixpkgs#kubernetes-helm'
helm template --dry-run=server flux-operator oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator \
--namespace flux-system \
--create-namespace
#+end_src
#+begin_src text
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
name: flux
namespace: flux-system
annotations:
fluxcd.controlplane.io/reconcileEvery: "1h"
fluxcd.controlplane.io/reconcileTimeout: "5m"
spec:
distribution:
version: "2.x"
registry: "ghcr.io/fluxcd"
artifact: "oci://ghcr.io/controlplaneio-fluxcd/flux-operator-manifests"
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
- image-reflector-controller
- image-automation-controller
cluster:
type: kubernetes
size: medium
multitenant: false
networkPolicy: true
domain: "cluster.local"
kustomize:
patches:
- target:
kind: Deployment
patch: |
- op: replace
path: /spec/template/spec/nodeSelector
value:
kubernetes.io/os: linux
- op: add
path: /spec/template/spec/tolerations
value:
- key: "CriticalAddonsOnly"
operator: "Exists"
sync:
kind: OCIRepository
url: "oci://ghcr.io/my-org/my-fleet-manifests"
ref: "latest"
path: "clusters/my-cluster"
pullSecret: "ghcr-auth"
#+end_src
#+begin_src text
apiVersion: fluxcd.controlplane.io/v1
kind: FluxInstance
metadata:
name: flux
namespace: flux-system
spec:
distribution:
version: "2.7.x"
registry: "ghcr.io/fluxcd"
sync:
kind: GitRepository
url: "ssh://git@10.215.1.210:22/repos/mrmanager"
ref: "refs/heads/nix"
path: "clusters/my-cluster"
pullSecret: "flux-system"
#+end_src
#+begin_src bash
flux create secret git flux-system \
--url=https://gitlab.com/my-org/my-fleet.git \
--username=git \
--password=$GITLAB_TOKEN
#+end_src

148
nix/kubernetes/configuration.nix Normal file
View File

@@ -0,0 +1,148 @@
{
config,
lib,
...
}:
{
imports = [
./roles/boot
./roles/cilium
./roles/containerd
./roles/control_plane
./roles/debugging
./roles/doas
./roles/dont_use_substituters
./roles/etcd
./roles/firewall
./roles/image_based_appliance
./roles/iso
./roles/kube_apiserver
./roles/kube_controller_manager
./roles/kube_proxy
./roles/kube_scheduler
./roles/kubelet
./roles/kubernetes
./roles/minimal_base
./roles/network
./roles/nvme
./roles/optimized_build
./roles/ssh
./roles/sshd
./roles/user
./roles/worker_node
./roles/zsh
./util/install_files
./util/unfree_polyfill
];
config = {
nix.settings.experimental-features = [
"nix-command"
"flakes"
"ca-derivations"
# "blake3-hashes"
# "git-hashing"
];
nix.settings.trusted-users = [ "@wheel" ];
hardware.enableRedistributableFirmware = true;
# Keep outputs so we can build offline.
nix.settings.keep-outputs = true;
nix.settings.keep-derivations = true;
# Automatic garbage collection
nix.gc = lib.mkIf (!config.me.buildingPortable) {
# Runs nix-collect-garbage --delete-older-than 5d
automatic = true;
persistent = true;
dates = "monthly";
# randomizedDelaySec = "14m";
options = "--delete-older-than 30d";
};
nix.settings.auto-optimise-store = !config.me.buildingPortable;
environment.persistence."/persist" = lib.mkIf (config.me.mountPersistence) {
hideMounts = true;
directories = [
"/var/lib/nixos" # Contains user information (uids/gids)
"/var/lib/systemd" # Systemd state directory for random seed, persistent timers, core dumps, persist hardware state like backlight and rfkill
"/var/log/journal" # Logs, alternatively set `services.journald.storage = "volatile";` to write to /run/log/journal
];
files = [
"/etc/machine-id" # Systemd unique machine id "otherwise, the system journal may fail to list earlier boots, etc"
];
};
# Write a list of the currently installed packages to /etc/current-system-packages
# environment.etc."current-system-packages".text =
# let
# packages = builtins.map (p: "${p.name}") config.environment.systemPackages;
# sortedUnique = builtins.sort builtins.lessThan (lib.unique packages);
# formatted = builtins.concatStringsSep "\n" sortedUnique;
# in
# formatted;
# nixpkgs.overlays = [
# (final: prev: {
# foot = throw "foo";
# })
# ];
nixpkgs.overlays =
let
disableTests = (
package_name:
(final: prev: {
"${package_name}" = prev."${package_name}".overrideAttrs (old: {
doCheck = false;
doInstallCheck = false;
});
})
);
in
[
# (final: prev: {
# imagemagick = prev.imagemagick.overrideAttrs (old: rec {
# # 7.1.2-6 seems to no longer exist, so use 7.1.2-7
# version = "7.1.2-7";
# src = final.fetchFromGitHub {
# owner = "ImageMagick";
# repo = "ImageMagick";
# tag = version;
# hash = "sha256-9ARCYftoXiilpJoj+Y+aLCEqLmhHFYSrHfgA5DQHbGo=";
# };
# });
# })
# (final: prev: {
# grub2 = (final.callPackage ./package/grub { });
# })
(final: prev: {
inherit (final.unoptimized)
libtpms
;
})
];
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.11"; # Did you read the comment?
};
}

256
nix/kubernetes/flake.lock generated Normal file
View File

@@ -0,0 +1,256 @@
{
"nodes": {
"crane": {
"locked": {
"lastModified": 1731098351,
"narHash": "sha256-HQkYvKvaLQqNa10KEFGgWHfMAbWBfFp+4cAgkut+NNE=",
"owner": "ipetkov",
"repo": "crane",
"rev": "ef80ead953c1b28316cc3f8613904edc2eb90c28",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769524058,
"narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"owner": "nix-community",
"repo": "disko",
"rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1730504689,
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"pre-commit-hooks-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"impermanence",
"nixpkgs"
]
},
"locked": {
"lastModified": 1768598210,
"narHash": "sha256-kkgA32s/f4jaa4UG+2f8C225Qvclxnqs76mf8zvTVPg=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "c47b2cc64a629f8e075de52e4742de688f930dc6",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"impermanence": {
"inputs": {
"home-manager": "home-manager",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1769548169,
"narHash": "sha256-03+JxvzmfwRu+5JafM0DLbxgHttOQZkUtDWBmeUkN8Y=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "7b1d382faf603b6d264f58627330f9faa5cba149",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "impermanence",
"type": "github"
}
},
"lanzaboote": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"nixpkgs": [
"nixpkgs"
],
"pre-commit-hooks-nix": "pre-commit-hooks-nix",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1737639419,
"narHash": "sha256-AEEDktApTEZ5PZXNDkry2YV2k6t0dTgLPEmAZbnigXU=",
"owner": "nix-community",
"repo": "lanzaboote",
"rev": "a65905a09e2c43ff63be8c0e86a93712361f871e",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.4.2",
"repo": "lanzaboote",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1770197578,
"narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1730741070,
"narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"pre-commit-hooks-nix": {
"inputs": {
"flake-compat": [
"lanzaboote",
"flake-compat"
],
"gitignore": "gitignore",
"nixpkgs": [
"lanzaboote",
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1731363552,
"narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"impermanence": "impermanence",
"lanzaboote": "lanzaboote",
"nixpkgs": "nixpkgs"
}
},
"rust-overlay": {
"inputs": {
"nixpkgs": [
"lanzaboote",
"nixpkgs"
]
},
"locked": {
"lastModified": 1731897198,
"narHash": "sha256-Ou7vLETSKwmE/HRQz4cImXXJBr/k9gp4J4z/PF8LzTE=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "0be641045af6d8666c11c2c40e45ffc9667839b5",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

183
nix/kubernetes/flake.nix Normal file
View File

@@ -0,0 +1,183 @@
# Get a repl for this flake
# nix repl --expr "builtins.getFlake \"$PWD\""
# TODO maybe use `nix eval --raw .#odo.iso.outPath`
#
# Install on a new machine:
#
# Set
# me.disko.enable = true;
# me.disko.offline.enable = true;
#
# Run
# doas disko --mode destroy,format,mount hosts/recovery/disk-config.nix
# doas nixos-install --substituters "http://10.0.2.2:8080?trusted=1 https://cache.nixos.org/" --flake ".#recovery"
{
description = "My system configuration";
inputs = {
impermanence = {
url = "github:nix-community/impermanence";
inputs.nixpkgs.follows = "nixpkgs";
};
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
lanzaboote = {
url = "github:nix-community/lanzaboote/v0.4.2";
inputs.nixpkgs.follows = "nixpkgs";
};
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs =
{
self,
nixpkgs,
disko,
impermanence,
lanzaboote,
...
}:
let
forAllSystems =
func:
builtins.listToAttrs (
map (system: {
name = system;
value = func system;
}) nixpkgs.lib.systems.flakeExposed
);
nodes = {
controller0 = {
system = "x86_64-linux";
};
controller1 = {
system = "x86_64-linux";
};
controller2 = {
system = "x86_64-linux";
};
worker0 = {
system = "x86_64-linux";
};
worker1 = {
system = "x86_64-linux";
};
worker2 = {
system = "x86_64-linux";
};
};
nixosConfigs = builtins.mapAttrs (
hostname: nodeConfig: format:
nixpkgs.lib.nixosSystem {
specialArgs = {
inherit self;
this_nixos_config = self.nixosConfigurations."${hostname}";
all_nixos_configs = self.nixosConfigurations;
};
modules = [
impermanence.nixosModules.impermanence
lanzaboote.nixosModules.lanzaboote
disko.nixosModules.disko
./configuration.nix
(./. + "/hosts/${hostname}")
(./. + "/formats/${format}.nix")
{
config = {
nixpkgs.hostPlatform.system = nodeConfig.system;
nixpkgs.overlays = [
(final: prev: {
# stable = nixpkgs-stable.legacyPackages."${prev.stdenv.hostPlatform.system}";
unoptimized = import nixpkgs {
system = prev.stdenv.hostPlatform.system;
hostPlatform.gcc.arch = "default";
hostPlatform.gcc.tune = "default";
};
})
];
};
}
(
{
config,
lib,
pkgs,
...
}:
let
nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
source /etc/set-environment
nix repl --expr 'builtins.getFlake "${self}"'
'';
# If we wanted the current version of a flake then we'd just launch
# nix repl
# and then run:
# :lf /path/to/flake
in
{
config = {
environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
};
}
)
];
}
) nodes;
installerConfig =
hostname: nodeConfig:
nixpkgs.lib.nixosSystem {
specialArgs = {
targetSystem = self.nixosConfigurations."${hostname}";
};
modules = [
./formats/installer.nix
(
{
config,
lib,
pkgs,
...
}:
let
nix-self-repl = pkgs.writeShellScriptBin "nix-self-repl" ''
source /etc/set-environment
nix repl --expr 'builtins.getFlake "${self}"'
'';
# If we wanted the current version of a flake then we'd just launch
# nix repl
# and then run:
# :lf /path/to/flake
in
{
config = {
environment.systemPackages = lib.mkIf config.nix.enable [ nix-self-repl ];
};
}
)
({ nixpkgs.hostPlatform.system = nodeConfig.system; })
];
};
in
{
nixosConfigurations = (builtins.mapAttrs (name: value: value "toplevel") nixosConfigs);
}
// {
packages = (
forAllSystems (
system:
(builtins.mapAttrs (hostname: nodeConfig: {
iso = (nixosConfigs."${hostname}" "iso").config.system.build.isoImage;
vm_iso = (nixosConfigs."${hostname}" "vm_iso").config.system.build.isoImage;
sd = (nixosConfigs."${hostname}" "sd").config.system.build.sdImage;
installer = (installerConfig hostname nodes."${hostname}").config.system.build.isoImage;
}) (nixpkgs.lib.attrsets.filterAttrs (hostname: nodeConfig: nodeConfig.system == system) nodes))
)
);
};
}

74
nix/kubernetes/formats/installer.nix Normal file
View File

@@ -0,0 +1,74 @@
{
config,
pkgs,
lib,
modulesPath,
targetSystem,
...
}:
let
installer = pkgs.writeShellApplication {
name = "installer";
runtimeInputs = with pkgs; [
# clevis
dosfstools
e2fsprogs
gawk
nixos-install-tools
util-linux
config.nix.package
];
text = ''
set -euo pipefail
${targetSystem.config.system.build.diskoScript}
nixos-install --no-channel-copy --no-root-password --option substituters "" --system ${targetSystem.config.system.build.toplevel}
'';
};
installerFailsafe = pkgs.writeShellScript "failsafe" ''
${lib.getExe installer} || echo "ERROR: Installation failure!"
sleep 3600
'';
in
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
(modulesPath + "/profiles/all-hardware.nix")
];
# boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux_6_17;
# boot.zfs.package = pkgs.zfs_unstable;
boot.kernelPackages = pkgs.linuxPackagesFor pkgs.linux;
boot.kernelParams = [
"quiet"
"systemd.unit=getty.target"
];
boot.supportedFilesystems.zfs = true;
boot.initrd.systemd.enable = true;
networking.hostId = "04581ecf";
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
environment.systemPackages = [
installer
];
systemd.services."getty@tty1" = {
overrideStrategy = "asDropin";
serviceConfig = {
ExecStart = [
""
installerFailsafe
];
Restart = "no";
StandardInput = "null";
};
};
# system.stateVersion = lib.mkDefault lib.trivial.release;
system.stateVersion = "24.11";
}

36
nix/kubernetes/formats/iso.nix Normal file
View File

@@ -0,0 +1,36 @@
{
config,
lib,
modulesPath,
pkgs,
...
}:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.buildingPortable = true;
me.disko.enable = true;
me.disko.offline.enable = true;
me.mountPersistence = lib.mkForce false;
# me.optimizations.enable = lib.mkForce false;
# Not doing image_based_appliance because this might be an install ISO, in which case we'd need nix to do the install.
# me.image_based_appliance.enable = true;
# TODO: Should I use this instead of doing a mkIf for the disk config?
# disko.enableConfig = false;
# Faster image generation for testing/development.
isoImage.squashfsCompression = "zstd -Xcompression-level 15";
};
}

32
nix/kubernetes/formats/sd.nix Normal file
View File

@@ -0,0 +1,32 @@
{
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/sd-card/sd-image.nix")
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
boot.loader.grub.enable = false;
boot.loader.generic-extlinux-compatible.enable = true;
# TODO: image based appliance?
# TODO: Maybe this?
# fileSystems = {
# "/" = {
# device = "/dev/disk/by-label/NIXOS_SD";
# fsType = "ext4";
# options = [
# "noatime"
# "norelatime"
# ];
# };
# };
};
}

1
nix/kubernetes/formats/toplevel.nix Normal file
View File

@@ -0,0 +1 @@
{ }

22
nix/kubernetes/formats/vm_iso.nix Normal file
View File

@@ -0,0 +1,22 @@
{
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/cd-dvd/iso-image.nix")
(modulesPath + "/profiles/qemu-guest.nix") # VirtIO kernel modules
];
config = {
isoImage.makeEfiBootable = true;
isoImage.makeUsbBootable = true;
networking.dhcpcd.enable = true;
networking.useDHCP = true;
me.image_based_appliance.enable = true;
};
}

24
nix/kubernetes/functions/to_yaml.nix Normal file
View File

@@ -0,0 +1,24 @@
{
pkgs,
...
}:
let
to_yaml_file =
file_name: contents:
let
settingsFormat = pkgs.formats.yaml { };
yaml_file = settingsFormat.generate file_name contents;
in
yaml_file;
to_yaml =
file_name: contents:
let
settingsFormat = pkgs.formats.yaml { };
yaml_file = settingsFormat.generate file_name contents;
yaml_content = builtins.readFile yaml_file;
in
yaml_content;
in
{
inherit to_yaml to_yaml_file;
}

13
nix/kubernetes/hosts/controller0/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller0
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#controller0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/kubernetes/hosts/controller0/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller0
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#controller0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller0.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller0/VM_ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller0.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

130
nix/kubernetes/hosts/controller0/default.nix Normal file
View File

@@ -0,0 +1,130 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
hostId = "769e1349";
hostName = "controller0"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.221";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
environment.systemPackages = with pkgs; [
htop
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.etcd.cluster_name = "put-a-nix-on-it";
me.etcd.internal_ip = [
# "10.215.1.221"
"[2620:11f:7001:7:ffff:ffff:0ad7:01dd]"
];
me.etcd.initial_cluster = [
# "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
# "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
# "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
"controller0=https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2380" # 10.215.1.221
"controller1=https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2380" # 10.215.1.222
"controller2=https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2380" # 10.215.1.223
];
me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
# me.kube_apiserver.external_ip = "74.80.180.138";
me.kube_apiserver.external_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01dd";
me.kube_apiserver.etcd_services = [
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2379" # 10.215.1.223
];
me.control_plane.enable = true;
me.dont_use_substituters.enable = true;
me.etcd.enable = true;
me.minimal_base.enable = true;
};
}

31
nix/kubernetes/hosts/controller0/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

94
nix/kubernetes/hosts/controller0/vm_disk.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
# Mount the local disk
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
options = [
"noatime"
"discard"
];
neededForBoot = true;
};
"/.persist" = lib.mkForce {
device = "bind9p";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/persist" = {
fsType = "none";
device = "/.persist/persist";
options = [
"bind"
"rw"
];
depends = [
"/.persist/persist"
];
neededForBoot = true;
};
"/state" = {
fsType = "none";
device = "/.persist/state";
options = [
"bind"
"rw"
];
depends = [
"/.persist/state"
];
neededForBoot = true;
};
"/k8spv" = lib.mkForce {
device = "k8spv";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/disk" = {
fsType = "none";
device = "/.disk/persist";
options = [
"bind"
"rw"
];
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
};
};
}

13
nix/kubernetes/hosts/controller1/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller1
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#controller1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/kubernetes/hosts/controller1/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller1
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#controller1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller1/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller1.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller1/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller1" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller1/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller1" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller1/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller1" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller1/VM_ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller1.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

130
nix/kubernetes/hosts/controller1/default.nix Normal file
View File

@@ -0,0 +1,130 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
hostId = "59a83979";
hostName = "controller1"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.222";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01de";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
environment.systemPackages = with pkgs; [
htop
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.etcd.cluster_name = "put-a-nix-on-it";
me.etcd.internal_ip = [
# "10.215.1.221"
"[2620:11f:7001:7:ffff:ffff:0ad7:01de]"
];
me.etcd.initial_cluster = [
# "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
# "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
# "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
"controller0=https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2380" # 10.215.1.221
"controller1=https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2380" # 10.215.1.222
"controller2=https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2380" # 10.215.1.223
];
me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01de";
# me.kube_apiserver.external_ip = "74.80.180.138";
me.kube_apiserver.external_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01de";
me.kube_apiserver.etcd_services = [
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2379" # 10.215.1.223
];
me.control_plane.enable = true;
me.dont_use_substituters.enable = true;
me.etcd.enable = true;
me.minimal_base.enable = true;
};
}

31
nix/kubernetes/hosts/controller1/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

94
nix/kubernetes/hosts/controller1/vm_disk.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
# Mount the local disk
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
options = [
"noatime"
"discard"
];
neededForBoot = true;
};
"/.persist" = lib.mkForce {
device = "bind9p";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/persist" = {
fsType = "none";
device = "/.persist/persist";
options = [
"bind"
"rw"
];
depends = [
"/.persist/persist"
];
neededForBoot = true;
};
"/state" = {
fsType = "none";
device = "/.persist/state";
options = [
"bind"
"rw"
];
depends = [
"/.persist/state"
];
neededForBoot = true;
};
"/k8spv" = lib.mkForce {
device = "k8spv";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/disk" = {
fsType = "none";
device = "/.disk/persist";
options = [
"bind"
"rw"
];
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
};
};
}

13
nix/kubernetes/hosts/controller2/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller2
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#controller2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/kubernetes/hosts/controller2/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=controller2
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#controller2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller2/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller2.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller2/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller2" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller2/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller2" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller2/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#controller2" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/controller2/VM_ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#controller2.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

130
nix/kubernetes/hosts/controller2/default.nix Normal file
View File

@@ -0,0 +1,130 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
hostId = "26a43660";
hostName = "controller2"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.223";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01df";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
environment.systemPackages = with pkgs; [
htop
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.etcd.cluster_name = "put-a-nix-on-it";
me.etcd.internal_ip = [
# "10.215.1.221"
"[2620:11f:7001:7:ffff:ffff:0ad7:01df]"
];
me.etcd.initial_cluster = [
# "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
# "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
# "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
"controller0=https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2380" # 10.215.1.221
"controller1=https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2380" # 10.215.1.222
"controller2=https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2380" # 10.215.1.223
];
me.kube_apiserver.internal_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01df";
# me.kube_apiserver.external_ip = "74.80.180.138";
me.kube_apiserver.external_ip = "2620:11f:7001:7:ffff:ffff:0ad7:01df";
me.kube_apiserver.etcd_services = [
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01dd]:2379" # 10.215.1.221
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01de]:2379" # 10.215.1.222
"https://[2620:11f:7001:7:ffff:ffff:0ad7:01df]:2379" # 10.215.1.223
];
me.control_plane.enable = true;
me.dont_use_substituters.enable = true;
me.etcd.enable = true;
me.minimal_base.enable = true;
};
}

31
nix/kubernetes/hosts/controller2/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

94
nix/kubernetes/hosts/controller2/vm_disk.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
# Mount the local disk
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
options = [
"noatime"
"discard"
];
neededForBoot = true;
};
"/.persist" = lib.mkForce {
device = "bind9p";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/persist" = {
fsType = "none";
device = "/.persist/persist";
options = [
"bind"
"rw"
];
depends = [
"/.persist/persist"
];
neededForBoot = true;
};
"/state" = {
fsType = "none";
device = "/.persist/state";
options = [
"bind"
"rw"
];
depends = [
"/.persist/state"
];
neededForBoot = true;
};
"/k8spv" = lib.mkForce {
device = "k8spv";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/disk" = {
fsType = "none";
device = "/.disk/persist";
options = [
"bind"
"rw"
];
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
};
};
}

13
nix/kubernetes/hosts/worker0/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=worker0
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#worker0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/kubernetes/hosts/worker0/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=worker0
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#worker0" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker0/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker0.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker0/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker0/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker0/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker0" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker0/VM_ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker0.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

106
nix/kubernetes/hosts/worker0/default.nix Normal file
View File

@@ -0,0 +1,106 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
hostId = "0aadbb10";
hostName = "worker0"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.224";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01e0";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
environment.systemPackages = with pkgs; [
htop
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.dont_use_substituters.enable = true;
me.minimal_base.enable = true;
me.worker_node.enable = true;
};
}

31
nix/kubernetes/hosts/worker0/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

94
nix/kubernetes/hosts/worker0/vm_disk.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
# Mount the local disk
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
options = [
"noatime"
"discard"
];
neededForBoot = true;
};
"/.persist" = lib.mkForce {
device = "bind9p";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/persist" = {
fsType = "none";
device = "/.persist/persist";
options = [
"bind"
"rw"
];
depends = [
"/.persist/persist"
];
neededForBoot = true;
};
"/state" = {
fsType = "none";
device = "/.persist/state";
options = [
"bind"
"rw"
];
depends = [
"/.persist/state"
];
neededForBoot = true;
};
"/k8spv" = lib.mkForce {
device = "k8spv";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/disk" = {
fsType = "none";
device = "/.disk/persist";
options = [
"bind"
"rw"
];
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
};
};
}

13
nix/kubernetes/hosts/worker1/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=worker1
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#worker1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/kubernetes/hosts/worker1/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=worker1
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#worker1" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker1/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker1.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker1/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker1" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker1/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker1" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker1/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker1" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker1/VM_ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker1.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

106
nix/kubernetes/hosts/worker1/default.nix Normal file
View File

@@ -0,0 +1,106 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
hostId = "4324346d";
hostName = "worker1"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.225";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01e1";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
environment.systemPackages = with pkgs; [
htop
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.worker_node.enable = true;
me.dont_use_substituters.enable = true;
me.minimal_base.enable = true;
};
}

31
nix/kubernetes/hosts/worker1/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

94
nix/kubernetes/hosts/worker1/vm_disk.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
# Mount the local disk
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
options = [
"noatime"
"discard"
];
neededForBoot = true;
};
"/.persist" = lib.mkForce {
device = "bind9p";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/persist" = {
fsType = "none";
device = "/.persist/persist";
options = [
"bind"
"rw"
];
depends = [
"/.persist/persist"
];
neededForBoot = true;
};
"/state" = {
fsType = "none";
device = "/.persist/state";
options = [
"bind"
"rw"
];
depends = [
"/.persist/state"
];
neededForBoot = true;
};
"/k8spv" = lib.mkForce {
device = "k8spv";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/disk" = {
fsType = "none";
device = "/.disk/persist";
options = [
"bind"
"rw"
];
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
};
};
}

13
nix/kubernetes/hosts/worker2/DEPLOY_BOOT Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=worker2
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --flake "$DIR/../../#worker2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

13
nix/kubernetes/hosts/worker2/DEPLOY_SWITCH Executable file
View File

@@ -0,0 +1,13 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
TARGET=worker2
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --flake "$DIR/../../#worker2" --target-host "$TARGET" --build-host "$TARGET" --sudo --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker2/ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker2.iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker2/SELF_BOOT Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild boot --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker2" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker2/SELF_BUILD Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild build --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker2" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker2/SELF_SWITCH Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nixos-rebuild switch --show-trace --sudo --max-jobs "$JOBS" --flake "$DIR/../../#worker2" --log-format internal-json -v "${@}" |& nom --json

10
nix/kubernetes/hosts/worker2/VM_ISO Executable file
View File

@@ -0,0 +1,10 @@
#!/usr/bin/env bash
#
set -euo pipefail
IFS=$'\n\t'
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
: "${JOBS:="1"}"
for f in /persist/manual/manual_add_to_store/*; do nix-store --add-fixed sha256 "$f"; done
nix build --extra-experimental-features nix-command --extra-experimental-features flakes "$DIR/../..#worker2.vm_iso" --max-jobs "$JOBS" --log-format internal-json -v "${@}" |& nom --json

106
nix/kubernetes/hosts/worker2/default.nix Normal file
View File

@@ -0,0 +1,106 @@
# MANUAL: On client machines generate signing keys:
# nix-store --generate-binary-cache-key some-name /persist/manual/nix/nix-cache-key.sec /persist/manual/nix/nix-cache-key.pub
#
# Trust other machines and add the substituters:
# nix.binaryCachePublicKeys = [ "some-name:AzNW1MOlkNEsUAXS1jIFZ1QCFKXjV+Y/LrF37quAZ1A=" ];
# nix.binaryCaches = [ "https://test.example/nix-cache" ];
{
config,
lib,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
./vm_disk.nix
];
config = {
networking =
let
interface = "enp0s2";
in
{
# Generate with `head -c4 /dev/urandom | od -A none -t x4`
hostId = "ce017961";
hostName = "worker2"; # Define your hostname.
interfaces = {
"${interface}" = {
ipv4.addresses = [
{
address = "10.215.1.226";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "2620:11f:7001:7:ffff:ffff:0ad7:01e2";
prefixLength = 64;
}
];
};
};
defaultGateway = "10.215.1.1";
defaultGateway6 = {
# address = "2620:11f:7001:7::1";
address = "2620:11f:7001:7:ffff:ffff:0ad7:0101";
inherit interface;
};
dhcpcd.enable = lib.mkForce false;
useDHCP = lib.mkForce false;
};
time.timeZone = "America/New_York";
i18n.defaultLocale = "en_US.UTF-8";
me.boot.enable = true;
me.boot.secure = false;
me.mountPersistence = true;
boot.loader.timeout = lib.mkForce 0; # We can always generate a new ISO if we need to access other boot options.
me.optimizations = {
enable = true;
arch = "znver4";
# build_arch = "x86-64-v3";
system_features = [
"gccarch-znver4"
"gccarch-skylake"
"gccarch-kabylake"
# "gccarch-alderlake" missing WAITPKG
"gccarch-x86-64-v3"
"gccarch-x86-64-v4"
"benchmark"
"big-parallel"
"kvm"
"nixos-test"
];
};
# Mount tmpfs at /tmp
boot.tmp.useTmpfs = true;
# Enable TRIM
# services.fstrim.enable = lib.mkDefault true;
# nix.optimise.automatic = true;
# nix.optimise.dates = [ "03:45" ];
# nix.optimise.persistent = true;
environment.systemPackages = with pkgs; [
htop
];
# nix.sshServe.enable = true;
# nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
me.worker_node.enable = true;
me.dont_use_substituters.enable = true;
me.minimal_base.enable = true;
};
}

31
nix/kubernetes/hosts/worker2/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,31 @@
{
config,
lib,
modulesPath,
...
}:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
config = {
boot.initrd.availableKernelModules = [
"nvme"
"xhci_pci"
"thunderbolt"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
# networking.useDHCP = lib.mkDefault true;
# networking.interfaces.eno1.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp58s0.useDHCP = lib.mkDefault true;
};
}

94
nix/kubernetes/hosts/worker2/vm_disk.nix Normal file
View File

@@ -0,0 +1,94 @@
{
config,
lib,
pkgs,
...
}:
{
imports = [ ];
config = {
# Mount the local disk
fileSystems = lib.mkIf config.me.mountPersistence {
"/.disk" = lib.mkForce {
device = "/dev/nvme0n1p1";
fsType = "ext4";
options = [
"noatime"
"discard"
];
neededForBoot = true;
};
"/.persist" = lib.mkForce {
device = "bind9p";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/persist" = {
fsType = "none";
device = "/.persist/persist";
options = [
"bind"
"rw"
];
depends = [
"/.persist/persist"
];
neededForBoot = true;
};
"/state" = {
fsType = "none";
device = "/.persist/state";
options = [
"bind"
"rw"
];
depends = [
"/.persist/state"
];
neededForBoot = true;
};
"/k8spv" = lib.mkForce {
device = "k8spv";
fsType = "9p";
options = [
"noatime"
"trans=virtio"
"version=9p2000.L"
"cache=mmap"
"msize=512000"
# "noauto"
# "x-systemd.automount"
];
neededForBoot = true;
};
"/disk" = {
fsType = "none";
device = "/.disk/persist";
options = [
"bind"
"rw"
];
depends = [
"/.disk/persist"
];
neededForBoot = true;
};
};
};
}

29
nix/kubernetes/keys/Makefile Normal file
View File

@@ -0,0 +1,29 @@
SHELL := bash
.ONESHELL:
.SHELLFLAGS := -eu -o pipefail -c
.DELETE_ON_ERROR:
MAKEFLAGS += --warn-undefined-variables
MAKEFLAGS += --no-builtin-rules
OUT=generated
ifeq ($(origin .RECIPEPREFIX), undefined)
$(error This Make does not support .RECIPEPREFIX. Please use GNU Make 4.0 or later)
endif
.RECIPEPREFIX = >
KUBERNETES_PUBLIC_ADDRESS := 74.80.180.138
WORKERS := worker0 worker1 worker2 controller0 controller1 controller2
.PHONY: all
all: \
$(OUT)/known_hosts
.PHONY: clean
clean:
> rm -rf $(OUT)
$(OUT)/:
> @mkdir -p $(@D)
$(OUT)/known_hosts: | $(OUT)/
> ssh-keyscan -p 65099 74.80.180.138 | sed 's/\[74.80.180.138\]:65099/\[10.215.1.210\]:22/g' > $@

62
nix/kubernetes/keys/contrib/base64/package.nix Normal file
View File

@@ -0,0 +1,62 @@
# From: https://gist.github.com/manveru/74eb41d850bc146b7e78c4cb059507e2
# From: https://discourse.nixos.org/t/string-to-base-64/32624/3
{ lib, ... }:
{
toBase64 =
text:
let
inherit (lib)
sublist
mod
stringToCharacters
concatMapStrings
;
inherit (lib.strings) charToInt;
inherit (builtins)
substring
foldl'
genList
elemAt
length
concatStringsSep
stringLength
;
lookup = stringToCharacters "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
sliceN =
size: list: n:
sublist (n * size) size list;
pows = [
(64 * 64 * 64)
(64 * 64)
64
1
];
intSextets = i: map (j: mod (i / j) 64) pows;
compose =
f: g: x:
f (g x);
intToChar = elemAt lookup;
convertTripletInt = sliceInt: concatMapStrings intToChar (intSextets sliceInt);
sliceToInt = foldl' (acc: val: acc * 256 + val) 0;
convertTriplet = compose convertTripletInt sliceToInt;
join = concatStringsSep "";
convertLastSlice =
slice:
let
len = length slice;
in
if len == 1 then
(substring 0 2 (convertTripletInt ((sliceToInt slice) * 256 * 256))) + "=="
else if len == 2 then
(substring 0 3 (convertTripletInt ((sliceToInt slice) * 256))) + "="
else
"";
len = stringLength text;
nFullSlices = len / 3;
bytes = map charToInt (stringToCharacters text);
tripletAt = sliceN 3 bytes;
head = genList (compose convertTriplet tripletAt) nFullSlices;
tail = convertLastSlice (tripletAt nFullSlices);
in
join (head ++ [ tail ]);
}

27
nix/kubernetes/keys/flake.lock generated Normal file
View File

@@ -0,0 +1,27 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1772773019,
"narHash": "sha256-E1bxHxNKfDoQUuvriG71+f+s/NT0qWkImXsYZNFFfCs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "aca4d95fce4914b3892661bcb80b8087293536c6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

56
nix/kubernetes/keys/flake.nix Normal file
View File

@@ -0,0 +1,56 @@
{
description = "Build keys to manually deploy to kubernetes cluster.";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
};
outputs =
{ self, nixpkgs }:
let
forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed;
in
{
packages = forAllSystems (
system:
let
pkgs = import nixpkgs {
inherit system;
overlays = [ self.overlays.default ];
};
in
{
deploy_script = pkgs.k8s.deploy_script;
default = pkgs.k8s.all_keys;
bootstrap_script = pkgs.k8s.bootstrap_script;
mrmanager_repo_secrets = pkgs.k8s.mrmanager_repo_secrets;
}
);
overlays.default = (
final: prev: {
k8s = (final.callPackage ./scope.nix { inherit (final.lib) makeScope; });
}
);
}
// {
devShells = forAllSystems (
system:
let
pkgs = nixpkgs.legacyPackages.${system};
in
{
default = pkgs.mkShell {
nativeBuildInputs = with pkgs; [
pkg-config
];
buildInputs = with pkgs; [
kubernetes-helm # To generate cilium manifests
fluxcd # To generate flux manifests
cilium-cli # To check cilium status
];
};
}
);
};
}

8
nix/kubernetes/keys/generated/known_hosts Normal file
View File

@@ -0,0 +1,8 @@
# 74.80.180.138:65099 SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
[10.215.1.210]:22 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC0hWY7Ighnlp3UfPfApyW9nEGG11f+on/kOkp6YdxTTVX0jvi00xvrZ8c23l48YDptmEKOMj7avUR+jdpRNaSwbw3Lm7swg+EpFZ73tnHK+r6HnOnNu8ECDvYOW10eI6vdRctFisRfyIKigmtmquxXYLhQDSA2INVW+Vuebdwa74VqKLLirUu7e3ymp8dH8ktcCAjWSd/+Ax7E+4AMa5WHFeTPBheA2GhfLhINDLpgdZ8WNZ4i3ow8MrQADiOVYUDPrXvI55MVWSQTQQcOco184Z67rtcCtqY/fcCp+38yzUT0Bm2syXM+HNOlFqM+fJBf0T9kiiy5XvWuN9bY+368JGOUUM6RsCUgERHSaU65nX3i8oIcNRt3w6sVsmRR8sX8x5qFjyEYuElIwKywcdtKpoklV6gu+lo+mIE8i95jJmXMj6lk3G83wMZICL9+dm+b8ckpRZEi6970EqahiPO3cV/Fa88gysf9HwiC8AxSc3m2BcOvaV3jadaT39Tymp8=
# 74.80.180.138:65099 SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
# 74.80.180.138:65099 SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
[10.215.1.210]:22 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2euFJKLEDfTV9NTecrOoqL9FpiYvTbNp/Ty3FebJA5DKmVd1xBRz3sNs1R1ayn213vmRVLWSu2ikulbl65LLQ=
# 74.80.180.138:65099 SSH-2.0-OpenSSH_9.3 FreeBSD-20230316
[10.215.1.210]:22 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1qjGgD2UdD5Lc+zGFxHX/+h6FBNmGW+O30LG0tiHvC
# 74.80.180.138:65099 SSH-2.0-OpenSSH_9.3 FreeBSD-20230316

2072
nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

50
nix/kubernetes/keys/package/bootstrap-script/files/manifests/flux_apply_git.yaml Normal file
View File

@@ -0,0 +1,50 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: kubernetes
namespace: flux-system
spec:
interval: 5m0s
ref:
branch: nix
secretRef:
name: kubernetes-deploy-key
# url: ssh://git@74.80.180.138:65099/repos/mrmanager
url: ssh://git@10.215.1.210:22/repos/mrmanager
ignore: |
bootstrap
.sops.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apply1
namespace: flux-system
spec:
interval: 1m0s
path: "./k8s/1"
prune: true
sourceRef:
kind: GitRepository
name: kubernetes
decryption:
provider: sops
secretRef:
name: sops-gpg
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: apply2
namespace: flux-system
spec:
interval: 1m0s
path: "./k8s/2"
prune: true
sourceRef:
kind: GitRepository
name: kubernetes
decryption:
provider: sops
secretRef:
name: sops-gpg

Some files were not shown because too many files have changed in this diff Show More