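# NixOS module: a single kube-apiserver systemd unit driven by the `me.kube_apiserver.*` options.
{ config, lib, pkgs, ... }:
let
  cfg = config.me.kube_apiserver;

  # Render an argv list as one ExecStart string. Each element is single-quoted by
  # escapeShellArg, so values reach kube-apiserver byte-for-byte -- never add a
  # second layer of quotes inside the list (they would become part of the value).
  shellCommand = cmd: lib.concatMapStringsSep " " lib.strings.escapeShellArg cmd;
in
{
  imports = [ ];

  options.me = {
    kube_apiserver.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install kube_apiserver.";
    };

    kube_apiserver.internal_ip = lib.mkOption {
      # default = { };
      example = "192.168.1.10";
      type = lib.types.str;
      description = "IP address this server should advertise.";
    };

    kube_apiserver.etcd_services = lib.mkOption {
      default = [ ];
      example = [ "https://192.168.1.10:2379" ];
      type = lib.types.listOf lib.types.str;
      description = "Endpoints for etcd servers.";
    };

    # Replaces the `{{ node_name }}` template placeholder that was left in the
    # proxy certificate paths; without it the unit pointed at files that cannot exist.
    kube_apiserver.node_name = lib.mkOption {
      type = lib.types.str;
      default = config.networking.hostName;
      defaultText = lib.literalExpression "config.networking.hostName";
      example = "node1";
      description = ''
        Name under which this node's aggregator proxy client certificate and key
        (<name>-proxy.pem / <name>-proxy-key.pem in /var/lib/kubernetes) were issued.
      '';
    };

    # Replaces the `{{ kubernetes_public_address }}` template placeholder used in
    # the service-account issuer URL. No sensible default: it must be the address
    # clients will validate tokens against.
    kube_apiserver.public_address = lib.mkOption {
      type = lib.types.str;
      example = "kube.example.internal";
      description = "Public host name or IP used in the service-account token issuer URL (port 6443).";
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # kube-apiserver rejects an empty --etcd-servers at startup; fail at eval time instead.
        assertion = cfg.etcd_services != [ ];
        message = "me.kube_apiserver.etcd_services must list at least one etcd endpoint.";
      }
    ];

    systemd.services.kube-apiserver = {
      enable = true;
      description = "Kubernetes API Server";
      documentation = [ "https://github.com/kubernetes/kubernetes" ];
      wantedBy = [ "kubernetes.target" ];
      # path = with pkgs; [
      #   zfs
      # ];
      unitConfig.DefaultDependencies = "no";

      serviceConfig = {
        Type = "notify";
        ExecStart = shellCommand [
          "${pkgs.kubernetes}/bin/kube-apiserver"
          "--advertise-address=${cfg.internal_ip}"
          # Permits privileged pods cluster-wide.
          "--allow-privileged=true"
          "--apiserver-count=3"
          # NOTE(review): kube-apiserver records no audit events to this log unless
          # --audit-policy-file is also given -- confirm and supply a policy file.
          "--audit-log-maxage=30"
          "--audit-log-maxbackup=3"
          "--audit-log-maxsize=100"
          "--audit-log-path=/var/log/audit.log"
          "--authorization-mode=Node,RBAC"
          # Listens on every interface; client-cert authentication and RBAC below are
          # the only front-door controls.
          "--bind-address=0.0.0.0"
          "--client-ca-file=/.persist/keys/kube/ca.pem"
          "--requestheader-client-ca-file=/var/lib/kubernetes/requestheader-client-ca.pem"
          # An empty list accepts ANY client certificate signed by the request-header CA
          # as an authenticating proxy (i.e. it may assert X-Remote-* identities).
          ''--requestheader-allowed-names=""''
          "--requestheader-extra-headers-prefix=X-Remote-Extra-"
          "--requestheader-group-headers=X-Remote-Group"
          "--requestheader-username-headers=X-Remote-User"
          "--proxy-client-cert-file=/var/lib/kubernetes/${cfg.node_name}-proxy.pem"
          "--proxy-client-key-file=/var/lib/kubernetes/${cfg.node_name}-proxy-key.pem"
          "--enable-admission-plugins=NamespaceLifecycle,NodeRestriction,LimitRanger,ServiceAccount,DefaultStorageClass,ResourceQuota"
          "--etcd-cafile=/.persist/keys/kube/ca.pem"
          "--etcd-certfile=/.persist/keys/kube/kubernetes.pem"
          "--etcd-keyfile=/.persist/keys/kube/kubernetes-key.pem"
          "--etcd-servers=${builtins.concatStringsSep "," cfg.etcd_services}"
          "--event-ttl=1h"
          "--encryption-provider-config=/.persist/keys/kube/encryption-config.yaml"
          "--kubelet-certificate-authority=/.persist/keys/kube/ca.pem"
          "--kubelet-client-certificate=/.persist/keys/kube/kubernetes.pem"
          "--kubelet-client-key=/.persist/keys/kube/kubernetes-key.pem"
          # No inner quotes: escapeShellArg already quotes the whole argument, so the
          # previous '...' would have been passed literally to kube-apiserver.
          "--runtime-config=api/all=true"
          "--service-account-key-file=/.persist/keys/kube/service-account.pem"
          "--service-account-signing-key-file=/.persist/keys/kube/service-account-key.pem"
          "--service-account-issuer=https://${cfg.public_address}:6443"
          "--service-node-port-range=30000-32767"
          "--tls-cert-file=/.persist/keys/kube/kubernetes.pem"
          "--tls-private-key-file=/.persist/keys/kube/kubernetes-key.pem"
          "--tls-min-version=VersionTLS13"
          "--kubelet-preferred-address-types=InternalIP,ExternalDNS,ExternalIP,Hostname,InternalDNS"
          "--service-cluster-ip-range=10.197.0.0/16"
          "--enable-aggregator-routing=true"
          "--v=2"
        ];
        Restart = "on-failure";
        RestartSec = 5;
      };
    };
  };
}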