
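# NixOS module: opt-in etcd node for a small TLS-authenticated cluster.
#
# Exposes `me.etcd.*` options and, when `me.etcd.enable` is set, wires
# them into `services.etcd`, pins the etcd uid/gid, persists the data
# directory and installs a few disk/network debugging tools.
{
  config,
  lib,
  pkgs,
  self,
  ...
}:
let
  cfg = config.me.etcd;

  # Internal addresses this node listens on and advertises to peers and
  # clients; derived once here instead of being repeated per URL list.
  internalIps = builtins.attrNames cfg.internal_ip;
  peerUrls = builtins.map (iip: "https://${iip}:2380") internalIps;
  clientUrls = builtins.map (iip: "https://${iip}:2379") internalIps;

  # Same key pair serves the client and the peer endpoints; the file name
  # suggests it is shared with the API server — TODO confirm its SANs
  # cover every address in `internalIps`.
  certFile = "/.persist/keys/etcd/kube-api-server.crt";
  keyFile = "/.persist/keys/etcd/kube-api-server.key";
  caFile = "/.persist/keys/etcd/ca.crt";
in
{
  imports = [ ];

  options.me = {
    etcd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install etcd.";
    };

    # Deliberately has no default: the previous default (`false`) was not
    # a valid `str` and failed type-checking as soon as the value was
    # used, so the option was effectively required already. It must be
    # set whenever `me.etcd.enable` is true.
    etcd.cluster_name = lib.mkOption {
      type = lib.types.str;
      example = "lorem";
      description = "The unique name for the cluster.";
    };

    # Accepts either a plain list of addresses or an attrset of
    # address -> bool; the list form is coerced to `{ addr = true; }`.
    etcd.internal_ip = lib.mkOption {
      default = { };
      example = lib.literalExpression ''
        {
          "172.16.0.10" = true;
          "192.168.1.10" = lib.mkForce false;
        }
      '';
      type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
        enabled: lib.listToAttrs (map (fs: lib.nameValuePair fs true) enabled)
      ) (lib.types.attrsOf lib.types.bool);
      description = "List internal IP addresses for accessing this node.";
    };

    etcd.initial_cluster = lib.mkOption {
      default = [ ];
      example = [
        "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
        "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
        "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
      ];
      type = lib.types.listOf lib.types.str;
      description = "List of controller nodes to form the initial etcd cluster.";
    };
  };

  config = lib.mkIf cfg.enable {
    services.etcd = {
      enable = true;
      openFirewall = true;
      name = config.networking.hostName;

      # Mutual TLS on both the client and the peer endpoints.
      certFile = certFile;
      keyFile = keyFile;
      peerCertFile = certFile;
      peerKeyFile = keyFile;
      trustedCaFile = caFile;
      peerTrustedCaFile = caFile;
      peerClientCertAuth = true;
      clientCertAuth = true;

      initialAdvertisePeerUrls = peerUrls;
      listenPeerUrls = peerUrls;
      # Clients may also reach etcd over loopback, but loopback is never
      # advertised to the cluster.
      listenClientUrls = [ "https://127.0.0.1:2379" ] ++ clientUrls;
      advertiseClientUrls = clientUrls;

      initialClusterToken = cfg.cluster_name;
      initialCluster = cfg.initial_cluster;
      initialClusterState = "new";
    };

    # Keep the etcd data directory across reboots on the persistent disk;
    # `me.mountPersistence` is declared in another module.
    environment.persistence."/disk" = lib.mkIf (config.me.mountPersistence) {
      hideMounts = true;
      directories = [
        {
          directory = config.services.etcd.dataDir; # "/var/lib/etcd"
          user = "etcd";
          group = "etcd";
          mode = "0700";
        }
      ];
    };

    # Fixed ids so ownership of the persisted data directory stays stable.
    users.users.etcd.uid = 10016;
    users.groups.etcd.gid = 10016;

    environment.systemPackages = with pkgs; [
      net-tools # for debugging
      tcpdump
      e2fsprogs # mkfs.ext4
      gptfdisk # cgdisk
    ];

    # NOTE(review): disabling the host firewall makes `openFirewall = true`
    # above moot and leaves every listening service on this node reachable;
    # consider dropping this line and relying on the per-service rules.
    networking.firewall.enable = false;
  };
}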