Jan/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: Move to Cilium

Browse Source
This commit is contained in:
Jan-Bulthuis 2026-01-17 13:32:26 +01:00
parent cf10e1e963
commit 8456412bf3
1 changed files with 60 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
hosts/vm-k1s/configuration.nix
View File

@ -33,6 +33,9 @@
enable = true; enable = true;
extraFlags = [ extraFlags = [
"--cluster-domain ${inputs.secrets.lab.k3s.clusterDomain}" "--cluster-domain ${inputs.secrets.lab.k3s.clusterDomain}"
"--flannel-backend=none"
"--disable-network-policy"
"--disable-kube-proxy"
]; ];
disable = [ disable = [
# "coredns" # CoreDNS is required for Flux to be able to bootstrap the cluster (Flux needs to resolve the git repo) # "coredns" # CoreDNS is required for Flux to be able to bootstrap the cluster (Flux needs to resolve the git repo)
@ -55,8 +58,62 @@
"1-secrets-backup" = { "1-secrets-backup" = {
source = "/opt/k3s-secrets-backup/secrets.yaml"; source = "/opt/k3s-secrets-backup/secrets.yaml";
}; };
# TODO: Move to flux config, once it is possible to easily install flux without CNI
cilium-secrets-namespace = {
content = {
apiVersion = "v1";
kind = "Namespace";
metadata.name = "cilium-secrets";
};
};
# TODO: Move to flux config, once it is possible to easily install flux without CNI
gateway-api =
let
manifest = pkgs.fetchurl {
url = "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/experimental-install.yaml";
hash = "sha256-08IN1MBDGTZWemkXypMfbc7RMQJCvmK57KB72YkuICU=";
};
in
{
source = manifest;
};
}; };
autoDeployCharts = { autoDeployCharts = {
# TODO: Move to flux config, once it is possible to easily install flux without CNI
cilium = {
name = "cilium";
repo = "oci://quay.io/cilium/charts/cilium";
version = "1.18.6";
hash = "sha256-+yr38lc5X1+eXCFE/rq/K0m4g/IiNFJHuhB+Nu24eUs=";
createNamespace = true;
targetNamespace = "cilium-system";
values = {
operator.replicas = 1;
kubeProxyReplacement = true;
ipam.operator.clusterPoolIPv4PodCIDRList = [ "10.11.0.0/16" ];
cluster = {
id = 1;
name = "vm-k1s";
};
k8sServiceHost = "10.10.50.60";
k8sServicePort = 6443;
policyEnforcementMode = "always";
gatewayAPI = {
enabled = true;
gatewayClass.create = "true";
secretsNamespace.create = false;
};
tls.secretsNamespace.create = false;
hubble = {
relay.enabled = true;
ui.enabled = true;
peerService.clusterDomain = inputs.secrets.lab.k3s.clusterDomain;
};
};
extraFieldDefinitions = {
spec.bootstrap = true;
};
};
flux-operator = { flux-operator = {
name = "flux-operator"; name = "flux-operator";
repo = "oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator"; repo = "oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator";
@ -152,11 +209,14 @@
environment.variables = { environment.variables = {
KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"; KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";
CILIUM_NAMESPACE = "cilium-system";
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
fluxcd fluxcd
k9s k9s
cilium-cli
hubble
]; ];
# Use correct disko profile # Use correct disko profile