Jan/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Jan:a61e56c10486c72470573acec984524342fc289f
Branches Tags
Jan:main
Jan:disko
..
compare: Jan:c991768cc2567701fb10ecf281d30babe43eb01e
Branches Tags
Jan:main
Jan:disko

No commits in common. "a61e56c10486c72470573acec984524342fc289f" and "c991768cc2567701fb10ecf281d30babe43eb01e" have entirely different histories.
a61e56c104 ... c991768cc2

2 changed files with 66 additions and 17 deletions
Show Stats Expand all files Collapse all files

24
flake.lock generated
View File

@ -7,11 +7,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1773889306, "lastModified": 1769524058,
"narHash": "sha256-PAqwnsBSI9SVC2QugvQ3xeYCB0otOwCacB1ueQj2tgw=", "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "5ad85c82cc52264f4beddc934ba57f3789f28347", "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -79,11 +79,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774875815, "lastModified": 1770476834,
"narHash": "sha256-PzqwM4njoB3aznqwPZUawD4uOcJeu7N6GBTJKg81EQ4=", "narHash": "sha256-cyxgVsNfHnJ4Zn6G1EOzfTXbjTy7Ds9zMOsZaX7VZWs=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "9340f51314713c83360bf72d75c8b404778ab5b1", "rev": "6cee0821577643e0b34e2c5d9a90d0b1b5cdca70",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -229,11 +229,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1774709303, "lastModified": 1770197578,
"narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=", "narHash": "sha256-AYqlWrX09+HvGs8zM6ebZ1pwUqjkfpnv8mewYwAo+iM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685", "rev": "00c21e4c93d963c50d4c0c89bfa84ed6e0694df2",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -279,11 +279,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1774760784, "lastModified": 1770145881,
"narHash": "sha256-D+tgywBHldTc0klWCIC49+6Zlp57Y4GGwxP1CqfxZrY=", "narHash": "sha256-ktjWTq+D5MTXQcL9N6cDZXUf9kX8JBLLBLT0ZyOTSYY=",
"owner": "Mic92", "owner": "Mic92",
"repo": "sops-nix", "repo": "sops-nix",
"rev": "8adb84861fe70e131d44e1e33c426a51e2e0bfa5", "rev": "17eea6f3816ba6568b8c81db8a4e6ca438b30b7c",
"type": "github" "type": "github"
}, },
"original": { "original": {

59
hosts/vm-k1s/configuration.nix
View File

@ -28,7 +28,7 @@
# Include NFS client module # Include NFS client module
boot.supportedFilesystems = [ "nfs" ]; boot.supportedFilesystems = [ "nfs" ];
# Set up K3S cluster with CoreDNS, FluxCD and Cilium # Set up K3S cluster with CoreDNS and FluxCD
services.k3s = { services.k3s = {
enable = true; enable = true;
extraFlags = [ extraFlags = [
@ -52,12 +52,26 @@
sops-decrypt-key = { sops-decrypt-key = {
source = config.sops.secrets."flux/sops-decrypt-key".path; source = config.sops.secrets."flux/sops-decrypt-key".path;
}; };
# "0-secrets-backup-namespaces" = {
# source = "/opt/k3s-secrets-backup/namespaces.yaml";
# };
# "1-secrets-backup" = {
# source = "/opt/k3s-secrets-backup/secrets.yaml";
# };
# TODO: Move to flux config, once it is possible to easily install flux without CNI
cilium-secrets-namespace = {
content = {
apiVersion = "v1";
kind = "Namespace";
metadata.name = "cilium-secrets";
};
};
# TODO: Move to flux config, once it is possible to easily install flux without CNI # TODO: Move to flux config, once it is possible to easily install flux without CNI
gateway-api = gateway-api =
let let
manifest = pkgs.fetchurl { manifest = pkgs.fetchurl {
url = "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/experimental-install.yaml"; url = "https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.1/experimental-install.yaml";
hash = "sha256-VTMn4P8yoaK+RGv5OCPIQTz5JTrGptVAfuvR6NJp9p4="; hash = "sha256-08IN1MBDGTZWemkXypMfbc7RMQJCvmK57KB72YkuICU=";
}; };
in in
{ {
@ -143,8 +157,8 @@
cilium = { cilium = {
name = "cilium"; name = "cilium";
repo = "oci://quay.io/cilium/charts/cilium"; repo = "oci://quay.io/cilium/charts/cilium";
version = "1.18.8"; version = "1.18.6";
hash = "sha256-z1aDpWttEfQ+Af/l0Lxdafasm75QysRc8h7sPhWXr94="; hash = "sha256-+yr38lc5X1+eXCFE/rq/K0m4g/IiNFJHuhB+Nu24eUs=";
createNamespace = true; createNamespace = true;
targetNamespace = "cilium-system"; targetNamespace = "cilium-system";
values = { values = {
@ -230,9 +244,44 @@
}; };
}; };
# Backup secrets to avoid reissueing them
modules.impermanence.directories = [ modules.impermanence.directories = [
"/var/lib/rancher/k3s" "/opt/k3s-secrets-backup"
]; ];
systemd.timers.k3s-secrets-backup-timer = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "15m";
OnUnitActiveSec = "1h";
Unit = "k3s-secrets-backup.service";
};
};
systemd.services.k3s-secrets-backup = {
script = ''
mkdir -p /opt/k3s-secrets-backup
touch /opt/k3s-secrets-backup/secrets.yaml
touch /opt/k3s-secrets-backup/namespaces.yaml
chmod 600 /opt/k3s-secrets-backup/secrets.yaml
chmod 600 /opt/k3s-secrets-backup/namespaces.yaml
${pkgs.k3s}/bin/kubectl get secrets -A -l controller.cert-manager\.io/fao=="true" -oyaml | ${pkgs.kubectl-neat}/bin/kubectl-neat > /opt/k3s-secrets-backup/secrets.yaml
echo "apiVersion: v1
kind: List
items:" > /opt/k3s-secrets-backup/namespaces.yaml
${pkgs.gnugrep}/bin/grep -oP '\snamespace: \K.*' /opt/k3s-secrets-backup/secrets.yaml | sort -u | while read -r ns; do
echo "- apiVersion: v1
kind: Namespace
metadata:
name: $ns"
done >> /opt/k3s-secrets-backup/namespaces.yaml
'';
serviceConfig = {
Type = "oneshot";
User = "root";
};
};
environment.variables = { environment.variables = {
KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"; KUBECONFIG = "/etc/rancher/k3s/k3s.yaml";