Revert kubernetes

flake.lock

@@ -100,11 +100,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1727826117,
-        "narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
+        "lastModified": 1730504689,
+        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
+        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
         "type": "github"
       },
       "original": {
@@ -149,11 +149,11 @@
     "min-rip": {
       "flake": false,
       "locked": {
-        "lastModified": 1730496934,
-        "narHash": "sha256-W982rhZkCaadeHaDR17h0ROZ8tUibm209+QVw43cN98=",
+        "lastModified": 1730603510,
+        "narHash": "sha256-+oUMM43mVaXpf0yv7niHf6Q/2Vv8iuIESxwYEDxYt3A=",
         "ref": "refs/heads/main",
-        "rev": "a213353fbe2badb541a2906da5d92e0a79315847",
-        "revCount": 27,
+        "rev": "2f2e6f840237ac0a3664b51958f5070d5945fce5",
+        "revCount": 30,
         "type": "git",
         "url": "ssh://git@git.min.rip/min/min.rip.git"
       },
@@ -180,14 +180,14 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1727825735,
-        "narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
+        "lastModified": 1730504152,
+        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
+        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
       }
     },
     "nixpkgs-stable": {

nixos/hosts/eidola/configuration.nix

@@ -18,7 +18,6 @@
   nixpkgs.config.allowUnfree = true;
 
   # Basic networking
-  networking.networkmanager.enable = true;
   networking.firewall.enable = true;
 
   # Locales
@@ -33,7 +32,7 @@
 
     eidola = {
       isNormalUser = true;
-      extraGroups = ["networkmanager" "wheel"];
+      extraGroups = ["wheel"];
       hashedPasswordFile = config.sops.secrets."user-pw".path;
       openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
     };
@@ -70,6 +69,7 @@
     port = 48722;
     hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
   };
+  boot.initrd.network.udhcpc.enable = true;
 
   system.stateVersion = "24.05";
 }

nixos/hosts/eidola/default.nix

@@ -6,7 +6,7 @@
   };
 
   deployment = {
-    host = "10.13.1.1";
+    host = "eidola.int.min.rip";
     user = "root";
     port = 22;
 

nixos/hosts/eidola/nebula.nix

@@ -2,6 +2,7 @@
   netName = "m-infra";
   # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
   userGroup = "nebula-${netName}";
+  interface = "nebula.${netName}";
   lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding
   lhsInt = builtins.attrNames lhs;
 in {
@@ -11,6 +12,8 @@ in {
     group = userGroup;
   };
 
+  networking.firewall.trustedInterfaces = [interface];
+
   services.nebula.networks.${netName} = {
     ca = ../../keys/ca.crt;
     cert = ../../keys/n-srv-eidola.crt;
@@ -37,11 +40,17 @@ in {
         proto = "icmp";
         host = "any";
       }
-      # Allow SSH from `internal` group
+      # Allow anything from `internal` group
+      {
+        port = "any";
+        proto = "any";
+        groups = ["internal"];
+      }
+      # Allow SSH from anyone
       {
         port = 22;
         proto = "tcp";
-        groups = ["internal"];
+        host = "any";
       }
     ];
   };

nixos/hosts/silver/configuration.nix

@@ -3,7 +3,8 @@
   pkgs,
   ...
 }: let
-  net = { # TODO: hardcoding (this module *may* be a good place to store values like this, though)
+  net = {
+    # TODO: hardcoding (this module *may* be a good place to store values like this, though)
     address = "107.152.41.67";
     prefixLength = 24;
     subnet = "255.255.255.0";
@@ -26,7 +27,6 @@ in {
   nixpkgs.config.allowUnfree = true;
 
   # Basic networking
-  networking.networkmanager.enable = true;
   networking.firewall.enable = true;
 
   # Networking - IP configuration
@@ -62,7 +62,7 @@ in {
 
     silver = {
       isNormalUser = true;
-      extraGroups = ["networkmanager" "wheel"];
+      extraGroups = ["wheel"];
       hashedPasswordFile = config.sops.secrets."user-pw".path;
       openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
     };
@@ -84,7 +84,12 @@ in {
     enable = true;
     settings.PasswordAuthentication = false;
     settings.KbdInteractiveAuthentication = false;
-    ports = [12208];
+    listenAddresses = [
+      {
+        addr = "10.13.0.1";
+        port = 22;
+      }
+    ];
   };
 
   # My modules

nixos/hosts/silver/default.nix

@@ -6,9 +6,9 @@
   };
 
   deployment = {
-    host = "10.13.0.1";
+    host = "silver.int.min.rip";
     user = "root";
-    port = 12208;
+    port = 22;
 
     buildOnTarget = false;
   };

nixos/hosts/silver/mounts.nix

@@ -15,12 +15,6 @@
       "/var/lib/acme"
 
       "/srv"
-
-      # k8s
-      "/var/lib/containerd"
-      "/var/lib/kubernetes"
-      "/var/lib/kubelet"
-      "/var/lib/kube-proxy"
     ];
     files = [
       "/etc/machine-id"

nixos/hosts/silver/services/default.nix

@@ -7,7 +7,6 @@
     ./gitea.nix
     ./synapse.nix
     ./nebula.nix
-    ./k8s.nix
   ];
 
   security.acme = {

nixos/hosts/silver/services/gitea.nix

@@ -1,5 +1,5 @@
 {config, ...}: let
-  sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod (and ideally hardcode it somewhere else)
+  sshExposeIp = "107.152.41.67"; # TODO: hardcoding
   sshIntPort = 14022;
   httpIntPort = 14020;
   dom = "git.min.rip"; # TODO: hardcoding

nixos/hosts/silver/services/k8s.nix

@@ -1,30 +0,0 @@
-{pkgs, ...}: let
-  kMasterIp = "10.13.0.1";
-  kMasterHostname = "silver";
-  kMasterApiServerPort = 6443;
-in {
-  networking.extraHosts = "${kMasterIp} ${kMasterHostname}";
-
-  systemd.services.etcd.preStart = ''${pkgs.writeShellScript "etcd-wait" ''
-      while [ ! -f /var/lib/kubernetes/secrets/etcd.pem ]; do sleep 1; done
-    ''}'';
-
-  services.kubernetes = {
-    roles = ["master" "node"];
-    masterAddress = kMasterHostname;
-    apiserverAddress = "https://${kMasterHostname}:${toString kMasterApiServerPort}";
-
-    apiserver = {
-      securePort = kMasterApiServerPort;
-      advertiseAddress = kMasterIp;
-    };
-
-    easyCerts = true;
-
-    # use coredns
-    addons.dns.enable = true;
-
-    # needed if you use swap
-    kubelet.extraOpts = "--fail-swap-on=false";
-  };
-}

nixos/hosts/silver/services/nebula.nix

@@ -2,6 +2,7 @@
   netName = "m-infra"; # TODO: hardcoding
   # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
   userGroup = "nebula-${netName}";
+  interface = "nebula.${netName}";
 in {
   sops.secrets."svc-nebula-key" = {
     mode = "0440";
@@ -9,6 +10,11 @@ in {
     group = userGroup;
   };
 
+  networking.firewall = {
+    trustedInterfaces = [interface];
+    allowedUDPPorts = [4242];
+  };
+
   services.nebula.networks.${netName} = {
     ca = ../../../keys/ca.crt;
     cert = ../../../keys/lh-silver.crt;
@@ -37,14 +43,18 @@ in {
         proto = "icmp";
         host = "any";
       }
-      # Allow SSH from `internal` group
+      # Allow anything from `internal` group
       {
-        port = 12208;
-        proto = "tcp";
+        port = "any";
+        proto = "any";
         groups = ["internal"];
       }
+      # Allow SSH from anyone
+      {
+        port = 22;
+        proto = "tcp";
+        host = "any";
+      }
     ];
   };
-
-  networking.firewall.allowedUDPPorts = [4242];
 }