Revert kubernetes

This commit is contained in:
minish 2024-11-03 21:30:30 -05:00
parent 9bd1f0cfa1
commit 21fe6a23f0
Signed by: min
SSH Key Fingerprint: SHA256:NFjjdbkd6u7aoMlcrDCVvz6o2UBtlAuPm8IQ2vhZ3Fg
11 changed files with 52 additions and 65 deletions


@ -100,11 +100,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1727826117, "lastModified": 1730504689,
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=", "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1", "rev": "506278e768c2a08bec68eb62932193e341f55c90",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -149,11 +149,11 @@
"min-rip": { "min-rip": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1730496934, "lastModified": 1730603510,
"narHash": "sha256-W982rhZkCaadeHaDR17h0ROZ8tUibm209+QVw43cN98=", "narHash": "sha256-+oUMM43mVaXpf0yv7niHf6Q/2Vv8iuIESxwYEDxYt3A=",
"ref": "refs/heads/main", "ref": "refs/heads/main",
"rev": "a213353fbe2badb541a2906da5d92e0a79315847", "rev": "2f2e6f840237ac0a3664b51958f5070d5945fce5",
"revCount": 27, "revCount": 30,
"type": "git", "type": "git",
"url": "ssh://git@git.min.rip/min/min.rip.git" "url": "ssh://git@git.min.rip/min/min.rip.git"
}, },
@ -180,14 +180,14 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1727825735, "lastModified": 1730504152,
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=", "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
}, },
"original": { "original": {
"type": "tarball", "type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz" "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
} }
}, },
"nixpkgs-stable": { "nixpkgs-stable": {


@ -18,7 +18,6 @@
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Basic networking # Basic networking
networking.networkmanager.enable = true;
networking.firewall.enable = true; networking.firewall.enable = true;
# Locales # Locales
@ -33,7 +32,7 @@
eidola = { eidola = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["networkmanager" "wheel"]; extraGroups = ["wheel"];
hashedPasswordFile = config.sops.secrets."user-pw".path; hashedPasswordFile = config.sops.secrets."user-pw".path;
openssh.authorizedKeys.keys = import ../../keys/ssh.nix; openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
}; };
@ -70,6 +69,7 @@
port = 48722; port = 48722;
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"]; hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
}; };
boot.initrd.network.udhcpc.enable = true;
system.stateVersion = "24.05"; system.stateVersion = "24.05";
} }
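Review bot: The added `boot.initrd.network.udhcpc.enable = true;` carries no comment, although the other networking lines in this file are annotated and the same commit removes `networking.networkmanager.enable` a few lines up. Presumably the initrd SSH listener configured just above (port 48722, persistent host key under /persist) now needs udhcpc to obtain an address before the main system network comes up; suggest `# initrd SSH (remote unlock) needs an address before the main network stack starts`. The enclosing attribute set starts outside the hunk.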


@ -6,7 +6,7 @@
}; };
deployment = { deployment = {
host = "10.13.1.1"; host = "eidola.int.min.rip";
user = "root"; user = "root";
port = 22; port = 22;
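Review bot: `host` now names `eidola.int.min.rip` instead of the overlay IP, so the deploy tool's SSH session as `root` is keyed by a DNS name, and the known_hosts entry recorded under the old address will not match; the silver deployment section later in this commit makes the same change and additionally moves `port` from 12208 to 22. Confirm the host keys are recorded under the new names (and port) before the next deploy so the first connection is not a blind trust-on-first-use prompt, and that the `int.min.rip` names resolve only through a path you control. The `deployment` block continues outside the hunk.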


@ -2,6 +2,7 @@
netName = "m-infra"; netName = "m-infra";
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12 # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
userGroup = "nebula-${netName}"; userGroup = "nebula-${netName}";
interface = "nebula.${netName}";
lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding
lhsInt = builtins.attrNames lhs; lhsInt = builtins.attrNames lhs;
in { in {
@ -11,6 +12,8 @@ in {
group = userGroup; group = userGroup;
}; };
networking.firewall.trustedInterfaces = [interface];
services.nebula.networks.${netName} = { services.nebula.networks.${netName} = {
ca = ../../keys/ca.crt; ca = ../../keys/ca.crt;
cert = ../../keys/n-srv-eidola.crt; cert = ../../keys/n-srv-eidola.crt;
@ -37,11 +40,17 @@ in {
proto = "icmp"; proto = "icmp";
host = "any"; host = "any";
} }
# Allow SSH from `internal` group # Allow anything from `internal` group
{
port = "any";
proto = "any";
groups = ["internal"];
}
# Allow SSH from anyone
{ {
port = 22; port = 22;
proto = "tcp"; proto = "tcp";
groups = ["internal"]; host = "any";
} }
]; ];
}; };
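Review bot: `networking.firewall.trustedInterfaces = [interface];` disables the host firewall for the nebula interface, and the new inbound rule `port = "any"; proto = "any"; groups = ["internal"];` makes Nebula's own filter admit everything from any `internal` certificate, so nothing on this host is filtered for that group; the silver nebula.nix section later in the commit adds the same pair. Unless every service bound on this host is meant to be reachable from every internal node, prefer listing ports on the overlay interface (`networking.firewall.interfaces.${interface}.allowedTCPPorts`) over trusting it, and narrow the Nebula rule to the ports actually needed. Separately, `# Allow SSH from anyone` overstates the reach: `host = "any"` in a Nebula inbound rule matches any node holding a valid certificate for this network, not arbitrary hosts; suggest `# Allow SSH from any node with a valid cert for this network`. The enclosing `in { … }` set continues outside the hunk.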


@ -3,7 +3,8 @@
pkgs, pkgs,
... ...
}: let }: let
net = { # TODO: hardcoding (this module *may* be a good place to store values like this, though) net = {
# TODO: hardcoding (this module *may* be a good place to store values like this, though)
address = "107.152.41.67"; address = "107.152.41.67";
prefixLength = 24; prefixLength = 24;
subnet = "255.255.255.0"; subnet = "255.255.255.0";
@ -26,7 +27,6 @@ in {
nixpkgs.config.allowUnfree = true; nixpkgs.config.allowUnfree = true;
# Basic networking # Basic networking
networking.networkmanager.enable = true;
networking.firewall.enable = true; networking.firewall.enable = true;
# Networking - IP configuration # Networking - IP configuration
@ -62,7 +62,7 @@ in {
silver = { silver = {
isNormalUser = true; isNormalUser = true;
extraGroups = ["networkmanager" "wheel"]; extraGroups = ["wheel"];
hashedPasswordFile = config.sops.secrets."user-pw".path; hashedPasswordFile = config.sops.secrets."user-pw".path;
openssh.authorizedKeys.keys = import ../../keys/ssh.nix; openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
}; };
@ -84,7 +84,12 @@ in {
enable = true; enable = true;
settings.PasswordAuthentication = false; settings.PasswordAuthentication = false;
settings.KbdInteractiveAuthentication = false; settings.KbdInteractiveAuthentication = false;
ports = [12208]; listenAddresses = [
{
addr = "10.13.0.1";
port = 22;
}
];
}; };
# My modules # My modules
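Review bot: sshd is now bound only to `addr = "10.13.0.1"`, the overlay address that this host's nebula.nix also lists as the lighthouse, so the daemon can bind only once the nebula interface holds that address; the NixOS sshd unit does not order itself after the nebula service as far as I can see, so the first bind attempt at boot may fail and SSH becomes reachable only once the unit's restart succeeds — and if nebula never comes up there is no SSH path to this host at all. Consider an explicit systemd ordering on the nebula unit (name per the nixpkgs module linked from nebula.nix — confirm) or a second management listen address, and record the intent, which I read as keeping public port 22 free for gitea's exposed SSH (see gitea.nix in this commit): `# SSH only over the nebula overlay; the public address is left to gitea's SSH`. The `in { … }` set continues outside the hunk.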


@ -6,9 +6,9 @@
}; };
deployment = { deployment = {
host = "10.13.0.1"; host = "silver.int.min.rip";
user = "root"; user = "root";
port = 12208; port = 22;
buildOnTarget = false; buildOnTarget = false;
}; };


@ -15,12 +15,6 @@
"/var/lib/acme" "/var/lib/acme"
"/srv" "/srv"
# k8s
"/var/lib/containerd"
"/var/lib/kubernetes"
"/var/lib/kubelet"
"/var/lib/kube-proxy"
]; ];
files = [ files = [
"/etc/machine-id" "/etc/machine-id"


@ -7,7 +7,6 @@
./gitea.nix ./gitea.nix
./synapse.nix ./synapse.nix
./nebula.nix ./nebula.nix
./k8s.nix
]; ];
security.acme = { security.acme = {


@ -1,5 +1,5 @@
{config, ...}: let {config, ...}: let
sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod (and ideally hardcode it somewhere else) sshExposeIp = "107.152.41.67"; # TODO: hardcoding
sshIntPort = 14022; sshIntPort = 14022;
httpIntPort = 14020; httpIntPort = 14020;
dom = "git.min.rip"; # TODO: hardcoding dom = "git.min.rip"; # TODO: hardcoding
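Review bot: `sshExposeIp = "107.152.41.67"` duplicates the literal already given as `net.address` in this host's configuration.nix in the same commit, and both now carry `# TODO: hardcoding`. Binding gitea's SSH to the concrete public address is an improvement over `0.0.0.0`, but with two copies the next address change can silently leave the exposed SSH on a stale IP; suggest publishing the address through a shared module option so both files read the one value. The `let` block continues outside the hunk.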


@ -1,30 +0,0 @@
{pkgs, ...}: let
kMasterIp = "10.13.0.1";
kMasterHostname = "silver";
kMasterApiServerPort = 6443;
in {
networking.extraHosts = "${kMasterIp} ${kMasterHostname}";
systemd.services.etcd.preStart = ''${pkgs.writeShellScript "etcd-wait" ''
while [ ! -f /var/lib/kubernetes/secrets/etcd.pem ]; do sleep 1; done
''}'';
services.kubernetes = {
roles = ["master" "node"];
masterAddress = kMasterHostname;
apiserverAddress = "https://${kMasterHostname}:${toString kMasterApiServerPort}";
apiserver = {
securePort = kMasterApiServerPort;
advertiseAddress = kMasterIp;
};
easyCerts = true;
# use coredns
addons.dns.enable = true;
# needed if you use swap
kubelet.extraOpts = "--fail-swap-on=false";
};
}


@ -2,6 +2,7 @@
netName = "m-infra"; # TODO: hardcoding netName = "m-infra"; # TODO: hardcoding
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12 # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
userGroup = "nebula-${netName}"; userGroup = "nebula-${netName}";
interface = "nebula.${netName}";
in { in {
sops.secrets."svc-nebula-key" = { sops.secrets."svc-nebula-key" = {
mode = "0440"; mode = "0440";
@ -9,6 +10,11 @@ in {
group = userGroup; group = userGroup;
}; };
networking.firewall = {
trustedInterfaces = [interface];
allowedUDPPorts = [4242];
};
services.nebula.networks.${netName} = { services.nebula.networks.${netName} = {
ca = ../../../keys/ca.crt; ca = ../../../keys/ca.crt;
cert = ../../../keys/lh-silver.crt; cert = ../../../keys/lh-silver.crt;
@ -37,14 +43,18 @@ in {
proto = "icmp"; proto = "icmp";
host = "any"; host = "any";
} }
# Allow SSH from `internal` group # Allow anything from `internal` group
{ {
port = 12208; port = "any";
proto = "tcp"; proto = "any";
groups = ["internal"]; groups = ["internal"];
} }
# Allow SSH from anyone
{
port = 22;
proto = "tcp";
host = "any";
}
]; ];
}; };
networking.firewall.allowedUDPPorts = [4242];
} }