Revert kubernetes
parent
9bd1f0cfa1
commit
21fe6a23f0
22
flake.lock
22
flake.lock
|
@ -100,11 +100,11 @@
|
||||||
"nixpkgs-lib": "nixpkgs-lib"
|
"nixpkgs-lib": "nixpkgs-lib"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1727826117,
|
"lastModified": 1730504689,
|
||||||
"narHash": "sha256-K5ZLCyfO/Zj9mPFldf3iwS6oZStJcU4tSpiXTMYaaL0=",
|
"narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
|
||||||
"owner": "hercules-ci",
|
"owner": "hercules-ci",
|
||||||
"repo": "flake-parts",
|
"repo": "flake-parts",
|
||||||
"rev": "3d04084d54bedc3d6b8b736c70ef449225c361b1",
|
"rev": "506278e768c2a08bec68eb62932193e341f55c90",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -149,11 +149,11 @@
|
||||||
"min-rip": {
|
"min-rip": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1730496934,
|
"lastModified": 1730603510,
|
||||||
"narHash": "sha256-W982rhZkCaadeHaDR17h0ROZ8tUibm209+QVw43cN98=",
|
"narHash": "sha256-+oUMM43mVaXpf0yv7niHf6Q/2Vv8iuIESxwYEDxYt3A=",
|
||||||
"ref": "refs/heads/main",
|
"ref": "refs/heads/main",
|
||||||
"rev": "a213353fbe2badb541a2906da5d92e0a79315847",
|
"rev": "2f2e6f840237ac0a3664b51958f5070d5945fce5",
|
||||||
"revCount": 27,
|
"revCount": 30,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@git.min.rip/min/min.rip.git"
|
"url": "ssh://git@git.min.rip/min/min.rip.git"
|
||||||
},
|
},
|
||||||
|
@ -180,14 +180,14 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-lib": {
|
"nixpkgs-lib": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1727825735,
|
"lastModified": 1730504152,
|
||||||
"narHash": "sha256-0xHYkMkeLVQAMa7gvkddbPqpxph+hDzdu1XdGPJR+Os=",
|
"narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"type": "tarball",
|
||||||
"url": "https://github.com/NixOS/nixpkgs/archive/fb192fec7cc7a4c26d51779e9bab07ce6fa5597a.tar.gz"
|
"url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-stable": {
|
"nixpkgs-stable": {
|
||||||
|
|
|
@ -18,7 +18,6 @@
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
# Basic networking
|
# Basic networking
|
||||||
networking.networkmanager.enable = true;
|
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
# Locales
|
# Locales
|
||||||
|
@ -33,7 +32,7 @@
|
||||||
|
|
||||||
eidola = {
|
eidola = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["networkmanager" "wheel"];
|
extraGroups = ["wheel"];
|
||||||
hashedPasswordFile = config.sops.secrets."user-pw".path;
|
hashedPasswordFile = config.sops.secrets."user-pw".path;
|
||||||
openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
|
openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
|
||||||
};
|
};
|
||||||
|
@ -70,6 +69,7 @@
|
||||||
port = 48722;
|
port = 48722;
|
||||||
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
|
hostKeys = ["/persist/etc/secrets/initrd/ssh_host_ed25519_key"];
|
||||||
};
|
};
|
||||||
|
boot.initrd.network.udhcpc.enable = true;
|
||||||
|
|
||||||
system.stateVersion = "24.05";
|
system.stateVersion = "24.05";
|
||||||
}
|
}
|
||||||
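Review bot: `boot.initrd.network.udhcpc.enable = true;` puts the initrd sshd (port 48722, host key read from `/persist/etc/secrets/initrd/`) on whatever address the first DHCP offer hands out, and stage 1 has no NixOS firewall, so that listener is reachable from any network the lease lands on before stage 2 starts. The hunk does not show which keys the initrd sshd accepts, and nothing records why DHCP now replaces the removed NetworkManager; a why-comment would help, e.g. `# stage 1 has no NetworkManager: DHCP so the initrd sshd on 48722 is reachable` (presumably for remote boot — confirm). Dropping `networkmanager` from eidola's `extraGroups` is a welcome narrowing. The enclosing attribute set starts before the hunk.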
|
|
|
@ -6,7 +6,7 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
host = "10.13.1.1";
|
host = "eidola.int.min.rip";
|
||||||
user = "root";
|
user = "root";
|
||||||
port = 22;
|
port = 22;
|
||||||
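Review bot: `host = "eidola.int.min.rip"` makes the root deployment target depend on DNS resolution instead of the overlay address, so whoever answers for that zone (or the resolver in use) decides which sshd receives the root session and the built closure; the hunk configures no host-key pin. If the name is expected to resolve to the nebula address, record that next to it: `host = "eidola.int.min.rip"; # must resolve to eidola's nebula overlay address`, and keep a known_hosts or host-key pin if the deployment tool supports one. The `deployment` set closes inside the hunk but the outer set does not.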
|
|
||||||
|
|
|
@ -2,6 +2,7 @@
|
||||||
netName = "m-infra";
|
netName = "m-infra";
|
||||||
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
|
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
|
||||||
userGroup = "nebula-${netName}";
|
userGroup = "nebula-${netName}";
|
||||||
|
interface = "nebula.${netName}";
|
||||||
lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding
|
lhs = {"10.13.0.1" = ["min.rip:4242"];}; # TODO: hardcoding
|
||||||
lhsInt = builtins.attrNames lhs;
|
lhsInt = builtins.attrNames lhs;
|
||||||
in {
|
in {
|
||||||
|
@ -11,6 +12,8 @@ in {
|
||||||
group = userGroup;
|
group = userGroup;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall.trustedInterfaces = [interface];
|
||||||
|
|
||||||
services.nebula.networks.${netName} = {
|
services.nebula.networks.${netName} = {
|
||||||
ca = ../../keys/ca.crt;
|
ca = ../../keys/ca.crt;
|
||||||
cert = ../../keys/n-srv-eidola.crt;
|
cert = ../../keys/n-srv-eidola.crt;
|
||||||
|
@ -37,11 +40,17 @@ in {
|
||||||
proto = "icmp";
|
proto = "icmp";
|
||||||
host = "any";
|
host = "any";
|
||||||
}
|
}
|
||||||
# Allow SSH from `internal` group
|
# Allow anything from `internal` group
|
||||||
|
{
|
||||||
|
port = "any";
|
||||||
|
proto = "any";
|
||||||
|
groups = ["internal"];
|
||||||
|
}
|
||||||
|
# Allow SSH from anyone
|
||||||
{
|
{
|
||||||
port = 22;
|
port = 22;
|
||||||
proto = "tcp";
|
proto = "tcp";
|
||||||
groups = ["internal"];
|
host = "any";
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
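Review bot: The new `# Allow SSH from anyone` rule at the end of the inbound list admits port 22 from any certificate signed by the CA, and `networking.firewall.trustedInterfaces = [interface];` takes the host firewall out of the overlay path, so nebula's rule list is now the only control on what reaches eidola's services. The preceding `internal` any/any rule already covers the hosts that should administer this box; if other cert holders must not get SSH, give the last rule a group (`groups = ["internal"];` or a narrower one) instead of `host = "any";`. If the overlay is meant to be fully trusted, `networking.firewall.interfaces.${interface}.allowedTCPPorts = [22];` is as short as `trustedInterfaces` and keeps a port filter in place against a misissued cert. The inbound rule list starts before the hunk.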
|
|
|
@ -3,7 +3,8 @@
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: let
|
}: let
|
||||||
net = { # TODO: hardcoding (this module *may* be a good place to store values like this, though)
|
net = {
|
||||||
|
# TODO: hardcoding (this module *may* be a good place to store values like this, though)
|
||||||
address = "107.152.41.67";
|
address = "107.152.41.67";
|
||||||
prefixLength = 24;
|
prefixLength = 24;
|
||||||
subnet = "255.255.255.0";
|
subnet = "255.255.255.0";
|
||||||
|
@ -26,7 +27,6 @@ in {
|
||||||
nixpkgs.config.allowUnfree = true;
|
nixpkgs.config.allowUnfree = true;
|
||||||
|
|
||||||
# Basic networking
|
# Basic networking
|
||||||
networking.networkmanager.enable = true;
|
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
# Networking - IP configuration
|
# Networking - IP configuration
|
||||||
|
@ -62,7 +62,7 @@ in {
|
||||||
|
|
||||||
silver = {
|
silver = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
extraGroups = ["networkmanager" "wheel"];
|
extraGroups = ["wheel"];
|
||||||
hashedPasswordFile = config.sops.secrets."user-pw".path;
|
hashedPasswordFile = config.sops.secrets."user-pw".path;
|
||||||
openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
|
openssh.authorizedKeys.keys = import ../../keys/ssh.nix;
|
||||||
};
|
};
|
||||||
|
@ -84,7 +84,12 @@ in {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings.PasswordAuthentication = false;
|
settings.PasswordAuthentication = false;
|
||||||
settings.KbdInteractiveAuthentication = false;
|
settings.KbdInteractiveAuthentication = false;
|
||||||
ports = [12208];
|
listenAddresses = [
|
||||||
|
{
|
||||||
|
addr = "10.13.0.1";
|
||||||
|
port = 22;
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# My modules
|
# My modules
|
||||||
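Review bot: `listenAddresses = [{ addr = "10.13.0.1"; port = 22; }]` binds sshd only to the nebula overlay address, and sshd refuses to start when that address is not yet assigned to an interface; nothing in the hunk orders sshd after the nebula unit, so a boot where nebula is slow or broken leaves this public host (`net.address` 107.152.41.67 above) with no SSH path. Add an ordering such as `systemd.services.sshd.after = [ "nebula@m-infra.service" ]; systemd.services.sshd.wants = [ "nebula@m-infra.service" ];` (unit name assumed from the NixOS nebula module — verify) or set `boot.kernel.sysctl."net.ipv4.ip_nonlocal_bind" = 1;` so the early bind succeeds. Restricting sshd to the overlay is otherwise a good hardening on a host with a public address. The enclosing sshd attribute set starts before the hunk.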
|
|
|
@ -6,9 +6,9 @@
|
||||||
};
|
};
|
||||||
|
|
||||||
deployment = {
|
deployment = {
|
||||||
host = "10.13.0.1";
|
host = "silver.int.min.rip";
|
||||||
user = "root";
|
user = "root";
|
||||||
port = 12208;
|
port = 22;
|
||||||
|
|
||||||
buildOnTarget = false;
|
buildOnTarget = false;
|
||||||
};
|
};
|
||||||
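Review bot: With sshd on silver now bound only to 10.13.0.1 (the `listenAddresses` change earlier in this commit), `host = "silver.int.min.rip"` works only while that name resolves to the overlay address, and a DNS answer pointing at some other sshd is caught only by the client's host-key check, which the hunk does not configure for this root deploy. Document the coupling so the next DNS change does not strand deployments: `host = "silver.int.min.rip"; # must resolve to 10.13.0.1 — sshd only listens on the nebula address`, and pin the host key if the tool allows it. The outer attribute set starts before the hunk.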
|
|
|
@ -15,12 +15,6 @@
|
||||||
"/var/lib/acme"
|
"/var/lib/acme"
|
||||||
|
|
||||||
"/srv"
|
"/srv"
|
||||||
|
|
||||||
# k8s
|
|
||||||
"/var/lib/containerd"
|
|
||||||
"/var/lib/kubernetes"
|
|
||||||
"/var/lib/kubelet"
|
|
||||||
"/var/lib/kube-proxy"
|
|
||||||
];
|
];
|
||||||
files = [
|
files = [
|
||||||
"/etc/machine-id"
|
"/etc/machine-id"
|
||||||
|
|
|
@ -7,7 +7,6 @@
|
||||||
./gitea.nix
|
./gitea.nix
|
||||||
./synapse.nix
|
./synapse.nix
|
||||||
./nebula.nix
|
./nebula.nix
|
||||||
./k8s.nix
|
|
||||||
];
|
];
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
{config, ...}: let
|
{config, ...}: let
|
||||||
sshExposeIp = "0.0.0.0"; # TODO: change this to the public-facing IP for prod (and ideally hardcode it somewhere else)
|
sshExposeIp = "107.152.41.67"; # TODO: hardcoding
|
||||||
sshIntPort = 14022;
|
sshIntPort = 14022;
|
||||||
httpIntPort = 14020;
|
httpIntPort = 14020;
|
||||||
dom = "git.min.rip"; # TODO: hardcoding
|
dom = "git.min.rip"; # TODO: hardcoding
|
||||||
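Review bot: `sshExposeIp = "107.152.41.67"` repeats the literal that silver's `net.address` carries in another file of this commit, and the two can drift apart silently; the `# TODO: hardcoding` admits the duplication but does not tie the copies together. Prefer sourcing it from one place (a shared option the host module defines, or the interface address from `config.networking`), or at least name the source in the comment: `sshExposeIp = "107.152.41.67"; # TODO: hardcoding — must equal silver's net.address`. Binding the exposed SSH to the public address instead of `0.0.0.0` is a reasonable tightening. The `let` block continues past the hunk.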
|
|
|
@ -1,30 +0,0 @@
|
||||||
{pkgs, ...}: let
|
|
||||||
kMasterIp = "10.13.0.1";
|
|
||||||
kMasterHostname = "silver";
|
|
||||||
kMasterApiServerPort = 6443;
|
|
||||||
in {
|
|
||||||
networking.extraHosts = "${kMasterIp} ${kMasterHostname}";
|
|
||||||
|
|
||||||
systemd.services.etcd.preStart = ''${pkgs.writeShellScript "etcd-wait" ''
|
|
||||||
while [ ! -f /var/lib/kubernetes/secrets/etcd.pem ]; do sleep 1; done
|
|
||||||
''}'';
|
|
||||||
|
|
||||||
services.kubernetes = {
|
|
||||||
roles = ["master" "node"];
|
|
||||||
masterAddress = kMasterHostname;
|
|
||||||
apiserverAddress = "https://${kMasterHostname}:${toString kMasterApiServerPort}";
|
|
||||||
|
|
||||||
apiserver = {
|
|
||||||
securePort = kMasterApiServerPort;
|
|
||||||
advertiseAddress = kMasterIp;
|
|
||||||
};
|
|
||||||
|
|
||||||
easyCerts = true;
|
|
||||||
|
|
||||||
# use coredns
|
|
||||||
addons.dns.enable = true;
|
|
||||||
|
|
||||||
# needed if you use swap
|
|
||||||
kubelet.extraOpts = "--fail-swap-on=false";
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -2,6 +2,7 @@
|
||||||
netName = "m-infra"; # TODO: hardcoding
|
netName = "m-infra"; # TODO: hardcoding
|
||||||
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
|
# https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/networking/nebula.nix#L12
|
||||||
userGroup = "nebula-${netName}";
|
userGroup = "nebula-${netName}";
|
||||||
|
interface = "nebula.${netName}";
|
||||||
in {
|
in {
|
||||||
sops.secrets."svc-nebula-key" = {
|
sops.secrets."svc-nebula-key" = {
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
|
@ -9,6 +10,11 @@ in {
|
||||||
group = userGroup;
|
group = userGroup;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
networking.firewall = {
|
||||||
|
trustedInterfaces = [interface];
|
||||||
|
allowedUDPPorts = [4242];
|
||||||
|
};
|
||||||
|
|
||||||
services.nebula.networks.${netName} = {
|
services.nebula.networks.${netName} = {
|
||||||
ca = ../../../keys/ca.crt;
|
ca = ../../../keys/ca.crt;
|
||||||
cert = ../../../keys/lh-silver.crt;
|
cert = ../../../keys/lh-silver.crt;
|
||||||
|
@ -37,14 +43,18 @@ in {
|
||||||
proto = "icmp";
|
proto = "icmp";
|
||||||
host = "any";
|
host = "any";
|
||||||
}
|
}
|
||||||
# Allow SSH from `internal` group
|
# Allow anything from `internal` group
|
||||||
{
|
{
|
||||||
port = 12208;
|
port = "any";
|
||||||
proto = "tcp";
|
proto = "any";
|
||||||
groups = ["internal"];
|
groups = ["internal"];
|
||||||
}
|
}
|
||||||
|
# Allow SSH from anyone
|
||||||
|
{
|
||||||
|
port = 22;
|
||||||
|
proto = "tcp";
|
||||||
|
host = "any";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall.allowedUDPPorts = [4242];
|
|
||||||
}
|
}
|
||||||
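Review bot: On the lighthouse the two inbound rules now overlap in a way worth a second look: `# Allow anything from internal group` (any/any) already admits the hosts that deploy to silver, so the new `# Allow SSH from anyone` rule with `host = "any";` only adds port 22 reach for every other certificate the CA has issued, and with `trustedInterfaces = [interface];` the NixOS firewall no longer filters overlay traffic, so that rule is the entire access control in front of root deployments to sshd on 10.13.0.1. If non-internal certs genuinely need SSH, scope the rule with a group; otherwise drop the `port = 22` rule or replace `host = "any";` with a `groups = [...]` entry. Folding `allowedUDPPorts = [4242]` into the merged `networking.firewall` set is fine. The inbound rule list starts before the hunk.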
|
|