From e71a9620ff493e4b6d3eef3a53945d0801c2b2cd Mon Sep 17 00:00:00 2001
From: min
Date: Sun, 3 Nov 2024 22:38:19 -0500
Subject: [PATCH] Initial deployment of k3s

---
 .sops.yaml | 7 ++++++
 nixos/hosts/eidola/configuration.nix | 1 +
 nixos/hosts/eidola/k3s.nix | 13 +++++++++++
 nixos/hosts/eidola/mounts.nix | 5 +++++
 nixos/hosts/silver/mounts.nix | 5 +++++
 nixos/hosts/silver/services/default.nix | 1 +
 nixos/hosts/silver/services/k3s.nix | 25 +++++++++++++++++++++
 nixos/hosts/silver/services/nebula.nix | 6 +++++
 scripts/rekey.sh | 2 +-
 secrets/k3s-token.txt | 30 +++++++++++++++++++++++++
 10 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 nixos/hosts/eidola/k3s.nix
 create mode 100644 nixos/hosts/silver/services/k3s.nix
 create mode 100644 secrets/k3s-token.txt

diff --git a/.sops.yaml b/.sops.yaml
index 8f4ffd7..9ba12ef 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -8,6 +8,13 @@ creation_rules:
 key_groups:
 - pgp:
 - *min
+ - path_regex: secrets/k3s-token\.txt$
+ key_groups:
+ - pgp:
+ - *min
+ age:
+ - *silver
+ - *eidola
 - path_regex: secrets/eidola\.yaml$
 key_groups:
 - pgp:
diff --git a/nixos/hosts/eidola/configuration.nix b/nixos/hosts/eidola/configuration.nix
index 88bf7ee..2a49f57 100644
--- a/nixos/hosts/eidola/configuration.nix
+++ b/nixos/hosts/eidola/configuration.nix
@@ -9,6 +9,7 @@
 ./mounts.nix
 ./secrets.nix
 ./nebula.nix
+ ./k3s.nix
 ];
 
 networking.hostName = "eidola"; # Define your hostname.
diff --git a/nixos/hosts/eidola/k3s.nix b/nixos/hosts/eidola/k3s.nix
new file mode 100644
index 0000000..7dd14ed
--- /dev/null
+++ b/nixos/hosts/eidola/k3s.nix
@@ -0,0 +1,13 @@
+{config, ...}: {
+ sops.secrets."k3s-token" = {
+ sopsFile = ../../../secrets/k3s-token.txt;
+ format = "binary";
+ };
+
+ services.k3s = {
+ enable = true;
+ role = "agent";
+ serverAddr = "https://silver.int.min.rip:6443";
+ tokenFile = config.sops.secrets."k3s-token".path;
+ };
+}
diff --git a/nixos/hosts/eidola/mounts.nix b/nixos/hosts/eidola/mounts.nix
index 4816c59..ba0dd5e 100644
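Review bot: The new `secrets/k3s-token\.txt$` rule deserves a comment explaining the extension, because sops picks its on-disk store from the file extension and `.txt` selects the binary store (the whole content encrypted into one `data` field), which is exactly what `format = "binary"` in the two k3s.nix modules expects; e.g. `# .txt => sops binary store, paired with format = "binary" on the hosts`. The two age recipients in the committed secrets/k3s-token.txt match this rule's `age` group, so the rule ordering evidently took effect when the file was encrypted.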
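Review bot: `tokenFile` hands the agent the same `k3s-token` secret that nixos/hosts/silver/services/k3s.nix uses as the server token, so eidola holds a credential that can enrol further control-plane nodes, not only workers. k3s lets the server issue a separate agent credential (`--agent-token` / `--agent-token-file`), which would let eidola carry only that one; it would be a second sops secret with the same two age recipients. Until that is done, a comment on the `tokenFile` line such as `# same secret as silver's server token; a host holding it can also join as a server` records the trade-off for the next reader.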
--- a/nixos/hosts/eidola/mounts.nix
+++ b/nixos/hosts/eidola/mounts.nix
@@ -10,6 +10,11 @@
 "/var/lib/systemd/coredump"
 "/var/lib/nixos"
 "/var/db/sudo"
+
+ "/var/lib/rancher/k3s"
+ "/var/lib/kubelet"
+ "/var/lib/cni"
+ "/var/lib/containerd"
 ];
 files = [
 "/etc/machine-id"
diff --git a/nixos/hosts/silver/mounts.nix b/nixos/hosts/silver/mounts.nix
index 81203a6..514e076 100644
--- a/nixos/hosts/silver/mounts.nix
+++ b/nixos/hosts/silver/mounts.nix
@@ -15,6 +15,11 @@
 "/var/lib/acme"
 "/srv"
+
+ "/var/lib/rancher/k3s"
+ "/var/lib/kubelet"
+ "/var/lib/cni"
+ "/var/lib/containerd"
 ];
 files = [
 "/etc/machine-id"
diff --git a/nixos/hosts/silver/services/default.nix b/nixos/hosts/silver/services/default.nix
index 1850d78..55dbf35 100644
--- a/nixos/hosts/silver/services/default.nix
+++ b/nixos/hosts/silver/services/default.nix
@@ -7,6 +7,7 @@
 ./gitea.nix
 ./synapse.nix
 ./nebula.nix
+ ./k3s.nix
 ];
 
 security.acme = {
diff --git a/nixos/hosts/silver/services/k3s.nix b/nixos/hosts/silver/services/k3s.nix
new file mode 100644
index 0000000..fa11a15
--- /dev/null
+++ b/nixos/hosts/silver/services/k3s.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ sops.secrets."k3s-token" = {
+ sopsFile = ../../../../secrets/k3s-token.txt;
+ format = "binary";
+ };
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ clusterInit = true;
+ tokenFile = config.sops.secrets."k3s-token".path;
+
+ extraFlags = lib.concatStringsSep " " [
+ "--disable=traefik"
+ "--disable=servicelb"
+ "--disable=local-storage"
+ "--disable=helm-controller"
+ "--tls-san=silver.int.min.rip"
+ ];
+ };
+}
diff --git a/nixos/hosts/silver/services/nebula.nix b/nixos/hosts/silver/services/nebula.nix
index a1d2b78..b946a5d 100644
--- a/nixos/hosts/silver/services/nebula.nix
+++ b/nixos/hosts/silver/services/nebula.nix
@@ -55,6 +55,12 @@ in {
 proto = "tcp";
 host = "any";
 }
+ # Allow `kube-apiserver` from anyone
+ {
+ port = 6443;
+ proto = "tcp";
+ host = "any";
+ }
 ];
 };
 }
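Review bot: `/var/lib/containerd` is persisted here and again in nixos/hosts/silver/mounts.nix, but k3s's bundled containerd keeps its root under `/var/lib/rancher/k3s/agent/containerd`, which the `/var/lib/rancher/k3s` entry already covers; unless an external containerd is configured somewhere not in this commit, that entry is probably dead and worth removing or annotating. The enclosing attribute set starts before the hunk. On silver, `/var/lib/rancher/k3s/server` will also hold the cluster CA material and the embedded datastore, so a comment like `# k3s state; on the server this includes the CA keys and etcd data` would make clear why the directory must survive a reboot and why any backup of it needs the same care as the sops secrets.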
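Review bot: Nothing in `services.k3s` pins the node to the nebula interface: the agent dials `silver.int.min.rip`, but without `--node-ip` (or `--flannel-iface`) k3s advertises the address of its default-route interface and flannel builds its VXLAN tunnels there, so if silver and eidola reach each other only through nebula the pod network may either not come up or run over the underlay rather than the encrypted overlay. If the overlay is the intent, `--node-ip=<nebula address, placeholder>` and `--flannel-iface=<nebula interface, placeholder>` belong in `extraFlags`, with a comment saying the cluster network is carried inside nebula. Since `clusterInit = true` persists an embedded etcd under /var/lib/rancher/k3s/server, `--secrets-encryption` is also worth adding so Kubernetes Secrets are not stored in the clear on disk.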
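Review bot: `host = "any"` on the new 6443 rule opens the apiserver to every certificate in the nebula network, while only eidola and whatever runs kubectl need it; nebula inbound rules accept `group`/`groups`, so `group = "<k8s-nodes group, placeholder>";` in place of `host = "any";` would limit it to hosts whose nebula certificate carries that group. The `# Allow `kube-apiserver` from anyone` comment is accurate for the rule as written; if `any` is kept deliberately, the comment should say why that is acceptable, since the apiserver then relies solely on its own authentication. The enclosing `in {` set starts before the hunk.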
diff --git a/scripts/rekey.sh b/scripts/rekey.sh
index 1565bcd..58329f0 100755
--- a/scripts/rekey.sh
+++ b/scripts/rekey.sh
@@ -9,4 +9,4 @@ rekey_dir() {
 find $1 | xargs -i sops updatekeys -y {}
 }
 
-rekey_dir "secrets/*.yaml"
+rekey_dir "secrets/*"
diff --git a/secrets/k3s-token.txt b/secrets/k3s-token.txt
new file mode 100644
index 0000000..b015207
--- /dev/null
+++ b/secrets/k3s-token.txt
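Review bot: Widening the argument to `secrets/*` makes `find $1` (the glob expands in the unquoted `$1` before find runs) descend into every entry under secrets/, so any subdirectory content or helper file that is not sops-encrypted now reaches `sops updatekeys`, which errors out on it. `rekey_dir` begins outside the hunk. Restricting to regular files keeps the run predictable: `find $1 -type f | xargs -I{} sops updatekeys -y {}` (`-I{}` is the documented spelling of the deprecated `-i`). A comment such as `# .yaml and .txt (sops binary) secrets alike` next to the call would explain why the extension filter went away.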
@@ -0,0 +1,30 @@ +{ + "data": "ENC[AES256_GCM,data:vXYcfWeyHiWcH+m80Jpz+YVEMUxAcmE9eyBzwxTqKb0PSaiAQgnx8WWD503hJuAl/E5i70I0c0zj1foqTILGxw==,iv:LAp+2f4k7IXCclEFLifiZmKZUxNWLPiVmPzp4MTkGK0=,tag:2YoMCI+TR1QBx3aibXug7Q==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSGNGY3I3eXl0RFFuRFNU\nMVVqTFowVzRsYUpqZlIrTFNKeFFFZGZnQ1FZCnl6VWxraENxeHJqOWZQMmpMTzZY\nVWdXTlg3OXBIMlUxMTRqb0FqbEdzWTAKLS0tIFBFTFRMQUhydEJpUjBGb0NPdytE\nMjlxenNDNzhXNkNoSWJJZjRKYSt4REkKQm9wMW0FDs9zY8XcC4XwmWq8vey2sjDF\nfPPVSJA9VJTj6Oec6u4A6aeNv9YjFbpnv3Q+Vy2YR1wjAgcjfu9qZQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TlJoYWU3V3N1QS9rMTVq\ncmZTeElGQWZYMEh2My9NaHFCT0hJdWN0S2gwCk91ZlMxckxhRUx6STRiNEVudlNP\nQTNRSEV6NXR1b1lUZk9RVjhBbW5WREkKLS0tIGVYRFZnK2x5MWx0WTdXanhCdTFr\nWVFTVWFYNnF1anZEOWtyT296cnA0b1EKY6KcgefJDOnyVbs3C5USwAfrA3vihfh7\nxxYdIFffyxq6N3+8k2VXg9FSeY6wAKdQuNg/08bNuz4O9tcaGSozug==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-11-04T02:46:42Z", + "mac": "ENC[AES256_GCM,data:DLeiPKDuOLmylGu7d9pkeIPcPgz92zJ8j5SfOJOkV6k9FogMMxqqoOtg9BmvkyVh0AMO7PGcK/RLd7e2xvjr6g1AUMf8qywYZL3XDxKGr5yZJNldTQOssThvbMAny/ubyNsULTL54adqBV6MikfUd3mRSAV4Quj+yZkKtAuBgOE=,iv:uM0F+bpSAz8p8d33pRtvZGSejTtrCOl4+WHNUAzpLBI=,tag:sTMQuwVV8Ds/Gw2VkOh0Pg==,type:str]", + "pgp": [ + { + "created_at": "2024-11-04T02:46:42Z", + "enc": "-----BEGIN PGP 
MESSAGE-----\n\nhQIMAwAAAAAAAAAAAQ/+LWksDzEz7A95gEXPailyDpngtQovg1dTKv9nMJMYo+hr\nnOS1iR0nITg5Ihantt9DEU18OzEEROZr4skAXoel/qP6GEstIHCA1BpzwTdn5QMC\nVCmOGgbjMFoXoCkgyPaUmclNnyZNldODALTmJ+vtY+7457kXCcnBXY4rd9lJNQ9I\n3l8jx9seQFSixA+8rhl5UnBQeGBCT1cMmNiLIr42tMLI9gQgKGbceTQ5AT5Exjks\nLy9IetYwq+VuyJDUnowgK1ZP92DrUVqalpWa2ZdVN3qSGSFEjUZjwKIkCObyu4Zr\nRU8T8VBi2pNAQuVRrpK1WC6TkoMC3QqoMimn8UAlYnpmuRvmJvksHbW3cqx5WxOx\nlWPI9JfyYhzXbzMxTdFUQ1TN6OT4OAPU5fQ59ivPJKqDxKKziauER1kXvwlaVkLR\n1l55HtzOwukJKXigNwxEHZPJzOnM8q+r//XDY4uEDAqogQGw7cFENEn9R/GZQ45c\nZnKBphx2va+6SweAa//w47DCdITLawb4VFOAeIf1m6dx5SY4aEIPefdz7bjwGqRC\nCdLsyrt6maQoJxz6odPOeuKwgoRIigH08FQrTR5VWEHH2bWouXsNfpl4FNRzSb/T\nm0bVKblFDiOcFVMk0roJBx8spm6PKTxBTVCyFh0EE9bS0eyJNp+LNzQ5mJHfgF/S\nXgHMw5JevU+7LUZkOZlzx1xfOSmKKLbPg+cts43wRQBTWgDdOZIgVigHwH0AdCJ0\niZdCA942v+urI20TKx1jbcnwofSndkzqSs4HGn4338ZyPzRGHrUMDzEfY8cx2Ro=\n=MKO9\n-----END PGP MESSAGE-----", + "fp": "78795D9EBD425CBB3E850BC45DF91852CB14CEFF" + } + ], + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file