Initial deployment of k3s
This commit is contained in:
parent
93328de825
commit
e71a9620ff
|
@ -8,6 +8,13 @@ creation_rules:
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp:
|
- pgp:
|
||||||
- *min
|
- *min
|
||||||
|
- path_regex: secrets/k3s-token\.txt$
|
||||||
|
key_groups:
|
||||||
|
- pgp:
|
||||||
|
- *min
|
||||||
|
age:
|
||||||
|
- *silver
|
||||||
|
- *eidola
|
||||||
- path_regex: secrets/eidola\.yaml$
|
- path_regex: secrets/eidola\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
- pgp:
|
- pgp:
|
||||||
|
|
|
@ -9,6 +9,7 @@
|
||||||
./mounts.nix
|
./mounts.nix
|
||||||
./secrets.nix
|
./secrets.nix
|
||||||
./nebula.nix
|
./nebula.nix
|
||||||
|
./k3s.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
networking.hostName = "eidola"; # Define your hostname.
|
networking.hostName = "eidola"; # Define your hostname.
|
||||||
|
|
|
@ -0,0 +1,13 @@
|
||||||
|
{config, ...}: {
|
||||||
|
sops.secrets."k3s-token" = {
|
||||||
|
sopsFile = ../../../secrets/k3s-token.txt;
|
||||||
|
format = "binary";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.k3s = {
|
||||||
|
enable = true;
|
||||||
|
role = "agent";
|
||||||
|
serverAddr = "https://silver.int.min.rip:6443";
|
||||||
|
tokenFile = config.sops.secrets."k3s-token".path;
|
||||||
|
};
|
||||||
|
}
|
|
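Review bot: The agent pins nothing about the server it joins at `serverAddr = "https://silver.int.min.rip:6443"`; whether the first connection can verify the server's CA depends entirely on what is inside the sops-managed token file. A k3s token in its full form (`K10<ca-hash>::...`) lets the agent check the server CA hash on bootstrap, while a bare shared secret leaves it trusting whichever certificate answers on that address. Worth confirming which form `secrets/k3s-token.txt` holds and noting it next to `tokenFile`, e.g. `# full K10 token expected: carries the server CA hash so the agent can verify it on first connect`. The secret is also the same file the server uses, so the agent host's age key can decrypt a credential that is more powerful than an agent needs; see the note on the server module.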
@ -10,6 +10,11 @@
|
||||||
"/var/lib/systemd/coredump"
|
"/var/lib/systemd/coredump"
|
||||||
"/var/lib/nixos"
|
"/var/lib/nixos"
|
||||||
"/var/db/sudo"
|
"/var/db/sudo"
|
||||||
|
|
||||||
|
"/var/lib/rancher/k3s"
|
||||||
|
"/var/lib/kubelet"
|
||||||
|
"/var/lib/cni"
|
||||||
|
"/var/lib/containerd"
|
||||||
];
|
];
|
||||||
files = [
|
files = [
|
||||||
"/etc/machine-id"
|
"/etc/machine-id"
|
||||||
|
|
|
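Review bot: The same four persisted directories are added verbatim here and in the second impermanence hunk (ending at L271); keeping one list in a shared module imported by both hosts would stop the two copies drifting apart. `/var/lib/containerd` also looks unused by k3s as configured: k3s's bundled containerd keeps its state under `/var/lib/rancher/k3s/agent/containerd`, so unless an external containerd is enabled elsewhere this entry persists an empty directory — confirm before keeping it. Since `/var/lib/rancher/k3s/server` on the server holds the cluster CA private keys and node tokens, it is worth a short comment that the persist volume now carries the cluster's root-of-trust material, e.g. `# k3s state incl. cluster CA keys and tokens on the server node`.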
@ -15,6 +15,11 @@
|
||||||
"/var/lib/acme"
|
"/var/lib/acme"
|
||||||
|
|
||||||
"/srv"
|
"/srv"
|
||||||
|
|
||||||
|
"/var/lib/rancher/k3s"
|
||||||
|
"/var/lib/kubelet"
|
||||||
|
"/var/lib/cni"
|
||||||
|
"/var/lib/containerd"
|
||||||
];
|
];
|
||||||
files = [
|
files = [
|
||||||
"/etc/machine-id"
|
"/etc/machine-id"
|
||||||
|
|
|
@ -7,6 +7,7 @@
|
||||||
./gitea.nix
|
./gitea.nix
|
||||||
./synapse.nix
|
./synapse.nix
|
||||||
./nebula.nix
|
./nebula.nix
|
||||||
|
./k3s.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
security.acme = {
|
security.acme = {
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
{
|
||||||
|
config,
|
||||||
|
lib,
|
||||||
|
...
|
||||||
|
}: {
|
||||||
|
sops.secrets."k3s-token" = {
|
||||||
|
sopsFile = ../../../../secrets/k3s-token.txt;
|
||||||
|
format = "binary";
|
||||||
|
};
|
||||||
|
|
||||||
|
services.k3s = {
|
||||||
|
enable = true;
|
||||||
|
role = "server";
|
||||||
|
clusterInit = true;
|
||||||
|
tokenFile = config.sops.secrets."k3s-token".path;
|
||||||
|
|
||||||
|
extraFlags = lib.concatStringsSep " " [
|
||||||
|
"--disable=traefik"
|
||||||
|
"--disable=servicelb"
|
||||||
|
"--disable=local-storage"
|
||||||
|
"--disable=helm-controller"
|
||||||
|
"--tls-san=silver.int.min.rip"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
|
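Review bot: The server and the agent read the very same `k3s-token` secret, and in k3s the server token is what authorises joining as a new control-plane node, so the credential shipped to eidola grants more than an agent needs. k3s supports a separate agent credential via `--agent-token-file=<path>`; adding it to `extraFlags` with a second sops secret encrypted only for the agents, and leaving the server token for silver alone, would limit what a compromised agent host can do with its decrypted material. Separately, with `clusterInit = true` the embedded etcd stores Kubernetes Secrets in plaintext unless `--secrets-encryption` is passed; worth deciding explicitly and recording it with a comment such as `# Secrets are not encrypted at rest in etcd; enable --secrets-encryption before storing sensitive workloads`. A one-line comment on `clusterInit` noting that it is only meaningful on first bootstrap would also help future readers.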
@ -55,6 +55,12 @@ in {
|
||||||
proto = "tcp";
|
proto = "tcp";
|
||||||
host = "any";
|
host = "any";
|
||||||
}
|
}
|
||||||
|
# Allow `kube-apiserver` from anyone
|
||||||
|
{
|
||||||
|
port = 6443;
|
||||||
|
proto = "tcp";
|
||||||
|
host = "any";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
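Review bot: The new inbound rule opens the API server to every host on the overlay (`host = "any"`), matching the rule above it but wider than needed for a cluster whose members are known. Nebula firewall rules can be scoped with `group`/`groups` from the peer certificate, so `group = "<k3s-node-group>";` in place of `host = "any";` would admit only nodes carrying that group, with `host = "any"` kept for whichever clients must reach kubectl from elsewhere. The rule list this hunk extends begins before the hunk, so the surrounding `inbound` definition is not visible here.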
@ -9,4 +9,4 @@ rekey_dir() {
|
||||||
find $1 | xargs -i sops updatekeys -y {}
|
find $1 | xargs -i sops updatekeys -y {}
|
||||||
}
|
}
|
||||||
|
|
||||||
rekey_dir "secrets/*.yaml"
|
rekey_dir "secrets/*"
|
||||||
|
|
|
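Review bot: Widening the pattern to `secrets/*` means `find $1` now forwards directories and any non-sops file under `secrets/` to `sops updatekeys`, which will likely error on them and abort the rekey; restricting to regular files avoids that: `find $1 -type f -print0 | xargs -0 -I{} sops updatekeys -y {}`. The unquoted `$1` is what expands the glob, so it cannot simply be quoted without breaking the call; passing the directory (`rekey_dir secrets`) and letting `find` recurse would remove the reliance on word splitting altogether. `-i` is the deprecated spelling of `-I` in GNU xargs. The `rekey_dir` function opens before this hunk.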
@ -0,0 +1,30 @@
|
||||||
|
{
|
||||||
|
"data": "ENC[AES256_GCM,data:vXYcfWeyHiWcH+m80Jpz+YVEMUxAcmE9eyBzwxTqKb0PSaiAQgnx8WWD503hJuAl/E5i70I0c0zj1foqTILGxw==,iv:LAp+2f4k7IXCclEFLifiZmKZUxNWLPiVmPzp4MTkGK0=,tag:2YoMCI+TR1QBx3aibXug7Q==,type:str]",
|
||||||
|
"sops": {
|
||||||
|
"kms": null,
|
||||||
|
"gcp_kms": null,
|
||||||
|
"azure_kv": null,
|
||||||
|
"hc_vault": null,
|
||||||
|
"age": [
|
||||||
|
{
|
||||||
|
"recipient": "age19yhycdgqczrvttszq97ccljh684x3r7f5dj4p0wdwqsrusqlcayse0vsh3",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiSGNGY3I3eXl0RFFuRFNU\nMVVqTFowVzRsYUpqZlIrTFNKeFFFZGZnQ1FZCnl6VWxraENxeHJqOWZQMmpMTzZY\nVWdXTlg3OXBIMlUxMTRqb0FqbEdzWTAKLS0tIFBFTFRMQUhydEJpUjBGb0NPdytE\nMjlxenNDNzhXNkNoSWJJZjRKYSt4REkKQm9wMW0FDs9zY8XcC4XwmWq8vey2sjDF\nfPPVSJA9VJTj6Oec6u4A6aeNv9YjFbpnv3Q+Vy2YR1wjAgcjfu9qZQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1uqxzduupzes3tgfrrlret0n6thyldmlef60nqfzk689lmg6yayvsqpwxj6",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TlJoYWU3V3N1QS9rMTVq\ncmZTeElGQWZYMEh2My9NaHFCT0hJdWN0S2gwCk91ZlMxckxhRUx6STRiNEVudlNP\nQTNRSEV6NXR1b1lUZk9RVjhBbW5WREkKLS0tIGVYRFZnK2x5MWx0WTdXanhCdTFr\nWVFTVWFYNnF1anZEOWtyT296cnA0b1EKY6KcgefJDOnyVbs3C5USwAfrA3vihfh7\nxxYdIFffyxq6N3+8k2VXg9FSeY6wAKdQuNg/08bNuz4O9tcaGSozug==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"lastmodified": "2024-11-04T02:46:42Z",
|
||||||
|
"mac": "ENC[AES256_GCM,data:DLeiPKDuOLmylGu7d9pkeIPcPgz92zJ8j5SfOJOkV6k9FogMMxqqoOtg9BmvkyVh0AMO7PGcK/RLd7e2xvjr6g1AUMf8qywYZL3XDxKGr5yZJNldTQOssThvbMAny/ubyNsULTL54adqBV6MikfUd3mRSAV4Quj+yZkKtAuBgOE=,iv:uM0F+bpSAz8p8d33pRtvZGSejTtrCOl4+WHNUAzpLBI=,tag:sTMQuwVV8Ds/Gw2VkOh0Pg==,type:str]",
|
||||||
|
"pgp": [
|
||||||
|
{
|
||||||
|
"created_at": "2024-11-04T02:46:42Z",
|
||||||
|
"enc": "-----BEGIN PGP MESSAGE-----\n\nhQIMAwAAAAAAAAAAAQ/+LWksDzEz7A95gEXPailyDpngtQovg1dTKv9nMJMYo+hr\nnOS1iR0nITg5Ihantt9DEU18OzEEROZr4skAXoel/qP6GEstIHCA1BpzwTdn5QMC\nVCmOGgbjMFoXoCkgyPaUmclNnyZNldODALTmJ+vtY+7457kXCcnBXY4rd9lJNQ9I\n3l8jx9seQFSixA+8rhl5UnBQeGBCT1cMmNiLIr42tMLI9gQgKGbceTQ5AT5Exjks\nLy9IetYwq+VuyJDUnowgK1ZP92DrUVqalpWa2ZdVN3qSGSFEjUZjwKIkCObyu4Zr\nRU8T8VBi2pNAQuVRrpK1WC6TkoMC3QqoMimn8UAlYnpmuRvmJvksHbW3cqx5WxOx\nlWPI9JfyYhzXbzMxTdFUQ1TN6OT4OAPU5fQ59ivPJKqDxKKziauER1kXvwlaVkLR\n1l55HtzOwukJKXigNwxEHZPJzOnM8q+r//XDY4uEDAqogQGw7cFENEn9R/GZQ45c\nZnKBphx2va+6SweAa//w47DCdITLawb4VFOAeIf1m6dx5SY4aEIPefdz7bjwGqRC\nCdLsyrt6maQoJxz6odPOeuKwgoRIigH08FQrTR5VWEHH2bWouXsNfpl4FNRzSb/T\nm0bVKblFDiOcFVMk0roJBx8spm6PKTxBTVCyFh0EE9bS0eyJNp+LNzQ5mJHfgF/S\nXgHMw5JevU+7LUZkOZlzx1xfOSmKKLbPg+cts43wRQBTWgDdOZIgVigHwH0AdCJ0\niZdCA942v+urI20TKx1jbcnwofSndkzqSs4HGn4338ZyPzRGHrUMDzEfY8cx2Ro=\n=MKO9\n-----END PGP MESSAGE-----",
|
||||||
|
"fp": "78795D9EBD425CBB3E850BC45DF91852CB14CEFF"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"unencrypted_suffix": "_unencrypted",
|
||||||
|
"version": "3.8.1"
|
||||||
|
}
|
||||||
|
}
|