diff --git a/clanServices/k3s/default.nix b/clanServices/k3s/default.nix index bcb8c3a..63e3222 100644 --- a/clanServices/k3s/default.nix +++ b/clanServices/k3s/default.nix @@ -27,8 +27,53 @@ in }; }; - perInstance = instanceArgs: { - nixosModule = lib.modules.importApply ./roles/server.nix (instanceArgs // { inherit pkgs; }); + perInstance = { instanceName, settings, machine, roles, ... }: { + nixosModule = { config, ... }: { + clan.core.vars.generators = { + k3s = { + share = false; + files = { + ip_v6 = { + deploy = false; + secret = false; + }; + ip_v4 = { + deploy = false; + secret = false; + }; + token = { + deploy = false; + secret = true; + }; + }; + runtimeInputs = with pkgs; [ pwgen ]; + script = '' + echo "::1" > "$out/ip_v6" + echo "127.0.0.1" > "$out/ip_v4" + pwgen 50 1 > "$out/token" + ''; + }; + }; + + networking.firewall = { + allowedTCPPorts = [ + 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) + 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration + 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration + ]; + + allowedUDPPorts = [ + 8472 # k3s, flannel: required if using multi-node for inter-node networking + ]; + }; + + services.k3s = { + enable = true; + role = "server"; + token = config.clan.core.vars.generators.k3s.files.token.value; + clusterInit = true; + }; + }; }; }; 
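Review bot: `token = config.clan.core.vars.generators.k3s.files.token.value` reads a file the generator declares `secret = true` at evaluation time, so the cluster token is written in plain text into the world-readable Nix store with every generated system configuration, which defeats marking it secret. Prefer deploying the file (`deploy = true;`) and handing the service a path instead: `tokenFile = config.clan.core.vars.generators.k3s.files.token.path;`. The generator script also writes fixed loopback addresses (`::1`, `127.0.0.1`) into `ip_v6`/`ip_v4` with no way to supply the controller's reachable address, and the agent hunk below derives `serverAddr` from that `ip_v4`, so with these values an agent would dial its own loopback rather than the controller. Until the generator obtains the real address, a comment such as `# placeholder addresses; agents cannot join until ip_v4 holds the controller's reachable IP` would stop this from being mistaken for a working default.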
@@ -40,8 +85,43 @@ in options = {}; }; - perInstance = instanceArgs: { - nixosModule = lib.modules.importApply ./roles/agent.nix (instanceArgs // { inherit pkgs; }); + perInstance = { instanceName, settings, machine, roles, ... }: { + nixosModule = { config, ... }: + let + inherit (builtins) head pathExists readFile; + + controller = head (lib.attrNames roles.controller.machines or {}); + + # Read the controller's ip address + ipAddressPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/ip_v4"; + ipAddress = if pathExists ipAddressPath then readFile ipAddressPath else null; + + # Read the controller's token + tokenPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/token"; + token = if pathExists tokenPath then readFile tokenPath else null; + in + { + networking.firewall = { + allowedTCPPorts = [ + 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) + 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration + 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration + ]; + + allowedUDPPorts = [ + 8472 # k3s, flannel: required if using multi-node for inter-node networking + ]; + }; + + services = { + k3s = { + enable = true; + role = "agent"; + token = token; + serverAddr = "https://${ipAddress}:6443"; + }; + }; + }; }; }; } diff --git a/clanServices/k3s/flake-module.nix b/clanServices/k3s/flake-module.nix index 2ad0af1..187ef77 100644 --- a/clanServices/k3s/flake-module.nix +++ b/clanServices/k3s/flake-module.nix @@ -6,10 +6,10 @@ in clan.modules.k3s = module; perSystem = { ... }: { - # clan.nixosTests.k3s = { - # imports = [ ./tests/vm/default.nix ]; + clan.nixosTests.k3s = { + imports = [ ./tests/vm/default.nix ]; - # clan.modules."@amarth/k3s" = module; - # }; + clan.modules."@amarth/k3s" = module; + }; }; } 
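Review bot: `serverAddr = "https://${ipAddress}:6443"` aborts evaluation with a null-coercion error whenever the controller's `ip_v4` file is absent, because `ipAddress` falls back to `null`, and when the file is present `readFile` keeps the trailing newline that the generator's `echo` wrote, producing a malformed URL; use `lib.fileContents` (which strips the trailing newline) and fail with a readable message instead, e.g. `ipAddress = if pathExists ipAddressPath then lib.fileContents ipAddressPath else throw "k3s: no ip_v4 var found for controller ${controller}";`. The same applies to `token`, and copying the token into `services.k3s.token` at evaluation time also places a `secret = true` value in the Nix store (see the note on the server hunk); `head` on an empty `roles.controller.machines` likewise errors without context. The agent's firewall list also opens 2379/2380, which the comments themselves describe as etcd client/peer ports, something an agent-role node does not appear to need. The `let` block and module body are entirely within this hunk.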
diff --git a/clanServices/k3s/roles/agent.nix b/clanServices/k3s/roles/agent.nix deleted file mode 100644 index 14d90bf..0000000 --- a/clanServices/k3s/roles/agent.nix +++ /dev/null @@ -1,38 +0,0 @@ -{ config, lib, pkgs, roles, ... }: -let - inherit (builtins) head pathExists readFile; - - controller = head (lib.attrNames roles.controller.machines or {}); - - # Read the controller's ip address - ipAddressPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/ip_v4"; - ipAddress = if pathExists ipAddressPath then readFile ipAddressPath else null; - - # Read the controller's token - tokenPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/token"; - token = if pathExists tokenPath then readFile tokenPath else null; -in -{ - config = { - networking.firewall = { - allowedTCPPorts = [ - 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) - 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration - 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration - ]; - - allowedUDPPorts = [ - 8472 # k3s, flannel: required if using multi-node for inter-node networking - ]; - }; - - services = { - k3s = { - enable = true; - role = "agent"; - token = token; - serverAddr = "https://${ipAddress}:6443"; - }; - }; - }; -} diff --git a/clanServices/k3s/roles/server.nix b/clanServices/k3s/roles/server.nix deleted file mode 100644 index 90d1897..0000000 --- a/clanServices/k3s/roles/server.nix +++ /dev/null 
@@ -1,51 +0,0 @@ -{ config, lib, pkgs, ... }: -{ - config = { - clan.core.vars.generators = { - k3s = { - share = false; - files = { - ip_v6 = { - deploy = false; - secret = false; - }; - ip_v4 = { - deploy = false; - secret = false; - }; - token = { - deploy = false; - secret = true; - }; - }; - runtimeInputs = with pkgs; [ pwgen ]; - script = '' - echo "::1" > "$out/ip_v6" - echo "127.0.0.1" > "$out/ip_v4" - pwgen 50 1 > "$out/token" - ''; - }; - }; - - networking.firewall = { - allowedTCPPorts = [ - 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) - 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration - 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration - ]; - - allowedUDPPorts = [ - 8472 # k3s, flannel: required if using multi-node for inter-node networking - ]; - }; - - services = { - k3s = { - enable = true; - role = "server"; - token = config.clan.core.vars.generators.k3s.token.value; - clusterInit = true; - }; - }; - }; -} diff --git a/clanServices/k3s/tests/vm/default.nix b/clanServices/k3s/tests/vm/default.nix index b011702..27972f2 100644 --- a/clanServices/k3s/tests/vm/default.nix +++ b/clanServices/k3s/tests/vm/default.nix @@ -26,15 +26,15 @@ }; }; }; - - nodes = { - node1 = {}; - node2 = {}; - node3 = {}; - }; - - testScript = '' - start_all() - ''; }; + + nodes = { + node1 = {}; + node2 = {}; + node3 = {}; + }; + + testScript = '' + start_all() + ''; } \ No newline at end of file diff --git a/clanServices/zitadel/default.nix b/clanServices/zitadel/default.nix index 3639b70..ce8fd52 100644 --- a/clanServices/zitadel/default.nix +++ b/clanServices/zitadel/default.nix 
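Review bot: The test script in `tests/vm/default.nix` only calls `start_all()` and asserts nothing, so the test passes even if k3s never starts; after the nodes boot it should at least wait for the service, e.g. `node1.wait_for_unit("k3s")`, and ideally confirm the server sees its agents. The nodes are declared as empty attribute sets here, so which node takes which role must be set in the part of the file above this hunk. The zitadel test hunk makes the same `start_all()`-only change and needs the same kind of assertion.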
@@ -21,7 +21,6 @@ in }; perInstance = { instanceName, settings, machine, roles, ... }: { - # nixosModule = lib.modules.importApply ./roles/controller.nix (instanceArgs // { inherit pkgs; }); nixosModule = { config, ... }: { clan.core.vars.generators.zitadel = { share = false; @@ -43,7 +42,7 @@ in services.zitadel = { enable = true; - masterKeyFile = config.clan.core.vars.generators.zitadel.masterKey.path; + masterKeyFile = config.clan.core.vars.generators.zitadel.files.masterKey.path; settings = { Port = 9092; @@ -92,8 +91,8 @@ in options = {}; }; - perInstance = instanceArgs: { - nixosModule = lib.modules.importApply ./roles/peer.nix (instanceArgs // { inherit pkgs; }); + perInstance = { instanceName, settings, machine, roles, ... }: { + nixosModule = {} }; }; } diff --git a/clanServices/zitadel/flake-module.nix b/clanServices/zitadel/flake-module.nix index 3832389..1f58e32 100644 --- a/clanServices/zitadel/flake-module.nix +++ b/clanServices/zitadel/flake-module.nix @@ -6,10 +6,10 @@ in clan.modules.zitadel = module; perSystem = { ... }: { - # clan.nixosTests.zitadel = { - # imports = [ ./tests/vm/default.nix ]; + clan.nixosTests.zitadel = { + imports = [ ./tests/vm/default.nix ]; - # clan.modules."@amarth/zitadel" = module; - # }; + clan.modules."@amarth/zitadel" = module; + }; }; } diff --git a/clanServices/zitadel/roles/controller.nix b/clanServices/zitadel/roles/controller.nix deleted file mode 100644 index 9ee952d..0000000 --- a/clanServices/zitadel/roles/controller.nix +++ /dev/null 
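Review bot: The `.files.` correction for `masterKeyFile` is right, but the deleted controller.nix shows a sibling reference `config.clan.core.vars.generators.zitadel.initialAdminPassword.value` with the same missing `files` segment; if that line still exists in default.nix outside this hunk, it needs the same fix or evaluation will fail there. That reference also reads the `.value` of a `secret = true` file, which places the initial admin password in plain text in the Nix store; if the service accepts the password from a file, prefer the var's `.path`. The `services.zitadel` attribute set continues outside the hunk.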
@@ -1,63 +0,0 @@ -{ instanceName, settings, machine, roles, config, pkgs, ... }: { - config = { - clan.core.vars.generators = { - zitadel = { - share = false; - - files.masterKey = { deploy = true; secret = true; }; - files.initialAdminPassword = { deploy = true; secret = true; }; - - runtimeInputs = with pkgs; [ pwgen ]; - - script = '' - pwgen 50 1 > "$out/initialAdminPassword" - - # https://zitadel.com/docs/self-hosting/manage/configure#masterkey - # The master key has to be 32 bytes - head -c 32 /dev/urandom > "$out/masterKey" - ''; - }; - }; - - services.zitadel = { - enable = true; - - masterKeyFile = config.clan.core.vars.generators.zitadel.masterKey.path; - - settings = { - Port = 9092; - - ExternalDomain = "auth.amarth.cloud"; - ExternalPort = 443; - ExternalSecure = true; - - Metrics.Type = "otel"; - Tracing.Type = "otel"; - Telemetry.Enabled = true; - - SystemDefaults = { - PasswordHasher.Hasher.Algorithm = "argon2id"; - SecretHasher.Hasher.Algorithm = "argon2id"; - }; - }; - - steps.FirstInstance = { - InstanceName = settings.hostName; - - Org = { - Name = settings.displayName; - Human = { - UserName = "chris"; - FirstName = "Chris"; - LastName = "Kruining"; - Email = { - Address = "chris@kruining.eu"; - Verified = true; - }; - Password = config.clan.core.vars.generators.zitadel.initialAdminPassword.value; - }; - }; - }; - }; - }; -} diff --git a/clanServices/zitadel/roles/peer.nix b/clanServices/zitadel/roles/peer.nix deleted file mode 100644 index 65c9607..0000000 --- a/clanServices/zitadel/roles/peer.nix +++ /dev/null @@ -1,3 +0,0 @@ -{ instanceName, settings, machine, roles, config, ... }: { - config = {}; -} diff --git a/clanServices/zitadel/tests/vm/default.nix b/clanServices/zitadel/tests/vm/default.nix index 18af792..1cd790e 100644 --- a/clanServices/zitadel/tests/vm/default.nix +++ b/clanServices/zitadel/tests/vm/default.nix 
@@ -26,15 +26,15 @@ }; }; }; - - nodes = { - node1 = {}; - node2 = {}; - node3 = {}; - }; - - testScript = '' - start_all() - ''; }; + + nodes = { + node1 = {}; + node2 = {}; + node3 = {}; + }; + + testScript = '' + start_all() + ''; } diff --git a/flake.nix b/flake.nix index 3cc4029..74eb6c0 100644 --- a/flake.nix +++ b/flake.nix @@ -30,6 +30,7 @@ imports = [ flake-parts.flakeModules.modules inputs.clan-core.flakeModules.default + inputs.clan-core.flakeModules.testModule inputs.devshell.flakeModule ./clanServices/flake-module.nix @@ -42,10 +43,13 @@ clan = { meta.name = "amarth-services"; - # modules = { - # "@amarth/zitadel" = flake-parts.lib.importApply ./clanServices/zitadel/default.nix {}; - # "@amarth/k3s" = flake-parts.lib.importApply ./clanServices/k3s/default.nix {}; - # }; + inventory = { + machines = { + "test-darwin-machine" = { + machineClass = "darwin"; + }; + }; + }; }; perSystem = { system, ... }: {
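Review bot: `inventory.machines."test-darwin-machine"` is declared in the project's top-level flake rather than inside a test, so a machine that reads like a test fixture becomes part of the real inventory and is evaluated for every consumer of this flake; if it exists only to exercise `flakeModules.testModule`, move it into the test or mark it with a comment such as `# test-only machine, not a deployable host`, and otherwise give it a descriptive name. The `clan` attribute set continues beyond this hunk.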