							parent
							
								
									781cc647ef
						commit
						4168001713
					 11 changed files with 123 additions and 195 deletions
		|  | @ -27,8 +27,53 @@ in | |||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     perInstance = instanceArgs: { | ||||
|       nixosModule = lib.modules.importApply ./roles/server.nix (instanceArgs // { inherit pkgs; }); | ||||
|     perInstance = { instanceName, settings, machine, roles, ... }: { | ||||
|       nixosModule = { config, ... }: { | ||||
|         clan.core.vars.generators = { | ||||
|           k3s = { | ||||
|             share = false; | ||||
|             files = { | ||||
|               ip_v6 = { | ||||
|                 deploy = false; | ||||
|                 secret = false; | ||||
|               }; | ||||
|               ip_v4 = { | ||||
|                 deploy = false; | ||||
|                 secret = false; | ||||
|               }; | ||||
|               token = { | ||||
|                 deploy = false; | ||||
|                 secret = true; | ||||
|               }; | ||||
|             }; | ||||
|             runtimeInputs = with pkgs; [ pwgen ]; | ||||
|             script = '' | ||||
|               echo "::1" > "$out/ip_v6" | ||||
|               echo "127.0.0.1" > "$out/ip_v4" | ||||
|               pwgen 50 1 > "$out/token" | ||||
|             ''; | ||||
|           }; | ||||
|         }; | ||||
| 
 | ||||
|         networking.firewall = { | ||||
|           allowedTCPPorts = [ | ||||
|             6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) | ||||
|             2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration | ||||
|             2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration | ||||
|           ]; | ||||
| 
 | ||||
|           allowedUDPPorts = [ | ||||
|             8472 # k3s, flannel: required if using multi-node for inter-node networking | ||||
|           ]; | ||||
|         }; | ||||
| 
 | ||||
|         services.k3s = { | ||||
|           enable = true; | ||||
|           role = "server"; | ||||
|           token = config.clan.core.vars.generators.k3s.files.token.value; | ||||
|           clusterInit = true; | ||||
|         }; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|  | @ -40,8 +85,43 @@ in | |||
|       options = {}; | ||||
|     }; | ||||
| 
 | ||||
|     perInstance = instanceArgs: { | ||||
|       nixosModule = lib.modules.importApply ./roles/agent.nix (instanceArgs // { inherit pkgs; }); | ||||
|     perInstance = { instanceName, settings, machine, roles, ... }: { | ||||
|       nixosModule = { config, ... }:  | ||||
|         let | ||||
|           inherit (builtins) head pathExists readFile; | ||||
| 
 | ||||
|           controller = head (lib.attrNames roles.controller.machines or {}); | ||||
| 
 | ||||
|           # Read the controller's ip address | ||||
|           ipAddressPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/ip_v4"; | ||||
|           ipAddress = if pathExists ipAddressPath then readFile ipAddressPath else null; | ||||
| 
 | ||||
|           # Read the controller's token | ||||
|           tokenPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/token"; | ||||
|           token = if pathExists tokenPath then readFile tokenPath else null; | ||||
|         in | ||||
|         { | ||||
|           networking.firewall = { | ||||
|             allowedTCPPorts = [ | ||||
|               6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) | ||||
|               2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration | ||||
|               2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration | ||||
|             ]; | ||||
| 
 | ||||
|             allowedUDPPorts = [ | ||||
|               8472 # k3s, flannel: required if using multi-node for inter-node networking | ||||
|             ]; | ||||
|           }; | ||||
| 
 | ||||
|           services = { | ||||
|             k3s = { | ||||
|               enable = true; | ||||
|               role = "agent"; | ||||
|               token = token; | ||||
|               serverAddr = "https://${ipAddress}:6443"; | ||||
|             }; | ||||
|           }; | ||||
|         }; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
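Review bot: The server role's `token = config.clan.core.vars.generators.k3s.files.token.value` pulls a file declared `secret = true` into Nix evaluation, so the token either lands in the world-readable Nix store inside the generated k3s unit or, if clan refuses `.value` on secret files, fails to evaluate; the `services.k3s` module has `tokenFile` for this, so declare `token = { deploy = true; secret = true; };` and set `tokenFile = config.clan.core.vars.generators.k3s.files.token.path;`. The agent role has the same problem in reverse: `readFile tokenPath` reads `vars/per-machine/<controller>/k3s/token` out of the repository at eval time, which again embeds whatever is there into the store and presumably only works if that file is stored in plaintext. Separately, `readFile` keeps the trailing newline that `echo` writes, so `serverAddr` evaluates to `"https://127.0.0.1\n:6443"`, and the generator hard-codes `127.0.0.1`/`::1` rather than the controller's reachable address, so as written an agent can only ever point at itself (and `ipAddress = null` when the file is missing will fail the string interpolation). Agents do not run etcd, so `2379`/`2380` can also be dropped from the agent role's `allowedTCPPorts`.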
|  |  | |||
|  | @ -6,10 +6,10 @@ in | |||
|   clan.modules.k3s = module; | ||||
| 
 | ||||
|   perSystem = { ... }: { | ||||
|     # clan.nixosTests.k3s = { | ||||
|     #   imports = [ ./tests/vm/default.nix ]; | ||||
|     clan.nixosTests.k3s = { | ||||
|       imports = [ ./tests/vm/default.nix ]; | ||||
| 
 | ||||
|     #   clan.modules."@amarth/k3s" = module; | ||||
|     # }; | ||||
|       clan.modules."@amarth/k3s" = module; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
|  |  | |||
|  | @ -1,38 +0,0 @@ | |||
| { config, lib, pkgs, roles, ... }: | ||||
| let | ||||
|   inherit (builtins) head pathExists readFile; | ||||
| 
 | ||||
|   controller = head (lib.attrNames roles.controller.machines or {}); | ||||
| 
 | ||||
|   # Read the controller's ip address | ||||
|   ipAddressPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/ip_v4"; | ||||
|   ipAddress = if pathExists ipAddressPath then readFile ipAddressPath else null; | ||||
| 
 | ||||
|   # Read the controller's token | ||||
|   tokenPath = "${config.clan.core.settings.directory}/vars/per-machine/${controller}/k3s/token"; | ||||
|   token = if pathExists tokenPath then readFile tokenPath else null; | ||||
| in | ||||
| { | ||||
|   config = { | ||||
|     networking.firewall = { | ||||
|       allowedTCPPorts = [ | ||||
|         6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) | ||||
|         2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration | ||||
|         2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration | ||||
|       ]; | ||||
| 
 | ||||
|       allowedUDPPorts = [ | ||||
|         8472 # k3s, flannel: required if using multi-node for inter-node networking | ||||
|       ]; | ||||
|     }; | ||||
| 
 | ||||
|     services = { | ||||
|       k3s = { | ||||
|         enable = true; | ||||
|         role = "agent"; | ||||
|         token = token; | ||||
|         serverAddr = "https://${ipAddress}:6443"; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
|  | @ -1,51 +0,0 @@ | |||
| { config, lib, pkgs, ... }: | ||||
| { | ||||
|   config = { | ||||
|     clan.core.vars.generators = { | ||||
|       k3s = { | ||||
|         share = false; | ||||
|         files = { | ||||
|           ip_v6 = { | ||||
|             deploy = false; | ||||
|             secret = false; | ||||
|           }; | ||||
|           ip_v4 = { | ||||
|             deploy = false; | ||||
|             secret = false; | ||||
|           }; | ||||
|           token = { | ||||
|             deploy = false; | ||||
|             secret = true; | ||||
|           }; | ||||
|         }; | ||||
|         runtimeInputs = with pkgs; [ pwgen ]; | ||||
|         script = '' | ||||
|           echo "::1" > "$out/ip_v6" | ||||
|           echo "127.0.0.1" > "$out/ip_v4" | ||||
|           pwgen 50 1 > "$out/token" | ||||
|         ''; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     networking.firewall = { | ||||
|       allowedTCPPorts = [ | ||||
|         6443 # k3s: required so that pods can reach the API server (running on port 6443 by default) | ||||
|         2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration | ||||
|         2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration | ||||
|       ]; | ||||
| 
 | ||||
|       allowedUDPPorts = [ | ||||
|         8472 # k3s, flannel: required if using multi-node for inter-node networking | ||||
|       ]; | ||||
|     }; | ||||
| 
 | ||||
|     services = { | ||||
|       k3s = { | ||||
|         enable = true; | ||||
|         role = "server"; | ||||
|         token = config.clan.core.vars.generators.k3s.token.value; | ||||
|         clusterInit = true; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
|  | @ -26,6 +26,7 @@ | |||
|         }; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   nodes = { | ||||
|     node1 = {}; | ||||
|  | @ -36,5 +37,4 @@ | |||
|   testScript = '' | ||||
|     start_all() | ||||
|   ''; | ||||
|   }; | ||||
| } | ||||
|  | @ -21,7 +21,6 @@ in | |||
|     }; | ||||
| 
 | ||||
|     perInstance = { instanceName, settings, machine, roles, ... }: { | ||||
|       # nixosModule = lib.modules.importApply ./roles/controller.nix (instanceArgs // { inherit pkgs; }); | ||||
|       nixosModule = { config, ... }: { | ||||
|         clan.core.vars.generators.zitadel = { | ||||
|           share = false; | ||||
|  | @ -43,7 +42,7 @@ in | |||
|         services.zitadel = { | ||||
|           enable = true; | ||||
| 
 | ||||
|           masterKeyFile = config.clan.core.vars.generators.zitadel.masterKey.path; | ||||
|           masterKeyFile = config.clan.core.vars.generators.zitadel.files.masterKey.path; | ||||
| 
 | ||||
|           settings = { | ||||
|             Port = 9092; | ||||
|  | @ -92,8 +91,8 @@ in | |||
|       options = {}; | ||||
|     }; | ||||
| 
 | ||||
|     perInstance = instanceArgs: { | ||||
|       nixosModule = lib.modules.importApply ./roles/peer.nix (instanceArgs // { inherit pkgs; }); | ||||
|     perInstance = { instanceName, settings, machine, roles, ... }: { | ||||
|       nixosModule = {} | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
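Review bot: In the peer role, `nixosModule = {}` is missing its terminating `;`, so the `};` that follows is a parse error; it should read `nixosModule = {};`. The `masterKeyFile` change inserts the `.files.` segment that the deleted `roles/controller.nix` omitted, but that file also read `config.clan.core.vars.generators.zitadel.initialAdminPassword.value` for `steps.FirstInstance.Org.Human.Password`; that line is outside this hunk, so if it was carried over unchanged it needs the same `.files.` correction. Note also that `.value` on a file declared `secret = true` embeds the password into the Nix store; that may be an accepted trade-off for a first-boot admin password that is rotated immediately, but it deserves a comment such as `# NOTE: read via .value, so this ends up in the store; rotate after first login`. The controller's `nixosModule` starts before this hunk and continues past it.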
|  |  | |||
|  | @ -6,10 +6,10 @@ in | |||
|   clan.modules.zitadel = module; | ||||
| 
 | ||||
|   perSystem = { ... }: { | ||||
|     # clan.nixosTests.zitadel = { | ||||
|     #   imports = [ ./tests/vm/default.nix ]; | ||||
|     clan.nixosTests.zitadel = { | ||||
|       imports = [ ./tests/vm/default.nix ]; | ||||
| 
 | ||||
|     #   clan.modules."@amarth/zitadel" = module; | ||||
|     # }; | ||||
|       clan.modules."@amarth/zitadel" = module; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
|  |  | |||
|  | @ -1,63 +0,0 @@ | |||
| { instanceName, settings, machine, roles, config, pkgs, ... }: { | ||||
|   config = { | ||||
|     clan.core.vars.generators = { | ||||
|       zitadel = { | ||||
|         share = false; | ||||
| 
 | ||||
|         files.masterKey = { deploy = true; secret = true; }; | ||||
|         files.initialAdminPassword = { deploy = true; secret = true; }; | ||||
| 
 | ||||
|         runtimeInputs = with pkgs; [ pwgen ]; | ||||
| 
 | ||||
|         script = '' | ||||
|           pwgen 50 1 > "$out/initialAdminPassword" | ||||
| 
 | ||||
|           # https://zitadel.com/docs/self-hosting/manage/configure#masterkey | ||||
|           # The master key has to be 32 bytes | ||||
|           head -c 32 /dev/urandom > "$out/masterKey" | ||||
|         ''; | ||||
|       }; | ||||
|     }; | ||||
| 
 | ||||
|     services.zitadel = { | ||||
|       enable = true; | ||||
| 
 | ||||
|       masterKeyFile = config.clan.core.vars.generators.zitadel.masterKey.path; | ||||
| 
 | ||||
|       settings = { | ||||
|         Port = 9092; | ||||
| 
 | ||||
|         ExternalDomain = "auth.amarth.cloud"; | ||||
|         ExternalPort = 443; | ||||
|         ExternalSecure = true; | ||||
| 
 | ||||
|         Metrics.Type = "otel"; | ||||
|         Tracing.Type = "otel"; | ||||
|         Telemetry.Enabled = true; | ||||
| 
 | ||||
|         SystemDefaults = { | ||||
|           PasswordHasher.Hasher.Algorithm = "argon2id"; | ||||
|           SecretHasher.Hasher.Algorithm = "argon2id"; | ||||
|         }; | ||||
|       }; | ||||
| 
 | ||||
|       steps.FirstInstance = { | ||||
|         InstanceName = settings.hostName; | ||||
| 
 | ||||
|         Org = { | ||||
|           Name = settings.displayName; | ||||
|           Human = { | ||||
|             UserName = "chris"; | ||||
|             FirstName = "Chris"; | ||||
|             LastName = "Kruining"; | ||||
|             Email = { | ||||
|               Address = "chris@kruining.eu"; | ||||
|               Verified = true; | ||||
|             }; | ||||
|             Password = config.clan.core.vars.generators.zitadel.initialAdminPassword.value; | ||||
|           }; | ||||
|         }; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| } | ||||
|  | @ -1,3 +0,0 @@ | |||
| { instanceName, settings, machine, roles, config, ... }: { | ||||
|   config = {}; | ||||
| } | ||||
|  | @ -26,6 +26,7 @@ | |||
|         }; | ||||
|       }; | ||||
|     }; | ||||
|   }; | ||||
| 
 | ||||
|   nodes = { | ||||
|     node1 = {}; | ||||
|  | @ -36,5 +37,4 @@ | |||
|   testScript = '' | ||||
|     start_all() | ||||
|   ''; | ||||
|   }; | ||||
| } | ||||
|  |  | |||
							
								
								
									
						
						
									
										12
									
								
								flake.nix
									
										
									
									
									
								
							|  | @ -30,6 +30,7 @@ | |||
|       imports = [ | ||||
|         flake-parts.flakeModules.modules | ||||
|         inputs.clan-core.flakeModules.default | ||||
|         inputs.clan-core.flakeModules.testModule | ||||
|         inputs.devshell.flakeModule | ||||
| 
 | ||||
|         ./clanServices/flake-module.nix | ||||
|  | @ -42,10 +43,13 @@ | |||
|       clan = { | ||||
|         meta.name = "amarth-services"; | ||||
| 
 | ||||
|         # modules = { | ||||
|         #   "@amarth/zitadel" = flake-parts.lib.importApply ./clanServices/zitadel/default.nix {}; | ||||
|         #   "@amarth/k3s" = flake-parts.lib.importApply ./clanServices/k3s/default.nix {}; | ||||
|         # }; | ||||
|         inventory = { | ||||
|           machines = { | ||||
|             "test-darwin-machine" = { | ||||
|               machineClass = "darwin"; | ||||
|             }; | ||||
|           }; | ||||
|         }; | ||||
|       }; | ||||
| 
 | ||||
|       perSystem = { system, ... }: { | ||||
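Review bot: The new `inventory.machines."test-darwin-machine"` entry in the flake's `clan` block has no comment explaining its purpose, and its name suggests a placeholder or test fixture rather than a real host. If it exists only so the inventory is non-empty for `testModule`, a one-line comment above it such as `# placeholder machine for the test module; not a deployable host` would stop a reader from treating it as a production machine; if it is a real machine, the definition (`machineClass` alone, no services) looks incomplete. The `perSystem` block that follows starts inside this hunk and ends outside it.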
|  |  | |||