services/clanServices/k3s/default.nix

227 lines
7.3 KiB
Nix

{ lib, pkgs, ... }:
let
inherit (builtins) readFile;
in
{
_class = "clan.service";
manifest = {
name = "amarth-services/k3s";
description = "K3s service in order to set up a cluster";
categories = [ "System" "Network" "Containers" "Virtualisation" ];
readme = readFile ./README.md;
};
#==============================================================================================================
# Server configuration
#==============================================================================================================
roles.server = {
interface = { lib, ... }:
let
inherit (lib) mkOption mkEnableOption mkIf types toString;
in
{
options = {
port = mkOption {
type = types.port;
default = 6443;
example = "6443";
description = ''
Temporary option till I figure out something useful
'';
};
harbor.enable = mkEnableOption "Enable Harbor - container registry";
crossplane.enable = mkEnableOption "Enable Crossplane - control plane";
crossplane.resources.composite = mkOption {
type = with types; listOf (either path attrs);
default = [];
example = lib.literalExpression ''
[
../manifests/my-composite-resource.yml
{
apiVersion = "v1";
kind = "CompositeResourceDefinition";
metadata = {
name = "app-service";
};
spec = {
selector = {
"app.kubernetes.io/name" = "MyApp";
};
ports = [
{
name = "name-of-service-port";
protocol = "TCP";
port = 80;
targetPort = "http-web-svc";
}
];
};
}
];
'';
description = ''
Temporary option till I figure out something useful
'';
};
};
};
perInstance = { instanceName, settings, machine, roles, ... }: {
nixosModule = { config, pkgs, lib, ... }:
let
inherit (lib) mkOption mkEnableOption mkIf types toString;
in
{
environment.systemPackages = with pkgs; [ k9s linkerd ];
clan.core.vars.generators.k3s = {
share = false;
files = {
ip_v6 = {
deploy = false;
secret = false;
};
ip_v4 = {
deploy = false;
secret = false;
};
token = {
deploy = true;
secret = true;
};
};
runtimeInputs = with pkgs; [ pwgen ];
script = ''
echo "::1" > "$out/ip_v6"
echo "127.0.0.1" > "$out/ip_v4"
pwgen 50 1 > "$out/token"
'';
};
networking.firewall = {
allowedTCPPorts = [
6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
];
allowedUDPPorts = [
8472 # k3s, flannel: required if using multi-node for inter-node networking
];
};
systemd.paths = {
charts = {
wantedBy = ["k3s.service"];
pathConfig = {
PathModified = config.services.k3s.autoDeployCharts.crossplane.target.path;
};
};
};
services.k3s = {
enable = true;
role = "server";
tokenFile = config.clan.core.vars.generators.k3s.files.token.path;
clusterInit = true;
autoDeployCharts = {
harbor = mkIf settings.harbor.enable {
name = "harbor";
repo = "https://helm.goharbor.io";
version = "1.14.0";
hash = "sha256-fMP7q1MIbvzPGS9My91vbQ1d3OJMjwc+o8YE/BXZaYU=";
values = {
existingSecretAdminPassword = "harbor-admin";
expose = {
tls = {
enabled = true;
certSource = "secret";
secret.secretName = "my-tls-secret";
};
ingress = {
hosts.core = "example.com";
className = "nginx";
};
};
};
};
crossplane = mkIf settings.crossplane.enable {
name = "crossplane";
repo = "https://charts.crossplane.io/stable";
version = "2.0.2";
hash = "sha256-5gk/dvOJAy5O++QkrnS0oVZaanDgNmF0107qKyri3Js=";
targetNamespace = "crossplane-system";
createNamespace = true;
values = {
replicas = 1;
deploymentStrategy = "RollingUpdate";
};
extraDeploy = settings.crossplane.resources.composite;
};
};
};
};
# exports.port = settings.port;
# exports.address = "https://\${config.networking.fqdn}:${toString port}";
};
};
#==============================================================================================================
# Agent configuration
#==============================================================================================================
roles.agent = {
interface = { lib, ... }: {
options = {};
};
perInstance = { instanceName, settings, machine, roles, ... }: {
nixosModule = { config, ... }:
let
inherit (builtins) head pathExists readFile;
server = head (lib.attrNames (roles.server.machines or { not_found = {}; }));
# Read the server's ip address
ipAddressPath = "${config.clan.core.settings.directory}/vars/per-machine/${server}/k3s/ip_v4/value";
ipAddress = if pathExists ipAddressPath then readFile ipAddressPath else null;
# Read the server's token
# tokenPath = "${config.clan.core.settings.directory}/vars/per-machine/${server}/k3s/token";
# token = if pathExists tokenPath then readFile tokenPath else null;
in
{
networking.firewall = {
allowedTCPPorts = [
6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
];
allowedUDPPorts = [
8472 # k3s, flannel: required if using multi-node for inter-node networking
];
};
services = {
k3s = {
enable = true;
role = "agent";
tokenFile = "/var/lib/k3s/__TODO_FIGURE_OUT_TOKEN__"; #config.clan.core.vars.generators.k3s.files.token.path;
serverAddr = "https://${server}.${config.networking.domain}:6443";
};
};
};
};
};
}