Improve base deployment and pki handling

2020-02-27 15:42:16 +01:00
parent 8846047f04
commit 1257542e46
5 changed files with 135 additions and 189 deletions
--- a/lib/k8s.nix
+++ b/lib/k8s.nix
@@ -1,11 +1,9 @@
 { pkgs, lib, settings, here ? "", ...}:
+with import ./base.nix { inherit pkgs lib settings here; };
 with lib;
 let
  apiserverAddress = "https://${masterAddress}:4443";
  masterAddress = settings.master.address;
-  initca = settings.initca;
-
-  cluster-ca = import ./initca.nix { inherit pgks initca; };

  cfssl-apitoken =
    let
@@ -47,7 +45,7 @@ let
        export bash="${pkgs.bash}"
        export apiserver="${settings.master.name}"
        export apiserverAddress="${settings.master.address}"
-        export initca="${initca}"
+        export initca="${pki.initca}"
        export cluster="${clusterName}"
        export fileserver="${fileserver}"
        export acme_email="${acme_email}"
@@ -89,8 +87,8 @@ let
    '';

  kubeMaster = {
-    services.cfssl.ca = "${cluster-ca}/ca.pem";
-    services.cfssl.caKey = "${cluster-ca}/ca-key.pem";
+    services.cfssl.ca = pki.ca.cert;
+    services.cfssl.caKey = pki.ca.key;
    services.kubernetes = {
      roles = [ "master" ];
      inherit apiserverAddress;
@@ -98,7 +96,7 @@ let
      clusterCidr = settings.cidr;
      pki.genCfsslCACert = false;
      pki.genCfsslAPIToken = false;
-      pki.caCertPathPrefix = "${cluster-ca}/ca";
+      pki.caCertPathPrefix = "${pki.initca}";

      kubelet = {
        clusterDomain = "${settings.clusterName}.local";
@@ -110,7 +108,7 @@ let
        allowPrivileged = true;
        securePort = 4443;
        insecurePort = 8080;
-        extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem";
+        extraOpts = "--requestheader-client-ca-file ${pki.ca.cert}";
        # verbosity = 4;
      };

@@ -195,42 +193,6 @@ let
    };
  };

-  baseNixos = name: {
-    users.extraUsers.admin.openssh.authorizedKeys.keys =
-     settings.adminAuthorizedKeys;
-
-    boot.kernel.sysctl = {
-      "kernel.mm.transparent_hugepage.enabled" = "never";
-      "net.core.somaxconn" = "512";
-    };
-
-    imports = [
-      ./nixos/configuration.nix
-      (here + "/${name}.nix")
-    ];
-    security.pki.certificateFiles = [
-      "${cluster-ca}/ca.pem"
-    ];
-    # services.glusterfs = {
-    #   enable = true;
-    #   # tlsSettings = {
-    #     # caCert = certs.ca.caFile;
-    #     # tlsKeyPath = certs.self.keyFile;
-    #     # tlsPem = certs.self.certFile;
-    #   };
-    # };
-    networking = {
-      hostName = name;
-      extraHosts = settings.clusterHosts;
-      firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
-      firewall.allowedTCPPorts = [ 80 443 111 ];
-      firewall.allowedUDPPorts = [ 111 24007 24008 ];
-    };
-    environment.systemPackages = with pkgs; [
-      nfs-utils
-    ];
-  };
-
  mkApiServer = host: self:
    {
      deployment.targetHost = host.address;
@@ -249,15 +211,9 @@ let
      ];
    };

-  mkHost = host: self:
-    {
-      deployment.targetHost = host.address;
-      require = [
-        (baseNixos host.name)
-      ];
-    };
-
  master = { "${settings.master.name}" = mkApiServer settings.master; };
+
+  deployment = builtins.foldl' (a: x:
+    a // { "${x.name}" = mkWorker x; }) master settings.workers;
 in
-  builtins.foldl'
-    (a: x: a // { "${x.name}" = mkWorker x; }) master settings.workers
+  deployment