Add nixos and bootstrapping as submodules. Automate apitokens.

lib/k8s.nix

@@ -1,26 +1,63 @@
-{ pkgs, lib, settings, ...}:
+here: { pkgs, lib, settings, ...}:
 with lib;
 let
   cluster-ca = pkgs.stdenv.mkDerivation {
-      name = "cluster-ca";
-      src = ./ca;
-      buildCommand = ''
-        mkdir -p $out
-        cp $src/* $out
-      '';
+    name = "cluster-ca";
+    src = here + /ca;
+    buildCommand = ''
+     mkdir -p $out
+     cp $src/* $out
+    '';
   };
+
+  cfssl-apitoken = pkgs.stdenv.mkDerivation {
+    name = "cfssl-apitoken";
+    buildCommand = ''
+      head -c ${toString (32 / 2)} /dev/urandom | \
+      od -An -t x | tr -d ' ' > $out
+      chmod 400 $out
+    '';
+  };
+
   nixos-kubernetes-join-nodes = workers:
     let
       wrk = builtins.foldl' (a: s: a + " " + s) "" workers;
     in
-    pkgs.writeScriptBin "nixos-kubernetes-join-nodes" ''
-      #!/bin/sh
-      set -e
-      token=$(cat /var/lib/cfssl/apitoken.secret)
-      for i in ${wrk}; do
-         ssh root@$i "echo $token | sh nixos-kubernetes-node-join"
-      done
+      pkgs.writeScriptBin "nixos-kubernetes-join-nodes" ''
+        #!/bin/sh
+        set -e
+        token=$(cat /var/lib/cfssl/apitoken.secret)
+        for i in ${wrk}; do
+           ssh root@$i "echo $token | sh nixos-kubernetes-node-join"
+        done
+      '';
+
+  kube-system-bootstrap = pkgs.stdenv.mkDerivation {
+    name = "kube-system-bootstrap";
+    src = ../kube-system-bootstrap;
+    buildCommand = ''
+     mkdir -p $out/bin
+     mkdir -p $out/share/kube-system-bootstrap
+     cp -r $src/* $out/share/kube-system-bootstrap/
+     cd $out/bin
+     ln -s ../share/kube-system-bootstrap/bin/* .
+     ln -s ../share/kube-system-bootstrap/kube-system-bootstrap .
     '';
+  };
+
+  install-apitoken = pkgs.writeScript "kube-install-certmgr-apitoken" ''
+    #!${pkgs.bash}/bin/bash
+    set -e
+    if [ -d /var/lib/cfssl ]; then
+      cp ${cfssl-apitoken} /var/lib/cfssl/apitoken.secret
+      chown cfssl /var/lib/cfssl/apitoken.secret
+      chmod 600 /var/lib/cfssl/apitoken.secret
+    fi
+    cp ${cfssl-apitoken} /var/lib/kubernetes/secrets/apitoken.secret
+    chown root /var/lib/kubernetes/secrets/apitoken.secret
+    chmod 600 /var/lib/kubernetes/secrets/apitoken.secret
+  '';
+
   cidr = "10.10.0.0/16";
 in
 rec {
@@ -34,6 +71,7 @@ rec {
       clusterCidr = cidr;
       kubelet.unschedulable = false;
       pki.genCfsslCACert = false;
+      pki.genCfsslAPIToken = false;
       pki.caCertPathPrefix = "${cluster-ca}/ca";
       apiserver = {
         advertiseAddress = settings.masterAddress;
@@ -57,6 +95,7 @@ rec {
     environment.systemPackages = [
       pkgs.kubernetes-helm
       (nixos-kubernetes-join-nodes settings.workers)
+      kube-system-bootstrap
     ];
   };
 
@@ -81,8 +120,8 @@ rec {
 
   baseNixos = name: {
     imports = [
-      (../nixos/hardware-configuration + "/${name}.nix")
       ../nixos/configuration.nix
+      (here + "/${name}.nix")
     ];
     security.pki.certificateFiles = [
       "${cluster-ca}/ca.pem"
@@ -106,6 +145,19 @@ rec {
       firewall.allowedTCPPorts = [ 80 443 111 ];
       firewall.allowedUDPPorts = [ 111 24007 24008 ];
     };
+    users.extraUsers.admin.openssh.authorizedKeys.keys =
+     settings.adminAuthorizedKeys;
+
+    systemd.services.kube-certmgr-apitoken-bootstrap = {
+      description = "Kubernetes certmgr bootstrapper";
+      wantedBy = [ "cfssl.service" ];
+      before = [ "cfssl.target" ];
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+        ExecStart = "${install-apitoken}";
+      };
+    };
   };
 
   apiserver = ip: name: self: