diff --git a/bin/initca.sh b/bin/initca.sh
index bf11407..b37ccbe 100755
--- a/bin/initca.sh
+++ b/bin/initca.sh
@@ -1,2 +1,3 @@
 #!/usr/bin/env bash
-nix-instantiate --add-root `pwd`/gcroots/certs --indirect -E "import ./certs.nix"
+# nix-store --add-root `pwd`/gcroots/initca --indirect -r $(nix-instantiate ./initca.nix)
+nix-build -o gcroots/initca ./initca.nix
diff --git a/fs0.nix b/fs0.nix
index a07bbc1..2129cf6 100644
--- a/fs0.nix
+++ b/fs0.nix
@@ -8,36 +8,36 @@ let
 '';
 nixosConfig = node: ip:
- let
- cert = pki.trust node ''"${node}", "${ip}", "127.0.0.1"'';
- in
- {
- imports = [
- (./nixos/hardware-configuration + "/${node}.nix")
- ./nixos/configuration.nix
- ];
- boot.kernelModules = [
- "dm_snapshot"
- "dm_mirror"
- "dm_thin_pool"
- ];
- networking = {
- hostName = node;
- extraHosts = clusterHosts;
- firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
- firewall.allowedTCPPorts = [ 111 ];
- firewall.allowedUDPPorts = [ 111 24007 24008 ];
- };
- services.glusterfs = {
- enable = true;
- tlsSettings = {
- caCert = pki.ca.cert;
- tlsKeyPath = cert.key;
- tlsPem = cert.cert;
+ let
+ cert = pki.trust node ''"${node}", "${ip}", "127.0.0.1"'';
+ in
+ {
+ imports = [
+ (./nixos/hardware-configuration + "/${node}.nix")
+ ./nixos/configuration.nix
+ ];
+ boot.kernelModules = [
+ "dm_snapshot"
+ "dm_mirror"
+ "dm_thin_pool"
+ ];
+ networking = {
+ hostName = node;
+ extraHosts = clusterHosts;
+ firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
+ firewall.allowedTCPPorts = [ 111 ];
+ firewall.allowedUDPPorts = [ 111 24007 24008 ];
 };
+ services.glusterfs = {
+ enable = true;
+ tlsSettings = {
+ caCert = pki.ca.cert;
+ tlsKeyPath = cert.key;
+ tlsPem = cert.cert;
+ };
+ };
+ environment.systemPackages = [ pkgs.lvm2 ];
 };
- environment.systemPackages = [ pkgs.lvm2 ];
- };
 in
 {
 fs0-0 = { ... }:
diff --git a/kube0.nix b/kube0.nix
index d7ec43e..03e78f8 100644
--- a/kube0.nix
+++ b/kube0.nix
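Review bot: The commented-out `nix-store --add-root ... -r $(nix-instantiate ./initca.nix)` line is left on the new side without saying why `nix-build -o` replaces it; either drop it or turn it into a one-line comment that explains the switch. The script also has no header stating what it produces, so a comment such as `# Build the CA derivation (./initca.nix) and pin its output under gcroots/initca so it is not garbage-collected` would tell the next reader why a GC root is needed — what initca.nix evaluates to is not visible in this diff, so adjust the wording if it differs. Both the old `pwd`-based form and the new relative `-o gcroots/initca` depend on the script being run from the repository root, which is worth stating in the same comment.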
@@ -24,12 +24,12 @@ let
 "10.253.18.102",
 "127.0.0.1"
 '';
- k0-0 = pki.worker { name = "k0-0"; ip = "10.253.18.100"; };
- k0-1 = pki.worker { name = "k0-1"; ip = "10.253.18.101"; };
- k0-2 = pki.worker { name = "k0-2"; ip = "10.253.18.102"; };
- k0-3 = pki.worker { name = "k0-3"; ip = "10.253.18.103"; };
- k0-4 = pki.worker { name = "k0-4"; ip = "10.253.18.107"; };
- k0-5 = pki.worker { name = "k0-5"; ip = "10.253.18.108"; };
+ k0-0 = pki.worker { name = "k0-0"; ip = "10.253.18.100"; };
+ k0-1 = pki.worker { name = "k0-1"; ip = "10.253.18.101"; };
+ k0-2 = pki.worker { name = "k0-2"; ip = "10.253.18.102"; };
+ k0-3 = pki.worker { name = "k0-3"; ip = "10.253.18.103"; };
+ k0-4 = pki.worker { name = "k0-4"; ip = "10.253.18.107"; };
+ k0-5 = pki.worker { name = "k0-5"; ip = "10.253.18.108"; };
 };
 cluster = callPackage ./lib/k8s.nix {
 masterNode = "10.253.18.100";
@@ -58,7 +58,7 @@ in
 ];
 services.dnsmasq.enable = true;
 fileSystems."/data" = {
- device = "k0-0:gv0";
+ device = "fs0-0:gv0";
 fsType = "glusterfs";
 };
 environment.systemPackages = [ pkgs.lvm2 ];
diff --git a/lib/pki.nix b/lib/pki.nix
index e2f2771..7c680e6 100644
--- a/lib/pki.nix
+++ b/lib/pki.nix
@@ -45,13 +45,24 @@
 hosts = "";
 };
 in
- pkgs.runCommand "ca" {
+ pkgs.runCommand "initca" {
 buildInputs = [ pkgs.cfssl ];
 } ''
 cfssl genkey -initca ${ca_csr} | cfssljson -bare ca; \
 mkdir -p $out; cp *.pem $out'';
+
+ # make ca derivation sha depend on initca cfssl output
+ initca' = pkgs.stdenv.mkDerivation {
+ name = "ca";
+ src = initca;
+ buildCommand = ''
+ mkdir -p $out;
+ cp -r $src/* $out
+ '';
+ };
+
 ca = {
- key = "${initca}/ca-key.pem";
- cert = "${initca}/ca.pem";
+ key = "${initca'}/ca-key.pem";
+ cert = "${initca'}/ca.pem";
 };
 cfssl = conf: ''
diff --git a/nixos/configuration.nix b/nixos/configuration.nix
index 393c188..af7d9b0 100644
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
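Review bot: With `device = "fs0-0:gv0"` the `/data` mount has a single volfile server, so the kube nodes cannot mount it while `fs0-0` is down even if the other gluster peers are up; if fs0.nix defines more than one storage node, listing them next to `fsType` as `options = [ "backup-volfile-servers=<other fs0 hosts>" ];` keeps the mount available. Whether `fs0-0` resolves from the kube nodes is not visible here — fs0.nix's `extraHosts = clusterHosts` suggests a shared hosts list, but the kube0 networking block is outside this hunk, so confirm the same list is applied there.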
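Review bot: The CA private key is kept in the Nix store — the unchanged `cp *.pem $out` puts `ca-key.pem` into the `initca` output, `ca.key` now resolves to it through `initca'`, and the new `cp -r $src/* $out` makes a second store copy of it. Store paths are world-readable on every host that holds them (and on any substituter they are pushed to), so the key should stay out of the store and only `ca.pem` be exported for `ca.cert`; until that is done the derivation deserves a comment saying the key lives in the store. The comment `# make ca derivation sha depend on initca cfssl output` also does not match what the hunk shows: an input-addressed derivation's output path is computed from `initca`'s inputs, not from the random key it emitted, so regenerating the CA does not change `initca'`'s path unless content-addressed derivations are enabled, which nothing here does. If the goal is that dependents rebuild when the CA is regenerated, state what actually triggers that, e.g. `# initca' re-exports initca's output as "ca"; its store path changes only when initca's inputs change`. The enclosing `let` binding list starts before this hunk.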
@@ -23,7 +23,7 @@
 services.vmwareGuest.enable = true;
 # The NixOS release to be compatible with for stateful data such as databases.
- system.nixos.stateVersion = "18.03";
+ system.nixos.stateVersion = "18.09";
 programs.fish.enable = true;
 programs.tmux.enable = true;