Make things more configurable

lib/initca.nix

@@ -1,4 +1,5 @@
-with import <nixpkgs> {};
+{ pkgs ? import <nixpkgs> {}, ...}:
+with pkgs;
 let
   initca' =
     let

lib/k8s.nix

@@ -1,14 +1,7 @@
 { pkgs, lib, settings, here, ...}:
 with lib;
 let
-  cluster-ca = pkgs.stdenv.mkDerivation {
-    name = "cluster-ca";
-    src = here + /ca;
-    buildCommand = ''
-     mkdir -p $out
-     cp $src/* $out
-    '';
-  };
+  cluster-ca = import ./initca.nix { inherit pgks; };
 
   cfssl-apitoken = pkgs.stdenv.mkDerivation {
     name = "cfssl-apitoken";
@@ -21,7 +14,7 @@ let
 
   kube-system-bootstrap = pkgs.stdenv.mkDerivation {
     name = "kube-system-bootstrap";
-    src = ../kube-system-bootstrap;
+    src = ./kube-system-bootstrap;
     buildCommand = ''
      mkdir -p $out/bin
      mkdir -p $out/share/kube-system-bootstrap
@@ -57,15 +50,19 @@ rec {
       masterAddress = settings.master;
       apiserverAddress = settings.apiserverAddress;
       clusterCidr = cidr;
-      kubelet.unschedulable = false;
       pki.genCfsslCACert = false;
       pki.genCfsslAPIToken = false;
       pki.caCertPathPrefix = "${cluster-ca}/ca";
 
+      kubelet = {
+        unschedulable = false;
+        clusterDomain = "${settings.clusterName}.local";
+      };
+
       apiserver = {
         advertiseAddress = settings.masterAddress;
         authorizationMode = [ "Node" "RBAC" ];
-        securePort = 8443;
+        securePort = 4443;
         insecurePort = 8080;
         extraOpts = "--requestheader-client-ca-file ${cluster-ca}/ca.pem";
       };
@@ -73,14 +70,14 @@ rec {
       addons = {
         dns = {
           enable = true;
-          # clusterDomain = "local";
+          clusterDomain = "${settings.clusterName}.local";
           reconcileMode = "EnsureExists";
         };
       };
     };
 
     networking.firewall = {
-      allowedTCPPorts = [ 53 5000 8080 8443 ]; #;4053 ];
+      allowedTCPPorts = [ 53 5000 8080 4443 ]; #;4053 ];
       allowedUDPPorts = [ 53 4053 ];
     };
 
@@ -103,11 +100,11 @@ rec {
 
     systemd.services.kube-system-bootstrap = {
       description = "Kubernetes certmgr bootstrapper";
-      after = [ "multi-user.target" ];
+      wantedBy = [ "multi-user.target" ];
+      after = [ "kubernetes.target" ];
       serviceConfig = {
         Type = "oneshot";
         RemainAfterExit = false;
-        # PATH=$PATH:${pkgs.bash}/bin:${pkgs.kubectl}/bin:${pkgs.kubernetes-helm}/bin:${pkgs.coreutils}/bin
         Environment = ''
           PATH=$PATH:/run/current-system/sw/bin
         '';
@@ -115,7 +112,10 @@ rec {
           #!${pkgs.bash}/bin/bash
           set -e
           if [ ! -f /var/lib/kubernetes/.kube-system-bootstrap.done ]; then
-            ${pkgs.bash}/bin/bash ${kube-system-bootstrap}/share/kube-system-bootstrap/kube-system-bootstrap ${cluster-ca}
+            ${pkgs.bash}/bin/bash
+            d=${kube-system-bootstrap}/share/kube-system-bootstrap
+            cd $d
+            $d/kube-system-bootstrap ${cluster-ca} ${settings.clusterName}
             touch /var/lib/kubernetes/.kube-system-bootstrap.done
           fi
         '';
@@ -129,7 +129,9 @@ rec {
       clusterCidr = cidr;
       masterAddress = settings.master;
       apiserverAddress = settings.apiserverAddress;
+      kubelet.clusterDomain = "${settings.clusterName}.local";
     };
+
     networking = {
       firewall = {
         enable = true;
@@ -143,7 +145,7 @@ rec {
     systemd.services.kube-certmgr-apitoken-bootstrap = {
       description = "Kubernetes certmgr bootstrapper";
       wantedBy = [ "certmgr.service" ];
-      before = [ "certmgr.target" ];
+      # before = [ "certmgr.service" ];
       script = install-apitoken;
       serviceConfig = {
         RestartSec = "10s";
@@ -157,7 +159,7 @@ rec {
      settings.adminAuthorizedKeys;
 
     imports = [
-      ../nixos/configuration.nix
+      ./nixos/configuration.nix
       (here + "/${name}.nix")
     ];
     security.pki.certificateFiles = [