WIP: nixos modules
This commit is contained in:
Jonas Juselius
53
lib/base.nix
53
lib/base.nix
@@ -1,11 +1,13 @@
|
||||
{ pkgs, lib, settings, here ? "", ...}:
|
||||
{ pkgs, config, lib, ... }:
|
||||
with lib;
|
||||
rec {
|
||||
pki = import ./pki.nix { inherit pkgs; ca = settings.initca; };
|
||||
let
|
||||
cfg = config.k8s;
|
||||
|
||||
pki = import ./pki.nix { inherit pkgs; ca = cfg.initca; };
|
||||
|
||||
baseNixos = name: {
|
||||
users.extraUsers.admin.openssh.authorizedKeys.keys =
|
||||
settings.adminAuthorizedKeys;
|
||||
cfg.adminAuthorizedKeys;
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"kernel.mm.transparent_hugepage.enabled" = "never";
|
||||
@@ -14,7 +16,6 @@ rec {
|
||||
|
||||
imports = [
|
||||
./nixos/configuration.nix
|
||||
(here + "/${name}.nix")
|
||||
];
|
||||
|
||||
security.pki.certificateFiles = [
|
||||
@@ -23,7 +24,7 @@ rec {
|
||||
|
||||
networking = {
|
||||
hostName = name;
|
||||
extraHosts = settings.clusterHosts;
|
||||
extraHosts = cfg.clusterHosts;
|
||||
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
|
||||
firewall.allowedTCPPorts = [ 80 443 111 ];
|
||||
firewall.allowedUDPPorts = [ 111 24007 24008 ];
|
||||
@@ -33,18 +34,16 @@ rec {
|
||||
];
|
||||
};
|
||||
|
||||
hostCerts =
|
||||
builtins.foldl'
|
||||
hostCerts = builtins.foldl'
|
||||
(a: x: a // { ${x.name} = pki.gencert {
|
||||
cn = x.name;
|
||||
ca = x.ca;
|
||||
o = settings.clusterName;
|
||||
o = cfg.clusterName;
|
||||
};
|
||||
}) {} settings.hosts;
|
||||
}) {} cfg.hosts;
|
||||
|
||||
|
||||
mkHost = host: self:
|
||||
{
|
||||
mkHost = host: self: {
|
||||
deployment.targetHost = host.address;
|
||||
require = [
|
||||
(baseNixos host.name)
|
||||
@@ -55,9 +54,37 @@ rec {
|
||||
let
|
||||
hosts =
|
||||
builtins.foldl'
|
||||
(a: x: a // { ${x.name} = mkHost x _; }) {} settings.hosts;
|
||||
(a: x: a // { ${x.name} = mkHost x _; }) {} cfg.hosts;
|
||||
hosts' = lib.recursiveUpdate hosts attrs;
|
||||
names = builtins.attrNames hosts;
|
||||
in
|
||||
builtins.foldl' (a: x: a // { ${x} = self: hosts'.${x}; }) {} names;
|
||||
in
|
||||
{
|
||||
options.k8s = {
|
||||
initca = mkOption {
|
||||
type = types.path;
|
||||
};
|
||||
|
||||
clusterName = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
hosts = mkOption {
|
||||
type = types.listOf types.set;
|
||||
default = [];
|
||||
};
|
||||
|
||||
clusterHosts = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
adminAuthorizedKeys = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user