WIP: nixos modules

This commit is contained in:
Jonas Juselius
2020-10-29 17:40:13 +01:00
parent bf23f3dc4d
commit a217f55231
2 changed files with 41 additions and 14 deletions


@@ -1,11 +1,13 @@
{ pkgs, lib, settings, here ? "", ...}: { pkgs, config, lib, ... }:
with lib; with lib;
rec { let
pki = import ./pki.nix { inherit pkgs; ca = settings.initca; }; cfg = config.k8s;
pki = import ./pki.nix { inherit pkgs; ca = cfg.initca; };
baseNixos = name: { baseNixos = name: {
users.extraUsers.admin.openssh.authorizedKeys.keys = users.extraUsers.admin.openssh.authorizedKeys.keys =
settings.adminAuthorizedKeys; cfg.adminAuthorizedKeys;
boot.kernel.sysctl = { boot.kernel.sysctl = {
"kernel.mm.transparent_hugepage.enabled" = "never"; "kernel.mm.transparent_hugepage.enabled" = "never";
@@ -14,7 +16,6 @@ rec {
imports = [ imports = [
./nixos/configuration.nix ./nixos/configuration.nix
(here + "/${name}.nix")
]; ];
security.pki.certificateFiles = [ security.pki.certificateFiles = [
@@ -23,7 +24,7 @@ rec {
networking = { networking = {
hostName = name; hostName = name;
extraHosts = settings.clusterHosts; extraHosts = cfg.clusterHosts;
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ]; firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
firewall.allowedTCPPorts = [ 80 443 111 ]; firewall.allowedTCPPorts = [ 80 443 111 ];
firewall.allowedUDPPorts = [ 111 24007 24008 ]; firewall.allowedUDPPorts = [ 111 24007 24008 ];
@@ -33,18 +34,16 @@ rec {
]; ];
}; };
hostCerts = hostCerts = builtins.foldl'
builtins.foldl'
(a: x: a // { ${x.name} = pki.gencert { (a: x: a // { ${x.name} = pki.gencert {
cn = x.name; cn = x.name;
ca = x.ca; ca = x.ca;
o = settings.clusterName; o = cfg.clusterName;
}; };
}) {} settings.hosts; }) {} cfg.hosts;
mkHost = host: self: mkHost = host: self: {
{
deployment.targetHost = host.address; deployment.targetHost = host.address;
require = [ require = [
(baseNixos host.name) (baseNixos host.name)
@@ -55,9 +54,37 @@ rec {
let let
hosts = hosts =
builtins.foldl' builtins.foldl'
(a: x: a // { ${x.name} = mkHost x _; }) {} settings.hosts; (a: x: a // { ${x.name} = mkHost x _; }) {} cfg.hosts;
hosts' = lib.recursiveUpdate hosts attrs; hosts' = lib.recursiveUpdate hosts attrs;
names = builtins.attrNames hosts; names = builtins.attrNames hosts;
in in
builtins.foldl' (a: x: a // { ${x} = self: hosts'.${x}; }) {} names; builtins.foldl' (a: x: a // { ${x} = self: hosts'.${x}; }) {} names;
in
{
options.k8s = {
initca = mkOption {
type = types.path;
};
clusterName = mkOption {
type = types.str;
};
hosts = mkOption {
type = types.listOf types.set;
default = [];
};
clusterHosts = mkOption {
type = types.str;
};
adminAuthorizedKeys = mkOption {
type = types.listOf types.str;
default = [];
};
};
config = {
};
} }
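Review bot: The new signature `{ pkgs, config, lib, ... }:` makes `config` a required argument, but the only caller visible in this commit, the second file's `with import ./base.nix { inherit pkgs lib settings here; };`, still passes the old argument set and no `config`, so that import will fail to evaluate, and even if it did the file now returns `options`/`config` rather than the `baseNixos`/`hostCerts`/`mkHost` attribute set the `with import` is meant to bring into scope. If the intent is for this to become a NixOS module, the consumer should list it under `imports` and set `k8s.*` values instead of importing it as a function; as it stands `config = { };` is empty, so `baseNixos`, `hostCerts`, `mkHost` and the host-set builder in the `let` are unreachable from the module. None of the new `mkOption` declarations carries a `description`; a one-liner each would help, and for `initca` in particular it is worth documenting what the path is expected to contain, since path values that end up in a derivation are copied into the world-readable Nix store and `pki.nix` is not visible here to confirm how `ca` is used, e.g. `description = "CA material handed to pki.nix as `ca`; must not be a private key unless pki.nix keeps it out of the store";` (confirm against pki.nix).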


@@ -1,4 +1,4 @@
{ pkgs, lib, settings, here ? "", ...}: { pkgs, lib, settings, here ? ./., ...}:
with import ./base.nix { inherit pkgs lib settings here; }; with import ./base.nix { inherit pkgs lib settings here; };
with lib; with lib;
let let