63 lines
1.4 KiB
Nix
63 lines
1.4 KiB
Nix
{ pkgs, lib, config, ... }:
|
|
with lib;
|
|
let
|
|
cfg = config.k8s;
|
|
in
|
|
rec {
|
|
pki = import ./pki.nix { inherit pkgs; ca = cfg.initca; };
|
|
|
|
baseNixos = name:
|
|
{
|
|
users.extraUsers.admin.openssh.authorizedKeys.keys =
|
|
cfg.adminAuthorizedKeys;
|
|
|
|
boot.kernel.sysctl = {
|
|
"kernel.mm.transparent_hugepage.enabled" = "never";
|
|
"net.core.somaxconn" = "512";
|
|
};
|
|
|
|
imports = [
|
|
./nixos/configuration.nix
|
|
];
|
|
|
|
security.pki.certificateFiles = [ pki.ca.cert ];
|
|
|
|
networking = {
|
|
hostName = name;
|
|
extraHosts = cfg.clusterHosts;
|
|
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
|
|
firewall.allowedTCPPorts = [ 80 443 111 ];
|
|
firewall.allowedUDPPorts = [ 111 24007 24008 ];
|
|
};
|
|
environment.systemPackages = with pkgs; [
|
|
nfs-utils
|
|
];
|
|
};
|
|
|
|
hostCerts = builtins.foldl'
|
|
(a: x: a // { ${x.name} = pki.gencert {
|
|
cn = x.name;
|
|
ca = x.ca;
|
|
o = cfg.clusterName;
|
|
};
|
|
}) {} cfg.hosts;
|
|
|
|
|
|
mkHost = host: self: {
|
|
deployment.targetHost = host.address;
|
|
require = [
|
|
(baseNixos host.name)
|
|
];
|
|
};
|
|
|
|
baseDeployment = nodes: attrs:
|
|
let
|
|
hosts =
|
|
builtins.foldl'
|
|
(a: x: a // { ${x.name} = mkHost x _; }) {} nodes;
|
|
hosts' = lib.recursiveUpdate hosts attrs;
|
|
names = builtins.attrNames hosts;
|
|
in
|
|
builtins.foldl' (a: x: a // { ${x} = self: hosts'.${x}; }) {} names;
|
|
}
|