91 lines
1.8 KiB
Nix
91 lines
1.8 KiB
Nix
{ pkgs, config, lib, ... }:
|
|
with lib;
|
|
let
|
|
cfg = config.k8s;
|
|
|
|
pki = import ./pki.nix { inherit pkgs; ca = cfg.initca; };
|
|
|
|
baseNixos = name: {
|
|
users.extraUsers.admin.openssh.authorizedKeys.keys =
|
|
cfg.adminAuthorizedKeys;
|
|
|
|
boot.kernel.sysctl = {
|
|
"kernel.mm.transparent_hugepage.enabled" = "never";
|
|
"net.core.somaxconn" = "512";
|
|
};
|
|
|
|
imports = [
|
|
./nixos/configuration.nix
|
|
];
|
|
|
|
security.pki.certificateFiles = [
|
|
pki.ca.cert
|
|
];
|
|
|
|
networking = {
|
|
hostName = name;
|
|
extraHosts = cfg.clusterHosts;
|
|
firewall.allowedTCPPortRanges = [ { from = 5000; to = 50000; } ];
|
|
firewall.allowedTCPPorts = [ 80 443 111 ];
|
|
firewall.allowedUDPPorts = [ 111 24007 24008 ];
|
|
};
|
|
environment.systemPackages = with pkgs; [
|
|
nfs-utils
|
|
];
|
|
};
|
|
|
|
hostCerts = builtins.foldl'
|
|
(a: x: a // { ${x.name} = pki.gencert {
|
|
cn = x.name;
|
|
ca = x.ca;
|
|
o = cfg.clusterName;
|
|
};
|
|
}) {} cfg.hosts;
|
|
|
|
|
|
mkHost = host: self: {
|
|
deployment.targetHost = host.address;
|
|
require = [
|
|
(baseNixos host.name)
|
|
];
|
|
};
|
|
|
|
baseDeployment = attrs:
|
|
let
|
|
hosts =
|
|
builtins.foldl'
|
|
(a: x: a // { ${x.name} = mkHost x _; }) {} cfg.hosts;
|
|
hosts' = lib.recursiveUpdate hosts attrs;
|
|
names = builtins.attrNames hosts;
|
|
in
|
|
builtins.foldl' (a: x: a // { ${x} = self: hosts'.${x}; }) {} names;
|
|
in
|
|
{
|
|
options.k8s = {
|
|
initca = mkOption {
|
|
type = types.path;
|
|
};
|
|
|
|
clusterName = mkOption {
|
|
type = types.str;
|
|
};
|
|
|
|
hosts = mkOption {
|
|
type = types.listOf types.set;
|
|
default = [];
|
|
};
|
|
|
|
clusterHosts = mkOption {
|
|
type = types.str;
|
|
};
|
|
|
|
adminAuthorizedKeys = mkOption {
|
|
type = types.listOf types.str;
|
|
default = [];
|
|
};
|
|
};
|
|
|
|
config = {
|
|
};
|
|
}
|