platform/manifests
1
1
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

chore: Cleanup old nix code and add helmfile experiments

Browse Source
This commit is contained in:
Moritz Jörg
2025-06-02 12:32:14 +02:00
parent 96debd5181
commit 65d65ea126
38 changed files with 1109 additions and 1078 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.envrc
+14 -1
View File
@@ -1 +1,14 @@
use nix
#!/usr/bin/env bash
# the shebang is ignored, but nice for editors
watch_file npins/sources.json
# Load .env file if it exists
dotenv_if_exists
# Activate development shell
if type -P lorri &>/dev/null; then
eval "$(lorri direnv)"
else
echo 'while direnv evaluated .envrc, could not find the command "lorri" [https://github.com/nix-community/lorri]'
use nix
fi
default.nix
-33
View File
@@ -1,33 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixhelm = sources.nixhelm;
nixidy = import sources.nixidy { inherit nixpkgs; };
kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
in
nixidy.lib.mkEnvs {
libOverlay = self: super: {
apps = import ./modules/lib.nix { inherit pkgs kube; };
};
modules = [
(
{ lib, ... }:
{
nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
}
)
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
}
flake.lock
Generated
-666
View File
@@ -1,666 +0,0 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699033427,
"narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"haumea": {
"inputs": {
"nixpkgs": [
"nixhelm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685133229,
"narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
"owner": "nix-community",
"repo": "haumea",
"rev": "34dd58385092a23018748b50f9b23de6266dffc2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.2.2",
"repo": "haumea",
"type": "github"
}
},
"kubenix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixidy",
"nixpkgs"
],
"systems": "systems_6",
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
"owner": "hall",
"repo": "kubenix",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-kube-generators": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_2": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_3": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nixhelm": {
"inputs": {
"flake-utils": "flake-utils_2",
"haumea": "haumea",
"nix-kube-generators": "nix-kube-generators_2",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1728868745,
"narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
"owner": "farcaller",
"repo": "nixhelm",
"rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nixhelm",
"type": "github"
}
},
"nixidy": {
"inputs": {
"flake-utils": "flake-utils_4",
"kubenix": "kubenix",
"nix-kube-generators": "nix-kube-generators_3",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1728815994,
"narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
"owner": "arnarg",
"repo": "nixidy",
"rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
"type": "github"
},
"original": {
"owner": "arnarg",
"ref": "HEAD",
"repo": "nixidy",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1697382362,
"narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixhelm",
"nixpkgs"
],
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1718285706,
"narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1728778939,
"narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nix-kube-generators": "nix-kube-generators",
"nixhelm": "nixhelm",
"nixidy": "nixidy",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks",
"yaml2nix": "yaml2nix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"yaml2nix",
"cargo2nix",
"flake-utils"
],
"nixpkgs": [
"yaml2nix",
"cargo2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697336027,
"narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
"nixidy",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717850719,
"narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yaml2nix": {
"inputs": {
"cargo2nix": "cargo2nix",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726132715,
"narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
"owner": "euank",
"repo": "yaml2nix",
"rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
"type": "github"
},
"original": {
"owner": "euank",
"repo": "yaml2nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
flake.nix
-148
View File
@@ -1,148 +0,0 @@
{
description = "My ArgoCD configuration with nixidy.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixidy = {
url = "github:juselius/nixidy?ref=HEAD";
# url = "github:juselius/nixidy?ref=special-args";
# url = "/home/jonas/src/OceanBox/nixidy";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-kube-generators.url = "github:farcaller/nix-kube-generators";
yaml2nix = {
url = "github:euank/yaml2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs =
{
self,
nixpkgs,
flake-utils,
nixidy,
nixhelm,
yaml2nix,
pre-commit-hooks,
nix-kube-generators,
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
kube = nix-kube-generators.lib { inherit pkgs; };
lib = {
apps = import ./modules/lib.nix { inherit pkgs kube;};
};
in
{
nixidyEnvs = nixidy.lib.mkEnvs {
inherit pkgs;
extraSpecialArgs = { inherit lib; };
charts = nixhelm.chartsDerivations.${system};
modules = [
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = false;
deadnix.enable = false;
statix.enable = false;
};
};
};
packages = {
nixidy = nixidy.packages.${system}.default;
generators = {
cilium = nixidy.packages.${system}.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.packages.${system}.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
};
};
apps = {
gen-crd = {
type = "app";
program =
(pkgs.writeShellScript "generate-modules" ''
set -eo pipefail
echo "generate cilium"
cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
echo "generate kyverno"
cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
'').outPath;
};
};
devShells.default = pkgs.mkShellNoCC {
inherit (self.checks.${system}.pre-commit-check) shellHook;
nativeBuildInputs = with pkgs; [
self.checks.${system}.pre-commit-check.enabledPackages
nixidy.packages.${system}.default
yaml2nix.packages.${system}.default
nixd
nixfmt-rfc-style
just
fzf
];
NIXD_FLAGS = "--inlay-hints";
};
}
));
}
generate.nix
-44
View File
@@ -1,44 +0,0 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
in
{
cilium = nixidy.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
}
helmfile.d/atlantis.yaml.gotmpl
-20
View File
@@ -35,23 +35,3 @@ releases:
- '{{`{{ .Environment.Name }}`}}'
- ../values/atlantis/manifests
- _atlantis-manifests
- name: atlantis-app
namespace: argocd
chart: _atlantis-app
condition: atlantis.enabled
missingFileHandler: Info
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/atlantis/values.yaml.gotmpl
- ../values/atlantis/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/atlantis/app.yaml
- _atlantis-app
helmfile.d/kyverno.yaml.gotmpl
+46
View File
@@ -0,0 +1,46 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: kyverno
url: 'https://kyverno.github.io/kyverno/'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: kyverno
namespace: kyverno
chart: kyverno/kyverno
version: 3.2.5
condition: kyverno.enabled
values:
- ../values/kyverno/values/kyverno.yaml.gotmpl
- ../values/kyverno/values/kyverno-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/postgres-operator/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: kyverno-manifests
namespace: kyverno
chart: _kyverno-manifests
condition: kyverno.enabled
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/kyverno/values.yaml.gotmpl
- ../values/kyverno/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/kyverno/manifests
- _kyverno-manifests
helmfile.d/nix/argo.gotmpl.nix
+92
View File
@@ -0,0 +1,92 @@
{ var, ... }:
{
bases = [
"../envs/environments.yaml.gotmpl"
];
repositories = [
{
name = "argo";
url = "https://argoproj.github.io/argo-helm";
}
];
commonLabels = {
tier = "system";
};
releases = [
{
name = "argocd";
namespace = "argocd";
chart = "argo/argo-cd";
version = "7.5.2";
condition = "argo.enabled";
values = [
"../values/argo/values/argocd.yaml.gotmpl"
"../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
];
postRenderer = "../bin/kustomizer";
postRendererArgs = [
"../values/argo/kustomize/${var.environment.name}"
];
missingFileHandler = "Info";
}
{
name = "argocd-apps";
namespace = "argocd";
chart = "argo/argocd-apps";
version = "0.0.1";
condition = "argo.apps.enabled";
values = [
"../values/argo/values/apps.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-rollouts";
namespace = "argocd";
chart = "argo/argo-rollouts";
version = "2.35.2";
condition = "argo.rollouts.enabled";
values = [
"../values/argo/values/rollouts.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-workflows";
namespace = "argocd";
chart = "argo/argo-workflows";
version = "0.45.0";
condition = "argo.workflows.enabled";
missingFileHandler = "Info";
}
{
name = "argo-manifests";
namespace = "argocd";
chart = "_argo";
condition = "argo.enabled";
values = [
# "../values/values-${var.CLUSTER_NAME}.yaml"
"../values/argo/values.yaml.gotmpl"
# "../values/argo/values-${var.CLUSTER_NAME}.yaml.gotmpl"
];
missingFileHandler = "Info";
hooks = [
{
events = [
"prepare"
"cleanup"
];
showlogs = true;
command = "../bin/helmify";
args = [
# "${if (var.event.name == "prepare") then "build" else "clean"}"
# "${var.release.chart}"
"${var.environment.name}"
"../values/argo/manifests"
"_argo"
];
}
];
}
];
}
helmfile.d/nix/helmfile.gotmpl.nix
+94
View File
@@ -0,0 +1,94 @@
{ var, escape_var, ... }:
[
{
bases = [
"../envs/environments.yaml.gotmpl"
];
repositories = [
{
name = "argo";
url = "https://argoproj.github.io/argo-helm";
}
];
commonLabels = {
tier = "system";
};
releases = [
{
name = "argocd";
namespace = "argocd";
chart = "argo/argo-cd";
version = "7.5.2";
condition = "argo.enabled";
values = [
"../values/argo/values/argocd.yaml.gotmpl"
"../values/argo/values/argocd-${var.environment.name}.yaml.gotmpl"
];
postRenderer = "../bin/kustomizer";
postRendererArgs = [
"../values/argo/kustomize/${var.environment.name}"
];
missingFileHandler = "Info";
}
{
name = "argocd-apps";
namespace = "argocd";
chart = "argo/argocd-apps";
version = "0.0.1";
condition = "argo.apps.enabled";
values = [
"../values/argo/values/apps.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-rollouts";
namespace = "argocd";
chart = "argo/argo-rollouts";
version = "2.35.2";
condition = "argo.rollouts.enabled";
values = [
"../values/argo/values/rollouts.yaml.gotmpl"
];
missingFileHandler = "Info";
}
{
name = "argo-workflows";
namespace = "argocd";
chart = "argo/argo-workflows";
version = "0.45.0";
condition = "argo.workflows.enabled";
missingFileHandler = "Info";
}
{
name = "argo-manifests";
namespace = "argocd";
chart = "_argo";
condition = "argo.enabled";
values = [
(escape_var "../values/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml")
"../values/argo/values.yaml.gotmpl"
(escape_var "../values/argo/values-{{requiredEnv \"CLUSTER_NAME\"}}.yaml.gotmpl")
];
missingFileHandler = "Info";
hooks = [
{
events = [
"prepare"
"cleanup"
];
showlogs = true;
command = "../bin/helmify";
args = [
(escape_var "{{ if eq .Event.Name \"prepare\" }}build{{ else }}clean{{ end }}")
(escape_var "{{ .Release.Chart | toJson }}")
(escape_var "{{ .Environment.Name | toJson }}")
"../values/argo/manifests"
"_argo"
];
}
];
}
];
}
]
helmfile.d/postgres-operator.yaml.gotmpl
+45
View File
@@ -0,0 +1,45 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: cloudnative-pg
url: 'https://cloudnative-pg.github.io/charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: postgres-operator
namespace: cnpg
chart: cloudnative-pg/cloudnative-pg
version: 0.18.2
condition: postgres_operator.enabled
values:
- ../values/postgres-operator/values/postgres-operator.yaml.gotmpl
- ../values/postgres-operator/values/postgres-operator-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/postgres-operator/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: postgres-operator-manifests
namespace: cnpg
chart: _postgres-operator-manifests
condition: postgres_operator.enabled
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/postgres-operator/values.yaml.gotmpl
- ../values/postgres-operator/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/postgres-operator/manifests
- _postgres-operator-manifests
helmfile.d/prometheus.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: prometheus
url: 'https://prometheus-community.github.io/helm-charts'
commonLabels:
tier: system
apiVersions:
- monitoring.coreos.com/v1
releases:
- name: prometheus
namespace: prometheus
chart: prometheus/kube-prometheus-stack
version: 62.7.0
condition: prometheus.enabled
values:
- ../values/prometheus/values/prometheus.yaml.gotmpl
- ../values/prometheus/values/prometheus-{{ .Environment.Name }}.yaml.gotmpl
missingFileHandler: Info
- name: prometheus-manifests
namespace: prometheus
chart: _prometheus-manifests
condition: prometheus.enabled
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/prometheus/values.yaml.gotmpl
- ../values/prometheus/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/prometheus/prometheus-manifests
- _prometheus-manifests
helmfile.d/velero.yaml.gotmpl
+42
View File
@@ -0,0 +1,42 @@
bases:
- ../envs/environments.yaml.gotmpl
repositories:
- name: velero
url: 'https://vmware-tanzu.github.io/helm-charts'
commonLabels:
tier: system
releases:
- name: velero
namespace: velero
chart: velero/velero
version: 0.18.2
condition: velero.enabled
values:
- ../values/velero/values/velero.yaml.gotmpl
- ../values/velero/values/velero-{{ .Environment.Name }}.yaml.gotmpl
postRenderer: ../bin/kustomizer
postRendererArgs:
- ../values/velero/kustomize/{{ .Environment.Name }}
missingFileHandler: Info
- name: velero-manifests
namespace: velero
chart: _velero-manifests
condition: velero.enabled
values:
- ../values/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml
- ../values/velero/values.yaml.gotmpl
- ../values/velero/values-{{ requiredEnv "CLUSTER_NAME" }}.yaml.gotmpl
missingFileHandler: Info
hooks:
- events: [ prepare, cleanup ]
showlogs: true
command: ../bin/helmify
args:
- '{{`{{ if eq .Event.Name "prepare" }}build{{ else }}clean{{ end }}`}}'
- '{{`{{ .Release.Chart }}`}}'
- '{{`{{ .Environment.Name }}`}}'
- ../values/velero/manifests
- _velero-manifests
justfile
+10 -15
View File
@@ -1,17 +1,12 @@
default := "prod"
[private]
default:
just --choose
just --list -u
info target=default:
nix run .#nixidy -- info .#{{target}}
build target=default:
nix run .#nixidy -- build .#{{target}}
switch target=default:
nix run .#nixidy -- switch .#{{target}}
generate:
nix build .#generators.cilium
nix build .#generators.kyverno
# NOTE: Render a specifc helm chart
r HELMFILE ENV:
# helmfile --environment={{ENV}} lint --args --quiet --skip-deps --skip-refresh -f helmfile.d/{{HELMFILE}}.yaml.gotmpl
helmfile --environment={{ENV}} lint --args --quiet -f helmfile.d/{{HELMFILE}}.yaml.gotmpl
#
# NOTE: Render charts for one environment
# render ENV="staging":
nix/default.nix
-80
View File
@@ -1,80 +0,0 @@
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
mkSource =
spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = path; };
mkGitSource =
{
repository,
revision,
url ? null,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null then
(builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
})
else
assert repository.type == "Git";
let
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName repository.url revision;
in
builtins.fetchGit {
url = repository.url;
rev = revision;
inherit name;
# hash = hash;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
in
if version == 3 then
builtins.mapAttrs (_: mkSource) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
nix/sources.json
-47
View File
@@ -1,47 +0,0 @@
{
"pins": {
"nix-kube-gen": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "farcaller",
"repo": "nix-kube-generators"
},
"branch": "master",
"revision": "2be4f3cb99e179d9f94e6c8723862421437f8efb",
"url": "https://github.com/farcaller/nix-kube-generators/archive/2be4f3cb99e179d9f94e6c8723862421437f8efb.tar.gz",
"hash": "0pgpr0szig7plmj7i4hjfkpcm4vgy0ingqr115wqjzbx5yjc6c7j"
},
"nixhelm": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "farcaller",
"repo": "nixhelm"
},
"branch": "master",
"revision": "cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d",
"url": "https://github.com/farcaller/nixhelm/archive/cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d.tar.gz",
"hash": "1waplza2c0wgq23v41ladfgqdq2wrbw889c973cm439940zj4mj1"
},
"nixidy": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "arnarg",
"repo": "nixidy"
},
"branch": "main",
"revision": "d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6",
"url": "https://github.com/arnarg/nixidy/archive/d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6.tar.gz",
"hash": "0ijxdh2432wvwyff1f5yfrjn93lzayrswi1bkasjpwaps9v6ld4r"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre699031.2d2a9ddbe3f2/nixexprs.tar.xz",
"hash": "1vx044c8gdg1c8zmabzbi9xrgjgaz2bfqbl47xsgh517f580bycx"
}
},
"version": 3
}
npins/default.nix
+146
View File
@@ -0,0 +1,146 @@
/*
This file is provided under the MIT licence:
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
range =
first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
concatMapStrings = f: list: concatStrings (map f list);
concatStrings = builtins.concatStringsSep "";
# If the environment variable NPINS_OVERRIDE_${name} is set, then use
# the path directly as opposed to the fetched source.
# (Taken from Niv for compatibility)
mayOverride =
name: path:
let
envVarName = "NPINS_OVERRIDE_${saneName}";
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
ersatz = builtins.getEnv envVarName;
in
if ersatz == "" then
path
else
# this turns the string into an actual Nix path (for both absolute and
# relative paths)
builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
if builtins.substring 0 1 ersatz == "/" then
/. + ersatz
else
/. + builtins.getEnv "PWD" + "/${ersatz}"
);
mkSource =
name: spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else if spec.type == "Tarball" then
mkTarballSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = mayOverride name path; };
mkGitSource =
{
repository,
revision,
url ? null,
submodules,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null && !submodules then
builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
}
else
let
url =
if repository.type == "Git" then
repository.url
else if repository.type == "GitHub" then
"https://github.com/${repository.owner}/${repository.repo}.git"
else if repository.type == "GitLab" then
"${repository.server}/${repository.repo_path}.git"
else
throw "Unrecognized repository type ${repository.type}";
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName url revision;
in
builtins.fetchGit {
rev = revision;
inherit name;
# hash = hash;
inherit url submodules;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
mkTarballSource =
{
url,
locked_url ? url,
hash,
...
}:
builtins.fetchTarball {
url = locked_url;
sha256 = hash;
};
in
if version == 5 then
builtins.mapAttrs mkSource data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
npins/sources.json
+37
View File
@@ -0,0 +1,37 @@
{
"pins": {
"gomod2nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "nix-community",
"repo": "gomod2nix"
},
"branch": "master",
"submodules": false,
"revision": "2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0",
"url": "https://github.com/nix-community/gomod2nix/archive/2cbd7fdd6eeab65c494cc426e18f4e4d2a5e35c0.tar.gz",
"hash": "18hl5fz6aqg12ypkjramvlv43p413iwzy5zbvwl9m3kp5l4id2fi"
},
"helmfile-nix": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "remarkable",
"repo": "helmfile-nix"
},
"branch": "main",
"submodules": false,
"revision": "03b3de30d44b6e90e9425bad10476dadd75bcba9",
"url": "https://github.com/remarkable/helmfile-nix/archive/03b3de30d44b6e90e9425bad10476dadd75bcba9.tar.gz",
"hash": "12bdar6cb459vw9ldk73npvydbcjgb4ic8w416yf4i4alky3d9ib"
},
"nixpkgs": {
"type": "Channel",
"name": "nixpkgs-unstable",
"url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre800239.b1bebd0fe266/nixexprs.tar.xz",
"hash": "0vnfj9d7kzk673i7s1vnkbx513a4gh5mfcd8fag2c7wi6hz471n6"
}
},
"version": 5
}
shell.nix
+26 -17
View File
@@ -1,25 +1,34 @@
let
sources = import ./nix;
sources = import ./npins;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
overlays = [ (import "${sources.gomod2nix}/overlay.nix") ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
helmfile-nix = import sources.helmfile-nix { inherit pkgs; };
helmWrap =
with pkgs;
wrapHelm kubernetes-helm {
plugins = with kubernetes-helmPlugins; [
helm-diff
helm-git
];
};
helmfileWrap = pkgs.helmfile-wrapped.override { inherit (helmWrap) pluginsDir; };
in
{
shell = pkgs.mkShellNoCC {
name = "clstr";
nativeBuildInputs = with pkgs; [
helmfile
nixidy.nixidy
npins
nixfmt-rfc-style
just
fzf
];
NPINS_DIRECTORY = "nix";
};
pkgs.mkShellNoCC {
name = "clstr";
packages = with pkgs; [
npins
nix-converter
# helm
helmWrap
helmfileWrap
helmfile-nix
];
CLUSTER_NAME = "oceanbox";
}
statix.toml
-7
View File
@@ -1,7 +0,0 @@
disabled = [
# I think enforcing this can often produce
# code that is harder to read.
"manual_inherit_from"
# Does not improve readability
"repeated_keys"
]
values/atlantis/app.yaml → values/atlantis/manifests/atlantis.yaml
View File
values/kyverno/kustomize/base/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- _manifest.yaml
values/kyverno/kustomize/default/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
generatorOptions:
disableNameSuffixHash: true
resources:
- ../base
values/kyverno/manifests/kyverno.yaml
+39
View File
@@ -0,0 +1,39 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kyverno
namespace: argocd
spec:
destination:
namespace: kyverno
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/kyverno
plugin:
name: helmfile
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# - ServerSideApply=true
{{- if .Values.kyverno.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
ignoreDifferences:
- group: batch
kind: CronJob
jqPathExpressions:
- '.spec.jobTemplate.spec.template.spec.containers[]?.resources'
{{- end }}
values/kyverno/values.yaml.gotmpl
+11
View File
@@ -0,0 +1,11 @@
kyverno:
enabled: true
autosync: false
metrics: false
resources:
cleanupController:
memory: "128Mi"
reportsController:
memory: "128Mi"
backgroundController:
memory: "128Mi"
values/kyverno/values/kyverno.yaml.gotmpl
+41
View File
@@ -0,0 +1,41 @@
replicaCount: 3
{{ if .Values.kyverno.metrics }}
admissionController:
serviceMonitor:
enabled: true
metricsService:
create: true
backgroundController:
serviceMonitor:
enabled: true
metricsService:
create: true
cleanupController:
serviceMonitor:
enabled: true
metricsService:
create: true
reportsController:
serviceMonitor:
enabled: true
metricsService:
create: true
{{ end }}
cleanupController:
resources:
limits:
memory: {{ .Values.kyverno.resources.cleanupController.memory }}
requests:
memory: {{ .Values.kyverno.resources.cleanupController.memory }}
reportsController:
resources:
limits:
memory: {{ .Values.kyverno.resources.reportsController.memory }}
requests:
memory: {{ .Values.kyverno.resources.reportsController.memory }}
backgroundController:
resources:
limits:
memory: {{ .Values.kyverno.resources.backgroundController.memory }}
requests:
memory: {{ .Values.kyverno.resources.backgroundController.memory }}
values/postgres-operator/kustomize/base/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- _manifest.yaml
values/postgres-operator/kustomize/default/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
generatorOptions:
disableNameSuffixHash: true
resources:
- ../base
values/postgres-operator/manifests/postgres-operator.yaml
+34
View File
@@ -0,0 +1,34 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: postgres-operator
namespace: argocd
spec:
destination:
namespace: cnpg
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/postgres-operator
plugin:
name: helmfile
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# - ServerSideApply=true
{{- if .Values.postgres_operator.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
values/postgres-operator/values.yaml.gotmpl
+3
View File
@@ -0,0 +1,3 @@
postgres_operator:
enabled: true
autosync: false
values/prometheus/manifests/prometheus.yaml
+74
View File
@@ -0,0 +1,74 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus
namespace: argocd
spec:
destination:
namespace: prometheus
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/cilium
plugin:
name: helmfile
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
project: sys
syncPolicy:
syncOptions:
- ServerSideApply=true
{{- if .Values.prometheus.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
ignoreDifferences:
- group: apps
kind: Deployment
jqPathExpressions:
- '.spec.template.spec.containers[]?.resources'
- group: monitoring.coreos.com
kind: ServiceMonitor
jqPathExpressions:
- '.spec.endpoints[]?.relabelings'
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jqPathExpressions:
- '.webhooks[]?.clientConfig.caBundle'
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
jqPathExpressions:
- '.webhooks[]?.clientConfig.caBundle'
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus-crd
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "-1"
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prometheus
server: 'https://kubernetes.default.svc'
source:
repoURL: 'https://prometheus-community.github.io/helm-charts'
targetRevision: '14.0.0'
chart: prometheus-operator-crds
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
automated: {}
syncOptions:
- ServerSideApply=true
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
{{- end }}
values/prometheus/values-oceanbox.yaml.gotmpl
+15
View File
@@ -0,0 +1,15 @@
cilium:
enabled: true
nodePort:
enable: true
l2announcement:
enable: true
loadbalancerPool:
enabled: true
cidr:
- 10.255.241.11/32
- 10.255.241.12/32
- 10.255.241.13/32
- 10.255.241.14/32
- 10.255.241.15/32
values/prometheus/values.yaml.gotmpl
+32
View File
@@ -0,0 +1,32 @@
cilium:
enabled: false
autosync: true
spire:
enabled: false
envoy:
enabled: false
hubble:
ui: true
enabled: false
encryption:
enabled: true
type: wireguard
kubeProxyReplacement: true
l2announcement:
enabled: false
nodePort:
enabled: false
gatewayAPI:
enabled: false
ingressController:
enabled: false
defaultClass: false
loadbalancerMode: shared
policyAuditMode: false
upgradeCompatability: 1.15
k8sServiceHost: localhost
k8sServicePort: 7445
loadbalancerPool:
enabled: false
cidr: []
values/prometheus/values/prometheus.yaml.gotmpl
+106
View File
@@ -0,0 +1,106 @@
authentication:
mutual:
spire:
enabled: {{ .Values.cilium.spire.enabled }}
cgroup:
autoMount:
enabled: false
hostRoot: /sys/fs/cgroup
dashboards:
enabled: true
namespace: prometheus
enableXTSocketFallback: false
encryption:
enabled: {{ .Values.cilium.encryption.enabled }}
type: {{ .Values.cilium.encryption.type}}
envoy:
enabled: {{ .Values.cilium.envoy.enabled }}
prometheus:
serviceMonitor:
enabled: {{ .Values.cilium.envoy.enabled }}
extraConfig:
enable-envoy-config: "true"
hubble:
enabled: true
tls:
auto:
method: cronJob
metrics:
dashboards:
enabled: true
namespace: prometheus
enabled:
- dns:query;ignoreAAAA
- drop
- tcp
- flow
- icmp
- policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace
- httpV2:exemplars=false;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction
port: 12304
serviceMonitor:
enabled: true
redact:
enabled: true
relay:
enabled: true
prometheus:
enabled: true
serviceMonitor:
enabled: true
ui:
enabled: {{ .Values.cilium.hubble.ui }}
ipam:
mode: kubernetes
kubeProxyReplacement: {{ .Values.cilium.kubeProxyReplacement }}
l2announcements:
enabled: {{ .Values.cilium.l2announcement.enabled }}
k8sServiceHost: {{ .Values.cilium.k8sServiceHost }}
k8sServicePort: {{ .Values.cilium.k8sServicePort }}
nodePort:
enabled: {{ .Values.cilium.nodePort.enabled }}
gatewayAPI:
enabled: {{ .Values.cilium.gatewayAPI.enabled }}
ingressController:
enabled: {{ .Values.cilium.ingressController.enabled }}
default: {{ .Values.cilium.ingressController.defaultClass }}
loadbalancerMode: {{ .Values.cilium.ingressController.loadbalancerMode }}
operator:
dashboards:
enabled: true
namespace: prometheus
prometheus:
enabled: true
port: 12301
serviceMointor:
enabled: true
port: 12302
rollOutPods: true
policyAuditMode: {{ .Values.cilium.policyAuditMode }}
prometheus:
enabled: true
port: 12300
serviceMonitor:
enabled: true
rollOutCiliumPods: true
securityContext:
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
cleanCiliumState:
- NET_ADMIN
- SYS_ADMIN
- SYS_RESOURCE
{{- with .Values.cilium.upgradeCompatability}}
upgradeCompatability: {{ . }}
{{- end }}
values/velero/kustomize/base/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- _manifest.yaml
values/velero/kustomize/default/kustomization.yaml
+4
View File
@@ -0,0 +1,4 @@
generatorOptions:
disableNameSuffixHash: true
resources:
- ../base
values/velero/manifests/velero.yaml
+34
View File
@@ -0,0 +1,34 @@
{{- if .Values.clusterConfig.argo.enabled }}
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: velero
namespace: argocd
spec:
destination:
namespace: velero
server: 'https://kubernetes.default.svc'
sources:
- repoURL: {{ .Values.clusterConfig.manifests }}
targetRevision: HEAD
path: helmfiles/velero
plugin:
name: helmfile
env:
- name: CLUSTER_NAME
value: {{ .Values.clusterConfig.cluster }}
project: sys
syncPolicy:
managedNamespaceMetadata:
labels:
component: sys
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# - ServerSideApply=true
{{- if .Values.velero.autosync }}
automated:
prune: true
# selfHeal: false
{{- end }}
{{- end }}
values/velero/values.yaml.gotmpl
+28
View File
@@ -0,0 +1,28 @@
velero:
enabled: true
autosync: true
kubeletRootDir: "/var/lib/kubernetes/pods"
bucket: velero-backup
bsl: default
# Opt-in or opt-out pvc backup
# https://velero.io/docs/main/file-system-backup/#to-back-up
backupAllVolumes: true
credentials:
secretName: "s3-credentials"
s3:
region: us-east-1
url: "https://nutanix-obj-s3.kube-system"
insecureSkipTLSVerify: true
resources:
velero:
request:
cpu: 500m
memory: 1Gi
limit:
memory: 2Gi
nodeAgent:
request:
cpu: 500m
memory: 1Gi
limit:
memory: 2Gi
values/velero/values/velero.yaml.gotmpl
+74
View File
@@ -0,0 +1,74 @@
initContainers:
- name: velero-plugin-for-aws
image: velero/velero-plugin-for-aws:v1.9.0
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /target
name: plugins
credentials:
useSecret: true
existingSecret: {{ .Values.velero.credentials.secretName }}
deployNodeAgent: true
nodeAgent:
podVolumePath: {{ .Values.velero.kubeletRootDir }}
resources:
requests:
cpu: {{ .Values.velero.resources.nodeAgent.request.cpu | default "500m" }}
memory: {{ .Values.velero.resources.nodeAgent.request.memory | default "1Gi" }}
limits:
memory: {{ .Values.velero.resources.nodeAgent.limit.memory | default "2Gi" }}
snapshotsEnabled: false
resources:
requests:
cpu: {{ .Values.velero.resources.velero.request.cpu | default "500m" }}
memory: {{ .Values.velero.resources.velero.request.memory | default "1Gi" }}
limits:
memory: {{ .Values.velero.resources.velero.limit.memory | default "1Gi" }}
configuration:
uploaderType: kopia
# Backup all volumes by default
defaultVolumesToFsBackup: {{ .Values.velero.backupAllVolumes }}
## https://velero.io/docs/v1.6/api-types/backupstoragelocation/
backupStorageLocation:
- name: {{ .Values.velero.bsl }}
bucket: {{ .Values.velero.bucket }}
provider: aws
default: true
## prefix is the directory under which all Velero data should be stored within the bucket. Optional.
prefix: {{ .Values.cluster_config.cluster }}/velero
accessMode: ReadWrite
config:
## ONLY us-east-1 region is supported by nutanix
region: {{ .Values.velero.s3.region }}
s3ForcePathStyle: "true"
s3Url: {{ .Values.velero.s3.url }}
{{- if .Values.velero.s3.insecureSkipTLSVerify }}
insecureSkipTLSVerify: true
{{- end }}
metrics:
serviceMonitor:
enabled: true
additionalLabels:
k8s-app: "velero"
release: "prometheus"
prometheusRule:
enabled: true
# namespace: ""
# Rules to be deployed
spec:
- alert: VeleroBackupPartialFailures
annotations:
message: Velero backup {{` {{ $labels.schedule }} `}} has {{` {{$value | humanizePercentage}} `}} partialy failed backups.
expr: |-
velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
for: 15m
labels:
severity: critical
- alert: VeleroBackupFailures
annotations:
message: Velero backup {{` {{$labels.schedule}} `}} has {{` {{$value | humanizePercentage}} `}} failed backups.
expr: |-
velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
for: 15m
labels:
severity: critical