authorMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
committerMax Audron <audron@cocaine.farm>2023-08-11 16:51:35 +0200
commit6e1d5200ced185ec7823d65a3877b710b4719130 (patch)
treee31c6c1f9e5675e858b914b66141571f4b611308
parentcleanup phaenn config (diff)
refactor k8s module
-rw-r--r--modules/cri-o/default.nix159
-rw-r--r--modules/k3s/default.nix128
-rw-r--r--modules/kubernetes/default.nix16
3 files changed, 2 insertions, 301 deletions
diff --git a/modules/cri-o/default.nix b/modules/cri-o/default.nix
deleted file mode 100644
index 0a1860a..0000000
--- a/modules/cri-o/default.nix
+++ /dev/null
@@ -1,159 +0,0 @@
-{ config, lib, pkgs, utils, ... }:
-
-with lib;
-let
- cfg = config.virtualisation.cri-o;
-
- crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; });
-
- format = pkgs.formats.toml { };
-
- cfgFile = format.generate "00-default.conf" cfg.settings;
-in
-{
- imports = [
- (mkRenamedOptionModule [ "virtualisation" "cri-o" "registries" ] [ "virtualisation" "containers" "registries" "search" ])
- ];
-
- meta = {
- maintainers = teams.podman.members;
- };
-
- options.virtualisation.cri-o = {
- enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";
-
- storageDriver = mkOption {
- type = types.enum [ "btrfs" "overlay" "vfs" "zfs" ];
- default = "overlay";
- description = "Storage driver to be used";
- };
-
- logLevel = mkOption {
- type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
- default = "info";
- description = "Log level to be used";
- };
-
- pauseImage = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Override the default pause image for pod sandboxes";
- example = "k8s.gcr.io/pause:3.2";
- };
-
- pauseCommand = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Override the default pause command";
- example = "/pause";
- };
-
- runtime = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Override the default runtime";
- example = "crun";
- };
-
- extraPackages = mkOption {
- type = with types; listOf package;
- default = [ ];
- example = literalExpression ''
- [
- pkgs.gvisor
- ]
- '';
- description = ''
- Extra packages to be installed in the CRI-O wrapper.
- '';
- };
-
- package = mkOption {
- type = types.package;
- default = crioPackage;
- internal = true;
- description = ''
- The final CRI-O package (including extra packages).
- '';
- };
-
- networkDir = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = "Override the network_dir option.";
- internal = true;
- };
-
- settings = mkOption {
- type = format.type;
- default = { };
- description = ''
- Configuration for cri-o, see
- <link xlink:href="https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md"/>.
- '';
- };
- };
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ cfg.package pkgs.cri-tools ];
-
- environment.etc."crictl.yaml".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";
-
- virtualisation.cri-o.settings.crio = {
- storage_driver = cfg.storageDriver;
-
- image = {
- pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage;
- pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
- };
-
- network = {
- plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
- network_dir = mkIf (cfg.networkDir != null) cfg.networkDir;
- };
-
- runtime = {
- cgroup_manager = "systemd";
- log_level = cfg.logLevel;
- manage_ns_lifecycle = true;
- pinns_path = "${cfg.package}/bin/pinns";
- hooks_dir =
- optional (config.virtualisation.containers.ociSeccompBpfHook.enable)
- config.boot.kernelPackages.oci-seccomp-bpf-hook;
-
- default_runtime = mkIf (cfg.runtime != null) cfg.runtime;
- runtimes = mkIf (cfg.runtime != null) {
- "${cfg.runtime}" = { };
- };
- };
- };
-
- environment.etc."cni/net.d/10-crio-bridge.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf";
- environment.etc."cni/net.d/99-loopback.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/99-loopback.conf";
- environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;
-
- # Enable common /etc/containers configuration
- virtualisation.containers.enable = true;
-
- systemd.services.crio = {
- description = "Container Runtime Interface for OCI (CRI-O)";
- documentation = [ "https://github.com/cri-o/cri-o" ];
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- path = [ cfg.package ];
- serviceConfig = {
- Type = "notify";
- ExecStart = "${cfg.package}/bin/crio";
- ExecReload = "/bin/kill -s HUP $MAINPID";
- TasksMax = "infinity";
- LimitNOFILE = "1048576";
- LimitNPROC = "1048576";
- LimitCORE = "infinity";
- OOMScoreAdjust = "-999";
- TimeoutStartSec = "0";
- Restart = "on-abnormal";
- };
- restartTriggers = [ cfgFile ];
- };
- };
-}
diff --git a/modules/k3s/default.nix b/modules/k3s/default.nix
deleted file mode 100644
index e2aa335..0000000
--- a/modules/k3s/default.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.services.k3s;
-in
-{
- # interface
- options.services.k3s = {
- enable = mkEnableOption "k3s";
-
- package = mkOption {
- type = types.package;
- default = pkgs.k3s;
- defaultText = literalExpression "pkgs.k3s";
- description = "Package that should be used for k3s";
- };
-
- role = mkOption {
- description = ''
- Whether k3s should run as a server or agent.
- Note that the server, by default, also runs as an agent.
- '';
- default = "server";
- type = types.enum [ "server" "agent" ];
- };
-
- serverAddr = mkOption {
- type = types.str;
- description = "The k3s server to connect to. This option only makes sense for an agent.";
- example = "https://10.0.0.10:6443";
- default = "";
- };
-
- token = mkOption {
- type = types.str;
- description = ''
- The k3s token to use when connecting to the server. This option only makes sense for an agent.
- WARNING: This option will expose store your token unencrypted world-readable in the nix store.
- If this is undesired use the tokenFile option instead.
- '';
- default = "";
- };
-
- tokenFile = mkOption {
- type = types.nullOr types.path;
- description = "File path containing k3s token to use when connecting to the server. This option only makes sense for an agent.";
- default = null;
- };
-
- docker = mkOption {
- type = types.bool;
- default = false;
- description = "Use docker to run containers rather than the built-in containerd.";
- };
-
- extraFlags = mkOption {
- description = "Extra flags to pass to the k3s command.";
- type = types.str;
- default = "";
- example = "--no-deploy traefik --cluster-cidr 10.24.0.0/16";
- };
-
- disableAgent = mkOption {
- type = types.bool;
- default = false;
- description = "Only run the server. This option only makes sense for a server.";
- };
-
- configPath = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = "File path containing the k3s YAML config. This is useful when the config is generated (for example on boot).";
- };
- };
-
- # implementation
-
- config = mkIf cfg.enable {
- assertions = [
- {
- assertion = cfg.role == "agent" -> (cfg.configPath != null || cfg.serverAddr != "");
- message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'";
- }
- {
- assertion = cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != "";
- message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'";
- }
- ];
-
- virtualisation.docker = mkIf cfg.docker {
- enable = mkDefault true;
- };
-
- environment.systemPackages = [ config.services.k3s.package ];
-
- systemd.services.k3s = {
- description = "k3s service";
- after = [ "network.service" "firewall.service" ] ++ (optional cfg.docker "docker.service");
- wants = [ "network.service" "firewall.service" ];
- wantedBy = [ "multi-user.target" ];
- path = optional config.boot.zfs.enabled config.boot.zfs.package;
- serviceConfig = {
- # See: https://github.com/rancher/k3s/blob/dddbd16305284ae4bd14c0aade892412310d7edc/install.sh#L197
- Type = if cfg.role == "agent" then "exec" else "notify";
- KillMode = "process";
- Delegate = "yes";
- Restart = "always";
- RestartSec = "5s";
- LimitNOFILE = 1048576;
- LimitNPROC = "infinity";
- LimitCORE = "infinity";
- TasksMax = "infinity";
- ExecStart = concatStringsSep " \\\n " (
- [
- "${cfg.package}/bin/k3s ${cfg.role}"
- ] ++ (optional cfg.docker "--docker")
- ++ (optional cfg.disableAgent "--disable-agent")
- ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}")
- ++ (optional (cfg.token != "") "--token ${cfg.token}")
- ++ (optional (cfg.tokenFile != null) "--token-file ${cfg.tokenFile}")
- ++ (optional (cfg.configPath != null) "--config ${cfg.configPath}")
- ++ [ cfg.extraFlags ]
- );
- };
- };
- };
-}
diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix
index 0e6e522..1cf1f09 100644
--- a/modules/kubernetes/default.nix
+++ b/modules/kubernetes/default.nix
@@ -21,10 +21,6 @@ let
v6 = "${config.wireguard.v6.ula}::${config.wireguard.v6.address}";
};
in {
- disabledModules =
- [ "virtualisation/cri-o.nix" "services/cluster/k3s/default.nix" ];
- imports = [ ../cri-o ../k3s ];
-
options = {
kubernetes = {
role = mkOption {
@@ -64,13 +60,6 @@ in {
};
config = {
- nixpkgs.overlays = [
- (self: super: {
- cri-o = super.callPackage ../../pkgs/cri-o { };
- k3s = super.callPackage ../../pkgs/k3s { };
- })
- ];
-
networking.extraHosts = ''
10.10.0.1 ${clusterDomain}
fd15:3d8c:d429:beef::1 ${clusterDomain}
@@ -79,9 +68,6 @@ in {
environment.etc = {
"k3s/config.yaml" = {
text = generators.toJSON { } ({
- # cluster-init = true;
- token = "YPoyiPeBpQpB7oK8";
-
container-runtime-endpoint = "/run/crio/crio.sock";
node-ip = "${internalIP.v4},${internalIP.v6}";
@@ -118,8 +104,10 @@ in {
services.k3s = {
enable = true;
role = cfg.role;
+ token = "YPoyiPeBpQpB7oK8";
serverAddr = "https://10.10.0.1:6443";
configPath = "/etc/k3s/config.yaml";
+ disableAgent = cfg.role == "agent";
};
virtualisation.cri-o = {
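Review bot: The literal cluster token assigned to `services.k3s.token` in this hunk is still stored world-readable in the Nix store, which is exactly what the deleted local k3s module warned about (its `token` description at lines 225–226) before passing the value as `--token` on the k3s command line (line 306), where it is also visible in process listings; the upstream module that now applies presumably keeps the same `token`/`tokenFile` pair, so `tokenFile = "/PATH/TO/TOKEN";` (placeholder) pointing at a file provisioned outside the store would be the safer form. The third hunk of this file only moves the same literal out of the generated `k3s/config.yaml`, which does not change its exposure. Separately, `disableAgent = cfg.role == "agent";` looks inverted: the deleted module documented that option as "Only run the server. This option only makes sense for a server." and appended `--disable-agent` to `k3s ${cfg.role}`, so on an agent node this would yield `k3s agent --disable-agent`; `disableAgent = cfg.role == "server";` (or dropping the line) is presumably what was intended — confirm against the cluster layout.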