| -rw-r--r-- | modules/cri-o/default.nix | 159 | ||||
| -rw-r--r-- | modules/k3s/default.nix | 128 | ||||
| -rw-r--r-- | modules/kubernetes/default.nix | 16 |
3 files changed, 2 insertions, 301 deletions
diff --git a/modules/cri-o/default.nix b/modules/cri-o/default.nix
deleted file mode 100644
index 0a1860a..0000000
--- a/modules/cri-o/default.nix
+++ /dev/null
@@ -1,159 +0,0 @@
-{ config, lib, pkgs, utils, ... }:
-
-with lib;
-let
- cfg = config.virtualisation.cri-o;
-
- crioPackage = (pkgs.cri-o.override { inherit (cfg) extraPackages; });
-
- format = pkgs.formats.toml { };
-
- cfgFile = format.generate "00-default.conf" cfg.settings;
-in
-{
- imports = [
- (mkRenamedOptionModule [ "virtualisation" "cri-o" "registries" ] [ "virtualisation" "containers" "registries" "search" ])
- ];
-
- meta = {
- maintainers = teams.podman.members;
- };
-
- options.virtualisation.cri-o = {
- enable = mkEnableOption "Container Runtime Interface for OCI (CRI-O)";
-
- storageDriver = mkOption {
- type = types.enum [ "btrfs" "overlay" "vfs" "zfs" ];
- default = "overlay";
- description = "Storage driver to be used";
- };
-
- logLevel = mkOption {
- type = types.enum [ "trace" "debug" "info" "warn" "error" "fatal" ];
- default = "info";
- description = "Log level to be used";
- };
-
- pauseImage = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Override the default pause image for pod sandboxes";
- example = "k8s.gcr.io/pause:3.2";
- };
-
- pauseCommand = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Override the default pause command";
- example = "/pause";
- };
-
- runtime = mkOption {
- type = types.nullOr types.str;
- default = null;
- description = "Override the default runtime";
- example = "crun";
- };
-
- extraPackages = mkOption {
- type = with types; listOf package;
- default = [ ];
- example = literalExpression ''
- [
- pkgs.gvisor
- ]
- '';
- description = ''
- Extra packages to be installed in the CRI-O wrapper.
- '';
- };
-
- package = mkOption {
- type = types.package;
- default = crioPackage;
- internal = true;
- description = ''
- The final CRI-O package (including extra packages).
- '';
- };
-
- networkDir = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = "Override the network_dir option.";
- internal = true;
- };
-
- settings = mkOption {
- type = format.type;
- default = { };
- description = ''
- Configuration for cri-o, see
- <link xlink:href="https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md"/>.
- '';
- };
- };
-
- config = mkIf cfg.enable {
- environment.systemPackages = [ cfg.package pkgs.cri-tools ];
-
- environment.etc."crictl.yaml".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/crictl.yaml";
-
- virtualisation.cri-o.settings.crio = {
- storage_driver = cfg.storageDriver;
-
- image = {
- pause_image = mkIf (cfg.pauseImage != null) cfg.pauseImage;
- pause_command = mkIf (cfg.pauseCommand != null) cfg.pauseCommand;
- };
-
- network = {
- plugin_dirs = [ "${pkgs.cni-plugins}/bin" ];
- network_dir = mkIf (cfg.networkDir != null) cfg.networkDir;
- };
-
- runtime = {
- cgroup_manager = "systemd";
- log_level = cfg.logLevel;
- manage_ns_lifecycle = true;
- pinns_path = "${cfg.package}/bin/pinns";
- hooks_dir =
- optional (config.virtualisation.containers.ociSeccompBpfHook.enable)
- config.boot.kernelPackages.oci-seccomp-bpf-hook;
-
- default_runtime = mkIf (cfg.runtime != null) cfg.runtime;
- runtimes = mkIf (cfg.runtime != null) {
- "${cfg.runtime}" = { };
- };
- };
- };
-
- environment.etc."cni/net.d/10-crio-bridge.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/10-crio-bridge.conf";
- environment.etc."cni/net.d/99-loopback.conf".source = utils.copyFile "${pkgs.cri-o-unwrapped.src}/contrib/cni/99-loopback.conf";
- environment.etc."crio/crio.conf.d/00-default.conf".source = cfgFile;
-
- # Enable common /etc/containers configuration
- virtualisation.containers.enable = true;
-
- systemd.services.crio = {
- description = "Container Runtime Interface for OCI (CRI-O)";
- documentation = [ "https://github.com/cri-o/cri-o" ];
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" ];
- path = [ cfg.package ];
- serviceConfig = {
- Type = "notify";
- ExecStart = "${cfg.package}/bin/crio";
- ExecReload = "/bin/kill -s HUP $MAINPID";
- TasksMax = "infinity";
- LimitNOFILE = "1048576";
- LimitNPROC = "1048576";
- LimitCORE = "infinity";
- OOMScoreAdjust = "-999";
- TimeoutStartSec = "0";
- Restart = "on-abnormal";
- };
- restartTriggers = [ cfgFile ];
- };
- };
-}
diff --git a/modules/k3s/default.nix b/modules/k3s/default.nix
deleted file mode 100644
index e2aa335..0000000
--- a/modules/k3s/default.nix
+++ /dev/null
@@ -1,128 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-let
- cfg = config.services.k3s;
-in
-{
- # interface
- options.services.k3s = {
- enable = mkEnableOption "k3s";
-
- package = mkOption {
- type = types.package;
- default = pkgs.k3s;
- defaultText = literalExpression "pkgs.k3s";
- description = "Package that should be used for k3s";
- };
-
- role = mkOption {
- description = ''
- Whether k3s should run as a server or agent.
- Note that the server, by default, also runs as an agent.
- '';
- default = "server";
- type = types.enum [ "server" "agent" ];
- };
-
- serverAddr = mkOption {
- type = types.str;
- description = "The k3s server to connect to. This option only makes sense for an agent.";
- example = "https://10.0.0.10:6443";
- default = "";
- };
-
- token = mkOption {
- type = types.str;
- description = ''
- The k3s token to use when connecting to the server. This option only makes sense for an agent.
- WARNING: This option will expose store your token unencrypted world-readable in the nix store.
- If this is undesired use the tokenFile option instead.
- '';
- default = "";
- };
-
- tokenFile = mkOption {
- type = types.nullOr types.path;
- description = "File path containing k3s token to use when connecting to the server. This option only makes sense for an agent.";
- default = null;
- };
-
- docker = mkOption {
- type = types.bool;
- default = false;
- description = "Use docker to run containers rather than the built-in containerd.";
- };
-
- extraFlags = mkOption {
- description = "Extra flags to pass to the k3s command.";
- type = types.str;
- default = "";
- example = "--no-deploy traefik --cluster-cidr 10.24.0.0/16";
- };
-
- disableAgent = mkOption {
- type = types.bool;
- default = false;
- description = "Only run the server. This option only makes sense for a server.";
- };
-
- configPath = mkOption {
- type = types.nullOr types.path;
- default = null;
- description = "File path containing the k3s YAML config. This is useful when the config is generated (for example on boot).";
- };
- };
-
- # implementation
-
- config = mkIf cfg.enable {
- assertions = [
- {
- assertion = cfg.role == "agent" -> (cfg.configPath != null || cfg.serverAddr != "");
- message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'";
- }
- {
- assertion = cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != "";
- message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'";
- }
- ];
-
- virtualisation.docker = mkIf cfg.docker {
- enable = mkDefault true;
- };
-
- environment.systemPackages = [ config.services.k3s.package ];
-
- systemd.services.k3s = {
- description = "k3s service";
- after = [ "network.service" "firewall.service" ] ++ (optional cfg.docker "docker.service");
- wants = [ "network.service" "firewall.service" ];
- wantedBy = [ "multi-user.target" ];
- path = optional config.boot.zfs.enabled config.boot.zfs.package;
- serviceConfig = {
- # See: https://github.com/rancher/k3s/blob/dddbd16305284ae4bd14c0aade892412310d7edc/install.sh#L197
- Type = if cfg.role == "agent" then "exec" else "notify";
- KillMode = "process";
- Delegate = "yes";
- Restart = "always";
- RestartSec = "5s";
- LimitNOFILE = 1048576;
- LimitNPROC = "infinity";
- LimitCORE = "infinity";
- TasksMax = "infinity";
- ExecStart = concatStringsSep " \\\n " (
- [
- "${cfg.package}/bin/k3s ${cfg.role}"
- ] ++ (optional cfg.docker "--docker")
- ++ (optional cfg.disableAgent "--disable-agent")
- ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}")
- ++ (optional (cfg.token != "") "--token ${cfg.token}")
- ++ (optional (cfg.tokenFile != null) "--token-file ${cfg.tokenFile}")
- ++ (optional (cfg.configPath != null) "--config ${cfg.configPath}")
- ++ [ cfg.extraFlags ]
- );
- };
- };
- };
-}
diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix
index 0e6e522..1cf1f09 100644
--- a/modules/kubernetes/default.nix +++ b/modules/kubernetes/default.nix @@ -21,10 +21,6 @@ let v6 = "${config.wireguard.v6.ula}::${config.wireguard.v6.address}"; }; in { - disabledModules = - [ "virtualisation/cri-o.nix" "services/cluster/k3s/default.nix" ]; - imports = [ ../cri-o ../k3s ]; - options = { kubernetes = { role = mkOption { @@ -64,13 +60,6 @@ in { }; config = { - nixpkgs.overlays = [ - (self: super: { - cri-o = super.callPackage ../../pkgs/cri-o { }; - k3s = super.callPackage ../../pkgs/k3s { }; - }) - ]; - networking.extraHosts = '' 10.10.0.1 ${clusterDomain} fd15:3d8c:d429:beef::1 ${clusterDomain} @@ -79,9 +68,6 @@ in { environment.etc = { "k3s/config.yaml" = { text = generators.toJSON { } ({ - # cluster-init = true; - token = "YPoyiPeBpQpB7oK8"; - container-runtime-endpoint = "/run/crio/crio.sock"; node-ip = "${internalIP.v4},${internalIP.v6}"; @@ -118,8 +104,10 @@ in { services.k3s = { enable = true; role = cfg.role; + token = "YPoyiPeBpQpB7oK8"; serverAddr = "https://10.10.0.1:6443"; configPath = "/etc/k3s/config.yaml"; + disableAgent = cfg.role == "agent"; }; virtualisation.cri-o = { |
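Review bot: The `token = "…";` line added to `services.k3s` in the last hunk keeps the cluster join token as a literal in the module, so it stays world-readable in the Nix store and in the rendered systemd unit, which is exactly what the removed k3s module's own `token` option warned about (`WARNING: This option will expose store your token unencrypted world-readable in the nix store`); the earlier placement in `environment.etc."k3s/config.yaml"` that the third hunk deletes had the same store exposure, so the commit relocates the secret rather than removing it. The removed local module also passed the value as `--token ${cfg.token}` on the command line, making it visible in the unit file and process listings, and the nixpkgs k3s module re-enabled by dropping `disabledModules` in the first hunk should be checked for the same behaviour. Prefer `tokenFile = "/var/lib/k3s/token";` (illustrative path) pointing at a root-only file provisioned outside the store, and treat a token that has been committed to the repository as needing rotation. Separately, `disableAgent = cfg.role == "agent";` in the same hunk reads as inverted against the removed module's description of that option (`Only run the server. This option only makes sense for a server.`): if a control-plane-only server is intended it should be `cfg.role == "server"`, otherwise an agent node may be handed a server-only flag. The enclosing `config` attribute set starts and ends outside the hunk.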
