-rw-r--r--flake.nix18
-rw-r--r--machines/nixbuilder/default.nix (renamed from machines/nixos-test/default.nix)5
-rw-r--r--machines/nixbuilder/hardware-configuration.nix (renamed from machines/nixos-test/hardware-configuration.nix)0
-rw-r--r--machines/test/default.nix20
-rw-r--r--machines/test2/default.nix31
-rw-r--r--modules/common/default.nix2
-rw-r--r--modules/default.nix1
-rw-r--r--modules/gitlab/default.nix24
-rw-r--r--modules/kubernetes/default.nix5
-rw-r--r--modules/wireguard/default.nix2
-rw-r--r--modules/wireguard/options.nix5
m---------secrets0
12 files changed, 101 insertions, 12 deletions
diff --git a/flake.nix b/flake.nix
index 9836895..808dbfc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -11,7 +11,7 @@
flake =
let
system = "x86_64-linux";
- specialArgs = inputs;
+ specialArgs = inputs // { nodes = self.nixosConfigurations; };
mkSystem = modules: nixpkgs.lib.nixosSystem {
inherit specialArgs system;
modules = modules;
@@ -20,8 +20,20 @@
{
nixosModules = import ./modules;
nixosConfigurations = with self.nixosModules; {
- vultr-image = mkSystem [ common users image vultr ];
- nixos-test = mkSystem [ (import ./machines/nixos-test) common users ];
+ test1 = mkSystem [ (import ./machines/test) common users vultr wireguard crypto kubernetes ];
+ test2 = mkSystem [ (import ./machines/test2) common users vultr wireguard crypto kubernetes ];
+ # vultr-image = mkSystem [ common users image vultr ];
+ # nixbuilder = mkSystem [ (import ./machines/nixbuilder) common users gitlab {
+ # users.users = {
+ # nixbuilder = {
+ # isNormalUser = true;
+ # extraGroups = [ "wheel" "docker" ];
+ # openssh.authorizedKeys.keys = [
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfuzswSmySvmTIiZpCKCEUpOXvETr8sTs49wX7US7yX nixbuilder"
+ # ];
+ # };
+ # };
+ # } ];
};
};
systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ];
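Review bot: The commented-out `nixbuilder` definition puts the CI builder account in `wheel` and `docker`, and membership of `docker` is root-equivalent on the host, so a job running as that user could take over the builder if this block is ever uncommented. If the intent is a low-privilege build account, keep it out of both groups: `extraGroups = [ ];` and grant any Nix build access through `nix.settings.trusted-users` or `allowed-users` instead. Dead configuration carrying an authorized key is also easy to revive by accident; either delete the block or move it into `machines/nixbuilder/default.nix` where the hostname and deployment target for this machine already live.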
diff --git a/machines/nixos-test/default.nix b/machines/nixbuilder/default.nix
index 651ae82..afbfa1c 100644
--- a/machines/nixos-test/default.nix
+++ b/machines/nixbuilder/default.nix
@@ -7,7 +7,7 @@
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
- networking.hostName = "default";
+ networking.hostName = "cke-nix-builder";
networking.domain = "";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
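Review bot: This host enables `services.openssh` and installs keys directly on `root`, but nothing in the hunk restricts root login to key auth or disables password auth, so the sshd defaults decide what root can do. Pin it explicitly next to the `enable` line: `services.openssh.settings.PermitRootLogin = "prohibit-password";` and `services.openssh.settings.PasswordAuthentication = false;`. The second hunk adds `sshUser = "audron"` for deployments, so it looks like root keys may not even be needed here; if deployment goes through that user, consider dropping the root keys. The `authorizedKeys.keys` list opened on the last line continues outside this hunk.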
@@ -15,7 +15,8 @@
];
_module.args.nixinate = {
- host = "10.49.212.3";
+ host = "10.49.214.164";
+ sshUser = "audron";
buildOn = "remote";
substituteOnTarget = true;
hermetic = false;
diff --git a/machines/nixos-test/hardware-configuration.nix b/machines/nixbuilder/hardware-configuration.nix
index 850f51f..850f51f 100644
--- a/machines/nixos-test/hardware-configuration.nix
+++ b/machines/nixbuilder/hardware-configuration.nix
diff --git a/machines/test/default.nix b/machines/test/default.nix
index 92294be..30ccc3f 100644
--- a/machines/test/default.nix
+++ b/machines/test/default.nix
@@ -3,11 +3,27 @@
{
networking = {
domain = "vapor.systems";
- hostName = "test";
+ hostName = "test1";
+ };
+
+ pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUp0JDfsn8peaZn1N6NxtdQvaElWr1QPeOV1wdgCZDb";
+
+ wireguard = {
+ enable = true;
+ v4 = { address = "10.10.0.1"; };
+ v6 = { address = "1"; };
+ publicKey = "kgb+qZvIHkMx0Rn1E9+zvKK8Qw5vBOkQ5wtO0O1Um1o=";
+ allowedIPs = [ "10.102.5.0/24" "fd15:3d8c:d429:102:500::/72" ];
+ endpoint = "80.240.27.237";
+ };
+
+ kubernetes = {
+ role = "server";
+ advertiseAddress = "80.240.27.237";
};
_module.args.nixinate = {
- host = "199.247.6.180";
+ host = "80.240.27.237";
sshUser = "audron";
buildOn = "remote";
substituteOnTarget = true;
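Review bot: `kubernetes.advertiseAddress` is set to the public Vultr IP (`80.240.27.237`) while the k3s module in this same commit points agents at `serverAddr = "https://10.10.0.1:6443"`, the WireGuard address assigned here as `v4.address`; advertising the public address means the API server tells peers to reach it outside the tunnel, and the common module leaves the host firewall disabled, so 6443 would be reachable from the internet. Unless the public address is deliberately needed, advertise the WireGuard address: `advertiseAddress = "10.10.0.1";`. I cannot see how the kubernetes module consumes this option (its hunk uses `internalIP.v4`), so confirm which value actually reaches `advertise-address` before changing it. `v6 = { address = "1"; }` also looks like a suffix the WireGuard module expands; a comment such as `# last hextet of the fd15:3d8c:d429:102:500:: prefix` would make that intent visible.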
diff --git a/machines/test2/default.nix b/machines/test2/default.nix
new file mode 100644
index 0000000..11af08d
--- /dev/null
+++ b/machines/test2/default.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+{
+ networking = {
+ domain = "vapor.systems";
+ hostName = "test2";
+ };
+
+ pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbOAlwYaK4yd7Y2AMZtIFjqY5ihAaVvNm3nduG17dPo";
+
+ wireguard = {
+ enable = true;
+ v4 = { address = "10.10.0.2"; };
+ v6 = { address = "2"; };
+ publicKey = "oV+exEWmcU3UHS6iSK4rnPZg57D0R84EVJKZyVmEdUc=";
+ allowedIPs = [ "10.102.5.0/24" "fd15:3d8c:d429:102:500::/72" ];
+ endpoint = "140.82.37.154";
+ };
+
+ kubernetes = {
+ role = "agent";
+ };
+
+ _module.args.nixinate = {
+ host = "140.82.37.154";
+ sshUser = "audron";
+ buildOn = "remote";
+ substituteOnTarget = true;
+ hermetic = false;
+ };
+}
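Review bot: `wireguard.allowedIPs` here is identical to the one on test1 (`10.102.5.0/24` and `fd15:3d8c:d429:102:500::/72`), and the WireGuard module in this commit uses each node's value as the peer's `allowedIPs` on the other hosts. With two nodes this works, but a peer's allowed-IPs is also the set of source addresses WireGuard will accept from that peer, so overlapping ranges mean either node can spoof the other's traffic, and on a third node the kernel would route the whole range to whichever peer is configured last. If these are meant to be per-node pod/service ranges, split them (for example `10.102.5.0/25` here and the other half on test1), and add a comment saying what the ranges represent. The kubelet and k3s agent on this host listen on a public interface with the firewall disabled, so the same exposure concern as for the server applies; I have hedged this because the listen addresses are set by the kubernetes module, not visible here.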
diff --git a/modules/common/default.nix b/modules/common/default.nix
index f338823..b1df8b2 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -12,7 +12,7 @@
};
# Default Packages Set
- environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools ];
+ environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools git ];
# Security
networking.firewall.enable = false;
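Review bot: `networking.firewall.enable = false` is unchanged here, but this commit now applies `common` to two internet-facing Vultr hosts running k3s and WireGuard (test1 and test2 in `flake.nix`), so every listening service on those hosts, including the Kubernetes API and kubelet, is exposed without a host firewall. A minimal allow-list keeps the deployment working while closing the rest: `networking.firewall.enable = true;` plus `networking.firewall.allowedTCPPorts = [ 22 ];` and `networking.firewall.allowedUDPPorts = [ <wireguard port> ];`, with cluster traffic trusted only on the WireGuard interface via `networking.firewall.trustedInterfaces`. If the firewall is disabled on purpose because nftables is managed elsewhere, say so in the `# Security` comment rather than leaving it as a bare off switch. The port numbers are not visible in this hunk, so the exact list needs to come from the wireguard and kubernetes modules.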
diff --git a/modules/default.nix b/modules/default.nix
index 9c986a7..b2df22e 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,7 @@
{
common = import ./common;
crypto = import ./crypto;
+ gitlab = import ./gitlab;
hetzner = import ./hetzner;
image = import ./image;
kubernetes = import ./kubernetes;
diff --git a/modules/gitlab/default.nix b/modules/gitlab/default.nix
new file mode 100644
index 0000000..078b467
--- /dev/null
+++ b/modules/gitlab/default.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.gitlab-runner = {
+ enable = true;
+ services.shell = {
+ registrationConfigFile = "/etc/gitlab/runner-registration";
+ executor = "shell";
+ tagList = [ "shell" "claranet-de-nix-runner" "nix" ];
+ };
+ };
+
+ systemd.services.gitlab-runner = {
+ serviceConfig = {
+ # Set `DynamicUser` under `systemd.services.gitlab-runner.serviceConfig`
+ # to `lib.mkForce false` in your configuration to run this service as root.
+ # You can also set `User` and `Group` options to run this service as desired user.
+ # Make sure to restart service or changes won't apply.
+ DynamicUser = lib.mkForce false;
+ # User = "nixbuilder";
+ # Group = "users";
+ };
+ };
+}
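Review bot: Forcing `DynamicUser = false` without setting `User`/`Group` runs the GitLab runner as root, and with `executor = "shell"` every CI job script is executed directly on this host as root, so anyone who can push to a project using the `claranet-de-nix-runner` tag gets root on the builder. Uncomment and pin the service account, `User = "nixbuilder";` and `Group = "users";`, and make sure that account is not in `wheel` or `docker` (the commented flake block currently puts it in both). If root is required because Nix builds need it, prefer a dedicated unprivileged user listed in `nix.settings.trusted-users` over running the runner itself as root. `registrationConfigFile = "/etc/gitlab/runner-registration"` holds the registration token; it is read from the filesystem rather than the store, which is right, but a short comment on the expected owner and mode (root, 0600) would help whoever provisions it.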
diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix
index 20b766f..078545b 100644
--- a/modules/kubernetes/default.nix
+++ b/modules/kubernetes/default.nix
@@ -83,8 +83,6 @@ in {
attrValues (mapAttrs (n: v: "${n}=${toString v}") cfg.taints);
kubelet-arg = "cgroup-driver=systemd";
-
- no-flannel = true;
} // (if cfg.role == "server" then {
advertise-address = "${internalIP.v4}";
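Review bot: Removing `no-flannel = true` turns the flannel overlay back on, and flannel's VXLAN traffic goes out over the interface that holds the node IP; if that is the public Vultr address rather than the WireGuard interface, pod-to-pod traffic between test1 and test2 crosses the internet unencrypted with the host firewall disabled. Pin the overlay to the tunnel in the same config attrset, for example `flannel-iface = "wg0";` and `node-ip = "${internalIP.v4}";`, using whatever interface name the wireguard module creates. I cannot see where `internalIP` comes from, so confirm it resolves to the WireGuard address before relying on it. The attrset being built here starts before the hunk and its `server` branch continues after it.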
@@ -110,8 +108,9 @@ in {
role = cfg.role;
token = "YPoyiPeBpQpB7oK8";
serverAddr = "https://10.10.0.1:6443";
+ # clusterInit = true;
configPath = "/etc/k3s/config.yaml";
- disableAgent = cfg.role == "agent";
+ # disableAgent = cfg.role != "agent";
};
};
}
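Review bot: `token = "YPoyiPeBpQpB7oK8"` is a hard-coded k3s join token that ends up in the world-readable Nix store on every host that evaluates this module, and anyone who reads it can join nodes to the cluster; the commit already touches this block, so it is a good moment to move it out. The k3s module accepts a file path instead: `tokenFile = "/run/secrets/k3s-token";` with the file provisioned from the `secrets` submodule that this commit bumps, and the literal `token` line removed and the current value rotated since it is now in git history. Commenting out `disableAgent` means servers now also schedule workloads; if that is intended, a one-line comment saying so would stop the next reader from restoring the line. The commented `clusterInit` and `disableAgent` lines are dead configuration and would be clearer deleted.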
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index 345af3e..73396dc 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -15,7 +15,7 @@ with lib; {
in
{
endpoint =
- "${node.config.deployment.targetHost}:${toString peer.port}";
+ "${node.config.wireguard.endpoint}:${toString peer.port}";
publicKey = peer.publicKey;
persistentKeepalive = 25;
allowedIPs = [
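Review bot: The peer endpoint is now read from `node.config.wireguard.endpoint`, which the options file in this commit declares as `types.str` with no default, so evaluating this peer list for any node in `nodes` that does not set `wireguard.endpoint` will fail at evaluation time rather than skip the node. Either filter the peers on `node.config.wireguard.enable` before building this attrset (the `let` that selects `node` and `peer` starts above the hunk, so I cannot see whether it already does), or make the option optional and guard it. A short comment on the `endpoint` line, such as `# public host:port other nodes dial; the address comes from the node's own wireguard.endpoint option`, would document the contract. The `allowedIPs` list opened on the last line continues outside this hunk.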
diff --git a/modules/wireguard/options.nix b/modules/wireguard/options.nix
index 69013d0..60a93fc 100644
--- a/modules/wireguard/options.nix
+++ b/modules/wireguard/options.nix
@@ -15,6 +15,11 @@ with lib; {
default = false;
};
+ endpoint = mkOption {
+ type = types.str;
+ description = "Public endpoint of wireguard interface";
+ };
+
port = mkOption {
type = types.int;
description = "Port of the wireguard interface (51820)";
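Review bot: The new `endpoint` option's description does not say whether the value is an address or a host name, or that it must not carry a port, yet the WireGuard module in this commit appends `:${toString peer.port}` to it, so a value like `"1.2.3.4:51820"` would silently produce an invalid endpoint. Tighten the description: `description = "Public IP address or DNS name (without port) that other nodes use to reach this node's WireGuard interface; the port is taken from the port option.";`. Since the option has no default and is required by every node's peer list, either add `default = null;` with `types.nullOr types.str` or note in the description that it is mandatory when `enable` is true.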
diff --git a/secrets b/secrets
-Subproject c046615c7c2254a7b32d2e8969f068d163ab63e
+Subproject 8890cd313ce5dd17b4e723d90ce399cee5a3da8