From 7f30f1c9d8b6b885081ad81e3fa3c6849b3f3548 Mon Sep 17 00:00:00 2001 From: Max Audron Date: Wed, 27 Sep 2023 12:49:16 +0200 Subject: test kubernetes deployment --- flake.nix | 18 ++++++++++++--- machines/nixbuilder/default.nix | 24 ++++++++++++++++++++ machines/nixbuilder/hardware-configuration.nix | 9 ++++++++ machines/nixos-test/default.nix | 23 ------------------- machines/nixos-test/hardware-configuration.nix | 9 -------- machines/test/default.nix | 20 +++++++++++++++-- machines/test2/default.nix | 31 ++++++++++++++++++++++++++ modules/common/default.nix | 2 +- modules/default.nix | 1 + modules/gitlab/default.nix | 24 ++++++++++++++++++++ modules/kubernetes/default.nix | 5 ++--- modules/wireguard/default.nix | 2 +- modules/wireguard/options.nix | 5 +++++ secrets | 2 +- 14 files changed, 132 insertions(+), 43 deletions(-) create mode 100644 machines/nixbuilder/default.nix create mode 100644 machines/nixbuilder/hardware-configuration.nix delete mode 100644 machines/nixos-test/default.nix delete mode 100644 machines/nixos-test/hardware-configuration.nix create mode 100644 machines/test2/default.nix create mode 100644 modules/gitlab/default.nix diff --git a/flake.nix b/flake.nix index 9836895..808dbfc 100644 --- a/flake.nix +++ b/flake.nix @@ -11,7 +11,7 @@ flake = let system = "x86_64-linux"; - specialArgs = inputs; + specialArgs = inputs // { nodes = self.nixosConfigurations; }; mkSystem = modules: nixpkgs.lib.nixosSystem { inherit specialArgs system; modules = modules; 
@@ -20,8 +20,20 @@ { nixosModules = import ./modules; nixosConfigurations = with self.nixosModules; { - vultr-image = mkSystem [ common users image vultr ]; - nixos-test = mkSystem [ (import ./machines/nixos-test) common users ]; + test1 = mkSystem [ (import ./machines/test) common users vultr wireguard crypto kubernetes ]; + test2 = mkSystem [ (import ./machines/test2) common users vultr wireguard crypto kubernetes ]; + # vultr-image = mkSystem [ common users image vultr ]; + # nixbuilder = mkSystem [ (import ./machines/nixbuilder) common users gitlab { + # users.users = { + # nixbuilder = { + # isNormalUser = true; + # extraGroups = [ "wheel" "docker" ]; + # openssh.authorizedKeys.keys = [ + # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfuzswSmySvmTIiZpCKCEUpOXvETr8sTs49wX7US7yX nixbuilder" + # ]; + # }; + # }; + # } ]; }; }; systems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ]; diff --git a/machines/nixbuilder/default.nix b/machines/nixbuilder/default.nix new file mode 100644 index 0000000..afbfa1c --- /dev/null +++ b/machines/nixbuilder/default.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ]; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + networking.hostName = "cke-nix-builder"; + networking.domain = ""; + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2eIUtbt7RM75ThjKfUjm24QkzkzCSj7hs+GLaaxMeH cardno:12_767_512'' + ]; + + _module.args.nixinate = { + host = "10.49.214.164"; + sshUser = "audron"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; +} diff --git a/machines/nixbuilder/hardware-configuration.nix b/machines/nixbuilder/hardware-configuration.nix new file mode 100644 index 0000000..850f51f --- /dev/null +++ b/machines/nixbuilder/hardware-configuration.nix 
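Review bot: The new `nixbuilder` entry is 14 commented-out lines that embed a complete `users.users.nixbuilder` definition (including an authorized SSH key), with `vultr-image` commented out next to it; commented-out Nix is never evaluated, so it will drift from `machines/nixbuilder/default.nix`, which this commit adds but thereby never builds. Move the user definition into `machines/nixbuilder/default.nix` next to its existing `users.users.root` block and keep the flake to `nixbuilder = mkSystem [ (import ./machines/nixbuilder) common users gitlab ];`, or delete the entry until it is meant to build. Note also that `test1` imports `./machines/test` while `test2` imports `./machines/test2`; renaming the directory to `machines/test1` would make the mapping obvious.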
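Review bot: `machines/nixbuilder/default.nix` is added, but the only flake entry that would evaluate it is commented out, so nothing in this commit builds or type-checks the file. Apart from `hostName`, `host` and the added `sshUser`, it is the deleted `machines/nixos-test/default.nix` line for line, and the new `hardware-configuration.nix` has the same blob (850f51f) as the deleted one, so a `git mv` of the directory would keep history instead of a delete/create pair. `sshUser = "audron"` and root's `authorizedKeys` refer to accounts not defined in this file; presumably the `users` module supplies them, and a one-line comment saying so would spare the next reader the search.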
@@ -0,0 +1,9 @@ +{ modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub.device = "/dev/sda"; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; }; + +} diff --git a/machines/nixos-test/default.nix b/machines/nixos-test/default.nix deleted file mode 100644 index 651ae82..0000000 --- a/machines/nixos-test/default.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, lib, pkgs, ... }: - -{ - imports = [ - ./hardware-configuration.nix - ]; - - boot.tmp.cleanOnBoot = true; - zramSwap.enable = true; - networking.hostName = "default"; - networking.domain = ""; - services.openssh.enable = true; - users.users.root.openssh.authorizedKeys.keys = [ - ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2eIUtbt7RM75ThjKfUjm24QkzkzCSj7hs+GLaaxMeH cardno:12_767_512'' - ]; - - _module.args.nixinate = { - host = "10.49.212.3"; - buildOn = "remote"; - substituteOnTarget = true; - hermetic = false; - }; -} diff --git a/machines/nixos-test/hardware-configuration.nix b/machines/nixos-test/hardware-configuration.nix deleted file mode 100644 index 850f51f..0000000 --- a/machines/nixos-test/hardware-configuration.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ modulesPath, ... }: -{ - imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.loader.grub.device = "/dev/sda"; - boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; - boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; }; - -} diff --git a/machines/test/default.nix b/machines/test/default.nix index 92294be..30ccc3f 100644 --- a/machines/test/default.nix +++ b/machines/test/default.nix 
@@ -3,11 +3,27 @@ { networking = { domain = "vapor.systems"; - hostName = "test"; + hostName = "test1"; + }; + + pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUp0JDfsn8peaZn1N6NxtdQvaElWr1QPeOV1wdgCZDb"; + + wireguard = { + enable = true; + v4 = { address = "10.10.0.1"; }; + v6 = { address = "1"; }; + publicKey = "kgb+qZvIHkMx0Rn1E9+zvKK8Qw5vBOkQ5wtO0O1Um1o="; + allowedIPs = [ "10.102.5.0/24" "fd15:3d8c:d429:102:500::/72" ]; + endpoint = "80.240.27.237"; + }; + + kubernetes = { + role = "server"; + advertiseAddress = "80.240.27.237"; }; _module.args.nixinate = { - host = "199.247.6.180"; + host = "80.240.27.237"; sshUser = "audron"; buildOn = "remote"; substituteOnTarget = true; diff --git a/machines/test2/default.nix b/machines/test2/default.nix new file mode 100644 index 0000000..11af08d --- /dev/null +++ b/machines/test2/default.nix @@ -0,0 +1,31 @@ +{ config, lib, pkgs, ... }: + +{ + networking = { + domain = "vapor.systems"; + hostName = "test2"; + }; + + pubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbOAlwYaK4yd7Y2AMZtIFjqY5ihAaVvNm3nduG17dPo"; + + wireguard = { + enable = true; + v4 = { address = "10.10.0.2"; }; + v6 = { address = "2"; }; + publicKey = "oV+exEWmcU3UHS6iSK4rnPZg57D0R84EVJKZyVmEdUc="; + allowedIPs = [ "10.102.5.0/24" "fd15:3d8c:d429:102:500::/72" ]; + endpoint = "140.82.37.154"; + }; + + kubernetes = { + role = "agent"; + }; + + _module.args.nixinate = { + host = "140.82.37.154"; + sshUser = "audron"; + buildOn = "remote"; + substituteOnTarget = true; + hermetic = false; + }; +} diff --git a/modules/common/default.nix b/modules/common/default.nix index f338823..b1df8b2 100644 --- a/modules/common/default.nix +++ b/modules/common/default.nix @@ -12,7 +12,7 @@ }; # Default Packages Set - environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools ]; + environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools git ]; # Security networking.firewall.enable = false; 
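Review bot: `80.240.27.237` is written out three times in this file (`wireguard.endpoint`, `kubernetes.advertiseAddress`, `_module.args.nixinate.host`), and `machines/test2/default.nix` repeats `140.82.37.154` the same way, so the next address change will miss one. Bind it once, e.g. `let publicIP = "80.240.27.237"; in { … endpoint = publicIP; advertiseAddress = publicIP; host = publicIP; }`, or derive the two new options from the nixinate host. `v6 = { address = "1"; }` is presumably a host suffix that the wireguard module expands into the `fd15:3d8c:d429:102:500::/72` range listed in `allowedIPs`; a one-line comment stating that would make the value readable. The module attrset continues past the end of the hunk.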
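Review bot: `networking.firewall.enable = false;` under `# Security` stays in force on every host, and this commit now turns `test1` and `test2` into a k3s server/agent pair advertising on public addresses (`80.240.27.237`, `140.82.37.154`), so the k3s API on 6443 and the wireguard listener are reachable from the internet unless nftables rules are applied somewhere not shown here (the hunk installs the `nftables` package but shows no `networking.nftables` ruleset). If there is no such ruleset, prefer `networking.firewall.enable = true;` with the wireguard port opened and the k3s ports restricted to the wireguard addresses (the kubernetes module already points `serverAddr` at `10.10.0.1`); if there is one, a comment next to this line naming it would stop the setting being read as an oversight. The enclosing attrset continues on both sides of the hunk.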
diff --git a/modules/default.nix b/modules/default.nix index 9c986a7..b2df22e 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -1,6 +1,7 @@ { common = import ./common; crypto = import ./crypto; + gitlab = import ./gitlab; hetzner = import ./hetzner; image = import ./image; kubernetes = import ./kubernetes; diff --git a/modules/gitlab/default.nix b/modules/gitlab/default.nix new file mode 100644 index 0000000..078b467 --- /dev/null +++ b/modules/gitlab/default.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +{ + services.gitlab-runner = { + enable = true; + services.shell = { + registrationConfigFile = "/etc/gitlab/runner-registration"; + executor = "shell"; + tagList = [ "shell" "claranet-de-nix-runner" "nix" ]; + }; + }; + + systemd.services.gitlab-runner = { + serviceConfig = { + # Set `DynamicUser` under `systemd.services.gitlab-runner.serviceConfig` + # to `lib.mkForce false` in your configuration to run this service as root. + # You can also set `User` and `Group` options to run this service as desired user. + # Make sure to restart service or changes won't apply. + DynamicUser = lib.mkForce false; + # User = "nixbuilder"; + # Group = "users"; + }; + }; +} diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix index 20b766f..078545b 100644 --- a/modules/kubernetes/default.nix +++ b/modules/kubernetes/default.nix @@ -83,8 +83,6 @@ in { attrValues (mapAttrs (n: v: "${n}=${toString v}") cfg.taints); kubelet-arg = "cgroup-driver=systemd"; - - no-flannel = true; } // (if cfg.role == "server" then { advertise-address = "${internalIP.v4}"; @@ -110,8 +108,9 @@ in { role = cfg.role; token = "YPoyiPeBpQpB7oK8"; serverAddr = "https://10.10.0.1:6443"; + # clusterInit = true; configPath = "/etc/k3s/config.yaml"; - disableAgent = cfg.role == "agent"; + # disableAgent = cfg.role != "agent"; }; }; } diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix index 345af3e..73396dc 100644 --- a/modules/wireguard/default.nix 
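Review bot: `DynamicUser = lib.mkForce false` with `User`/`Group` left commented out makes the runner service run as root, and with `executor = "shell"` every CI job that matches the `shell`/`nix` tags then executes as root on this host. Uncomment `User = "nixbuilder"; Group = "users";` (and give the user a dedicated group rather than `users`; the `nixbuilder` sketch in flake.nix also carries `wheel`, which a CI account should not need), or keep `DynamicUser` and pick a non-shell executor. `registrationConfigFile = "/etc/gitlab/runner-registration"` must exist on the target but nothing in this commit provisions it; a comment naming where it comes from (presumably the `secrets` submodule) would help.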
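Review bot: `token = "YPoyiPeBpQpB7oK8"` (a context line the commit leaves in place) is the k3s cluster join token as a string literal; anything in a NixOS module ends up in the world-readable Nix store on every node and in git history, and this hunk now relies on it for both the `server` and the `agent` role. Use `services.k3s.tokenFile` pointing at a file deployed out of band (the repo already carries a `secrets` submodule) and rotate the token that has been committed. Separately, `disableAgent` has become a comment with its condition inverted (`cfg.role != "agent"` versus the removed `cfg.role == "agent"`) and `# clusterInit = true;` is left as a comment too; delete the dead lines or replace them with a statement of intent such as `# disableAgent left unset: the server also runs the agent so it can schedule pods`. Dropping `no-flannel` re-enables the default flannel CNI, which looks at odds with the wireguard mesh this commit builds; if that is intended, say so in a comment. The `in {` attrset enclosing this hunk starts and ends outside it.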
+++ b/modules/wireguard/default.nix @@ -15,7 +15,7 @@ with lib; { in { endpoint = - "${node.config.deployment.targetHost}:${toString peer.port}"; + "${node.config.wireguard.endpoint}:${toString peer.port}"; publicKey = peer.publicKey; persistentKeepalive = 25; allowedIPs = [ diff --git a/modules/wireguard/options.nix b/modules/wireguard/options.nix index 69013d0..60a93fc 100644 --- a/modules/wireguard/options.nix +++ b/modules/wireguard/options.nix @@ -15,6 +15,11 @@ with lib; { default = false; }; + endpoint = mkOption { + type = types.str; + description = "Public endpoint of wireguard interface"; + }; + port = mkOption { type = types.int; description = "Port of the wireguard interface (51820)"; diff --git a/secrets b/secrets index c046615..8890cd3 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit c046615c7c2254a7b32d2e8969f068d163ab63ec +Subproject commit 8890cd313ce5dd17b4e723d90ce399cee5a3da8c -- cgit v1.2.3
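Review bot: `node.config.wireguard.endpoint` is now read for every peer, and the `endpoint` option added in options.nix has no default, so evaluation presumably fails as soon as any peer node enables wireguard without setting `endpoint` (for instance a node reachable only over the mesh). Either declare the option as `type = types.nullOr types.str; default = null;` and omit the `endpoint` attribute from this peer entry when it is null, or state in the option description that it is mandatory on every wireguard-enabled node. The peer loop that builds this attrset starts outside the hunk.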
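Review bot: The `endpoint` option description does not say the value is a bare host or IP; `modules/wireguard/default.nix` appends `:${toString peer.port}` itself, so a value that already carries a port would yield `host:port:port`. Suggest `description = "Public host or IP of the wireguard endpoint, without port (the port comes from the port option)";` and, since there is no default, a sentence that it is required on every wireguard-enabled node.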