From 1f91305b6eea9b9a5a2569abdeb5dbbe1ba4a95c Mon Sep 17 00:00:00 2001
From: Evan Reichard
Date: Sat, 25 Jan 2025 11:50:54 -0500
Subject: [PATCH] rke2 base config

---
 README.md      |   5 +-
 flake.nix      |  14 ++++++
 hosts/rke2.nix | 128 +++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 145 insertions(+), 2 deletions(-)
 create mode 100644 hosts/rke2.nix

diff --git a/README.md b/README.md
index 5d997a6..2b71292 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ scp -r * nixos@10.10.10.10:/tmp/
 ## Partition Drives
 ```bash
-# WARNING: Be sure to check drive mappings
+# Validate Disk
 sudo fdisk -l
 # Partition Disk
@@ -17,7 +17,7 @@ sudo nix \
   --experimental-features "nix-command flakes" \
   run github:nix-community/disko -- \
   --mode disko \
-  --flake /tmp#lin-va-llama1
+  --flake /tmp#lin-va-rke1
 ```
 ## Install NixOS
@@ -25,6 +25,7 @@ sudo nix \
 ```bash
 # Install
 sudo nixos-install --flake /tmp#lin-va-llama1
+sudo nixos-install --flake /tmp#lin-va-rke1
 # Reboot
 sudo reboot
diff --git a/flake.nix b/flake.nix
index 95072b3..20ab350 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,7 @@ outputs = { self, nixpkgs, disko }: {
     nixosConfigurations.lin-va-llama1 = nixpkgs.lib.nixosSystem {
+      # LLaMA C++ Server
       system = "x86_64-linux";
       modules = [
         disko.nixosModules.disko
@@ -18,6 +19,7 @@
       ];
     };
+    # K3s Server
     nixosConfigurations.lin-va-k3s1 = nixpkgs.lib.nixosSystem {
       system = "x86_64-linux";
       modules = [
@@ -28,5 +30,17 @@
         }
       ];
     };
+
+    # RKE2 Server
+    nixosConfigurations.lin-va-rke1 = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        disko.nixosModules.disko
+        ./hosts/rke2.nix
+        {
+          networking.hostName = "lin-va-rke1";
+        }
+      ];
+    };
   };
 }
diff --git a/hosts/rke2.nix b/hosts/rke2.nix
new file mode 100644
index 0000000..fe57692
--- /dev/null
+++ b/hosts/rke2.nix
@@ -0,0 +1,128 @@
+{ config, pkgs, ... }:
+
+{
+  # Enable Flakes
+  nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+  # System Configuration
+  boot.kernelModules = [ "nvme_tcp" ]; # OpenEBS Mayastor Requirement
+  boot.kernel.sysctl = {
+    "vm.nr_hugepages" = 1024;
+  };
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot";
+
+  # Disk Configuration
+  disko.devices = {
+    disk = {
+      nvme0n1 = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = {
+              size = "512M";
+              type = "EF00"; # EFI
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+                mountOptions = [ "umask=0077" ];
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  # Network Configuration
+  networking = {
+    networkmanager.enable = true;
+    firewall = {
+      enable = true;
+
+      # https://docs.rke2.io/install/requirements#networking
+      allowedTCPPorts = [
+        # Control Plane
+        6443 # Kubernetes API
+        9345 # RKE2 supervisor API
+        2379 # etcd Client Port
+        2380 # etcd Peer Port
+        2381 # etcd Metrics Port
+
+        # Node Communication
+        10250 # kubelet metrics
+        9099 # Canal CNI health checks
+      ];
+
+      allowedUDPPorts = [
+        8472 # Canal CNI with VXLAN
+        # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
+        # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
+      ];
+    };
+  };
+
+  # Enable RKE2
+  services.rke2 = {
+    enable = true;
+
+    disable = [
+      "rke2-ingress-nginx"
+    ];
+
+    # -------------------
+    # --- Server Node ---
+    # -------------------
+    role = "server";
+
+    # -------------------
+    # --- Worker Node ---
+    # -------------------
+    # role = "agent";
+    # serverAddr = "https://10.0.0.10:6443"
+    # tokenFile = "";
+    # agentTokenFile = "";
+  };
+
+
+  # Enable SSH Server
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false; # Disable Password Login
+      PermitRootLogin = "prohibit-password"; # Disable Password Login
+    };
+  };
+
+  # User Configuration
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA8P84lWL/p13ZBFNwITm/dLWWL8s9pVmdOImM5gaJAiTLY+DheUvG6YsveB2/5STseiJ34g7Na9TW1mtTLL8zDqPvj3NbprQiYlLJKMbCk6dtfdD4nLMHl8B48e1h699XiZDp2/c+jJb0MkLOFrps+FbPqt7pFt1Pj29tFy8BCg0LGndu6KO+HqYS+aM5tp5hZESo1RReiJ8aHsu5X7wW46brN4gfyyu+8X4etSZAB9raWqlln9NKK7G6as6X+uPypvSjYGSTC8TSePV1iTPwOxPk2+1xBsK7EBLg3jNrrYaiXLnZvBOOhm11JmHzqEJ6386FfQO+0r4iDVxmvi+ojw== rsa-key-20141114"
+    ];
+    hashedPassword = null; # Disable Password Login
+  };
+
+  # System Packages
+  environment.systemPackages = with pkgs; [
+    k9s
+    kubectl
+    kubernetes-helm
+    nfs-utils
+    vim
+  ];
+
+  # System State Version
+  system.stateVersion = "24.11";
+}
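Review bot: The `allowedTCPPorts` list in the `networking.firewall` block opens the etcd ports 2379, 2380 and 2381 on every interface, while the linked RKE2 networking requirements only expect those to be reachable from other server nodes, so on a host with a public-facing NIC the etcd client, peer and metrics listeners are exposed beyond the cluster. Consider scoping them to the cluster-facing interface, e.g. `interfaces."<cluster-iface>".allowedTCPPorts = [ 2379 2380 2381 ];` (placeholder interface name), keeping only 6443 and 9345 in the global list, or dropping the etcd entries entirely while this is a single-node server that no peer joins. The comment on `hashedPassword = null; # Disable Password Login` under `users.users.root` also overstates that setting: null is the option's default and, as far as I recall, with the default `users.mutableUsers = true` it leaves whatever root password was entered at install time in place, so a comment such as `# no declarative password; console login still depends on the password set at install` would be more accurate, or set `users.mutableUsers = false` if locking root is the intent. A smaller point: the commented-out `# serverAddr = "https://10.0.0.10:6443"` lacks the trailing semicolon and would fail to evaluate once uncommented.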