From dbb1183018750126918397084715ab22e536736e Mon Sep 17 00:00:00 2001
From: Evan Reichard
Date: Mon, 27 Jan 2025 10:02:49 -0500
Subject: [PATCH] fix
---
hosts/rke2.nix | 224 ++++++++++++++++++++++--------------------------
1 file changed, 102 insertions(+), 122 deletions(-)
diff --git a/hosts/rke2.nix b/hosts/rke2.nix
index fdfb532..0f9e27f 100644
--- a/hosts/rke2.nix
+++ b/hosts/rke2.nix
@@ -10,6 +10,7 @@ serverAddr = lib.mkOption {
type = lib.types.str;
description = "The server to join";
+ default = "";
};
networkConfig = lib.mkOption {
type = lib.types.submodule {
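Review bot: The new `default = "";` makes the empty string the "no server to join" sentinel that the `config.serverAddr != ""` checks later in the file rely on, but nothing in the option itself says so; `type = lib.types.nullOr lib.types.str; default = null;` would put that intent in the type rather than in a convention, although the current form is at least consistent with the existing checks. If the sentinel stays, the description should mention it, e.g. `description = "The server to join; leave empty when this node does not join an existing server";`.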
@@ -41,142 +42,121 @@ }; }; - # ---------------------------------------- - # ---------- Base Configuration ---------- - # ---------------------------------------- + config = { + # ---------------------------------------- + # ---------- Base Configuration ---------- + # ---------------------------------------- - # System Configuration - system.stateVersion = "24.11"; - nix.settings.experimental-features = [ "nix-command" "flakes" ]; + # OpenEBS Mayastor Requirements + boot.kernelModules = [ "nvme_tcp" ]; + boot.kernel.sysctl = { + "vm.nr_hugepages" = 1024; + }; - # Boot Configuration - boot.kernelModules = [ "nvme_tcp" ]; # OpenEBS Mayastor Requirement - boot.kernel.sysctl = { - "vm.nr_hugepages" = 1024; - }; - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.loader.efi.efiSysMountPoint = "/boot"; + # Network Configuration + networking = { + hostName = config.hostName; + networkmanager.enable = false; - # Network Configuration - networking = { - hostName = config.hostName; - networkmanager.enable = false; + # Interface Configuration + inherit (config.networkConfig) defaultGateway nameservers; + interfaces.${config.networkConfig.interface}.ipv4.addresses = [{ + inherit (config.networkConfig) address; + prefixLength = 24; + }]; - # Interface Configuration - inherit (config.networkConfig) defaultGateway nameservers; - interfaces.${config.networkConfig.interface}.ipv4.addresses = [{ - inherit (config.networkConfig) address; - prefixLength = 24; - }]; + firewall = { + enable = true; - firewall = { + allowedTCPPorts = [ + # RKE2 Ports - https://docs.rke2.io/install/requirements#networking + 6443 # Kubernetes API + 9345 # RKE2 supervisor API + 2379 # etcd Client Port + 2380 # etcd Peer Port + 2381 # etcd Metrics Port + 10250 # kubelet metrics + 9099 # Canal CNI health checks + + # OpenEBS Mayastor - https://openebs.io/docs/user-guides/replicated-storage-user-guide/replicated-pv-mayastor/rs-installation#network-requirements + 
10124 # REST API + 8420 # NVMf + 4421 # NVMf + ]; + + allowedUDPPorts = [ + # RKE2 Ports - https://docs.rke2.io/install/requirements#networking + 8472 # Canal CNI with VXLAN + # 51820 # Canal CNI with WireGuard IPv4 (if using encryption) + # 51821 # Canal CNI with WireGuard IPv6 (if using encryption) + ]; + }; + }; + + # System Packages + environment.systemPackages = with pkgs; [ + htop + k9s + kubectl + kubernetes-helm + nfs-utils + vim + ]; + + # ---------------------------------------- + # ---------- RKE2 Configuration ---------- + # ---------------------------------------- + + # RKE2 Join Token + environment.etc."rancher/rke2/node-token" = lib.mkIf (config.serverAddr != "") { + source = ../rke2-token; + mode = "0600"; + user = "root"; + group = "root"; + }; + + # Enable RKE2 + services.rke2 = { enable = true; + role = "server"; - allowedTCPPorts = [ - # RKE2 Ports - https://docs.rke2.io/install/requirements#networking - 6443 # Kubernetes API - 9345 # RKE2 supervisor API - 2379 # etcd Client Port - 2380 # etcd Peer Port - 2381 # etcd Metrics Port - 10250 # kubelet metrics - 9099 # Canal CNI health checks + disable = [ + # Disable - Utilizing Traefik + "rke2-ingress-nginx" - # OpenEBS Mayastor - https://openebs.io/docs/user-guides/replicated-storage-user-guide/replicated-pv-mayastor/rs-installation#network-requirements - 10124 # REST API - 8420 # NVMf - 4421 # NVMf + # Distable - Utilizing OpenEBS's Snapshot Controller + "rke2-snapshot-controller" + "rke2-snapshot-controller-crd" + "rke2-snapshot-validation-webhook" ]; - allowedUDPPorts = [ - # RKE2 Ports - https://docs.rke2.io/install/requirements#networking - 8472 # Canal CNI with VXLAN - # 51820 # Canal CNI with WireGuard IPv4 (if using encryption) - # 51821 # Canal CNI with WireGuard IPv6 (if using encryption) + # OpenEBS Scheduleable + nodeLabel = [ + "openebs.io/engine=mayastor" ]; + + } // lib.optionalAttrs (config.serverAddr != "") { + serverAddr = config.serverAddr; + tokenFile = 
"/etc/rancher/rke2/node-token"; }; - }; - # User Configuration - users.users.root = { - openssh.authorizedKeys.keys = [ - "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEA8P84lWL/p13ZBFNwITm/dLWWL8s9pVmdOImM5gaJAiTLY+DheUvG6YsveB2/5STseiJ34g7Na9TW1mtTLL8zDqPvj3NbprQiYlLJKMbCk6dtfdD4nLMHl8B48e1h699XiZDp2/c+jJb0MkLOFrps+FbPqt7pFt1Pj29tFy8BCg0LGndu6KO+HqYS+aM5tp5hZESo1RReiJ8aHsu5X7wW46brN4gfyyu+8X4etSZAB9raWqlln9NKK7G6as6X+uPypvSjYGSTC8TSePV1iTPwOxPk2+1xBsK7EBLg3jNrrYaiXLnZvBOOhm11JmHzqEJ6386FfQO+0r4iDVxmvi+ojw== rsa-key-20141114" - ]; - hashedPassword = null; # Disable Password Login - }; + # Bootstrap Kubernetes Manifests + # system.activationScripts.k8s-manifests = { + # deps = [ ]; + # text = '' + # mkdir -p /var/lib/rancher/rke2/server/manifests - # System Packages - environment.systemPackages = with pkgs; [ - htop - k9s - kubectl - kubernetes-helm - nfs-utils - vim - ]; + # # Base Configs + # cp ${../k8s/openebs.yaml} /var/lib/rancher/rke2/server/manifests/openebs-base.yaml + # cp ${../k8s/kasten.yaml} /var/lib/rancher/rke2/server/manifests/kasten-base.yaml - # Enable SSH Server - services.openssh = { - enable = true; - settings = { - PasswordAuthentication = false; # Disable Password Login - PermitRootLogin = "prohibit-password"; # Disable Password Login - }; - }; - - # ---------------------------------------- - # ---------- RKE2 Configuration ---------- - # ---------------------------------------- - - # RKE2 Join Token - environment.etc."rancher/rke2/node-token" = lib.mkIf (config.serverAddr != "") { - source = ../rke2-token; - mode = "0600"; - user = "root"; - group = "root"; - }; - - # Enable RKE2 - services.rke2 = { - enable = true; - - disable = [ - # Disable - Utilizing Traefik - "rke2-ingress-nginx" - - # Distable - Utilizing OpenEBS's Snapshot Controller - "rke2-snapshot-controller" - "rke2-snapshot-controller-crd" - "rke2-snapshot-validation-webhook" - ]; - - # OpenEBS Scheduleable - nodeLabel = [ - "openebs.io/engine=mayastor" - ]; - - role = "server"; - 
serverAddr = config.serverAddr; - tokenFile = lib.mkIf (config.serverAddr != "") "/etc/rancher/rke2/node-token"; - }; - - # Bootstrap Kubernetes Manifests - system.activationScripts.k8s-manifests = { - deps = [ ]; - text = '' - mkdir -p /var/lib/rancher/rke2/server/manifests - - # Base Configs - cp ${../k8s/openebs.yaml} /var/lib/rancher/rke2/server/manifests/openebs-base.yaml - cp ${../k8s/kasten.yaml} /var/lib/rancher/rke2/server/manifests/kasten-base.yaml - - # OpenEBS Disk Pool - cp ${pkgs.substituteAll { - src = ../k8s/openebs-disk-pool.yaml; - hostName = config.hostName; - dataDiskID = config.dataDiskID; - }} /var/lib/rancher/rke2/server/manifests/openebs-disk-pool-${config.hostName}.yaml - ''; + # # OpenEBS Disk Pool + # cp ${pkgs.substituteAll { + # src = ../k8s/openebs-disk-pool.yaml; + # hostName = config.hostName; + # dataDiskID = config.dataDiskID; + # }} /var/lib/rancher/rke2/server/manifests/openebs-disk-pool-${config.hostName}.yaml + # ''; + # }; }; }
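Review bot: The join token entry `environment.etc."rancher/rke2/node-token"` still uses `source = ../rke2-token;`, which copies the token into the world-readable Nix store, so the `mode = "0600"` on the `/etc` copy does not actually protect the secret; `services.rke2.tokenFile` should point at a path provisioned outside the store at deploy time instead. The restructuring also drops `system.stateVersion`, the boot loader settings, the root `openssh.authorizedKeys`, and the `services.openssh` hardening (`PasswordAuthentication = false`, `PermitRootLogin = "prohibit-password"`) with no replacement in this patch; if they were not moved to another module the host silently loses those settings. The `} // lib.optionalAttrs (config.serverAddr != "") { … }` on `services.rke2` is inconsistent with the `lib.mkIf` used for the etc entry a few lines above, and making an attribute set's keys depend on `config` is the pattern the module system documentation warns can recurse; `serverAddr = lib.mkIf (config.serverAddr != "") config.serverAddr;` and `tokenFile = lib.mkIf (config.serverAddr != "") "/etc/rancher/rke2/node-token";` express the same intent. The comment `# Distable - Utilizing OpenEBS's Snapshot Controller` carries a typo and should read `# Disable - …`.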