karaolidis/nix
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add custom kubernetes module base

Browse Source 
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
Nick Karaolidis
2025-01-29 12:44:05 +00:00
parent 51ef8d6ac9
commit 3c1cfbceb8
14 changed files with 1286 additions and 546 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
hosts/common/configs/system/kubernetes/secrets/default.nix
View File

@@ -1,204 +1,293 @@
{ ... }:
{ config, ... }:
{
sops.secrets = {
"kubernetes/ca/crt" = {
"kubernetes/ca/kubernetes/crt" = {
owner = "kubernetes";
group = "users";
mode = "0440";
};
"kubernetes/ca/key" = {
"kubernetes/ca/kubernetes/key" = {
owner = "kubernetes";
group = "users";
mode = "0440";
};
"kubernetes/front-proxy/ca/crt" = {
"kubernetes/ca/front-proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/front-proxy/ca/key" = {
"kubernetes/ca/front-proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/ca/crt" = {
"kubernetes/ca/etcd/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/ca/key" = {
"kubernetes/ca/etcd/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/cert/crt" = {
"kubernetes/cert/apiserver/server/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/cert/key" = {
"kubernetes/cert/apiserver/server/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/kubelet-client/crt" = {
"kubernetes/cert/apiserver/etcd-client/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/kubelet-client/key" = {
"kubernetes/cert/apiserver/etcd-client/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/etcd-client/crt" = {
"kubernetes/cert/apiserver/kubelet-client/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/apiserver/etcd-client/key" = {
"kubernetes/cert/apiserver/kubelet-client/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/front-proxy/client/crt" = {
"kubernetes/cert/front-proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/front-proxy/client/key" = {
"kubernetes/cert/front-proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/server/crt" = {
"kubernetes/cert/etcd/server/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/server/key" = {
"kubernetes/cert/etcd/server/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/peer/crt" = {
"kubernetes/cert/etcd/peer/crt" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/etcd/peer/key" = {
"kubernetes/cert/etcd/peer/key" = {
owner = "etcd";
group = "kubernetes";
mode = "0440";
};
"kubernetes/sa/key" = {
"kubernetes/cert/sa/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/sa/pub" = {
"kubernetes/cert/sa/pub" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/admin/crt" = {
group = "kubernetes";
};
"kubernetes/accounts/admin/key" = {
group = "kubernetes";
};
"kubernetes/accounts/controller-manager/crt" = {
"kubernetes/cert/accounts/scheduler/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/controller-manager/key" = {
"kubernetes/cert/accounts/scheduler/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/addon-manager/crt" = {
"kubernetes/cert/accounts/controller-manager/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/addon-manager/key" = {
"kubernetes/cert/accounts/controller-manager/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/scheduler/crt" = {
"kubernetes/cert/accounts/addon-manager/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/scheduler/key" = {
"kubernetes/cert/accounts/addon-manager/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/proxy/crt" = {
"kubernetes/cert/accounts/proxy/crt" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/proxy/key" = {
"kubernetes/cert/accounts/proxy/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/flannel/crt" = {
"kubernetes/cert/accounts/admin/crt" = {
group = "kubernetes";
};
"kubernetes/cert/accounts/admin/key" = {
group = "kubernetes";
};
"kubernetes/token/kubelet-bootstrap/token" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/flannel/key" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/kubelet-bootstrap/token" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
"kubernetes/accounts/kubelet-bootstrap/csv" = {
"kubernetes/token/kubelet-bootstrap/csv" = {
owner = "kubernetes";
group = "kubernetes";
mode = "0440";
};
};
services.kubernetes = {
cas = {
kubernetes = {
key = config.sops.secrets."kubernetes/ca/kubernetes/key".path;
crt = config.sops.secrets."kubernetes/ca/kubernetes/crt".path;
};
frontProxy = {
key = config.sops.secrets."kubernetes/ca/front-proxy/key".path;
crt = config.sops.secrets."kubernetes/ca/front-proxy/crt".path;
};
etcd = {
key = config.sops.secrets."kubernetes/ca/etcd/key".path;
crt = config.sops.secrets."kubernetes/ca/etcd/crt".path;
};
};
certs = {
apiserver = {
server = {
key = config.sops.secrets."kubernetes/cert/apiserver/server/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/server/crt".path;
};
etcdClient = {
key = config.sops.secrets."kubernetes/cert/apiserver/etcd-client/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/etcd-client/crt".path;
};
kubeletClient = {
key = config.sops.secrets."kubernetes/cert/apiserver/kubelet-client/key".path;
crt = config.sops.secrets."kubernetes/cert/apiserver/kubelet-client/crt".path;
};
};
etcd = {
server = {
key = config.sops.secrets."kubernetes/cert/etcd/server/key".path;
crt = config.sops.secrets."kubernetes/cert/etcd/server/crt".path;
};
peer = {
key = config.sops.secrets."kubernetes/cert/etcd/peer/key".path;
crt = config.sops.secrets."kubernetes/cert/etcd/peer/crt".path;
};
};
frontProxy = {
key = config.sops.secrets."kubernetes/cert/front-proxy/key".path;
crt = config.sops.secrets."kubernetes/cert/front-proxy/crt".path;
};
serviceAccount = {
private = config.sops.secrets."kubernetes/cert/sa/key".path;
public = config.sops.secrets."kubernetes/cert/sa/pub".path;
};
accounts = {
scheduler = {
key = config.sops.secrets."kubernetes/cert/accounts/scheduler/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/scheduler/crt".path;
};
controllerManager = {
key = config.sops.secrets."kubernetes/cert/accounts/controller-manager/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/controller-manager/crt".path;
};
addonManager = {
key = config.sops.secrets."kubernetes/cert/accounts/addon-manager/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/addon-manager/crt".path;
};
proxy = {
key = config.sops.secrets."kubernetes/cert/accounts/proxy/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/proxy/crt".path;
};
admin = {
key = config.sops.secrets."kubernetes/cert/accounts/admin/key".path;
crt = config.sops.secrets."kubernetes/cert/accounts/admin/crt".path;
};
};
};
kubelet.bootstrapToken = config.sops.secrets."kubernetes/token/kubelet-bootstrap/token".path;
apiserver.bootstrapTokenFile = config.sops.secrets."kubernetes/token/kubelet-bootstrap/csv".path;
};
systemd.services = {
kubelet.after = [ "sops-nix.service" ];
kube-apiserver.after = [ "sops-nix.service" ];
kube-controller-manager.after = [ "sops-nix.service" ];
kube-scheduler.after = [ "sops-nix.service" ];
kube-proxy.after = [ "sops-nix.service" ];
kube-addon-manager.after = [ "sops-nix.service" ];
etcd.after = [ "sops-nix.service" ];
};
}