nix/hosts/common/configs/system/kubernetes/secrets/default.nix

{ config, ... }:
{
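sops.secrets =
  let
    # Credential consumed by a control-plane service running as "kubernetes":
    # readable by that user and the "kubernetes" group only (0440).
    kubeOwned = { owner = "kubernetes"; group = "kubernetes"; mode = "0440"; };
    # Credential consumed by etcd. Group "kubernetes" is needed so the apiserver
    # can read the etcd CA *certificate*; the same group read on the etcd
    # *private keys* below is wider than etcd itself needs. NOTE(review): narrow
    # those to an etcd-only group once it is confirmed which units actually run
    # under group "kubernetes".
    etcdOwned = { owner = "etcd"; group = "kubernetes"; mode = "0440"; };
  in
  {
    # Cluster CA. The certificate is public, so leaving it readable by every
    # local account (group "users" is the NixOS default group for normal users)
    # only serves local kubeconfigs. The private key must NOT be: anyone who can
    # read it can mint a client certificate for any identity, including
    # system:masters, and own the cluster — so it is restricted to the service
    # group like every other key here. Presumably the key is on this host so the
    # controller-manager can sign kubelet bootstrap CSRs (a bootstrap token is
    # configured below); if CSR signing is not used, keep it off the node.
    "kubernetes/ca/kubernetes/crt" = {
      owner = "kubernetes";
      group = "users";
      mode = "0440";
    };
    "kubernetes/ca/kubernetes/key" = kubeOwned;
    # Front-proxy (aggregation) CA and etcd CA. With every leaf certificate
    # pre-issued below, no running component needs these CA *private keys*; they
    # are deployed only because the kubernetes module's `cas.*.key` option takes
    # a path — TODO confirm that option is mandatory, otherwise keep the keys
    # offline and ship the certificates alone.
    "kubernetes/ca/front-proxy/crt" = kubeOwned;
    "kubernetes/ca/front-proxy/key" = kubeOwned;
    "kubernetes/ca/etcd/crt" = etcdOwned;
    "kubernetes/ca/etcd/key" = etcdOwned;
    # Leaf certificates. None of these entries declares `restartUnits`, so a
    # rotated certificate is only picked up after the consuming unit is restarted
    # by hand — consider e.g. `restartUnits = [ "kube-apiserver.service" ]` on
    # the apiserver entries once the secret-to-unit mapping is confirmed.
    "kubernetes/cert/apiserver/server/crt" = kubeOwned;
    "kubernetes/cert/apiserver/server/key" = kubeOwned;
    "kubernetes/cert/apiserver/etcd-client/crt" = kubeOwned;
    "kubernetes/cert/apiserver/etcd-client/key" = kubeOwned;
    "kubernetes/cert/apiserver/kubelet-client/crt" = kubeOwned;
    "kubernetes/cert/apiserver/kubelet-client/key" = kubeOwned;
    "kubernetes/cert/front-proxy/crt" = kubeOwned;
    "kubernetes/cert/front-proxy/key" = kubeOwned;
    "kubernetes/cert/etcd/server/crt" = etcdOwned;
    "kubernetes/cert/etcd/server/key" = etcdOwned;
    "kubernetes/cert/etcd/peer/crt" = etcdOwned;
    "kubernetes/cert/etcd/peer/key" = etcdOwned;
    # Service-account token signing key pair.
    "kubernetes/cert/sa/key" = kubeOwned;
    "kubernetes/cert/sa/pub" = kubeOwned;
    # Per-component client identities.
    "kubernetes/cert/accounts/scheduler/crt" = kubeOwned;
    "kubernetes/cert/accounts/scheduler/key" = kubeOwned;
    "kubernetes/cert/accounts/controller-manager/crt" = kubeOwned;
    "kubernetes/cert/accounts/controller-manager/key" = kubeOwned;
    "kubernetes/cert/accounts/addon-manager/crt" = kubeOwned;
    "kubernetes/cert/accounts/addon-manager/key" = kubeOwned;
    "kubernetes/cert/accounts/proxy/crt" = kubeOwned;
    "kubernetes/cert/accounts/proxy/key" = kubeOwned;
    # Cluster-admin client credential. The sops-nix defaults (owner root,
    # mode 0400) are written out explicitly so the intent is visible: the
    # "kubernetes" service user can NOT read this pair, and `group` on its own
    # grants nothing at 0400. If a unit genuinely needs it, give that unit's
    # user the file explicitly rather than widening the mode.
    "kubernetes/cert/accounts/admin/crt" = {
      owner = "root";
      group = "kubernetes";
      mode = "0400";
    };
    "kubernetes/cert/accounts/admin/key" = {
      owner = "root";
      group = "kubernetes";
      mode = "0400";
    };
    # Kubelet TLS-bootstrap token (kubelet side) and the static token file the
    # apiserver authenticates it against.
    "kubernetes/token/kubelet-bootstrap/token" = kubeOwned;
    "kubernetes/token/kubelet-bootstrap/csv" = kubeOwned;
  };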
services.kubernetes =
  let
    # Decrypted on-disk path of a sops secret declared under the "kubernetes/"
    # prefix in `sops.secrets`.
    secretPath = name: config.sops.secrets."kubernetes/${name}".path;
    # A key/certificate pair whose secrets live at <base>/key and <base>/crt.
    keyPair = base: {
      key = secretPath "${base}/key";
      crt = secretPath "${base}/crt";
    };
  in
  {
    # Certificate authorities: cluster, aggregation (front-proxy) and etcd.
    cas = {
      kubernetes = keyPair "ca/kubernetes";
      frontProxy = keyPair "ca/front-proxy";
      etcd = keyPair "ca/etcd";
    };
    certs = {
      # apiserver serving cert plus its client identities towards etcd and the kubelets.
      apiserver = {
        server = keyPair "cert/apiserver/server";
        etcdClient = keyPair "cert/apiserver/etcd-client";
        kubeletClient = keyPair "cert/apiserver/kubelet-client";
      };
      etcd = {
        server = keyPair "cert/etcd/server";
        peer = keyPair "cert/etcd/peer";
      };
      frontProxy = keyPair "cert/front-proxy";
      # Service-account token signing key pair (private/public, not key/crt).
      serviceAccount = {
        private = secretPath "cert/sa/key";
        public = secretPath "cert/sa/pub";
      };
      # Client identities for the control-plane components and the admin user.
      accounts = {
        scheduler = keyPair "cert/accounts/scheduler";
        controllerManager = keyPair "cert/accounts/controller-manager";
        addonManager = keyPair "cert/accounts/addon-manager";
        proxy = keyPair "cert/accounts/proxy";
        admin = keyPair "cert/accounts/admin";
      };
    };
    # Kubelet TLS-bootstrap token and the apiserver's matching static token file.
    kubelet.bootstrapToken = secretPath "token/kubelet-bootstrap/token";
    apiserver.bootstrapTokenFile = secretPath "token/kubelet-bootstrap/csv";
  };
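systemd.services =
  let
    secretsUnit = "sops-nix.service";
    # Every unit that reads a sops-managed credential must start after the
    # secrets are installed. `after` on its own is only an ordering hint — it
    # has no effect when sops-nix.service is not part of the same transaction —
    # so the unit is also pulled in with `wants` (a missing wanted unit is a
    # harmless no-op, unlike `requires`, which would fail the service).
    # NOTE(review): if this sops-nix version installs secrets from an activation
    # script rather than this unit, neither line has any effect — confirm the
    # unit exists on the target system.
    needsSecrets = unit: {
      name = unit;
      value = {
        after = [ secretsUnit ];
        wants = [ secretsUnit ];
      };
    };
  in
  builtins.listToAttrs (map needsSecrets [
    "kubelet"
    "kube-apiserver"
    "kube-controller-manager"
    "kube-scheduler"
    "kube-proxy"
    "kube-addon-manager"
    "etcd"
  ]);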
}