diff --git a/applyset-deploy.sh b/applyset-deploy.sh
index d6cf7b9..07a09c0 100644
--- a/applyset-deploy.sh
+++ b/applyset-deploy.sh
@@ -1,7 +1,18 @@
 #!/usr/bin/env bash
 set -euo pipefail
-IFS=$'\n\t'
+echo Uploading closure...
+for server in $SERVERS; do
+ echo Uploading closure to $server...
+ nix copy --to "ssh://root@$server.dmz" $MANIFEST
+ ssh "root@$server.dmz" "mkdir -p $GCROOTDIR && ln -sf $MANIFEST $GCROOTDIR/${NAME}.yml"
+done
+
+echo Applying Kubernetes manifest...
 export KUBECTL_APPLYSET=true
-vals eval -fail-on-missing-key-in-map <$MANIFEST | kubectl apply -f - --prune --applyset $APPLYSET --namespace $NAMESPACE
+vals eval -fail-on-missing-key-in-map <$MANIFEST | \
+kubectl apply -f - \
+ --prune \
+ --applyset applyset-$NAME \
+ --namespace $NAMESPACE
diff --git a/flake.lock b/flake.lock
index a26535c..47c7d7f 100644
--- a/flake.lock
+++ b/flake.lock
@@ -141,6 +141,22 @@ } }, "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { "flake": false, "locked": { "lastModified": 1696426674,
@@ -324,6 +340,30 @@ "type": "github" } }, + "kubenix_2": { + "inputs": { + "flake-compat": "flake-compat_3", + "nixpkgs": [ + "servers", + "nixpkgs-unstable" + ], + "systems": "systems_8", + "treefmt": "treefmt_2" + }, + "locked": { + "lastModified": 1717788185, + "narHash": "sha256-Uc6QSQqJa2lyv/1W4StwoKrjtq7cFjlKNhdrtanToGo=", + "owner": "pizzapim", + "repo": "kubenix", + "rev": "a9590abe23a2f7577bc3271d90955e9ccc2923fe", + "type": "github" + }, + "original": { + "owner": "pizzapim", + "repo": "kubenix", + "type": "github" + } + }, "nginx": { "flake": false, "locked": {
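Review bot: The new upload loop expands `$MANIFEST`, `$GCROOTDIR` and `$NAMESPACE` unquoted and, in the `ssh` line, splices `$MANIFEST`/`$GCROOTDIR` into a double-quoted command that the remote root shell parses a second time, so any whitespace or metacharacter in those values would be re-interpreted on the node; with the `IFS=$'\n\t'` line removed they now also word-split locally. The values are set by the wrapper in kubenix.nix (a store path and a fixed directory), so nothing is exploitable today, but quoting is free: `nix copy --to "ssh://root@$server.dmz" "$MANIFEST"` and `ssh "root@$server.dmz" "mkdir -p '$GCROOTDIR' && ln -sf '$MANIFEST' '$GCROOTDIR/${NAME}.yml'"`. A comment above the loop should say why every node receives the closure and a GC root — from the rest of the commit this looks like it exists so the manifest's `nix:0` image references resolve from the node's local store and survive collection — because the script itself gives no hint. The root is also registered before `kubectl apply` runs, so a failed apply still leaves the new manifest pinned on every node; that may be acceptable, but is worth a sentence in the same comment.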
@@ -379,7 +419,7 @@ }, "nix-snapshotter": { "inputs": { - "flake-compat": "flake-compat_3", + "flake-compat": "flake-compat_4", "flake-parts": "flake-parts", "nixpkgs": [ "servers", @@ -424,6 +464,48 @@ "type": "github" } }, + "nixng": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1727033240, + "narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=", + "owner": "nix-community", + "repo": "NixNG", + "rev": "c7e38ecb6a655d39d9a9d275ec330e3e3f73fda8", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "NixNG", + "type": "github" + } + }, + "nixng_2": { + "inputs": { + "nixpkgs": [ + "servers", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1726571270, + "narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=", + "owner": "pizzapim", + "repo": "NixNG", + "rev": "9538892da603608f0176d07d33b1265e038c0adf", + "type": "github" + }, + "original": { + "owner": "pizzapim", + "ref": "dnsmasq", + "repo": "NixNG", + "type": "github" + } + }, "nixos-hardware": { "locked": { "lastModified": 1722332872, @@ -536,6 +618,7 @@ "flutils": "flutils", "kubenix": "kubenix", "nixhelm": "nixhelm", + "nixng": "nixng", "nixpkgs": "nixpkgs", "servers": "servers" } @@ -546,7 +629,9 @@ "disko": "disko", "dns": "dns_2", "flake-utils": "flake-utils_5", + "kubenix": "kubenix_2", "nix-snapshotter": "nix-snapshotter", + "nixng": "nixng_2", "nixos-hardware": "nixos-hardware", "nixpkgs": [ "nixpkgs" @@ -555,11 +640,11 @@ "sops-nix": "sops-nix" }, "locked": { - "lastModified": 1725739157, - "narHash": "sha256-80fEhMTITIQN8/8cyjlqI/PKBWQG2cl2R/VAhGy3l3o=", + "lastModified": 1727038016, + "narHash": "sha256-sL2CL8xgubM0hUz7npS+nei0rxWDBgqMZr7q9lpH9so=", "ref": "refs/heads/master", - "rev": "ad4d78ed2a8272e6474f4ed04c42ef75bd27da8b", - "revCount": 470, + "rev": "3d456b1a4383d2f40cceb691182c4364333fe934", + "revCount": 475, "type": "git", "url": "https://git.kun.is/home/nixos-servers" }, 
@@ -693,6 +778,20 @@ "type": "github" } }, + "systems_8": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, "treefmt": { "inputs": { "nixpkgs": [
@@ -736,6 +835,28 @@ "type": "github" } }, + "treefmt_2": { + "inputs": { + "nixpkgs": [ + "servers", + "kubenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688026376, + "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "utils": { "inputs": { "systems": "systems_6"
diff --git a/flake.nix b/flake.nix
index 014d880..334c94d 100644
--- a/flake.nix
+++ b/flake.nix
@@ -31,9 +31,12 @@ servers = {
 url = "git+https://git.kun.is/home/nixos-servers";
- inputs = {
- nixpkgs.follows = "nixpkgs";
- };
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ nixng = {
+ url = "github:nix-community/NixNG";
+ inputs.nixpkgs.follows = "nixpkgs";
 };
 };
diff --git a/globals.nix b/globals.nix
index f00dcd1..16f92ab 100644
--- a/globals.nix
+++ b/globals.nix
@@ -30,7 +30,6 @@ let
 cyberchef = "mpepping/cyberchef:latest";
 freshrss = "freshrss/freshrss:1.24.3";
 bind9 = "ubuntu/bind9:9.18-22.04_beta";
- dnsmasq = "dockurr/dnsmasq:2.90";
 attic = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27";
 hedgedoc = "quay.io/hedgedoc/hedgedoc:1.9.9";
 minecraft = "itzg/minecraft-server:latest";
diff --git a/kubenix.nix b/kubenix.nix
index b2fe93f..99021ef 100644
--- a/kubenix.nix
+++ b/kubenix.nix
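Review bot: The new `nixng` input is pinned only through the lock, and the same commit's flake.lock also records a second copy, `nixng_2`, pulled in by the `servers` input from `pizzapim/NixNG` at ref `dnsmasq`; both lock entries carry the identical `narHash`, so one tree is now fetched and tracked twice under two names with two provenances to audit on every update. If the fork branch no longer differs from upstream, `servers.inputs.nixng.follows = "nixng";` next to the existing nixpkgs follow keeps a single copy and a single place to bump; whether the fork is still needed I cannot tell from here. A one-line comment on the `nixng` block naming what it is for (the dnsmasq image built in modules/dnsmasq-image.nix) would also help, since nothing else in flake.nix references it.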
@@ -2,6 +2,7 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
 (system:
 let
 pkgs = nixpkgs.legacyPackages.${system};
+ lib = pkgs.lib;
 deployScript = (pkgs.writeScriptBin "applyset-deploy.sh" (builtins.readFile ./applyset-deploy.sh)).overrideAttrs (old: {
 buildCommand = "${old.buildCommand}\npatchShebangs $out";
 });
@@ -11,7 +12,7 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
 mkKubernetes = name: module: namespace: (kubenix.evalModules.${system} {
 specialArgs = {
 inherit namespace system machines;
- inherit (inputs) nixhelm blog-pim dns;
+ inherit (inputs) nixhelm blog-pim dns nixpkgs nixng;
 inherit (self) globals;
 };
@@ -50,14 +51,22 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
 passthru.manifest = result;
 meta.mainProgram = "applyset-deploy.sh";
- postBuild = ''
- wrapProgram $out/bin/applyset-deploy.sh \
- --suffix PATH : "$out/bin" \
- --run 'export KUBECONFIG=''${KUBECONFIG:-${toString kubeconfig}}' \
- --set MANIFEST '${result}' \
- --set APPLYSET 'applyset-${name}' \
- --set NAMESPACE '${namespace}'
- '';
+ postBuild =
+ let
+ # HACK: create normal way of checking if server runs k8s
+ k8sMachines = lib.filterAttrs (n: m: m.kubernetesNodeLabels != null) machines;
+ k8sServerNames = builtins.concatStringsSep " " (builtins.attrNames k8sMachines);
+ in
+ ''
+ wrapProgram $out/bin/applyset-deploy.sh \
+ --suffix PATH : "$out/bin" \
+ --run 'export KUBECONFIG=''${KUBECONFIG:-${toString kubeconfig}}' \
+ --set MANIFEST '${result}' \
+ --set NAME '${name}' \
+ --set NAMESPACE '${namespace}' \
+ --set SERVERS '${k8sServerNames}' \
+ --set GCROOTDIR '/nix/var/nix/gcroots/kubernetes-manifests'
+ '';
 };
 in {
diff --git a/modules/dnsmasq-image.nix b/modules/dnsmasq-image.nix
new file mode 100644
index 0000000..6fc8c4f
--- /dev/null
+++ b/modules/dnsmasq-image.nix
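Review bot: In the `postBuild` hunk the wrapper interpolates `name`, `namespace` and the generated server list into single-quoted shell words (`--set NAME '${name}'`, `--set SERVERS '${k8sServerNames}'`), so a value containing a quote would break the wrapper at build time; with `lib` now in scope from the first hunk, `--set NAME ${lib.escapeShellArg name}` (and the same for NAMESPACE and SERVERS) is robust and yields the same result for the current values. The host list is built from the attribute names of `machines` while the `.dmz` suffix is added inside applyset-deploy.sh, so the host-name convention lives in two places; mapping the names to full host names here (e.g. `map (n: "${n}.dmz")` before `concatStringsSep`) keeps it in one. The `HACK` comment should also spell out what a non-null `kubernetesNodeLabels` means, because that predicate now decides which hosts receive a root SSH session and a GC root from every deploy. The enclosing derivation starts before this hunk.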
@@ -0,0 +1,41 @@
+{ globals, nixpkgs, nglib, ... }:
+nglib.makeSystem {
+ inherit nixpkgs;
+ system = "x86_64-linux";
+ name = "nixng-dnsmasq";
+
+ config = { ... }: {
+ dumb-init = {
+ enable = true;
+ type.services = { };
+ };
+
+ init.services.dnsmasq = {
+ shutdownOnExit = true;
+ };
+
+ services.dnsmasq = {
+ enable = true;
+
+ settings = {
+ address = [
+ "/kms.kun.is/${globals.kmsIPv4}"
+ "/ssh.git.kun.is/${globals.gitIPv4}"
+ ];
+
+ alias = "${globals.routerPublicIPv4},${globals.traefikIPv4}";
+ expand-hosts = true;
+ local = "/dmz/";
+ log-queries = true;
+ no-hosts = true;
+ no-resolv = true;
+ port = 53;
+
+ server = [
+ "192.168.30.1"
+ "/kun.is/${globals.bind9IPv4}"
+ ];
+ };
+ };
+ };
+}
diff --git a/modules/dnsmasq.nix b/modules/dnsmasq.nix
index b62e59a..6e8f8a8 100644
--- a/modules/dnsmasq.nix
+++ b/modules/dnsmasq.nix
@@ -1,4 +1,20 @@
-{ globals, config, lib, ... }: {
+{ nixpkgs, pkgs, nixng, globals, config, lib, ... }:
+let
+ dnsmasqStream = (import ./dnsmasq-image.nix {
+ inherit nixpkgs nixng globals;
+ inherit (nixng) nglib;
+ }).config.system.build.ociImage.stream;
+
+ dnsmasqImage = pkgs.stdenv.mkDerivation {
+ name = "dnsmasq.tar";
+ src = dnsmasqStream;
+ dontUnpack = true;
+ buildPhase = ''
+ $src > $out
+ '';
+ };
+in
+{
 options.dnsmasq.enable = lib.mkEnableOption "dnsmasq";
 config = lib.mkIf config.dnsmasq.enable {
@@ -10,7 +26,7 @@ metadata.labels.app = "dnsmasq"; spec.containers.dnsmasq = {
- image = "nix:0/var/container_images/dnsmasq.tar";
+ image = "nix:0${dnsmasqImage}";
 imagePullPolicy = "Always";
 ports.dns = {
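Review bot: `system = "x86_64-linux"` is fixed inside the new module while the rest of the tree is evaluated per `system` in kubenix.nix, so the image is always an x86_64 image no matter which host evaluates it; if that is intentional because the cluster nodes are x86_64, a one-line comment saying so will stop the next reader from "fixing" it, otherwise take `system` as a module argument like `globals`. The upstream `"192.168.30.1"` under `server` is the only address in the file not taken from `globals`, unlike `globals.bind9IPv4` on the next line; moving it to `globals` keeps every address in one place. The `alias` line rewrites `globals.routerPublicIPv4` to `globals.traefikIPv4` in upstream answers, which reads as a hairpin-NAT workaround for the public names — worth a comment, since dnsmasq's `alias` option is not self-explanatory. `log-queries = true` logs every query the cluster resolver handles, which is useful for detection but deserves a note on the expected volume and where the container's stdout ends up.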
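Review bot: `dnsmasqImage` uses `stdenv.mkDerivation` with a `buildPhase` that writes the tar straight to `$out`, but as far as I can tell the remaining default phases still run afterwards and I am not sure the default `installPhase` tolerates `$out` already being a regular file; `dnsmasqImage = pkgs.runCommand "dnsmasq.tar" { } "${dnsmasqStream} > $out";` is the idiom for this and drops the `src`/`dontUnpack` dance. Building the image from the locked NixNG tree instead of pulling `dockurr/dnsmasq:2.90` from a registry is a supply-chain improvement worth a short comment above `dnsmasqStream`, together with a note that the manifest's closure (and so this tar) must now exist in the node's store, which is what the new upload loop in applyset-deploy.sh provides. With the image now addressed by store path, `imagePullPolicy = "Always"` is presumably a no-op for the `nix:0` scheme; confirm it still means what was intended. `config = lib.mkIf …` continues past the hunk.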