Copy dnsmasq NixNG image creation to here
Create GC roots for k8s manifests
parent
cf8d278219
commit
1ee319f179
7 changed files with 222 additions and 22 deletions
|
@ -1,7 +1,18 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
|
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
IFS=$'\n\t'
|
|
||||||
|
|
||||||
|
echo Uploading closure...
|
||||||
|
for server in $SERVERS; do
|
||||||
|
echo Uploading closure to $server...
|
||||||
|
nix copy --to "ssh://root@$server.dmz" $MANIFEST
|
||||||
|
ssh "root@$server.dmz" "mkdir -p $GCROOTDIR && ln -sf $MANIFEST $GCROOTDIR/${NAME}.yml"
|
||||||
|
done
|
||||||
|
|
||||||
|
echo Applying Kubernetes manifest...
|
||||||
export KUBECTL_APPLYSET=true
|
export KUBECTL_APPLYSET=true
|
||||||
vals eval -fail-on-missing-key-in-map <$MANIFEST | kubectl apply -f - --prune --applyset $APPLYSET --namespace $NAMESPACE
|
vals eval -fail-on-missing-key-in-map <$MANIFEST | \
|
||||||
|
kubectl apply -f - \
|
||||||
|
--prune \
|
||||||
|
--applyset applyset-$NAME \
|
||||||
|
--namespace $NAMESPACE
|
||||||
|
|
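Review bot: The new remote command `ssh "root@$server.dmz" "mkdir -p $GCROOTDIR && ln -sf $MANIFEST $GCROOTDIR/${NAME}.yml"` expands GCROOTDIR, MANIFEST and NAME into one string that the remote shell re-parses, so whitespace or a shell metacharacter in any of them would change the command run on the server; the `$MANIFEST` argument to `nix copy` two lines above is unquoted as well. The values come from the wrapper's `--set` arguments, so this is unlikely today, but quoting makes the contract explicit: `nix copy --to "ssh://root@$server.dmz" "$MANIFEST"` and `ssh "root@$server.dmz" "mkdir -p '$GCROOTDIR' && ln -sf '$MANIFEST' '$GCROOTDIR/$NAME.yml'"`. Dropping `IFS=$'\n\t'` is what lets `for server in $SERVERS` split on spaces, which deserves a comment such as `# SERVERS is space-separated; default IFS word splitting is required here`. The root symlink is only ever created, never removed, so the manifest of a retired applyset stays pinned on every server until someone cleans `$GCROOTDIR` by hand — a `# NOTE:` comment saying so would help.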
131
flake.lock
131
flake.lock
|
@ -141,6 +141,22 @@
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"flake-compat_3": {
|
"flake-compat_3": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1673956053,
|
||||||
|
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-compat_4": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1696426674,
|
"lastModified": 1696426674,
|
||||||
|
@ -324,6 +340,30 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"kubenix_2": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-compat": "flake-compat_3",
|
||||||
|
"nixpkgs": [
|
||||||
|
"servers",
|
||||||
|
"nixpkgs-unstable"
|
||||||
|
],
|
||||||
|
"systems": "systems_8",
|
||||||
|
"treefmt": "treefmt_2"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1717788185,
|
||||||
|
"narHash": "sha256-Uc6QSQqJa2lyv/1W4StwoKrjtq7cFjlKNhdrtanToGo=",
|
||||||
|
"owner": "pizzapim",
|
||||||
|
"repo": "kubenix",
|
||||||
|
"rev": "a9590abe23a2f7577bc3271d90955e9ccc2923fe",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "pizzapim",
|
||||||
|
"repo": "kubenix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nginx": {
|
"nginx": {
|
||||||
"flake": false,
|
"flake": false,
|
||||||
"locked": {
|
"locked": {
|
||||||
|
@ -379,7 +419,7 @@
|
||||||
},
|
},
|
||||||
"nix-snapshotter": {
|
"nix-snapshotter": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-compat": "flake-compat_3",
|
"flake-compat": "flake-compat_4",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"servers",
|
"servers",
|
||||||
|
@ -424,6 +464,48 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"nixng": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1727033240,
|
||||||
|
"narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=",
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "NixNG",
|
||||||
|
"rev": "c7e38ecb6a655d39d9a9d275ec330e3e3f73fda8",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-community",
|
||||||
|
"repo": "NixNG",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixng_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"servers",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1726571270,
|
||||||
|
"narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=",
|
||||||
|
"owner": "pizzapim",
|
||||||
|
"repo": "NixNG",
|
||||||
|
"rev": "9538892da603608f0176d07d33b1265e038c0adf",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "pizzapim",
|
||||||
|
"ref": "dnsmasq",
|
||||||
|
"repo": "NixNG",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"nixos-hardware": {
|
"nixos-hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1722332872,
|
"lastModified": 1722332872,
|
||||||
|
@ -536,6 +618,7 @@
|
||||||
"flutils": "flutils",
|
"flutils": "flutils",
|
||||||
"kubenix": "kubenix",
|
"kubenix": "kubenix",
|
||||||
"nixhelm": "nixhelm",
|
"nixhelm": "nixhelm",
|
||||||
|
"nixng": "nixng",
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"servers": "servers"
|
"servers": "servers"
|
||||||
}
|
}
|
||||||
|
@ -546,7 +629,9 @@
|
||||||
"disko": "disko",
|
"disko": "disko",
|
||||||
"dns": "dns_2",
|
"dns": "dns_2",
|
||||||
"flake-utils": "flake-utils_5",
|
"flake-utils": "flake-utils_5",
|
||||||
|
"kubenix": "kubenix_2",
|
||||||
"nix-snapshotter": "nix-snapshotter",
|
"nix-snapshotter": "nix-snapshotter",
|
||||||
|
"nixng": "nixng_2",
|
||||||
"nixos-hardware": "nixos-hardware",
|
"nixos-hardware": "nixos-hardware",
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
"nixpkgs"
|
"nixpkgs"
|
||||||
|
@ -555,11 +640,11 @@
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1725739157,
|
"lastModified": 1727038016,
|
||||||
"narHash": "sha256-80fEhMTITIQN8/8cyjlqI/PKBWQG2cl2R/VAhGy3l3o=",
|
"narHash": "sha256-sL2CL8xgubM0hUz7npS+nei0rxWDBgqMZr7q9lpH9so=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "ad4d78ed2a8272e6474f4ed04c42ef75bd27da8b",
|
"rev": "3d456b1a4383d2f40cceb691182c4364333fe934",
|
||||||
"revCount": 470,
|
"revCount": 475,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "https://git.kun.is/home/nixos-servers"
|
"url": "https://git.kun.is/home/nixos-servers"
|
||||||
},
|
},
|
||||||
|
@ -693,6 +778,20 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"systems_8": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"id": "systems",
|
||||||
|
"type": "indirect"
|
||||||
|
}
|
||||||
|
},
|
||||||
"treefmt": {
|
"treefmt": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"nixpkgs": [
|
"nixpkgs": [
|
||||||
|
@ -736,6 +835,28 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
"treefmt_2": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"servers",
|
||||||
|
"kubenix",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1688026376,
|
||||||
|
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "treefmt-nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
"utils": {
|
"utils": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"systems": "systems_6"
|
"systems": "systems_6"
|
||||||
|
|
|
@ -31,9 +31,12 @@
|
||||||
|
|
||||||
servers = {
|
servers = {
|
||||||
url = "git+https://git.kun.is/home/nixos-servers";
|
url = "git+https://git.kun.is/home/nixos-servers";
|
||||||
inputs = {
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
nixpkgs.follows = "nixpkgs";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nixng = {
|
||||||
|
url = "github:nix-community/NixNG";
|
||||||
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -30,7 +30,6 @@ let
|
||||||
cyberchef = "mpepping/cyberchef:latest";
|
cyberchef = "mpepping/cyberchef:latest";
|
||||||
freshrss = "freshrss/freshrss:1.24.3";
|
freshrss = "freshrss/freshrss:1.24.3";
|
||||||
bind9 = "ubuntu/bind9:9.18-22.04_beta";
|
bind9 = "ubuntu/bind9:9.18-22.04_beta";
|
||||||
dnsmasq = "dockurr/dnsmasq:2.90";
|
|
||||||
attic = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27";
|
attic = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27";
|
||||||
hedgedoc = "quay.io/hedgedoc/hedgedoc:1.9.9";
|
hedgedoc = "quay.io/hedgedoc/hedgedoc:1.9.9";
|
||||||
minecraft = "itzg/minecraft-server:latest";
|
minecraft = "itzg/minecraft-server:latest";
|
||||||
|
|
17
kubenix.nix
17
kubenix.nix
|
@ -2,6 +2,7 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
|
||||||
(system:
|
(system:
|
||||||
let
|
let
|
||||||
pkgs = nixpkgs.legacyPackages.${system};
|
pkgs = nixpkgs.legacyPackages.${system};
|
||||||
|
lib = pkgs.lib;
|
||||||
deployScript = (pkgs.writeScriptBin "applyset-deploy.sh" (builtins.readFile ./applyset-deploy.sh)).overrideAttrs (old: {
|
deployScript = (pkgs.writeScriptBin "applyset-deploy.sh" (builtins.readFile ./applyset-deploy.sh)).overrideAttrs (old: {
|
||||||
buildCommand = "${old.buildCommand}\npatchShebangs $out";
|
buildCommand = "${old.buildCommand}\npatchShebangs $out";
|
||||||
});
|
});
|
||||||
|
@ -11,7 +12,7 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
|
||||||
mkKubernetes = name: module: namespace: (kubenix.evalModules.${system} {
|
mkKubernetes = name: module: namespace: (kubenix.evalModules.${system} {
|
||||||
specialArgs = {
|
specialArgs = {
|
||||||
inherit namespace system machines;
|
inherit namespace system machines;
|
||||||
inherit (inputs) nixhelm blog-pim dns;
|
inherit (inputs) nixhelm blog-pim dns nixpkgs nixng;
|
||||||
inherit (self) globals;
|
inherit (self) globals;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -50,13 +51,21 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
|
||||||
passthru.manifest = result;
|
passthru.manifest = result;
|
||||||
meta.mainProgram = "applyset-deploy.sh";
|
meta.mainProgram = "applyset-deploy.sh";
|
||||||
|
|
||||||
postBuild = ''
|
postBuild =
|
||||||
|
let
|
||||||
|
# HACK: create normal way of checking if server runs k8s
|
||||||
|
k8sMachines = lib.filterAttrs (n: m: m.kubernetesNodeLabels != null) machines;
|
||||||
|
k8sServerNames = builtins.concatStringsSep " " (builtins.attrNames k8sMachines);
|
||||||
|
in
|
||||||
|
''
|
||||||
wrapProgram $out/bin/applyset-deploy.sh \
|
wrapProgram $out/bin/applyset-deploy.sh \
|
||||||
--suffix PATH : "$out/bin" \
|
--suffix PATH : "$out/bin" \
|
||||||
--run 'export KUBECONFIG=''${KUBECONFIG:-${toString kubeconfig}}' \
|
--run 'export KUBECONFIG=''${KUBECONFIG:-${toString kubeconfig}}' \
|
||||||
--set MANIFEST '${result}' \
|
--set MANIFEST '${result}' \
|
||||||
--set APPLYSET 'applyset-${name}' \
|
--set NAME '${name}' \
|
||||||
--set NAMESPACE '${namespace}'
|
--set NAMESPACE '${namespace}' \
|
||||||
|
--set SERVERS '${k8sServerNames}' \
|
||||||
|
--set GCROOTDIR '/nix/var/nix/gcroots/kubernetes-manifests'
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
|
|
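Review bot: `k8sServerNames` joins the machine attribute names with single spaces and `applyset-deploy.sh` later word-splits `$SERVERS` on them and uses each one as the hostname `<name>.dmz`, so a name containing whitespace would silently become two bogus hosts; a comment next to the definition, `# machine names double as <name>.dmz hostnames and are space-separated for applyset-deploy.sh`, would state that contract. The `HACK` filter on `kubernetesNodeLabels != null` is presumably a stand-in for an explicit per-machine flag; if one is introduced this is the only site to update, which the comment could also say. `--set GCROOTDIR '/nix/var/nix/gcroots/kubernetes-manifests'` hard-codes a path the servers must agree on; a one-line comment noting that `/nix/var/nix/gcroots` is where Nix looks for roots would explain why the directory is not configurable. The enclosing `mkKubernetes` definition starts outside the hunk.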
41
modules/dnsmasq-image.nix
Normal file
41
modules/dnsmasq-image.nix
Normal file
|
@ -0,0 +1,41 @@
|
||||||
|
{ globals, nixpkgs, nglib, ... }:
|
||||||
|
nglib.makeSystem {
|
||||||
|
inherit nixpkgs;
|
||||||
|
system = "x86_64-linux";
|
||||||
|
name = "nixng-dnsmasq";
|
||||||
|
|
||||||
|
config = { ... }: {
|
||||||
|
dumb-init = {
|
||||||
|
enable = true;
|
||||||
|
type.services = { };
|
||||||
|
};
|
||||||
|
|
||||||
|
init.services.dnsmasq = {
|
||||||
|
shutdownOnExit = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
services.dnsmasq = {
|
||||||
|
enable = true;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
address = [
|
||||||
|
"/kms.kun.is/${globals.kmsIPv4}"
|
||||||
|
"/ssh.git.kun.is/${globals.gitIPv4}"
|
||||||
|
];
|
||||||
|
|
||||||
|
alias = "${globals.routerPublicIPv4},${globals.traefikIPv4}";
|
||||||
|
expand-hosts = true;
|
||||||
|
local = "/dmz/";
|
||||||
|
log-queries = true;
|
||||||
|
no-hosts = true;
|
||||||
|
no-resolv = true;
|
||||||
|
port = 53;
|
||||||
|
|
||||||
|
server = [
|
||||||
|
"192.168.30.1"
|
||||||
|
"/kun.is/${globals.bind9IPv4}"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
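Review bot: The upstream resolver `"192.168.30.1"` in `server` is the only address in this file that is not taken from `globals`, while the bind9, kms, git, router and traefik addresses are; moving it into a globals entry (name to be chosen, e.g. a `globals.<upstream-resolver>` placeholder) keeps the network layout in one place. `log-queries = true;` makes dnsmasq log every query it answers, which is useful while bringing the image up but noisy in steady state; a comment stating whether it is meant to stay on would make the intent clear. The `alias` line appears to rewrite the router's public IPv4 to the traefik IPv4 in replies, which reads like a hairpin-NAT workaround — a one-line comment, `# rewrite answers pointing at the public router IP to traefik so internal clients reach it directly`, would spare the next reader the guesswork.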
@ -1,4 +1,20 @@
|
||||||
{ globals, config, lib, ... }: {
|
{ nixpkgs, pkgs, nixng, globals, config, lib, ... }:
|
||||||
|
let
|
||||||
|
dnsmasqStream = (import ./dnsmasq-image.nix {
|
||||||
|
inherit nixpkgs nixng globals;
|
||||||
|
inherit (nixng) nglib;
|
||||||
|
}).config.system.build.ociImage.stream;
|
||||||
|
|
||||||
|
dnsmasqImage = pkgs.stdenv.mkDerivation {
|
||||||
|
name = "dnsmasq.tar";
|
||||||
|
src = dnsmasqStream;
|
||||||
|
dontUnpack = true;
|
||||||
|
buildPhase = ''
|
||||||
|
$src > $out
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
options.dnsmasq.enable = lib.mkEnableOption "dnsmasq";
|
options.dnsmasq.enable = lib.mkEnableOption "dnsmasq";
|
||||||
|
|
||||||
config = lib.mkIf config.dnsmasq.enable {
|
config = lib.mkIf config.dnsmasq.enable {
|
||||||
|
@ -10,7 +26,7 @@
|
||||||
metadata.labels.app = "dnsmasq";
|
metadata.labels.app = "dnsmasq";
|
||||||
|
|
||||||
spec.containers.dnsmasq = {
|
spec.containers.dnsmasq = {
|
||||||
image = "nix:0/var/container_images/dnsmasq.tar";
|
image = "nix:0${dnsmasqImage}";
|
||||||
imagePullPolicy = "Always";
|
imagePullPolicy = "Always";
|
||||||
|
|
||||||
ports.dns = {
|
ports.dns = {
|
||||||
|
|
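Review bot: `dnsmasqImage` goes through `pkgs.stdenv.mkDerivation` only to run `$src > $out`, so the default configure/install/fixup phases run for nothing and the `src`/`dontUnpack` pair obscures that the "source" is an executable stream script rather than an archive; `dnsmasqImage = pkgs.runCommand "dnsmasq.tar" { } "${dnsmasqStream} > $out";` expresses the same derivation directly. `image = "nix:0${dnsmasqImage}"` now embeds a store path, which — if the interpolation keeps its string context — is what carries the image into the manifest closure that `applyset-deploy.sh` copies to the servers; a short comment saying so would help, since a reader seeing `imagePullPolicy = "Always"` may not realise the image comes from the local Nix store rather than a registry. The enclosing `config = lib.mkIf config.dnsmasq.enable` block continues outside the hunk.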