home/kubernetes-deployments
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

Copy dnsmasq NixNG image creation to here

Browse source 
Create GC roots for k8s manifests
This commit is contained in:
Pim Kunis 2024-09-24 23:00:55 +02:00
parent cf8d278219
commit 1ee319f179
7 changed files with 222 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
applyset-deploy.sh
View file

@ -1,7 +1,18 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
IFS=$'\n\t'
echo Uploading closure...
for server in $SERVERS; do
echo Uploading closure to $server...
nix copy --to "ssh://root@$server.dmz" $MANIFEST
ssh "root@$server.dmz" "mkdir -p $GCROOTDIR && ln -sf $MANIFEST $GCROOTDIR/${NAME}.yml"
done
echo Applying Kubernetes manifest...
export KUBECTL_APPLYSET=true export KUBECTL_APPLYSET=true
vals eval -fail-on-missing-key-in-map <$MANIFEST | kubectl apply -f - --prune --applyset $APPLYSET --namespace $NAMESPACE vals eval -fail-on-missing-key-in-map <$MANIFEST | \
kubectl apply -f - \
--prune \
--applyset applyset-$NAME \
--namespace $NAMESPACE

131
flake.lock
View file

@ -141,6 +141,22 @@
} }
}, },
"flake-compat_3": { "flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_4": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1696426674, "lastModified": 1696426674,
@ -324,6 +340,30 @@
"type": "github" "type": "github"
} }
}, },
"kubenix_2": {
"inputs": {
"flake-compat": "flake-compat_3",
"nixpkgs": [
"servers",
"nixpkgs-unstable"
],
"systems": "systems_8",
"treefmt": "treefmt_2"
},
"locked": {
"lastModified": 1717788185,
"narHash": "sha256-Uc6QSQqJa2lyv/1W4StwoKrjtq7cFjlKNhdrtanToGo=",
"owner": "pizzapim",
"repo": "kubenix",
"rev": "a9590abe23a2f7577bc3271d90955e9ccc2923fe",
"type": "github"
},
"original": {
"owner": "pizzapim",
"repo": "kubenix",
"type": "github"
}
},
"nginx": { "nginx": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -379,7 +419,7 @@
}, },
"nix-snapshotter": { "nix-snapshotter": {
"inputs": { "inputs": {
"flake-compat": "flake-compat_3", "flake-compat": "flake-compat_4",
"flake-parts": "flake-parts", "flake-parts": "flake-parts",
"nixpkgs": [ "nixpkgs": [
"servers", "servers",
@ -424,6 +464,48 @@
"type": "github" "type": "github"
} }
}, },
"nixng": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1727033240,
"narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=",
"owner": "nix-community",
"repo": "NixNG",
"rev": "c7e38ecb6a655d39d9a9d275ec330e3e3f73fda8",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "NixNG",
"type": "github"
}
},
"nixng_2": {
"inputs": {
"nixpkgs": [
"servers",
"nixpkgs"
]
},
"locked": {
"lastModified": 1726571270,
"narHash": "sha256-LEug48WOL+mmFYtKM57e/oudgjBk2Km5zIP3p27hF8I=",
"owner": "pizzapim",
"repo": "NixNG",
"rev": "9538892da603608f0176d07d33b1265e038c0adf",
"type": "github"
},
"original": {
"owner": "pizzapim",
"ref": "dnsmasq",
"repo": "NixNG",
"type": "github"
}
},
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1722332872, "lastModified": 1722332872,
@ -536,6 +618,7 @@
"flutils": "flutils", "flutils": "flutils",
"kubenix": "kubenix", "kubenix": "kubenix",
"nixhelm": "nixhelm", "nixhelm": "nixhelm",
"nixng": "nixng",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs",
"servers": "servers" "servers": "servers"
} }
@ -546,7 +629,9 @@
"disko": "disko", "disko": "disko",
"dns": "dns_2", "dns": "dns_2",
"flake-utils": "flake-utils_5", "flake-utils": "flake-utils_5",
"kubenix": "kubenix_2",
"nix-snapshotter": "nix-snapshotter", "nix-snapshotter": "nix-snapshotter",
"nixng": "nixng_2",
"nixos-hardware": "nixos-hardware", "nixos-hardware": "nixos-hardware",
"nixpkgs": [ "nixpkgs": [
"nixpkgs" "nixpkgs"
@ -555,11 +640,11 @@
"sops-nix": "sops-nix" "sops-nix": "sops-nix"
}, },
"locked": { "locked": {
"lastModified": 1725739157, "lastModified": 1727038016,
"narHash": "sha256-80fEhMTITIQN8/8cyjlqI/PKBWQG2cl2R/VAhGy3l3o=", "narHash": "sha256-sL2CL8xgubM0hUz7npS+nei0rxWDBgqMZr7q9lpH9so=",
"ref": "refs/heads/master", "ref": "refs/heads/master",
"rev": "ad4d78ed2a8272e6474f4ed04c42ef75bd27da8b", "rev": "3d456b1a4383d2f40cceb691182c4364333fe934",
"revCount": 470, "revCount": 475,
"type": "git", "type": "git",
"url": "https://git.kun.is/home/nixos-servers" "url": "https://git.kun.is/home/nixos-servers"
}, },
@ -693,6 +778,20 @@
"type": "github" "type": "github"
} }
}, },
"systems_8": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"treefmt": { "treefmt": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -736,6 +835,28 @@
"type": "github" "type": "github"
} }
}, },
"treefmt_2": {
"inputs": {
"nixpkgs": [
"servers",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"utils": { "utils": {
"inputs": { "inputs": {
"systems": "systems_6" "systems": "systems_6"

9
flake.nix
View file

@ -31,9 +31,12 @@
servers = { servers = {
url = "git+https://git.kun.is/home/nixos-servers"; url = "git+https://git.kun.is/home/nixos-servers";
inputs = { inputs.nixpkgs.follows = "nixpkgs";
nixpkgs.follows = "nixpkgs"; };
};
nixng = {
url = "github:nix-community/NixNG";
inputs.nixpkgs.follows = "nixpkgs";
}; };
}; };

1
globals.nix
View file

@ -30,7 +30,6 @@ let
cyberchef = "mpepping/cyberchef:latest"; cyberchef = "mpepping/cyberchef:latest";
freshrss = "freshrss/freshrss:1.24.3"; freshrss = "freshrss/freshrss:1.24.3";
bind9 = "ubuntu/bind9:9.18-22.04_beta"; bind9 = "ubuntu/bind9:9.18-22.04_beta";
dnsmasq = "dockurr/dnsmasq:2.90";
attic = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27"; attic = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27";
hedgedoc = "quay.io/hedgedoc/hedgedoc:1.9.9"; hedgedoc = "quay.io/hedgedoc/hedgedoc:1.9.9";
minecraft = "itzg/minecraft-server:latest"; minecraft = "itzg/minecraft-server:latest";

27
kubenix.nix
View file

@ -2,6 +2,7 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
(system: (system:
let let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
lib = pkgs.lib;
deployScript = (pkgs.writeScriptBin "applyset-deploy.sh" (builtins.readFile ./applyset-deploy.sh)).overrideAttrs (old: { deployScript = (pkgs.writeScriptBin "applyset-deploy.sh" (builtins.readFile ./applyset-deploy.sh)).overrideAttrs (old: {
buildCommand = "${old.buildCommand}\npatchShebangs $out"; buildCommand = "${old.buildCommand}\npatchShebangs $out";
}); });
@ -11,7 +12,7 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
mkKubernetes = name: module: namespace: (kubenix.evalModules.${system} { mkKubernetes = name: module: namespace: (kubenix.evalModules.${system} {
specialArgs = { specialArgs = {
inherit namespace system machines; inherit namespace system machines;
inherit (inputs) nixhelm blog-pim dns; inherit (inputs) nixhelm blog-pim dns nixpkgs nixng;
inherit (self) globals; inherit (self) globals;
}; };
@ -50,14 +51,22 @@ inputs@{ self, servers, flutils, nixpkgs, kubenix, ... }: flutils.lib.eachDefaul
passthru.manifest = result; passthru.manifest = result;
meta.mainProgram = "applyset-deploy.sh"; meta.mainProgram = "applyset-deploy.sh";
postBuild = '' postBuild =
wrapProgram $out/bin/applyset-deploy.sh \ let
--suffix PATH : "$out/bin" \ # HACK: create normal way of checking if server runs k8s
--run 'export KUBECONFIG=''${KUBECONFIG:-${toString kubeconfig}}' \ k8sMachines = lib.filterAttrs (n: m: m.kubernetesNodeLabels != null) machines;
--set MANIFEST '${result}' \ k8sServerNames = builtins.concatStringsSep " " (builtins.attrNames k8sMachines);
--set APPLYSET 'applyset-${name}' \ in
--set NAMESPACE '${namespace}' ''
''; wrapProgram $out/bin/applyset-deploy.sh \
--suffix PATH : "$out/bin" \
--run 'export KUBECONFIG=''${KUBECONFIG:-${toString kubeconfig}}' \
--set MANIFEST '${result}' \
--set NAME '${name}' \
--set NAMESPACE '${namespace}' \
--set SERVERS '${k8sServerNames}' \
--set GCROOTDIR '/nix/var/nix/gcroots/kubernetes-manifests'
'';
}; };
in in
{ {

41
modules/dnsmasq-image.nix Normal file
View file

@ -0,0 +1,41 @@
{ globals, nixpkgs, nglib, ... }:
nglib.makeSystem {
inherit nixpkgs;
system = "x86_64-linux";
name = "nixng-dnsmasq";
config = { ... }: {
dumb-init = {
enable = true;
type.services = { };
};
init.services.dnsmasq = {
shutdownOnExit = true;
};
services.dnsmasq = {
enable = true;
settings = {
address = [
"/kms.kun.is/${globals.kmsIPv4}"
"/ssh.git.kun.is/${globals.gitIPv4}"
];
alias = "${globals.routerPublicIPv4},${globals.traefikIPv4}";
expand-hosts = true;
local = "/dmz/";
log-queries = true;
no-hosts = true;
no-resolv = true;
port = 53;
server = [
"192.168.30.1"
"/kun.is/${globals.bind9IPv4}"
];
};
};
};
}

20
modules/dnsmasq.nix
View file

@ -1,4 +1,20 @@
{ globals, config, lib, ... }: { { nixpkgs, pkgs, nixng, globals, config, lib, ... }:
let
dnsmasqStream = (import ./dnsmasq-image.nix {
inherit nixpkgs nixng globals;
inherit (nixng) nglib;
}).config.system.build.ociImage.stream;
dnsmasqImage = pkgs.stdenv.mkDerivation {
name = "dnsmasq.tar";
src = dnsmasqStream;
dontUnpack = true;
buildPhase = ''
$src > $out
'';
};
in
{
options.dnsmasq.enable = lib.mkEnableOption "dnsmasq"; options.dnsmasq.enable = lib.mkEnableOption "dnsmasq";
config = lib.mkIf config.dnsmasq.enable { config = lib.mkIf config.dnsmasq.enable {
@ -10,7 +26,7 @@
metadata.labels.app = "dnsmasq"; metadata.labels.app = "dnsmasq";
spec.containers.dnsmasq = { spec.containers.dnsmasq = {
image = "nix:0/var/container_images/dnsmasq.tar"; image = "nix:0${dnsmasqImage}";
imagePullPolicy = "Always"; imagePullPolicy = "Always";
ports.dns = { ports.dns = {