From 052e3d7b632436f1c405c4bb3e213dbcedadf87a Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Fri, 15 Dec 2023 14:55:48 +0100
Subject: [PATCH] create custom module for k3s configuration

---
 configuration.nix | 31 -------------------------
 machines/default.nix | 2 ++
 modules/custom/default.nix | 2 +-
 modules/custom/k3s-bootstrap.yaml | 12 ++++++++++
 modules/custom/k3s.nix | 33 +++++++++++++++++++++++++++
 modules/custom/terraform-database.nix | 20 ++++++++--------
 6 files changed, 59 insertions(+), 41 deletions(-)
 create mode 100644 modules/custom/k3s-bootstrap.yaml
 create mode 100644 modules/custom/k3s.nix

diff --git a/configuration.nix b/configuration.nix
index 2738b75..0148767 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -109,7 +109,6 @@
 dig
 tree
 file
- k3s
 ];

 networking = {
@@ -175,35 +174,5 @@

 age.identityPaths = [ "/root/age_ed25519" ];

- services.k3s.enable = true;
- services.k3s.role = "server";
- # Temporary fix: by default the full hostname of the server (jefke.hyp) is not included into the Subject Alternative Name of certificates of the server.
- # We can hardcode this as a CLI flag to k3s.
- services.k3s.extraFlags = "--tls-san jefke.hyp --data-dir /mnt/data/k3s";
- virtualisation.libvirtd.enable = true;
-
- system.activationScripts.k3s-bootstrap.text =
- let
- k3sBootstrapFile = pkgs.writeTextFile {
- name = "k3s-bootstrap";
- text = ''
- apiVersion: rbac.authorization.k8s.io/v1
- kind: ClusterRoleBinding
- metadata:
- name: pim-cluster-admin
- roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cluster-admin
- subjects:
- - apiGroup: rbac.authorization.k8s.io
- kind: User
- name: pim
- '';
- };
- in
- ''
- ln -sf ${k3sBootstrapFile} /mnt/data/k3s/server/manifests/k3s-bootstrap.yaml
- '';

 }
diff --git a/machines/default.nix b/machines/default.nix
index fad2e3d..a942b42 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -13,6 +13,8 @@
 };

 terraformDatabase.enable = true;
+
+ k3s.enable = true;
 };
 };
 };
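Review bot: Enabling `custom.k3s` here does not bring back `virtualisation.libvirtd.enable = true`, which the second configuration.nix hunk removes together with the k3s settings but which the new k3s.nix module in this same commit does not carry over, so on the next rebuild the host silently loses libvirtd. If dropping libvirtd is intended it should be stated in the commit message; otherwise add `virtualisation.libvirtd.enable = true;` back to configuration.nix or to this machine's attribute set. The enclosing attribute set starts before the hunk, so I cannot see whether another machine-level option already covers it.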
diff --git a/modules/custom/default.nix b/modules/custom/default.nix
index ceeaefa..6e7528d 100644
--- a/modules/custom/default.nix
+++ b/modules/custom/default.nix
@@ -1,3 +1,3 @@
 {
- imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ];
+ imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ./k3s.nix ];
 }
diff --git a/modules/custom/k3s-bootstrap.yaml b/modules/custom/k3s-bootstrap.yaml
new file mode 100644
index 0000000..efcc5e2
--- /dev/null
+++ b/modules/custom/k3s-bootstrap.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: pim-cluster-admin
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+ kind: User
+ name: pim
diff --git a/modules/custom/k3s.nix b/modules/custom/k3s.nix
new file mode 100644
index 0000000..0d5ae49
--- /dev/null
+++ b/modules/custom/k3s.nix
@@ -0,0 +1,33 @@
+{ pkgs, lib, config, ... }:
+let cfg = config.custom.k3s;
+in {
+ options = {
+ custom = {
+ k3s.enable = lib.mkOption {
+ default = false;
+ type = lib.types.bool;
+ description = ''
+ Whether to start k3s with custom configuration.
+ '';
+ };
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ environment.systemPackages = [ pkgs.k3s ];
+ services.k3s.enable = true;
+ services.k3s.role = "server";
+ # Temporary fix: by default the full hostname of the server (jefke.hyp) is not included into the Subject Alternative Name of certificates of the server.
+ # We can hardcode this as a CLI flag to k3s.
+ services.k3s.extraFlags = "--tls-san jefke.hyp --data-dir /mnt/data/k3s";
+
+ # TODO: use kubenix for this.
+ system.activationScripts.k3s-bootstrap.text =
+ let
+ k3sBootstrapFile = pkgs.writeText "k3s-bootstrap" (builtins.readFile ./k3s-bootstrap.yaml);
+ in
+ ''
+ ln -sf ${k3sBootstrapFile} /mnt/data/k3s/server/manifests/k3s-bootstrap.yaml
+ '';
+ };
+}
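Review bot: The ClusterRoleBinding grants the `cluster-admin` ClusterRole to User `pim` without any comment recording why that subject exists or how it authenticates, and because k3s.nix drops this file into k3s's auto-deploy manifest directory it is applied with full privileges on every start — this is effectively the cluster's root credential. A reader cannot tell from the file whether a narrower role was considered or which identity actually maps to `pim`; presumably a client certificate with CN=pim issued by the k3s CA, but nothing here shows that, so confirm before documenting it. Add a header comment along the lines of `# Auto-deployed by k3s (see k3s.nix). Grants unrestricted cluster-admin to the identity "pim"; keep this the only cluster-admin binding.` so the privilege is explicit to the next maintainer.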
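Review bot: The activation script runs `ln -sf` into `/mnt/data/k3s/server/manifests`, but nothing guarantees that directory exists when it runs — on a fresh host, activation happens before k3s has ever started and created its data dir, so `ln` fails and the `k3s-bootstrap` activation step errors; add `mkdir -p /mnt/data/k3s/server/manifests` on the line before the `ln`. The path `/mnt/data/k3s` is also spelled once in `--data-dir` and once in the script, so hoisting it into `let dataDir = "/mnt/data/k3s"; in` above the `config` body and interpolating `${dataDir}` in both places keeps them from drifting. `--tls-san jefke.hyp` hardcodes one host's name into what is now a reusable `custom.k3s` module; deriving it from `config.networking.hostName` and `config.networking.domain`, or exposing it as a `custom.k3s.tlsSan` option, would keep the module host-neutral (presumably those options are set for this host, which I cannot see here). Since `/mnt/data` is presumably the disk mounted by data-disk.nix, a missing mount would have both k3s and the symlink silently land on the root filesystem, which is worth an assertion or a comment above `system.activationScripts.k3s-bootstrap` noting that this script re-runs on every switch and re-applies the cluster-admin manifest each time.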
diff --git a/modules/custom/terraform-database.nix b/modules/custom/terraform-database.nix
index bdad8a7..0625311 100644
--- a/modules/custom/terraform-database.nix
+++ b/modules/custom/terraform-database.nix
@@ -24,15 +24,17 @@ in {
 authentication = ''
 hostssl terraformstates terraform all cert
 '';
- settings = let
- serverCert = builtins.toFile "postgresql_server.crt"
- (builtins.readFile ../../postgresql_server.crt);
- in {
- ssl = true;
- ssl_cert_file = serverCert;
- ssl_key_file = config.age.secrets."postgresql_server.key".path;
- ssl_ca_file = serverCert;
- };
+ settings =
+ let
+ serverCert = builtins.toFile "postgresql_server.crt"
+ (builtins.readFile ../../postgresql_server.crt);
+ in
+ {
+ ssl = true;
+ ssl_cert_file = serverCert;
+ ssl_key_file = config.age.secrets."postgresql_server.key".path;
+ ssl_ca_file = serverCert;
+ };
 ensureUsers = [{
 name = "terraform";
 ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };