create custom module for k3s configuration

configuration.nix

@@ -109,7 +109,6 @@
     dig
     tree
     file
-    k3s
   ];
 
   networking = {
@@ -175,35 +174,5 @@
 
   age.identityPaths = [ "/root/age_ed25519" ];
 
-  services.k3s.enable = true;
-  services.k3s.role = "server";
-  # Temporary fix: by default the full hostname of the server (jefke.hyp) is not included into the Subject Alternative Name of certificates of the server.
-  # We can hardcode this as a CLI flag to k3s.
-  services.k3s.extraFlags = "--tls-san jefke.hyp --data-dir /mnt/data/k3s";
-
   virtualisation.libvirtd.enable = true;
-
-  system.activationScripts.k3s-bootstrap.text =
-    let
-      k3sBootstrapFile = pkgs.writeTextFile {
-        name = "k3s-bootstrap";
-        text = ''
-          apiVersion: rbac.authorization.k8s.io/v1
-          kind: ClusterRoleBinding
-          metadata:
-            name: pim-cluster-admin
-          roleRef:
-            apiGroup: rbac.authorization.k8s.io
-            kind: ClusterRole
-            name: cluster-admin
-          subjects:
-          - apiGroup: rbac.authorization.k8s.io
-            kind: User
-            name: pim
-        '';
-      };
-    in
-    ''
-      ln -sf ${k3sBootstrapFile} /mnt/data/k3s/server/manifests/k3s-bootstrap.yaml
-    '';
 }

machines/default.nix

@@ -13,6 +13,8 @@
         };
 
         terraformDatabase.enable = true;
+
+        k3s.enable = true;
       };
     };
   };

modules/custom/default.nix

@@ -1,3 +1,3 @@
 {
-  imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ];
+  imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ./k3s.nix ];
 }

modules/custom/k3s-bootstrap.yaml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: pim-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: pim

modules/custom/k3s.nix

@@ -0,0 +1,33 @@
+{ pkgs, lib, config, ... }:
+let cfg = config.custom.k3s;
+in {
+  options = {
+    custom = {
+      k3s.enable = lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = ''
+          Whether to start k3s with custom configuration.
+        '';
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.k3s ];
+    services.k3s.enable = true;
+    services.k3s.role = "server";
+    # Temporary fix: by default the full hostname of the server (jefke.hyp) is not included into the Subject Alternative Name of certificates of the server.
+    # We can hardcode this as a CLI flag to k3s.
+    services.k3s.extraFlags = "--tls-san jefke.hyp --data-dir /mnt/data/k3s";
+
+    # TODO: use kubenix for this.
+    system.activationScripts.k3s-bootstrap.text =
+      let
+        k3sBootstrapFile = pkgs.writeText "k3s-bootstrap" (builtins.readFile ./k3s-bootstrap.yaml);
+      in
+      ''
+        ln -sf ${k3sBootstrapFile} /mnt/data/k3s/server/manifests/k3s-bootstrap.yaml
+      '';
+  };
+}

modules/custom/terraform-database.nix

@@ -24,15 +24,17 @@ in {
       authentication = ''
         hostssl terraformstates terraform all cert
       '';
-      settings = let
+      settings =
-        serverCert = builtins.toFile "postgresql_server.crt"
+        let
-          (builtins.readFile ../../postgresql_server.crt);
+          serverCert = builtins.toFile "postgresql_server.crt"
-      in {
+            (builtins.readFile ../../postgresql_server.crt);
-        ssl = true;
+        in
-        ssl_cert_file = serverCert;
+        {
-        ssl_key_file = config.age.secrets."postgresql_server.key".path;
+          ssl = true;
-        ssl_ca_file = serverCert;
+          ssl_cert_file = serverCert;
-      };
+          ssl_key_file = config.age.secrets."postgresql_server.key".path;
+          ssl_ca_file = serverCert;
+        };
       ensureUsers = [{
         name = "terraform";
         ensurePermissions = { "DATABASE terraformstates" = "ALL PRIVILEGES"; };