change k3s data dir to external disk

add additional SAN to k3s certificates
update README with k8s certificate instructions
open port for kubectl
Pim Kunis 2023-12-14 21:42:58 +01:00
parent 4f41fd746a
commit 1c0e4794a8
4 changed files with 52 additions and 0 deletions


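--- a/PLACEHOLDER_README_PATH
+++ b/PLACEHOLDER_README_PATH
@@ -25,3 +25,47 @@ Additionally, it deploys an age identity, which is later used for decrypting sec
 ## Deployment
 Deployment can simply be done as follows: `deploy`
+## Creating an admin certificate for k3s
+Create the admin's private key:
+```
+openssl genpkey -algorithm ed25519 -out <username>-key.pem
+```
+Create a CSR for the admin:
+```
+openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
+```
+Create a Kubernetes CSR object on the cluster:
+```
+k3s kubectl create -f - <<EOF
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+name: <username>-csr
+spec:
+request: $(cat <username>.csr | base64 | tr -d '\n')
+expirationSeconds: 307584000 # 10 years
+signerName: kubernetes.io/kube-apiserver-client
+usages:
+- digital signature
+- key encipherment
+- client auth
+EOF
+```
+Approve and sign the admin's CSR:
+```
+k3s kubectl certificate approve <username>-csr
+```
+Extract the resulting signed certificate from the CSR object:
+```
+k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
+```
+## TODO
+1. Manage the bootstrap k3s clusterrolebinding with kubenix: `k3s kubectl create clusterrolebinding pim-cluster-admin --user=pim --clusterrole=cluster-admin`.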


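--- a/PLACEHOLDER_MACHINE_CONFIG_NIX_PATH
+++ b/PLACEHOLDER_MACHINE_CONFIG_NIX_PATH
@@ -177,4 +177,9 @@
 services.k3s.enable = true;
 services.k3s.role = "server";
+# Temporary fix: by default the full hostname of the server (jefke.hyp) is not included into the Subject Alternative Name of certificates of the server.
+# We can hardcode this as a CLI flag to k3s.
+services.k3s.extraFlags = "--tls-san jefke.hyp --data-dir /mnt/data/k3s";
+virtualisation.libvirtd.enable = true;
 }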
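Review bot: The new `--data-dir /mnt/data/k3s` on the `services.k3s.extraFlags` line carries no ordering on the mount it relies on, so if `/mnt/data` is a separately mounted disk (as the commit title suggests) and the k3s unit starts before it is mounted, k3s will initialise a fresh data directory — including the cluster CA material and join token it keeps under that directory — on the root filesystem instead. If the mount is declared through `fileSystems`, pinning the service to it with `systemd.services.k3s.after = [ "mnt-data.mount" ];` and `systemd.services.k3s.requires = [ "mnt-data.mount" ];` closes that gap; the mount point's permissions deserve the same attention as the default data dir, since it now holds that key material. The "Temporary fix" comment hard-codes `jefke.hyp`; if this module receives `config`, `"--tls-san ${config.networking.fqdn} --data-dir /mnt/data/k3s"` would keep the SAN in step with the host's configured name (assumes `networking.domain` is set for this machine — confirm). The enclosing attribute set starts outside the hunk.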


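--- a/PLACEHOLDER_FLAKE_NIX_PATH
+++ b/PLACEHOLDER_FLAKE_NIX_PATH
@@ -24,6 +24,7 @@
 pkgs = nixpkgs.legacyPackages.${system};
 pkgs-unstable = nixpkgs-unstable.legacyPackages.${system};
 machines = import ./machines;
+# TODO: Maybe use mergeAttrLists
 mkNixosSystems = systemDef:
 nixpkgs.lib.foldlAttrs (acc: name: machine:
 acc // {
@@ -44,6 +45,7 @@
 pkgs-unstable.deploy-rs
 pkgs.openssl
 pkgs.postgresql_15
+pkgs.kubectl
 ];
 };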


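--- a/PLACEHOLDER_NFTABLES_RULESET_PATH
+++ b/PLACEHOLDER_NFTABLES_RULESET_PATH
@@ -15,6 +15,7 @@ table inet nixos-fw {
 chain input-allow {
 tcp dport 22 accept
 tcp dport 5432 accept comment "PostgreSQL server"
+tcp dport 6443 accept comment "k3s"
 icmp type echo-request accept comment "allow ping"
 icmpv6 type != { nd-redirect, 139 } accept comment "Accept all ICMPv6 messages except redirects and node information queries (type 139). See RFC 4890, section 4.4."
 ip6 daddr fe80::/64 udp dport 546 accept comment "DHCPv6 client"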
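Review bot: The added `tcp dport 6443 accept comment "k3s"` rule admits connections to the Kubernetes API server from any source on every interface this `inet` table covers, while the commit message frames the change as opening the port for kubectl, i.e. for one administrator rather than for every peer that can reach the host. If the admin always connects from a known network, a source-scoped rule such as `ip saddr <admin-net-cidr> tcp dport 6443 accept comment "k3s API server (kubectl)"` keeps unknown hosts from even reaching TLS client authentication; the placeholder is the network to fill in. Even if the rule stays unrestricted, the comment should name what listens there, e.g. `tcp dport 6443 accept comment "k3s API server (kubectl)"`, matching the descriptive style of the neighbouring rules. The rest of `input-allow` and its closing brace are outside the hunk.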