From 1e9a84f6585fbb241006a63d43c47e03c3e2892e Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 16 Dec 2023 15:45:17 +0100 Subject: [PATCH] use kubenix to generate bootstrap k8s manifests enable experimental features --- configuration.nix | 7 ++ flake.lock | 75 +++++++++++++++++++++ flake.nix | 7 +- modules/custom/default.nix | 2 +- modules/custom/k3s-bootstrap.yaml | 12 ---- modules/custom/k3s/bootstrap.nix | 16 +++++ modules/custom/{k3s.nix => k3s/default.nix} | 9 +-- 7 files changed, 110 insertions(+), 18 deletions(-) delete mode 100644 modules/custom/k3s-bootstrap.yaml create mode 100644 modules/custom/k3s/bootstrap.nix rename modules/custom/{k3s.nix => k3s/default.nix} (75%) diff --git a/configuration.nix b/configuration.nix index e4ddb31..a014617 100644 --- a/configuration.nix +++ b/configuration.nix @@ -176,4 +176,11 @@ age.identityPaths = [ "/root/age_ed25519" ]; virtualisation.libvirtd.enable = true; + + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + }; } diff --git a/flake.lock b/flake.lock index c86dadb..2bbf083 100644 --- a/flake.lock +++ b/flake.lock @@ -100,6 +100,22 @@ "type": "github" } }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "home-manager": { "inputs": { "nixpkgs": [ 
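Review bot: The added `nix` block in configuration.nix spells the flag through free-form `extraOptions`, while the nixos-23.05 channel this flake tracks already has the typed option `nix.settings.experimental-features = [ "nix-command" "flakes" ];`, which is merged with any other module's `nix.settings` instead of concatenating raw config text. As far as I recall `pkgs.nixFlakes` is only an alias for `pkgs.nixVersions.stable` in that release, so the `package = pkgs.nixFlakes;` line adds nothing over the default and can be dropped. The whole addition then reduces to the single `nix.settings.experimental-features` line.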
@@ -121,6 +137,29 @@ "type": "github" } }, + "kubenix": { + "inputs": { + "flake-compat": "flake-compat_2", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems", + "treefmt": "treefmt" + }, + "locked": { + "lastModified": 1700116223, + "narHash": "sha256-Pld/UXlBcIDnQMY0JkDzChJkbof/zEcRkaiXtzvArEE=", + "owner": "hall", + "repo": "kubenix", + "rev": "e4d036576436b9983216584a89388af3da995043", + "type": "github" + }, + "original": { + "owner": "hall", + "repo": "kubenix", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1671417167, @@ -174,10 +213,46 @@ "agenix": "agenix", "deploy-rs": "deploy-rs", "disko": "disko", + "kubenix": "kubenix", "nixpkgs": "nixpkgs_2", "nixpkgs-unstable": "nixpkgs-unstable" } }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "id": "systems", + "type": "indirect" + } + }, + "treefmt": { + "inputs": { + "nixpkgs": [ + "kubenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688026376, + "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, "utils": { "locked": { "lastModified": 1667395993, diff --git a/flake.nix b/flake.nix index 4b99ab2..e6c294b 100644 --- a/flake.nix +++ b/flake.nix @@ -5,6 +5,10 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05"; nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; deploy-rs.url = "github:serokell/deploy-rs"; + kubenix = { + url = "github:hall/kubenix"; + inputs.nixpkgs.follows = "nixpkgs"; + }; disko = { url = "github:nix-community/disko"; 
@@ -18,7 +22,7 @@ }; outputs = - { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, ... }: + { self, nixpkgs, deploy-rs, disko, agenix, nixpkgs-unstable, kubenix, ... }: let system = "x86_64-linux"; pkgs = nixpkgs.legacyPackages.${system}; @@ -60,6 +64,7 @@ nixosConfigurations = mkNixosSystems (machine: { inherit system; + specialArgs = { inherit kubenix; }; modules = [ machine.specificConfig disko.nixosModules.disko diff --git a/modules/custom/default.nix b/modules/custom/default.nix index 6e7528d..29b1813 100644 --- a/modules/custom/default.nix +++ b/modules/custom/default.nix @@ -1,3 +1,3 @@ { - imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ./k3s.nix ]; + imports = [ ./terraform-database.nix ./data-disk.nix ./ssh-certificates.nix ./k3s ]; } diff --git a/modules/custom/k3s-bootstrap.yaml b/modules/custom/k3s-bootstrap.yaml deleted file mode 100644 index efcc5e2..0000000 --- a/modules/custom/k3s-bootstrap.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: pim-cluster-admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cluster-admin -subjects: -- apiGroup: rbac.authorization.k8s.io - kind: User - name: pim diff --git a/modules/custom/k3s/bootstrap.nix b/modules/custom/k3s/bootstrap.nix new file mode 100644 index 0000000..20515d5 --- /dev/null +++ b/modules/custom/k3s/bootstrap.nix @@ -0,0 +1,16 @@ +{ kubenix, ... }: { + imports = [ kubenix.modules.k8s ]; + kubernetes.resources.clusterRoleBindings.pim-cluster-admin = { + roleRef = { + apiGroup = "rbac.authorization.k8s.io"; + kind = "ClusterRole"; + name = "cluster-admin"; + }; + subjects = [ + { + kind = "User"; + name = "pim"; + } + ]; + }; +} diff --git a/modules/custom/k3s.nix b/modules/custom/k3s/default.nix similarity index 75% rename from modules/custom/k3s.nix rename to modules/custom/k3s/default.nix index e37ff0a..6bfc0b1 100644 --- a/modules/custom/k3s.nix 
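Review bot: The `User` subject in `kubernetes.resources.clusterRoleBindings.pim-cluster-admin` (new file modules/custom/k3s/bootstrap.nix) drops the `apiGroup: rbac.authorization.k8s.io` that the deleted k3s-bootstrap.yaml carried on its subject; the API server fills that in for User/Group subjects as far as I know, but adding `apiGroup = "rbac.authorization.k8s.io";` next to `kind = "User";` keeps the rendered manifest identical to what was applied before and does not rely on kubenix or the server defaulting it. Nothing in the file says where it is consumed, so a header comment would help, e.g. `# Resources rendered by kubenix and linked into k3s's auto-deploy manifests directory by ./default.nix; grants the "pim" user cluster-admin.`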
+++ b/modules/custom/k3s/default.nix @@ -1,4 +1,4 @@ -{ pkgs, lib, config, ... }: +{ pkgs, lib, config, kubenix, ... }: let cfg = config.custom.k3s; in { options = { @@ -19,13 +19,14 @@ in { services.k3s.role = "server"; services.k3s.extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.custom.dataDisk.mountPoint}/k3s"; - # TODO: use kubenix for this. system.activationScripts.k3s-bootstrap.text = let - k3sBootstrapFile = pkgs.writeText "k3s-bootstrap" (builtins.readFile ./k3s-bootstrap.yaml); + k3sBootstrapFile = (kubenix.evalModules.x86_64-linux { + module = import ./bootstrap.nix; + }).config.kubernetes.result; in '' - ln -sf ${k3sBootstrapFile} ${config.custom.dataDisk.mountPoint}/k3s/server/manifests/k3s-bootstrap.yaml + ln -sf ${k3sBootstrapFile} ${config.custom.dataDisk.mountPoint}/k3s/server/manifests/k3s-bootstrap.json ''; }; }
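Review bot: The new `ln -sf` line links the manifest as `k3s-bootstrap.json` but nothing removes the `k3s-bootstrap.yaml` symlink that earlier activations left in the same auto-deploy directory, so an already-deployed host keeps a second, stale manifest there whose store target can be garbage-collected. Adding `rm -f ${config.custom.dataDisk.mountPoint}/k3s/server/manifests/k3s-bootstrap.yaml` before the `ln -sf` closes that gap. `kubenix.evalModules.x86_64-linux` also hard-codes the system in a module that otherwise reads everything from `config`; `kubenix.evalModules.${pkgs.stdenv.hostPlatform.system}` keeps it in step with the host. A one-line comment on `k3sBootstrapFile`, e.g. `# rendered by kubenix from ./bootstrap.nix (presumably the JSON manifest, given the .json link name)`, would say what `.config.kubernetes.result` is. The enclosing `config` attribute set starts outside the hunk.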