install cert-manager
issue certificates for public domains; temporarily disable private domains
parent
2853895822
commit
40fc4013de
20 changed files with 5107 additions and 300 deletions
@ -1,78 +1,119 @@
|
|||
{ self, flake-utils, kubenix, nixhelm, ... }: flake-utils.lib.eachDefaultSystem
|
||||
(system: {
|
||||
kubenix = kubenix.packages.${system}.default.override {
|
||||
specialArgs.flake = self;
|
||||
kubenix = kubenix.packages.${system}.default.override
|
||||
{
|
||||
specialArgs.flake = self;
|
||||
|
||||
module = { kubenix, ... }: {
|
||||
imports = [
|
||||
kubenix.modules.k8s
|
||||
kubenix.modules.helm
|
||||
./freshrss.nix
|
||||
./cyberchef.nix
|
||||
./kms.nix
|
||||
./inbucket.nix
|
||||
./radicale.nix
|
||||
./syncthing.nix
|
||||
./nextcloud.nix
|
||||
./pihole.nix
|
||||
# ./hedgedoc.nix
|
||||
./paperless-ngx.nix
|
||||
./kitchenowl.nix
|
||||
./forgejo.nix
|
||||
./media.nix
|
||||
];
|
||||
kubernetes.kubeconfig = "~/.kube/config";
|
||||
kubenix.project = "home";
|
||||
module = { kubenix, ... }: {
|
||||
imports = [
|
||||
kubenix.modules.k8s
|
||||
kubenix.modules.helm
|
||||
./freshrss.nix
|
||||
./cyberchef.nix
|
||||
./kms.nix
|
||||
./inbucket.nix
|
||||
./radicale.nix
|
||||
./syncthing.nix
|
||||
./nextcloud.nix
|
||||
./pihole.nix
|
||||
# ./hedgedoc.nix
|
||||
./paperless-ngx.nix
|
||||
./kitchenowl.nix
|
||||
./forgejo.nix
|
||||
./media.nix
|
||||
];
|
||||
kubernetes.kubeconfig = "~/.kube/config";
|
||||
kubenix.project = "home";
|
||||
|
||||
kubernetes = {
|
||||
customTypes = {
|
||||
# HACK: These are dummy custom types.
|
||||
# This is needed, because the CRDs imported as a chart are not available as Nix modules.
|
||||
# There is no nix-based validation on resources defined using these types!
|
||||
# See: https://github.com/hall/kubenix/issues/34
|
||||
ipAddressPool = {
|
||||
attrName = "ipAddressPools";
|
||||
group = "metallb.io";
|
||||
version = "v1beta1";
|
||||
kind = "IPAddressPool";
|
||||
kubernetes = {
|
||||
imports = [
|
||||
./certificaterequest.yaml
|
||||
./certificate.yaml
|
||||
./challenge.yaml
|
||||
./clusterissuer.yaml
|
||||
./issuer.yaml
|
||||
./order.yaml
|
||||
];
|
||||
|
||||
customTypes = {
|
||||
# HACK: These are dummy custom types.
|
||||
# This is needed, because the CRDs imported as a chart are not available as Nix modules.
|
||||
# There is no nix-based validation on resources defined using these types!
|
||||
# See: https://github.com/hall/kubenix/issues/34
|
||||
ipAddressPool = {
|
||||
attrName = "ipAddressPools";
|
||||
group = "metallb.io";
|
||||
version = "v1beta1";
|
||||
kind = "IPAddressPool";
|
||||
};
|
||||
|
||||
l2Advertisement = {
|
||||
attrName = "l2Advertisements";
|
||||
group = "metallb.io";
|
||||
version = "v1beta1";
|
||||
kind = "L2Advertisement";
|
||||
};
|
||||
|
||||
helmChartConfig = {
|
||||
attrName = "helmChartConfigs";
|
||||
group = "helm.cattle.io";
|
||||
version = "v1";
|
||||
kind = "HelmChartConfig";
|
||||
};
|
||||
|
||||
clusterIssuer = {
|
||||
attrName = "clusterIssuers";
|
||||
group = "cert-manager.io";
|
||||
version = "v1";
|
||||
kind = "ClusterIssuer";
|
||||
};
|
||||
};
|
||||
|
||||
l2Advertisement = {
|
||||
attrName = "l2Advertisements";
|
||||
group = "metallb.io";
|
||||
version = "v1beta1";
|
||||
kind = "L2Advertisement";
|
||||
# TODO: These resources should probably exist within the kube-system namespace.
|
||||
resources = {
|
||||
ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" ];
|
||||
l2Advertisements.main.metadata = { };
|
||||
|
||||
# Override Traefik's service with a static load balancer IP.
|
||||
helmChartConfigs.traefik = {
|
||||
metadata.namespace = "kube-system";
|
||||
|
||||
spec.valuesContent = ''
|
||||
service:
|
||||
spec:
|
||||
loadBalancerIP: "192.168.30.128"
|
||||
'';
|
||||
};
|
||||
|
||||
clusterIssuers.letsencrypt = {
|
||||
metadata.namespace = "kube-system";
|
||||
|
||||
spec.acme = {
|
||||
server = "https://acme-v02.api.letsencrypt.org/directory";
|
||||
email = "pim@kunis.nl";
|
||||
privateKeySecretRef.name = "letsencrypt-private-key";
|
||||
solvers = [{
|
||||
selector = { };
|
||||
http01.ingress.class = "traefik";
|
||||
}];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
helmChartConfig = {
|
||||
attrName = "helmChartConfigs";
|
||||
group = "helm.cattle.io";
|
||||
version = "v1";
|
||||
kind = "HelmChartConfig";
|
||||
|
||||
# TODO: These resources should probably exist within the kube-system namespace.
|
||||
helm.releases = {
|
||||
metallb = {
|
||||
chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
|
||||
includeCRDs = true;
|
||||
};
|
||||
|
||||
cert-manager = {
|
||||
chart = nixhelm.chartsDerivations.${system}.jetstack.cert-manager;
|
||||
includeCRDs = false;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
resources = {
|
||||
ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" ];
|
||||
l2Advertisements.main.metadata = { };
|
||||
|
||||
# Override Traefik's service with a static load balancer IP.
|
||||
helmChartConfigs.traefik = {
|
||||
metadata.namespace = "kube-system";
|
||||
|
||||
spec.valuesContent = ''
|
||||
service:
|
||||
spec:
|
||||
loadBalancerIP: "192.168.30.128"
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
helm.releases.metallb = {
|
||||
chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
|
||||
includeCRDs = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
})
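Review bot: `metadata.namespace = "kube-system";` on `clusterIssuers.letsencrypt` does not place anything in kube-system, because ClusterIssuer is a cluster-scoped kind and the namespace field carries no meaning there; the ACME account key named by `privateKeySecretRef.name` is, as far as cert-manager's documented behaviour goes, created in cert-manager's cluster-resource namespace instead, so that secret needs to be protected by RBAC where it actually lives. Either drop the namespace line or switch to a namespaced `Issuer` if kube-system placement is what the nearby TODO intends. The single `http01` solver with `selector = { }` matches every Certificate in the cluster, which fits private domains being disabled for now, but a comment such as `# Empty selector: handles all Certificates until private-domain solvers return` would keep that from being overlooked when they are re-enabled. Since the issuer points straight at the production ACME directory, validating the Traefik ingress path against the Let's Encrypt staging directory first avoids burning production issuance rate limits on a misconfigured solver.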