re-add kubernetes

nix/default.nix

@@ -95,6 +95,7 @@
       socat
       pciutils
       dmidecode
+      openssl
     ];
 
     nixpkgs.overlays = [

nix/flake/nixos.nix

@@ -1,4 +1,4 @@
-{ nixpkgs, nixpkgs-unstable, machines, physicalMachines, dns, microvm, disko, agenix, nixos-hardware, ... }:
+{ nixpkgs, nixpkgs-unstable, machines, physicalMachines, dns, microvm, disko, agenix, nixos-hardware, kubenix, ... }:
 let
   mkNixosSystems = systemDef:
     builtins.mapAttrs
@@ -11,7 +11,7 @@ in
   nixosConfigurations = mkNixosSystems (name: machine: {
     system = machine.arch;
 
-    specialArgs = { inherit nixpkgs-unstable machines machine dns microvm disko agenix nixos-hardware; };
+    specialArgs = { inherit nixpkgs-unstable machines machine dns microvm disko agenix nixos-hardware kubenix; };
     modules = [
       ../.
       { networking.hostName = name; }

nix/machines/jefke.nix

@@ -15,6 +15,8 @@
         hostCert = builtins.readFile ./certificates/jefke/host_ed25519.crt;
         userCert = builtins.readFile ./certificates/jefke/user_ed25519.crt;
       };
+
+      k3s.enable = true;
     };
   };
 }

nix/modules/default.nix

@@ -7,5 +7,6 @@
     ./data-sharing.nix
     ./globals.nix
     ./monitoring
+    ./k3s
   ];
 }

nix/modules/k3s/bootstrap.nix

@@ -0,0 +1,16 @@
+{ kubenix, ... }: {
+  imports = [ kubenix.modules.k8s ];
+  kubernetes.resources.clusterRoleBindings.pim-cluster-admin = {
+    roleRef = {
+      apiGroup = "rbac.authorization.k8s.io";
+      kind = "ClusterRole";
+      name = "cluster-admin";
+    };
+    subjects = [
+      {
+        kind = "User";
+        name = "pim";
+      }
+    ];
+  };
+}

nix/modules/k3s/default.nix

@@ -0,0 +1,36 @@
+{ pkgs, lib, config, kubenix, ... }:
+let cfg = config.lab.k3s;
+in {
+  options.lab.k3s.enable = lib.mkOption {
+    default = false;
+    type = lib.types.bool;
+    description = ''
+      Whether to start k3s with custom configuration.
+    '';
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [ k3s ];
+
+    networking = {
+      nftables.enable = lib.mkForce false;
+      firewall.enable = lib.mkForce false;
+    };
+
+    services.k3s = {
+      enable = true;
+      role = "server";
+      extraFlags = "--tls-san ${config.networking.fqdn} --data-dir ${config.lab.storage.dataMountPoint}/k3s";
+    };
+
+    system.activationScripts.k3s-bootstrap.text =
+      let
+        k3sBootstrapFile = (kubenix.evalModules.x86_64-linux {
+          module = import ./bootstrap.nix;
+        }).config.kubernetes.result;
+      in
+      ''
+        ln -sf ${k3sBootstrapFile} ${config.lab.storage.dataMountPoint}/k3s/server/manifests/k3s-bootstrap.json
+      '';
+  };
+}

nix/modules/monitoring/default.nix

@@ -80,6 +80,15 @@ in
       };
     };
 
+    users = {
+      users.gatus = {
+        isSystemUser = true;
+        group = "gatus";
+      };
+
+      groups.gatus = { };
+    };
+
     system.activationScripts = lib.mkIf cfg.server.enable {
       gatus = ''
         mkdir -p /srv/gatus

nix/physical.nix

@@ -1,4 +1,4 @@
-{ pkgs, nixpkgs-unstable, config, lib, microvm, disko, agenix, machine, machines, dns, nixos-hardware, ... }: {
+{ pkgs, nixpkgs-unstable, config, lib, microvm, disko, agenix, machine, machines, dns, nixos-hardware, kubenix, ... }: {
   imports = [
     microvm.nixosModules.host
   ]
@@ -69,7 +69,7 @@
             restartIfChanged = false;
 
             specialArgs = {
-              inherit agenix disko pkgs lib microvm dns nixpkgs-unstable;
+              inherit agenix disko pkgs lib microvm dns nixpkgs-unstable kubenix;
               machine = vm;
               hypervisorConfig = config;
             };