Enable IPv6 support for K8s

Enable DNS over IPv6 and TCP to comply with isnic Provision k3s CA Make Atlas a k8s agent instead of server
2024-05-09 17:03:13 +02:00 · 2024-05-09 17:03:13 +02:00 · 998e01ae8c
commit 998e01ae8c
parent 0c0882fe20
20 changed files with 633 additions and 62 deletions
--- a/kubenix-modules/all.nix
+++ b/kubenix-modules/all.nix
@ -1,7 +1,5 @@
-{
-  imports = [
-    ./base.nix
-    ./custom-types.nix
+let
+  applications = [
    ./freshrss.nix
    ./cyberchef.nix
    ./kms.nix
@ -17,15 +15,21 @@
    ./media.nix
    ./bind9
    ./dnsmasq.nix
-    ./esrom.nix
-    ./metallb.nix
-    ./cert-manager.nix
    ./minecraft.nix
-    ./custom/ingress.nix
-    ./custom/nfs-volume.nix
-    ./traefik.nix
    ./blog.nix
    ./atticd.nix
    ./argo.nix
  ];
+in
+{
+  imports = [
+    ./base.nix
+    ./custom-types.nix
+    ./esrom.nix
+    ./metallb.nix
+    ./cert-manager.nix
+    ./custom/ingress.nix
+    ./custom/nfs-volume.nix
+    ./traefik.nix
+  ] ++ applications;
 }
--- a/kubenix-modules/bind9/default.nix
+++ b/kubenix-modules/bind9/default.nix
@ -51,27 +51,52 @@ in
          metadata.labels.app = "bind9";

          spec = {
-            containers.bind9 = {
-              image = "ubuntu/bind9:9.18-22.04_beta";
-              envFrom = [{ configMapRef.name = "bind9-env"; }];
+            containers = {
+              bind9-udp = {
+                image = "ubuntu/bind9:9.18-22.04_beta";
+                envFrom = [{ configMapRef.name = "bind9-env"; }];

-              ports.dns = {
-                containerPort = 53;
-                protocol = "UDP";
+                ports.dns-udp = {
+                  containerPort = 53;
+                  protocol = "UDP";
+                };
+
+                volumeMounts = [
+                  {
+                    name = "config";
+                    mountPath = "/etc/bind/named.conf";
+                    subPath = "config";
+                  }
+                  {
+                    name = "config";
+                    mountPath = "/etc/bind/kun.is.zone";
+                    subPath = "kunis-zone";
+                  }
+                ];
              };

-              volumeMounts = [
-                {
-                  name = "config";
-                  mountPath = "/etc/bind/named.conf";
-                  subPath = "config";
-                }
-                {
-                  name = "config";
-                  mountPath = "/etc/bind/kun.is.zone";
-                  subPath = "kunis-zone";
-                }
-              ];
+              bind9-tcp = {
+                image = "ubuntu/bind9:9.18-22.04_beta";
+                envFrom = [{ configMapRef.name = "bind9-env"; }];
+
+                ports.dns-tcp = {
+                  containerPort = 53;
+                  protocol = "TCP";
+                };
+
+                volumeMounts = [
+                  {
+                    name = "config";
+                    mountPath = "/etc/bind/named.conf";
+                    subPath = "config";
+                  }
+                  {
+                    name = "config";
+                    mountPath = "/etc/bind/kun.is.zone";
+                    subPath = "kunis-zone";
+                  }
+                ];
+              };
            };

            volumes = [{
@ -83,15 +108,45 @@ in
      };
    };

-    services.bind9.spec = {
-      type = "LoadBalancer";
-      loadBalancerIP = myLib.globals.bind9IPv4;
-      selector.app = "bind9";
+    services = {
+      bind9-udp = {
+        metadata.annotations = {
+          "metallb.universe.tf/loadBalancerIPs" = "${myLib.globals.bind9IPv4},${myLib.globals.bind9Ipv6}";
+          "metallb.universe.tf/allow-shared-ip" = "dns";
+        };

-      ports.dns = {
-        port = 53;
-        targetPort = "dns";
-        protocol = "UDP";
+        spec = {
+          type = "LoadBalancer";
+          selector.app = "bind9";
+          ipFamilies = [ "IPv4" "IPv6" ];
+          ipFamilyPolicy = "RequireDualStack";
+
+          ports.dns = {
+            port = 53;
+            targetPort = "dns-udp";
+            protocol = "UDP";
+          };
+        };
+      };
+
+      bind9-tcp = {
+        metadata.annotations = {
+          "metallb.universe.tf/loadBalancerIPs" = "${myLib.globals.bind9IPv4},${myLib.globals.bind9Ipv6}";
+          "metallb.universe.tf/allow-shared-ip" = "dns";
+        };
+
+        spec = {
+          type = "LoadBalancer";
+          selector.app = "bind9";
+          ipFamilies = [ "IPv4" "IPv6" ];
+          ipFamilyPolicy = "RequireDualStack";
+
+          ports.dns = {
+            port = 53;
+            targetPort = "dns-tcp";
+            protocol = "TCP";
+          };
+        };
      };
    };
  };
--- a/kubenix-modules/bind9/kun.is.zone.nix
+++ b/kubenix-modules/bind9/kun.is.zone.nix
@ -3,8 +3,8 @@ myLib: dns: with dns.lib.combinators; {

  SOA = {
    nameServer = "ns1";
-    adminEmail = "webmaster@kun.is";
-    serial = 2024041300;
+    adminEmail = "webmaster.kun.is";
+    serial = 2024041301;
  };

  NS = [
@ -23,7 +23,7 @@ myLib: dns: with dns.lib.combinators; {
  subdomains = rec {
    "*".A = [ myLib.globals.routerPublicIPv4 ];

-    ns.A = [ myLib.globals.routerPublicIPv4 ];
+    ns = host myLib.globals.routerPublicIPv4 myLib.globals.bind9Ipv6;
    ns1 = ns;
    ns2 = ns;

--- a/kubenix-modules/metallb.nix
+++ b/kubenix-modules/metallb.nix
@ -1,7 +1,7 @@
 # TODO: These resources should probably exist within the kube-system namespace.
 {
  kubernetes.resources = {
-    ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" ];
+    ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe" ];
    l2Advertisements.main.metadata = { };
  };
 }