From ace5df1b43025ef9a923b40db35d7ab7c6f3d394 Mon Sep 17 00:00:00 2001
From: Pim Kunis <pim@kunis.nl>
Date: Fri, 29 Dec 2023 12:51:42 +0100
Subject: [PATCH] restructure documentation

---
 README.md          | 47 ++++++----------------------------------------
 docs/kubernetes.md | 41 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+), 41 deletions(-)
 create mode 100644 docs/kubernetes.md

diff --git a/README.md b/README.md
index b93db68..aee6bbb 100644
--- a/README.md
+++ b/README.md
@@ -3,6 +3,10 @@
 Nix definitions to configure our physical servers.
 Currently, only one physical server (named jefke) is implemented but more are planned!
 
+## Additional documentation
+
+- [Kubernetes](docs/kubernetes.md)
+
 ## Prerequisites
 
 1. Install the Nix package manager or NixOS ([link](https://nixos.org/download))
@@ -24,44 +28,5 @@ Additionally, it deploys an age identity, which is later used for decrypting sec
 
 ## Deployment
 
-Deployment can simply be done as follows: `deploy`
-
-## Creating an admin certificate for k3s
-
-Create the admin's private key:
-```
-openssl genpkey -algorithm ed25519 -out <username>-key.pem
-```
-
-Create a CSR for the admin:
-```
-openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
-```
-
-Create a Kubernetes CSR object on the cluster:
-```
-k3s kubectl create -f - <<EOF
-apiVersion: certificates.k8s.io/v1
-kind: CertificateSigningRequest
-metadata:
-  name: <username>-csr
-spec:
-  request: $(cat <username>.csr | base64 | tr -d '\n')
-  expirationSeconds: 307584000 # 10 years
-  signerName: kubernetes.io/kube-apiserver-client
-  usages:
-    - digital signature
-    - key encipherment
-    - client auth
-EOF
-```
-
-Approve and sign the admin's CSR:
-```
-k3s kubectl certificate approve <username>-csr
-```
-
-Extract the resulting signed certificate from the CSR object:
-```
-k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
-```
+To deploy all servers at once: `deploy`
+To deploy only one server: `deploy --targets .#<host>`
diff --git a/docs/kubernetes.md b/docs/kubernetes.md
new file mode 100644
index 0000000..76d97a1
--- /dev/null
+++ b/docs/kubernetes.md
@@ -0,0 +1,41 @@
+# Kubernetes
+
+## Creating an admin certificate for k3s
+
+Create the admin's private key:
+```
+openssl genpkey -algorithm ed25519 -out <username>-key.pem
+```
+
+Create a CSR for the admin:
+```
+openssl req -new -key <username>-key.pem -out <username>.csr -subj "/CN=<username>"
+```
+
+Create a Kubernetes CSR object on the cluster:
+```
+k3s kubectl create -f - <<EOF
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: <username>-csr
+spec:
+  request: $(cat <username>.csr | base64 | tr -d '\n')
+  expirationSeconds: 307584000 # 10 years
+  signerName: kubernetes.io/kube-apiserver-client
+  usages:
+    - digital signature
+    - key encipherment
+    - client auth
+EOF
+```
+
+Approve and sign the admin's CSR:
+```
+k3s kubectl certificate approve <username>-csr
+```
+
+Extract the resulting signed certificate from the CSR object:
+```
+k3s kubectl get csr <username>-csr -o jsonpath='{.status.certificate}' | base64 --decode > <username>.crt
+```