reorganize

flake-parts/kubenix.nix

@@ -0,0 +1,14 @@
+{ flake-utils, kubenix, nixhelm, ... }: flake-utils.lib.eachDefaultSystem
+  (system: {
+    kubenix = kubenix.packages.${system}.default.override
+      {
+        specialArgs = { inherit kubenix nixhelm system; };
+        module = { imports = [ ../kubenix-modules/all.nix ]; };
+      };
+
+    kubenix-bootstrap = kubenix.packages.${system}.default.override
+      {
+        specialArgs = { inherit kubenix nixhelm system; };
+        module = { imports = [ ../kubenix-modules/base.nix ]; };
+      };
+  })

flake-parts/kubenix/base.nix

@@ -1,34 +0,0 @@
-# We deploy several resources that rely on "custom resource definitions".
-# We must first import these resources definitions, before deploying resources that depend on them.
-{ nixhelm, system, ... }: {
-  kubenix.project = "home";
-
-  kubernetes = {
-    kubeconfig = "~/.kube/config";
-
-    # TODO: These were copied from https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
-    # See https://cert-manager.io/docs/installation/helm/
-    # Seems kubenix cannot import a list of resources, but only individual resources.
-    # Might be good to create a PR for this.
-    imports = [
-      ./certificaterequest.yaml
-      ./certificate.yaml
-      ./challenge.yaml
-      ./clusterissuer.yaml
-      ./issuer.yaml
-      ./order.yaml
-    ];
-
-    helm.releases = {
-      metallb = {
-        chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
-        includeCRDs = true;
-      };
-
-      cert-manager = {
-        chart = nixhelm.chartsDerivations.${system}.jetstack.cert-manager;
-        includeCRDs = false;
-      };
-    };
-  };
-}

flake-parts/kubenix/default.nix

@@ -1,169 +0,0 @@
-{ self, flake-utils, kubenix, nixhelm, ... }: flake-utils.lib.eachDefaultSystem
-  (system: {
-    kubenix = kubenix.packages.${system}.default.override
-      {
-        specialArgs = {
-          flake = self;
-          inherit nixhelm system;
-        };
-
-        module = { kubenix, ... }: {
-          imports = [
-            kubenix.modules.k8s
-            kubenix.modules.helm
-            ./base.nix
-            ./freshrss.nix
-            ./cyberchef.nix
-            ./kms.nix
-            ./inbucket.nix
-            ./radicale.nix
-            ./syncthing.nix
-            ./nextcloud.nix
-            ./pihole.nix
-            ./hedgedoc.nix
-            ./paperless-ngx.nix
-            ./kitchenowl.nix
-            ./forgejo.nix
-            ./media.nix
-            ./bind9.nix
-            ./dnsmasq.nix
-          ];
-
-          kubernetes = {
-            customTypes = {
-              # HACK: These are dummy custom types.
-              # This is needed, because the CRDs imported as a chart are not available as Nix modules.
-              # There is no nix-based validation on resources defined using these types!
-              # See: https://github.com/hall/kubenix/issues/34
-              ipAddressPool = {
-                attrName = "ipAddressPools";
-                group = "metallb.io";
-                version = "v1beta1";
-                kind = "IPAddressPool";
-              };
-
-              l2Advertisement = {
-                attrName = "l2Advertisements";
-                group = "metallb.io";
-                version = "v1beta1";
-                kind = "L2Advertisement";
-              };
-
-              helmChartConfig = {
-                attrName = "helmChartConfigs";
-                group = "helm.cattle.io";
-                version = "v1";
-                kind = "HelmChartConfig";
-              };
-
-              clusterIssuer = {
-                attrName = "clusterIssuers";
-                group = "cert-manager.io";
-                version = "v1";
-                kind = "ClusterIssuer";
-              };
-            };
-
-            # TODO: These resources should probably exist within the kube-system namespace.
-            resources = {
-              ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" ];
-              l2Advertisements.main.metadata = { };
-
-              # NOTE: The name of each helmChartConfig must match the relevant chart name!
-              # Override Traefik's service with a static load balancer IP.
-              helmChartConfigs = {
-                traefik = {
-                  metadata.namespace = "kube-system";
-
-                  spec.valuesContent = ''
-                    service:
-                      spec:
-                        loadBalancerIP: "192.168.30.128"
-                    ports:
-                      localsecure:
-                        port: 8444
-                        expose: true
-                        exposedPort: 444
-                        protocol: TCP
-                        tls:
-                          enabled: true
-                          options: ""
-                          certResolver: ""
-                          domains: []
-                    providers:
-                      kubernetesIngress:
-                        allowExternalNameServices: true
-                  '';
-                };
-              };
-
-              clusterIssuers.letsencrypt = {
-                metadata.namespace = "kube-system";
-
-                spec.acme = {
-                  server = "https://acme-v02.api.letsencrypt.org/directory";
-                  email = "pim@kunis.nl";
-                  privateKeySecretRef.name = "letsencrypt-private-key";
-                  solvers = [{
-                    selector = { };
-                    http01.ingress.class = "traefik";
-                  }];
-                };
-              };
-
-              services.esrom.spec = {
-                type = "ExternalName";
-                externalName = "esrom.dmz";
-                ports = [{
-                  port = 80;
-                  targetPort = 80;
-                }];
-              };
-
-              ingresses.esrom = {
-                metadata.annotations."cert-manager.io/cluster-issuer" = "letsencrypt";
-
-                spec = {
-                  ingressClassName = "traefik";
-
-                  rules = [{
-                    host = "esrom.kun.is";
-
-                    http.paths = [{
-                      path = "/";
-                      pathType = "Prefix";
-
-                      backend.service = {
-                        name = "esrom";
-                        port.number = 80;
-                      };
-                    }];
-                  }];
-
-                  tls = [{
-                    secretName = "esrom-tls";
-                    hosts = [ "esrom.kun.is" ];
-                  }];
-                };
-              };
-            };
-          };
-        };
-      };
-
-    kubenix-bootstrap = kubenix.packages.${system}.default.override
-      {
-        specialArgs = {
-          flake = self;
-          inherit nixhelm system;
-        };
-
-        module = { kubenix, ... }: {
-          imports = [
-            kubenix.modules.k8s
-            kubenix.modules.helm
-            ./base.nix
-          ];
-        };
-      };
-  })

flake.nix

@@ -46,7 +46,7 @@
       ./flake-parts/checks.nix
       ./flake-parts/deploy.nix
       ./flake-parts/nixos.nix
-      ./flake-parts/kubenix
+      ./flake-parts/kubenix.nix
     ] // (flake-utils.lib.eachDefaultSystem (system: {
       formatter = nixpkgs.legacyPackages.${system}.nixfmt;
     }));

kubenix-modules/all.nix

@@ -0,0 +1,24 @@
+{
+  imports = [
+    ./base.nix
+    ./custom-types.nix
+    ./freshrss.nix
+    ./cyberchef.nix
+    ./kms.nix
+    ./inbucket.nix
+    ./radicale.nix
+    ./syncthing.nix
+    ./nextcloud.nix
+    ./pihole.nix
+    ./hedgedoc.nix
+    ./paperless-ngx.nix
+    ./kitchenowl.nix
+    ./forgejo.nix
+    ./media.nix
+    ./bind9.nix
+    ./dnsmasq.nix
+    ./esrom.nix
+    ./metallb.nix
+    ./cert-manager.nix
+  ];
+}

kubenix-modules/base.nix

@@ -0,0 +1,41 @@
+# We deploy several resources that rely on "custom resource definitions".
+# We must first import these resources definitions, before deploying resources that depend on them.
+{ kubenix, nixhelm, system, ... }: {
+  imports = [
+    kubenix.modules.k8s
+    kubenix.modules.helm
+  ];
+
+  config = {
+    kubenix.project = "home";
+
+    kubernetes = {
+      kubeconfig = "~/.kube/config";
+
+      # TODO: These were copied from https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml
+      # See https://cert-manager.io/docs/installation/helm/
+      # Seems kubenix cannot import a list of resources, but only individual resources.
+      # Might be good to create a PR for this.
+      imports = [
+        ./cert-manager-manifests/certificaterequest.yaml
+        ./cert-manager-manifests/certificate.yaml
+        ./cert-manager-manifests/challenge.yaml
+        ./cert-manager-manifests/clusterissuer.yaml
+        ./cert-manager-manifests/issuer.yaml
+        ./cert-manager-manifests/order.yaml
+      ];
+
+      helm.releases = {
+        metallb = {
+          chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
+          includeCRDs = true;
+        };
+
+        cert-manager = {
+          chart = nixhelm.chartsDerivations.${system}.jetstack.cert-manager;
+          includeCRDs = false;
+        };
+      };
+    };
+  };
+}

kubenix-modules/cert-manager.nix

@@ -0,0 +1,15 @@
+{
+  kubernetes.resources.clusterIssuers.letsencrypt = {
+    metadata.namespace = "kube-system";
+
+    spec.acme = {
+      server = "https://acme-v02.api.letsencrypt.org/directory";
+      email = "pim@kunis.nl";
+      privateKeySecretRef.name = "letsencrypt-private-key";
+      solvers = [{
+        selector = { };
+        http01.ingress.class = "traefik";
+      }];
+    };
+  };
+}

kubenix-modules/custom-types.nix

@@ -0,0 +1,35 @@
+{
+  kubernetes.customTypes = {
+    # HACK: These are dummy custom types.
+    # This is needed, because the CRDs imported as a chart are not available as Nix modules.
+    # There is no nix-based validation on resources defined using these types!
+    # See: https://github.com/hall/kubenix/issues/34
+    ipAddressPool = {
+      attrName = "ipAddressPools";
+      group = "metallb.io";
+      version = "v1beta1";
+      kind = "IPAddressPool";
+    };
+
+    l2Advertisement = {
+      attrName = "l2Advertisements";
+      group = "metallb.io";
+      version = "v1beta1";
+      kind = "L2Advertisement";
+    };
+
+    helmChartConfig = {
+      attrName = "helmChartConfigs";
+      group = "helm.cattle.io";
+      version = "v1";
+      kind = "HelmChartConfig";
+    };
+
+    clusterIssuer = {
+      attrName = "clusterIssuers";
+      group = "cert-manager.io";
+      version = "v1";
+      kind = "ClusterIssuer";
+    };
+  };
+}

kubenix-modules/esrom.nix

@@ -0,0 +1,39 @@
+{
+  kubernetes.resources = {
+    services.esrom.spec = {
+      type = "ExternalName";
+      externalName = "esrom.dmz";
+      ports = [{
+        port = 80;
+        targetPort = 80;
+      }];
+    };
+
+    ingresses.esrom = {
+      metadata.annotations."cert-manager.io/cluster-issuer" = "letsencrypt";
+
+      spec = {
+        ingressClassName = "traefik";
+
+        rules = [{
+          host = "esrom.kun.is";
+
+          http.paths = [{
+            path = "/";
+            pathType = "Prefix";
+
+            backend.service = {
+              name = "esrom";
+              port.number = 80;
+            };
+          }];
+        }];
+
+        tls = [{
+          secretName = "esrom-tls";
+          hosts = [ "esrom.kun.is" ];
+        }];
+      };
+    };
+  };
+}

kubenix-modules/metallb.nix

@@ -0,0 +1,7 @@
+# TODO: These resources should probably exist within the kube-system namespace.
+{
+  kubernetes.resources = {
+    ipAddressPools.main.spec.addresses = [ "192.168.30.128-192.168.30.200" ];
+    l2Advertisements.main.metadata = { };
+  };
+}

kubenix-modules/traefik.nix

@@ -0,0 +1,31 @@
+{
+  kubernetes.resources.helmChartConfigs = {
+    traefik = {
+      metadata.namespace = "kube-system";
+
+      # Override Traefik's service with a static load balancer IP.
+      # Create endpoint for HTTPS on port444.
+      # Allow external name services for esrom.
+      spec.valuesContent = ''
+        service:
+          spec:
+            loadBalancerIP: "192.168.30.128"
+        ports:
+          localsecure:
+            port: 8444
+            expose: true
+            exposedPort: 444
+            protocol: TCP
+            tls:
+              enabled: true
+              options: ""
+              certResolver: ""
+              domains: []
+        providers:
+          kubernetesIngress:
+            allowExternalNameServices: true
+      '';
+    };
+  };
+
+}