{ self, inputs, pkgs, lib, config, ... }: let cfg = config.pim.k3s; in { options.pim.k3s = { enable = lib.mkOption { default = false; type = lib.types.bool; description = '' Whether to run k3s on this server. ''; }; role = lib.mkOption { default = "server"; type = lib.types.str; description = '' Whether to run k3s as a server or an agent. ''; }; clusterInit = lib.mkOption { default = false; type = lib.types.bool; description = '' Whether this node should initialize the K8s cluster. ''; }; serverAddr = lib.mkOption { default = null; type = with lib.types; nullOr str; description = '' Address of the server whose cluster this server should join. Leaving this empty will make the server initialize the cluster. ''; }; }; config = lib.mkIf cfg.enable { environment.systemPackages = with pkgs; [ k3s openiscsi # Required for Longhorn nfs-utils # Required for Longhorn ]; # TODO!!!!! networking = { nftables.enable = lib.mkForce false; firewall.enable = lib.mkForce false; }; virtualisation.containerd = { enable = true; settings = { version = 2; proxy_plugins.nix = { type = "snapshot"; address = "/run/nix-snapshotter/nix-snapshotter.sock"; }; plugins = let k3s-cni-plugins = pkgs.buildEnv { name = "k3s-cni-plugins"; paths = with pkgs; [ cni-plugins cni-plugin-flannel ]; }; in { "io.containerd.grpc.v1.cri" = { stream_server_address = "127.0.0.1"; stream_server_port = "10010"; enable_selinux = false; enable_unprivileged_ports = true; enable_unprivileged_icmp = true; disable_apparmor = true; disable_cgroup = true; restrict_oom_score_adj = true; sandbox_image = "rancher/mirrored-pause:3.6"; containerd.snapshotter = "nix"; cni = { conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d/"; bin_dir = "${k3s-cni-plugins}/bin"; }; }; "io.containerd.transfer.v1.local".unpack_config = [ { platform = "linux/amd64"; snapshotter = "nix"; } ]; }; }; }; services = { nix-snapshotter.enable = true; k3s = let serverFlagList = [ "--image-service-endpoint=unix:///run/nix-snapshotter/nix-snapshotter.sock" "--snapshotter=overlayfs" "--container-runtime-endpoint=unix:///run/containerd/containerd.sock" "--tls-san=${config.networking.fqdn}" "--disable=servicelb" "--cluster-cidr=10.42.0.0/16,2001:cafe:42::/56" "--service-cidr=10.43.0.0/16,2001:cafe:43::/112" ]; serverFlags = builtins.concatStringsSep " " serverFlagList; in { enable = true; role = cfg.role; tokenFile = config.sops.secrets."k3s/serverToken".path; extraFlags = lib.mkIf (cfg.role == "server") (lib.mkForce serverFlags); clusterInit = cfg.clusterInit; serverAddr = lib.mkIf (! (cfg.serverAddr == null)) cfg.serverAddr; }; # Required for Longhorn openiscsi = { enable = true; name = "iqn.2016-04.com.open-iscsi:${config.networking.fqdn}"; }; }; # HACK: Symlink binaries to /usr/local/bin such that Longhorn can find them # when they use nsenter. # https://github.com/longhorn/longhorn/issues/2166#issuecomment-1740179416 systemd.tmpfiles.rules = [ "L+ /usr/local/bin - - - - /run/current-system/sw/bin/" ]; system.activationScripts = { k3s-bootstrap = lib.mkIf (cfg.role == "server") { text = ( let k3sBootstrapFile = (inputs.kubenix.evalModules.x86_64-linux { module = import ./bootstrap.nix; }) .config .kubernetes .result; in '' mkdir -p /var/lib/rancher/k3s/server/manifests ln -sf ${k3sBootstrapFile} /var/lib/rancher/k3s/server/manifests/k3s-bootstrap.json '' ); }; k3s-certs = lib.mkIf (cfg.role == "server") { text = '' mkdir -p /var/lib/rancher/k3s/server/tls/etcd cp -f ${./ca/server-ca.crt} /var/lib/rancher/k3s/server/tls/server-ca.crt cp -f ${./ca/client-ca.crt} /var/lib/rancher/k3s/server/tls/client-ca.crt cp -f ${./ca/request-header-ca.crt} /var/lib/rancher/k3s/server/tls/request-header-ca.crt cp -f ${./ca/etcd/peer-ca.crt} /var/lib/rancher/k3s/server/tls/etcd/peer-ca.crt cp -f ${./ca/etcd/server-ca.crt} /var/lib/rancher/k3s/server/tls/etcd/server-ca.crt ''; }; }; sops.secrets = let keyPathBase = "/var/lib/rancher/k3s/server/tls"; in { "k3s/serverToken" = { sopsFile = "${self}/secrets/kubernetes.yaml"; }; "k3s/keys/clientCAKey" = { sopsFile = "${self}/secrets/kubernetes.yaml"; path = "${keyPathBase}/client-ca.key"; }; "k3s/keys/requestHeaderCAKey" = { sopsFile = "${self}/secrets/kubernetes.yaml"; path = "${keyPathBase}/request-header-ca.key"; }; "k3s/keys/serverCAKey" = { sopsFile = "${self}/secrets/kubernetes.yaml"; path = "${keyPathBase}/server-ca.key"; }; "k3s/keys/serviceKey" = { sopsFile = "${self}/secrets/kubernetes.yaml"; path = "${keyPathBase}/service.key"; }; "k3s/keys/etcd/peerCAKey" = { sopsFile = "${self}/secrets/kubernetes.yaml"; path = "${keyPathBase}/etcd/peer-ca.key"; }; "k3s/keys/etcd/serverCAKey" = { sopsFile = "${self}/secrets/kubernetes.yaml"; path = "${keyPathBase}/etcd/server-ca.key"; }; }; }; }