| { config, pkgs, lib, machines, ... }: |
| |
| with lib; |
| |
| let |
  # This module's own option values (hscloud.kube.*).
  cfg = config.hscloud.kube;
  # Host FQDN from the base module; used below to name the per-node kubelet
  # and etcd certificates/keys.
  fqdn = config.hscloud.base.fqdn;
| |
| in { |
| options.hscloud.kube = { |
| package = mkOption { |
| description = "Kubernetes package to use for everything but kubelet."; |
| type = types.package; |
| default = (import (fetchGit { |
| # Now at 1.16.5 |
| name = "nixos-unstable-2020-01-22"; |
| url = https://github.com/nixos/nixpkgs-channels/; |
| rev = "a96ed5d70427bdc2fbb9e805784e1b9621157a98"; |
| }) {}).kubernetes; |
| defaultText = "pkgs.kubernetes"; |
| }; |
| packageKubelet = mkOption { |
| description = "Kubernetes package to use for kubelet."; |
| type = types.package; |
| default = cfg.package; |
| defaultText = "pkgs.kubernetes"; |
| }; |
| portAPIServerSecure = mkOption { |
| type = types.int; |
| description = "Port at which k8s apiserver will listen."; |
| default = 4001; |
| }; |
| pki = let |
| mk = (radix: name: rec { |
| ca = ./../../certs + "/ca-${radix}.crt"; |
| cert = ./../../certs + "/${radix}-${name}.cert"; |
| key = ./../../secrets/plain + "/${radix}-${name}.key"; |
| }); |
| mkKube = (name: (mk "kube" name) // { |
| config = { |
| server = "https://k0.hswaw.net:${toString cfg.portAPIServerSecure}"; |
| certFile = (mk "kube" name).cert; |
| keyFile = (mk "kube" name).key; |
| }; |
| }); |
| in mkOption { |
| type = types.attrs; |
| default = { |
| kube = rec { |
| ca = apiserver.ca; |
| |
| # Used to identify apiserver. |
| apiserver = mkKube "apiserver"; |
| |
| # Used to identify controller-manager. |
| controllermanager = mkKube "controllermanager"; |
| |
| # Used to identify scheduler. |
| scheduler = mkKube "scheduler"; |
| |
| # Used to encrypt service accounts. |
| serviceaccounts = mkKube "serviceaccounts"; |
| |
| # Used to identify kube-proxy. |
| proxy = mkKube "proxy"; |
| |
| # Used to identify kubelet. |
| kubelet = mkKube "kubelet-${fqdn}"; |
| }; |
| |
| kubeFront = { |
| apiserver = mk "kubefront" "apiserver"; |
| }; |
| |
| etcd = { |
| peer = mk "etcdpeer" fqdn; |
| server = mk "etcd" fqdn; |
| kube = mk "etcd" "kube"; |
| }; |
| }; |
| }; |
| }; |
| |
| config = { |
| services.kubernetes = { |
| # We do not use any nixpkgs predefined roles for k8s. Instead, we enable |
| # k8s components manually. |
| roles = []; |
| caFile = cfg.pki.kube.apiserver.ca; |
| clusterCidr = "10.10.16.0/20"; |
| addons.dns.enable = false; |
| }; |
| }; |
| } |