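# Per-machine cluster configuration.
#
# Called with the short host name of a machine (without `domain`) and returns
# an attribute set holding cluster-wide constants, this machine's entry from
# ./defs-machines.nix, the PKI file locations used by etcd and Kubernetes, and
# the listening ports.
machineName:

let
  machines = import ./defs-machines.nix;
in rec {
  domain = ".hswaw.net";
  k8sapi = "k0.hswaw.net";
  acmeEmail = "q3k@hackerspace.pl";

  fqdn = machineName + domain;

  # This machine's own entry in defs-machines.nix.
  # `builtins.head` on an empty list only yields a generic evaluation error, so
  # check explicitly and report which fqdn was not found.
  machine =
    let matching = builtins.filter (n: n.fqdn == fqdn) machines;
    in if builtins.length matching == 0
       then builtins.throw "no machine with fqdn ${fqdn} in defs-machines.nix"
       else builtins.head matching;
  otherMachines = builtins.filter (n: n.fqdn != fqdn) machines;
  inherit machines;

  pki = rec {
    # Build the {ca, cert, key, json} record for one certificate identity.
    # `radix` selects the CA (etcd, etcdpeer, kube, kubefront); `name` is the
    # subject the certificate was issued for.
    make = radix: name: rec {
      ca = ./../certs + "/ca-${radix}.crt";
      cert = ./../certs + "/${radix}-${name}.cert";
      key = ./../secrets/plain + "/${radix}-${name}.key";

      # Paths are rendered with builtins.toString, which yields the absolute
      # filesystem path as a plain string. Interpolating a path into a string
      # ("${key}") would instead copy the file into the world-readable Nix
      # store, which must not happen for the private key.
      json = builtins.toJSON {
        ca = builtins.toString ca;
        cert = builtins.toString cert;
        key = builtins.toString key;
      };
    };

    etcdPeer = make "etcdpeer" fqdn;

    etcd = {
      server = make "etcd" fqdn;
      kube = make "etcd" "kube";
    };

    # A Kubernetes client identity: the `make "kube"` record plus a `config`
    # attribute pointing at the secure API server endpoint. `make` is evaluated
    # once and reused for cert/key instead of being called three times.
    makeKube = name:
      let base = make "kube" name;
      in base // {
        config = {
          server = "https://${k8sapi}:${toString ports.k8sAPIServerSecure}";
          certFile = base.cert;
          keyFile = base.key;
        };
      };

    kube = rec {
      # All kube identities share one CA; expose it via the apiserver record.
      ca = apiserver.ca;

      # Used to identify apiserver.
      apiserver = makeKube "apiserver";

      # Used to identify controller-manager.
      controllermanager = makeKube "controllermanager";

      # Used to identify scheduler.
      scheduler = makeKube "scheduler";

      # Used to identify kube-proxy.
      proxy = makeKube "proxy";

      # Used to identify kubelet; the subject carries this machine's fqdn.
      kubelet = makeKube "kubelet-${fqdn}";

      # Used to encrypt service accounts.
      serviceaccounts = makeKube "serviceaccounts";
    };

    kubeFront = {
      apiserver = make "kubefront" "apiserver";
    };
  };

  # Listening ports for the Kubernetes control plane. Referenced from
  # makeKube above (allowed because the outer set is `rec`).
  ports = {
    k8sAPIServerPlain = 4000;
    k8sAPIServerSecure = 4001;
    k8sControllerManagerPlain = 0; # 4002; do not serve plain http
    k8sControllerManagerSecure = 4003;
  };
}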