*: add dcr01s{22,24}
Change-Id: I072e825e2e1d199d9da50b9d38a9ffba68e61182
diff --git a/cluster/nix/cluster-configuration.nix b/cluster/nix/cluster-configuration.nix
index d8a73aa..d24fcf0 100644
--- a/cluster/nix/cluster-configuration.nix
+++ b/cluster/nix/cluster-configuration.nix
@@ -13,6 +13,13 @@
rev = "1fc591f9a5bd1b016b5d66dfab29560073955a14";
}) {};
+ infraContainer = pkgs.dockerTools.buildImage {
+ name = "pause";
+ tag = "latest";
+ contents = k8spkgs.kubernetes.pause;
+ config.Cmd = "/bin/pause";
+ };
+
in rec {
imports =
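Review bot: `config.Cmd = "/bin/pause"` on the new `infraContainer` binding is a bare string where the image config's Cmd field is an argv list; the nixpkgs `dockerTools.buildImage` examples write it as `config.Cmd = [ "/bin/pause" ];`, and the list form does not rely on the runtime being lenient about a string there. The image is tagged `pause:latest` and, later in this commit, loaded into the node's docker daemon from the kubelet preStart rather than pulled, which is worth stating on the binding, e.g. `# Pod infra ("pause") image; seeded into the local docker daemon by the kubelet preStart so nodes never pull it.` The enclosing `let` begins before this hunk.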
@@ -25,11 +32,16 @@
boot.loader.grub.version = 2;
boot.loader.grub.device = node.diskBoot;
- boot.kernelPackages = pkgs.linuxPackages_5_1;
+ boot.kernelPackages = pkgs.linuxPackages_latest;
boot.kernelParams = [ "boot.shell_on_fail" ];
+ boot.kernel.sysctl."net.ipv4.conf.all.rp_filter" = "0";
+ boot.kernel.sysctl."net.ipv4.conf.default.rp_filter" = "0";
time.timeZone = "Europe/Warsaw";
+ networking.useDHCP = false;
+ networking.interfaces."${node.mgmtIf}".useDHCP = true;
+
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
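Review bot: The two `rp_filter = "0"` lines switch off the kernel's reverse-path source-address validation on every interface, including the management interface that the `networking.interfaces."${node.mgmtIf}"` line below brings up with DHCP, and the commit does not say which consumer needs it. If it is for asymmetric or overlay pod routing, loose mode (`"2"`) is usually enough and still drops packets whose source has no route at all; whichever value is kept, a comment naming the reason (e.g. `# rp_filter relaxed for <overlay/CNI name>: pod traffic returns via a different interface`) would stop a later cleanup from re-enabling it blindly. Separately, moving from the pinned `linuxPackages_5_1` to `linuxPackages_latest` means a nixpkgs bump can change the kernel major on all nodes at once; that may be intended, but it is a different kind of change than the sysctl and DHCP lines and deserves its own sentence in the commit message.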
@@ -94,7 +106,7 @@
};
};
- services.etcd = {
+ services.etcd = rec {
enable = true;
name = fqdn;
listenClientUrls = ["https://0.0.0.0:2379"];
@@ -102,6 +114,7 @@
listenPeerUrls = ["https://0.0.0.0:2380"];
initialAdvertisePeerUrls = ["https://${fqdn}:2380"];
initialCluster = (map (n: "${n.fqdn}=https://${n.fqdn}:2380") nodes);
+ initialClusterState = "existing";
clientCertAuth = true;
trustedCaFile = pki.etcd.server.ca;
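Review bot: `initialClusterState = "existing"` is now the value for every node, so this configuration can only join members to a cluster that is already running; a fresh bootstrap or a rebuild of all nodes after losing the data directories would not form quorum with it, and nothing here lets a node be switched to `"new"` for that case. Since the commit adds two members, the matching `etcdctl member add` step presumably happens out of band; record that on the line, e.g. `# Cluster is already bootstrapped; new members must be added with 'etcdctl member add' before they are deployed with this state.` The `initialCluster` expression on the line above still lists all nodes, which is what `existing` expects, so the two are consistent. The `services.etcd` attrset starts in an earlier hunk.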
@@ -163,7 +176,7 @@
authorizationMode = ["Node" "RBAC"];
enableAdmissionPlugins = ["Initializers" "NamespaceLifecycle" "NodeRestriction" "LimitRanger" "ServiceAccount" "DefaultStorageClass" "ResourceQuota" "PodSecurityPolicy"];
extraOpts = ''
- --apiserver-count=3 \
+ --apiserver-count=5 \
--proxy-client-cert-file=${pki.kubeFront.apiserver.cert} \
--proxy-client-key-file=${pki.kubeFront.apiserver.key} \
--requestheader-allowed-names= \
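Review bot: `--apiserver-count=5` is a hand-maintained literal that has to be bumped every time a control-plane node is added, which is exactly what this commit does and what the next one will forget; the `nodes` list is already in scope for the etcd `initialCluster` expression in this file, so `--apiserver-count=${toString (builtins.length nodes)} \` keeps the two in step (assuming `nodes` is visible in this attrset as it is in the etcd one, which the hunk does not show). If the apiserver's endpoint reconciler is the lease-based default rather than `master-count`, this flag may have no effect at all, in which case a comment saying so would be clearer than a number that looks load-bearing. The surrounding `extraOpts` string continues past the hunk.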
@@ -210,7 +223,6 @@
kubelet = {
enable = true;
unschedulable = false;
- allowPrivileged = true;
hostname = fqdn;
tlsCertFile = pki.kube.kubelet.cert;
tlsKeyFile = pki.kube.kubelet.key;
@@ -242,6 +254,11 @@
# them to be removed on kubelet restart.
# TODO(https://github.com/NixOS/nixpkgs/issues/53601): fix when resolved
systemd.services.kubelet = {
- preStart = pkgs.lib.mkForce "sleep 1";
+ preStart = pkgs.lib.mkForce ''
+ ${lib.concatMapStrings (img: ''
+ echo "Seeding docker image: ${img}"
+ docker load <${img}
+ '') [infraContainer]}
+ '';
};
}
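Review bot: The new preStart reaches the same library two ways on adjacent lines, `pkgs.lib.mkForce` and `lib.concatMapStrings`; pick one spelling (`lib.mkForce` and `lib.concatMapStrings`, or `pkgs.lib` for both) so a reader does not wonder whether they are different `lib`s. The `mkForce` also replaces the nixpkgs kubelet module's own preStart wholesale with a re-implementation of its image-seeding loop; if the module version in use exposes a seed-image list option, appending `infraContainer` there would keep whatever else the module's preStart does, whereas if the override is deliberately dropping those steps (the TODO above the unit suggests it was), that reason belongs in the comment next to `mkForce` rather than only in the issue link. A failing `docker load` here blocks kubelet startup, which is the right behaviour for a pod infra image but is worth one line of comment since the loop prints only the store path it is loading.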