moar

2025-08-27 20:36:53 -04:00
parent adb0a25816
commit 8fe20838c7
6 changed files with 77 additions and 0 deletions
--- a/extras/k3s.nix
+++ b/extras/k3s.nix
@@ -0,0 +1,21 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  networking.firewall.allowedTCPPorts = [
+    6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+    # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
+    # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
+  ];
+  networking.firewall.allowedUDPPorts = [
+    # 8472 # k3s, flannel: required if using multi-node for inter-node networking
+  ];
+  services.k3s = {
+    enable = true;
+    role = "server";
+    # token = "jakeginesin12345678910";
+    tokenFile = config.age.secrets.kube.path;
+    clusterInit = true;
+  };
+}
--- a/hosts/meta.nix
+++ b/hosts/meta.nix
@@ -30,6 +30,11 @@
          owner = "synchronous";
          mode = "0400";
        };
+        kube = {
+          file = ../secrets/kube.age;
+          owner = "synchronous";
+          mode = "0400";
+        };
      };
      secretsDir = "/home/synchronous/.agenix/agenix";
      secretsMountPoint = "/home/synchronous/.agenix/agenix.d";
--- a/hosts/server1/configuration.nix
+++ b/hosts/server1/configuration.nix
@@ -9,6 +9,7 @@
    ../../system/system.nix
    ../meta.nix
    ../../extras/ssh.nix
+    ../../extras/k3s.nix
  ];

  config = {
--- a/hosts/server1/hardware-configuration.nix
+++ b/hosts/server1/hardware-configuration.nix
@@ -0,0 +1,44 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/1436d90d-9fcd-4eb6-bb08-44dcd9c269dd";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D9F0-20D1";
+    fsType = "vfat";
+    options = ["fmask=0077" "dmask=0077"];
+  };
+
+  swapDevices = [
+    {device = "/dev/disk/by-uuid/9041b708-1f67-4be6-ad52-f515ce609ff3";}
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/secrets/kube.age
+++ b/secrets/kube.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 1qNjsw Ek3rQ6H1rhWuYYzP9GZZ4yXCi5t/HkZYNm72OZuK7zI
+I962RYlYiBDu7nwR20cRXBw5wJvVoXK3TdbK0qi2LS0
+--- oJMC6ba36n6DYU8wQtXOsySMdmcDJ3Psmx9hKh9Gty8
+j#<23><>ߛ<EFBFBD><DF9B><EFBFBD>_<EFBFBD>g<EFBFBD>A<EFBFBD><41>Um<55>axO	<09>Jޖ<4A>#<23>X<EFBFBD><58>|˄<>$<24>8q<38>S<EFBFBD>L^<5E>HwE
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -5,4 +5,5 @@ in {
  "zsh_remote.age".publicKeys = [key];
  "tailscale-rq.age".publicKeys = [key];
  "ssh-pub.age".publicKeys = [key];
+  "kube.age".publicKeys = [key];
 }