diff --git a/configurations/nixos/kube-main-tofu/default.nix b/configurations/nixos/kube-main-tofu/default.nix
new file mode 100644
index 0000000..4d54a5b
--- /dev/null
+++ b/configurations/nixos/kube-main-tofu/default.nix
@@ -0,0 +1,28 @@
+{
+ flake,
+ config,
+ ...
+}:
+
+let
+ inherit (flake) inputs;
+ inherit (inputs) self;
+in
+{
+ imports = [
+ self.nixosModules.default
+ ];
+ deploy = {
+ enable = false;
+ };
+ kub = {
+ enable = true;
+ role = "server";
+ };
+ networking = {
+ hostName = "kube-main-tofu";
+ };
+ environment.systemPackages = [
+ ];
+ system.stateVersion = "25.05";
+}
diff --git a/modules/nixos/common/k3s.nix b/modules/nixos/common/k3s.nix
new file mode 100644
index 0000000..f8950e3
--- /dev/null
+++ b/modules/nixos/common/k3s.nix
@@ -0,0 +1,45 @@
+{
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+let
+ inherit (lib)
+ types
+ mkIf
+ mkOption
+ mkEnableOption
+ ;
+ cfg = config.kub;
+in
+{
+ options.kub = {
+ enable = mkEnableOption "enable k3s";
+ role = mkOption {
+ type = types.enum [
+ "server"
+ "agent"
+ ];
+ default = "agent";
+ };
+ leaderAddress = mkOption {
+ type = types.nullOr types.str;
+ default = null;
+ };
+ tokenFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ description = "File path containing k3s token to use when connecting to the server.";
+ default = config.sops.secrets.k3s-token.path or null;
+ };
+ };
+ config = mkIf cfg.enable {
+ sops.secrets.k3s-token = { };
+ services = {
+ k3s = {
+ enable = true;
+ clusterInit = mkIf (cfg.role == "server") true;
+ };
+ };
+ };
+}
diff --git a/secrets.yaml b/secrets.yaml
index d1c315f..937e90b 100644
--- a/secrets.yaml
+++ b/secrets.yaml
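Review bot: In modules/nixos/common/k3s.nix the `config` block sets only `services.k3s.enable` and `clusterInit`, so `kub.role`, `kub.leaderAddress` and `kub.tokenFile` are declared but never reach the service. The `k3s-token` secret is decrypted onto the host yet is not the token k3s actually uses, and a host left at the default `role = "agent"` would, as far as I can tell from the upstream module's defaults, still start as a server. Pass them through inside `k3s = { … }`: `role = cfg.role;`, `tokenFile = cfg.tokenFile;` and `serverAddr = mkIf (cfg.leaderAddress != null) cfg.leaderAddress;`. `role` and `leaderAddress` also lack a `description`, and `mkEnableOption "enable k3s"` renders as "Whether to enable enable k3s."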
@@ -3,6 +3,7 @@ forgejo-runners-token: ENC[AES256_GCM,data:y6m9JciySpqJ8QOtHGoUG5McPXyZSODqRHCLV
 forgejo-nix-key: ENC[AES256_GCM,data:LKC8t2KSrILh0nc5xlSgQ9OuhQcc3m84fE9UJeVi1lXsv0mn+MddQw083WaDxMdlZKjbH0QclDfIkJCbHpJ/wEWVXzkVGErCJmdWeH1YEgElj5FuaFrDmbKNn8rhV7t3FYn04ni8iypLV/wPBqvVI/Yt,iv:r/SHHXjA2raRIKs/fZxJodVgMunp+RmL1SjVZOGli+E=,tag:MmBhUHCZRgSW2uhBd4o72A==,type:str]
 graylog: ENC[AES256_GCM,data:KmQ4yisUXCrexpK9v7irhSsF1pAm0pMZ/mh91iEuf7jR14u6d2prPF7Uv6Z48Otx7WyPJ+ec+hIRmuLTNHbGxTDIOQnXui32No5H/Hnj06pMqW2Jsir/Bfr8eCRZxJKMTKhl4f0KVSKGKAbbV1saJPHtcybqfX65i8NQCeDFB+m/ViyLslMJKrYga8laoxTBYa4Kdi/0LiEuvi6uGQ8JwhDWzK/6EQkc/z0VNXdSYcz0kd8z26iuDhe/B3sesk8wgKDNkfjmTH2jgN8I+o700l9s/2Ob9QbIoA==,iv:P4AMWPnYNUUuy1CRip6yKbjRRkcLdCLWW9oiuxskhbY=,tag:L+TJmmSbImk2MnDeun2zNQ==,type:str]
 linode-caddy-key: ENC[AES256_GCM,data:509GFunslzwOpHyzniMVPoa1xRgEqYV+lTxziPuqovQMvzksXSeBMy2eHm9UzNulgotwtjuQdwt3L8myMWQddg==,iv:vP+iSLsTfeq3pBzqSE0uz1YL7iT8xrn/tdY49SqYfX0=,tag:ld15wy+D7rj9topFEfswyg==,type:str]
+k3s-token: ENC[AES256_GCM,data:jvXZqiCnPxgYitDVApfLfz+7BDY0Dy7y5+WEIDZrMMkjlmzGRttNDnSQP71yNlw=,iv:77g6kcGmpPXVGQy5GbswrDVBKVYOYM8ggZEr6ELMkvY=,tag:+3mmYY5Sh69Gfzo+Ahu5bQ==,type:str]
 sops:
 age:
 - recipient: age1ja6zky2xlptgmu04ghp30z9gcyw240p4p8jpqeznt9msmmrwjdjshl6rx3
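Review bot: The `k3s-token` entry is added without any change to the `sops.age` recipient list in the visible hunks; only `lastmodified` and `mac` move. If the new kube-main-tofu host's age key is not already one of the existing recipients, sops-nix on that host will presumably fail to decrypt the secret at activation, so confirm the host key is in the recipient set and the file has been re-keyed before `kub.enable = true` is deployed there. It is also worth confirming that every existing recipient is meant to read the cluster join token, since each of them can decrypt every value in this file.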
@@ -50,7 +51,7 @@ sops:
 NGV1T1NlaE43dTF4M1VlVWtIbEIvYUkKZ0JmNRKvbrF6qziZI1WUIuAkz4Xad0xP
 l39Dg3IRC8+UtwjKbhCGZSJbBDsO1srpk4LOYiYD4R1hsvn/OagNUw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-29T01:23:00Z"
- mac: ENC[AES256_GCM,data:XqyWXYlcZoDnHMTIISa2hUQgbtwUopZeEzTizoTM6Nnu7Yfh8hKgVSG2LVhXasjNw6/u/SPevr/pq/pBzVyQwvud/ILmvg8aLm7/mMxcrblKXCdr69lpqQ1bJ1ZDtTU6DMjXcRaEgzU+7vlLD9BiyRmk/Ncy5MWiQ1EkosM5/EI=,iv:qbUc4I4J4xpPZ/tS4kxXdquLnZ6Pp15A6Z19pgn8YS4=,tag:H6K/Sqh4rCn9SmVtbRqVJQ==,type:str]
+ lastmodified: "2025-07-07T21:18:10Z"
+ mac: ENC[AES256_GCM,data:T6h96IyW1tB0BYgeIj2HEG9hJcoeEQgvCSPMdJJ3w++/bk7RT2368iO5A5CfvjOw8mphojIh0iMbvLylQBHJCR63kVWEASbGQBWi1FLnB8K9rXtTKgXmIiIPJsoorm9JpjFcIhjEzuaT7XjYgXhbkI1BYMyqcoTi1oBWv4uvucM=,iv:y8RR0Kdr4qm+V2Ez1rfgfDh3qhZXcgqmloQzPYfvD9s=,tag:P+vZNjIX4d7DM4CKRfrEpA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.10.2