Merge pull request #13 from 99linesofcode/add-support-for-kubernetes

Add support for kubernetes (K3s)

Author: 99linesofcode

flake.lock

@@ -37,6 +37,7 @@
     {
       nixpkgs,
       self,
+      disko,
       sops-nix,
       ...
     }@inputs:
@@ -65,13 +66,16 @@
         args:
         nixpkgs.lib.nixosSystem {
           modules = [
+            disko.nixosModules.disko
             sops-nix.nixosModules.sops
             (import ./modules)
             (import ./users)
-          ] ++ args.modules;
+          ]
+          ++ args.modules;
           specialArgs = {
             inherit self inputs outputs;
-          } // (args.specialArgs or { });
+          }
+          // (args.specialArgs or { });
         };
     in
     {

flake.nix

@@ -1,5 +1,6 @@
 {
   inputs,
+  modulesPath,
   pkgs,
   self,
   ...
@@ -10,7 +11,7 @@ let
 in
 {
   imports = [
-    inputs.disko.nixosModules.disko
+    (modulesPath + "/installer/scan/not-detected.nix")
     ./disko.nix
     ./hardware-configuration.nix
     ../shared
@@ -55,10 +56,14 @@ in
     avahi.enable = true;
     bluetooth.enable = true;
     catt.enable = true;
-    docker.enable = true;
+    docker = {
+      enable = true;
+      rootless.enable = false;
+    };
     graphics.enable = true;
     hyprland.enable = true;
     intel.enable = true;
+    k3s.enable = true;
     nvidia.enable = true;
     power-management.enable = true;
     sound.enable = true;

hosts/luna/default.nix

@@ -10,10 +10,6 @@
 }:
 
 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
-
   boot.initrd.availableKernelModules = [
     "xhci_pci"
     "nvme"

hosts/luna/hardware-configuration.nix

@@ -1,5 +1,6 @@
-{ ... }:
+{ lib, ... }:
 
+with lib;
 {
   imports = [
     ./home-manager.nix
@@ -10,8 +11,10 @@
 
   services = {
     automatic-timezoned.enable = true;
-    geoclue2.geoProviderUrl = "https://beacondb.net/v1/geolocate";
-    # keyd - low level key remapping daemon
+    geoclue2 = {
+      enableDemoAgent = mkForce true; # FIXME: see https://github.com/NixOS/nixpkgs/issues/68489#issuecomment-1484030107
+      geoProviderUrl = "https://beacondb.net/v1/geolocate";
+    };
     keyd = {
       enable = true;
       keyboards.default.settings = {

hosts/shared/default.nix

@@ -11,6 +11,7 @@
     settings = {
       accept-flake-config = true;
       auto-optimise-store = true;
+      download-buffer-size = 524288000; # 500MB
       experimental-features = [
         "nix-command"
         "flakes"

hosts/shared/nix.nix

@@ -15,32 +15,39 @@ let
 in
 with lib;
 {
-  options = {
-    host.docker.enable = mkEnableOption "docker";
+  options.host.docker = with types; {
+    enable = mkEnableOption "docker";
+    rootless.enable = mkEnableOption "rootless mode";
   };
 
   config = mkIf cfg.enable {
-    environment = {
-      #  TODO: docker should fallback to gnome-keyring by default
-      # systemPackages = with pkgs; [
-      #   docker-credential-helpers
-      # ];
-    };
-
-    hardware.nvidia-container-toolkit.enable = true;
+    hardware.nvidia-container-toolkit.enable = mkIf config.host.nvidia.enable true;
 
     virtualisation.docker = {
       enable = true;
       autoPrune.enable = true;
-      rootless = {
+      daemon.settings = mkIf (!config.host.docker.rootless.enable) {
+        dns = dnsServers;
+        log-driver = "json-file"; # fix kubernetes logging
+      };
+      rootless = mkIf config.host.docker.rootless.enable {
         enable = true;
         setSocketVariable = true;
-        daemon.settings.dns = dnsServers;
+        daemon.settings = {
+          dns = dnsServers;
+          log-driver = "json-file"; # fix kubernetes logging
+        };
       };
       storageDriver = mkIf config.host.btrfs.enable "btrfs";
     };
 
-    security.wrappers = {
+    networking = {
+      firewall.allowedTCPPorts = [
+        9003 # required so PHP XDebug can reach host machine
+      ];
+    };
+
+    security.wrappers = mkIf config.host.docker.rootless.enable {
       docker-rootlesskit = {
         owner = "root";
         group = "root";

modules/docker.nix

@@ -25,7 +25,6 @@ with lib;
       graphics = {
         extraPackages = with pkgs; [
           intel-compute-runtime # OpenCL for gen8 and beyond
-          intel-media-sdk # Quick Sync Video for older processors
           intel-media-driver # Accelerated Video Playback for Broadwell or newer processors. LIBVA_DRIVER_NAME=iHD
           # intel-vaapi-driver # Accelerated Video Playback for older processors. LIBVA_DRIVER_NAME=i965
         ];

modules/intel.nix

@@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.host.k3s;
+in
+with lib;
+{
+  options = {
+    host.k3s.enable = mkEnableOption "k3s - lightweight Kubernetes distribution";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      kubernetes-helm
+    ];
+
+    environment.etc."kube/config" = {
+      source = "/var/lib/rancher/k3s/server/cred/admin.kubeconfig";
+      target = "/home/shorty/.kube/config";
+      mode = "0600";
+      user = "shorty";
+      group = "users";
+    };
+
+    services.k3s = {
+      enable = true;
+      extraFlags = [
+        "--disable=traefik"
+        "--disable=servicelb"
+        "--docker"
+        "--write-kubeconfig-mode=0644"
+      ];
+      role = "server";
+      # autoDeployCharts = {
+      #   traefik = {
+      #     name = "traefik";
+      #     repo = "https://traefik.github.io/charts";
+      #     version = "36.1.0";
+      #     hash = "sha256-APQuQjKEpNwIaNi0RujZS1RcVLuPKC2PEXNLeM8/1F0=";
+      #     values = {
+      #       providers = {
+      #         kubernetesIngress.enabled = false;
+      #         kubernetesGateway.enabled = true;
+      #       };
+      #       gateway.namespacePolicy = "All";
+      #     };
+      #   };
+      # };
+    };
+
+    networking = {
+      firewall.allowedTCPPorts = [
+        6443 # required so pods can reach API server
+      ];
+    };
+  };
+}

modules/k3s.nix

@@ -31,7 +31,7 @@ with lib;
       };
 
       nvidia = {
-        modesetting.enable = true;
+        modesetting.enable = true; # default since 535
         nvidiaSettings = true;
         open = false;
         package = config.boot.kernelPackages.nvidiaPackages.beta;