diff --git a/Makefile b/Makefile index cd6cd80..73726d1 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ SHELL:=/usr/bin/env bash MAKEFLAGS += --no-builtin-rules --no-builtin-variables TF_CMD:=apply -auto-approve VARIANT=builder -TESTING_X86_URL=https://github.com/loic-roux-404/k3s-paas/releases/download/nixos-testing/nixos.qcow2 +TESTING_X86_URL=https://github.com/loic-roux-404/kube-paas/releases/download/nixos-testing/nixos.qcow2 TARGET?=initial #### Nix diff --git a/README.md b/README.md index ed16e16..f4919af 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # K3s PaaS -- [Documentation](https://loic-roux-404.github.io/k3s-paas/) +- [Documentation](https://loic-roux-404.github.io/kube-paas/) - [Original tutorial (FR)](https://github.com/esgi-lyon/paas-tutorial/blob/main/docs/index.md) Compatibility Matrix : @@ -184,7 +184,7 @@ nix-store --verify --check-contents --repair Undefine pool : ```bash -virsh -c qemu:///system pool-undefine libvirt-pool-k3s-paas +virsh -c qemu:///system pool-undefine libvirt-pool-kube-paas ``` Undefine vm to avoid conflicts : @@ -216,7 +216,7 @@ openssl passwd -salt zizou -6 zizou420! Set context : ```bash -kubectl config set-cluster default --server=http://k3s-paas-master-0:6443 +kubectl config set-cluster default --server=http://localhost-0:6443 kubectl config default test-cluster ``` diff --git a/docs/1-install.md b/docs/1-install.md index 244bab7..050b5e5 100644 --- a/docs/1-install.md +++ b/docs/1-install.md @@ -47,7 +47,7 @@ sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.ke Setup waypoint inside cluster before getting token : ```bash -Run KUBECONFIG=/etc/rancher/k3s/k3s.yaml waypoint login -from-kubernetes +Run KUBECONFIG=/etc/rancher/rke2/rke2.yaml waypoint login -from-kubernetes ``` Setup waypoint login context outside cluster : diff --git a/docs/2-help.md b/docs/2-help.md index 55bb67a..40326ac 100644 --- a/docs/2-help.md +++ b/docs/2-help.md 
@@ -23,7 +23,7 @@ We will fetch the kubeconfig in our container that embeds K3s and the cluster. Copy the kube config k3s with : ```sh -docker cp node-0:/etc/rancher/k3s/k3s.yaml ~/.kube/config +docker cp node-0:/etc/rancher/rke2/rke2.yaml ~/.kube/config ``` If you don't have kubectl locally: diff --git a/docs/index.md b/docs/index.md index d294771..a4568cc 100644 --- a/docs/index.md +++ b/docs/index.md @@ -15,7 +15,7 @@ ## Applying -Follow the steps in [README.md](https://github.com/loic-roux-404/k3s-paas/blob/main/README.md) to apply the infrastructure. +Follow the steps in [README.md](https://github.com/loic-roux-404/kube-paas/blob/main/README.md) to apply the infrastructure. ## Index diff --git a/flake.lock b/flake.lock index 15a16f1..fe869b0 100644 --- a/flake.lock +++ b/flake.lock @@ -7,11 +7,11 @@ ] }, "locked": { - "lastModified": 1725975477, - "narHash": "sha256-sBnXxmYBb0S85Vkny97z2TFLd5SJW5o0k6KQNwpSLb0=", + "lastModified": 1727003835, + "narHash": "sha256-Cfllbt/ADfO8oxbT984MhPHR6FJBaglsr1SxtDGbpec=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "5b2d8e9a47c3e17514650d1ce7d5e907114db82b", + "rev": "bd7d1e3912d40f799c5c0f7e5820ec950f1e0b3d", "type": "github" }, "original": { @@ -41,11 +41,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { 
@@ -62,11 +62,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725948275,
- "narHash": "sha256-4QOPemDQ9VRLQaAdWuvdDBhh+lEUOAnSMHhdr4nS1mk=",
+ "lastModified": 1727111745,
+ "narHash": "sha256-EYLvFRoTPWtD+3uDg2wwQvlz88OrIr3zld+jFE5gDcY=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "e5fa72bad0c6f533e8d558182529ee2acc9454fe",
+ "rev": "21c021862fa696c8199934e2153214ab57150cb6",
 "type": "github"
 },
 "original": {
@@ -78,11 +78,11 @@
 },
 "nixlib": {
 "locked": {
- "lastModified": 1725757153,
- "narHash": "sha256-c1a6iLmCVPFI9EUVMrBN8xdmFxFXEjcVwiTSVmqajOs=",
+ "lastModified": 1726966855,
+ "narHash": "sha256-25ByioeOBFcnitO5lM/Mufnv/u7YtHEHEM8QFuiS40k=",
 "owner": "nix-community",
 "repo": "nixpkgs.lib",
- "rev": "68584f89dd0eb16fea5d80ae127f3f681f6a5df7",
+ "rev": "575704ff85d3a41dc5bfef7b55380cbc7b87f3c2",
 "type": "github"
 },
 "original": {
@@ -100,11 +100,11 @@
 ]
 },
 "locked": {
- "lastModified": 1725843519,
- "narHash": "sha256-Z6DglUwgFDz6fIvQ89wx/uBVWrGvEGECq0Ypyk/eigE=",
+ "lastModified": 1727053438,
+ "narHash": "sha256-t/+z1Tf7hSaStU1pBYkY7i0/GkG+YIPSmfeRrK8eYUw=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "214efbd73241d72a8f48b8b9a73bb54895cd51a7",
+ "rev": "e8c1cd886cc17e31e424f915efd32e84d8af0ce9",
 "type": "github"
 },
 "original": {
@@ -145,6 +145,21 @@
 "type": "github"
 }
 },
+ "nixpkgs-rke-patched": {
+ "locked": {
+ "lastModified": 1727123370,
+ "narHash": "sha256-BUs32+77IyvShymNzjRqIkRqEwfSJRyC1CbAaeACiAo=",
+ "owner": "loic-roux-404",
+ "repo": "nixpkgs",
+ "rev": "669604bc362057f01fc7aeb6ca89d3b11b466fa1",
+ "type": "github"
+ },
+ "original": {
+ "owner": "loic-roux-404",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
 "nixpkgs-stable": {
 "locked": {
 "lastModified": 1725762081,
@@ -163,11 +178,11 @@
 },
 "nixpkgs-stable-darwin": {
 "locked": {
- "lastModified": 1725907616,
- "narHash": "sha256-yd/OA4gqu8Z9bwrXYi4l4GMZlGm8TVDhgdMZ18xoDmg=",
+ "lastModified": 1727076372,
+ "narHash": "sha256-gXIWudYhY/4LjQPvrGn9lN4fbHjw/mf1mb9KKJK//4I=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "bb41063b61dbfbabd499bb516ac06ab61a1f9012",
+ "rev": "7ca0f93c530406c1610defff0b9bf643333cf992",
 "type": "github"
 },
 "original": {
@@ -195,11 +210,11 @@
 },
 "nixpkgs_3": {
 "locked": {
- "lastModified": 1725814378,
- "narHash": "sha256-cwnCIninNWySL3ruFH5iVFnx/Fr0xL44NOLzvf1s2tc=",
+ "lastModified": 1727016414,
+ "narHash": "sha256-bj9ch2QIF8jqBlPOVRnJygy1K7yWtvh8Lf7I/rsqG3A=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "61ddb09cfaa7424d7fc8e3040ccd5c8c6f875b15",
+ "rev": "179b6bce21525a3a9e725c08e6ed58d56da74825",
 "type": "github"
 },
 "original": {
@@ -218,6 +233,7 @@
 "nixos-generators": "nixos-generators",
 "nixpkgs": "nixpkgs",
 "nixpkgs-legacy": "nixpkgs-legacy",
+ "nixpkgs-rke-patched": "nixpkgs-rke-patched",
 "nixpkgs-srvos": [
 "srvos",
 "nixpkgs"
@@ -233,11 +249,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1725922448,
- "narHash": "sha256-ruvh8tlEflRPifs5tlpa0gkttzq4UtgXkJQS7FusgFE=",
+ "lastModified": 1726524647,
+ "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "cede1a08039178ac12957733e97ab1006c6b6892",
+ "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
 "type": "github"
 },
 "original": {
@@ -251,11 +267,11 @@
 "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1725909399,
- "narHash": "sha256-4+SWOnHF0ccWW83bRwNdCoRT1guUP0NFb9MjmUAtL/0=",
+ "lastModified": 1727078420,
+ "narHash": "sha256-zAj2AdZ24bcRyDc5B4LqlepodHFLzAboPPm1tiiWyts=",
 "owner": "numtide",
 "repo": "srvos",
- "rev": "e7022e399408e7d1be6abdd16fa4c041755df14b",
+ "rev": "63ea710b10c88f2158251d49eec7cc286cefbd68",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix index 462f7fb..f570c18 100644 --- a/flake.nix +++ b/flake.nix @@ -13,6 +13,8 @@ darwin.url = "github:LnL7/nix-darwin"; darwin.inputs.nixpkgs.follows = "nixpkgs-stable-darwin"; + nixpkgs-rke-patched.url = "github:loic-roux-404/nixpkgs"; + home-manager = { url = "github:nix-community/home-manager/master"; inputs.nixpkgs.follows = "srvos/nixpkgs"; @@ -122,7 +124,7 @@ }; # Config with small modifications needed/desired for CI with GitHub workflow - githubCI = self.darwinConfigurations.k3s-paas-host.override { + githubCI = self.darwinConfigurations.default.override { system = "x86_64-darwin"; username = "runner"; nixConfigDirectory = "/Users/runner/work/nixpkgs/nixpkgs"; @@ -141,6 +143,7 @@ oldLegacyPackages = import inputs.nixpkgs-legacy (nixpkgsDefaults // { inherit system; }); specialArgs = { inherit oldLegacyPackages; + nixpkgsRkePatched = import inputs.nixpkgs-rke-patched { inherit system; }; }; in { diff --git a/mkdocs.yml b/mkdocs.yml index e404ac4..af66024 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -10,7 +10,7 @@ plugins: enumerate_headings: false add_to_navigation: true -repo_url: https://github.com/loic-roux-404/k3s-paas +repo_url: https://github.com/loic-roux-404/kube-paas markdown_extensions: - markdown.extensions.extra - toc: diff --git a/nixos-darwin/configuration.nix b/nixos-darwin/configuration.nix index 494dfb2..4bba19d 100644 --- a/nixos-darwin/configuration.nix +++ b/nixos-darwin/configuration.nix @@ -5,7 +5,7 @@ ... }: -with config.k3s-paas; +with config.paas; { programs.fish.enable = true; diff --git a/nixos-options/default.nix b/nixos-options/default.nix index 3c37a89..4c9745f 100644 --- a/nixos-options/default.nix +++ b/nixos-options/default.nix @@ -1,7 +1,7 @@ { lib, pkgs, config, ... }: { - options.k3s-paas = { + options.paas = { certs = lib.mkOption { default = [ 
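Review bot: `nixpkgsRkePatched = import inputs.nixpkgs-rke-patched { inherit system; };` imports the fork with a bare `{ inherit system; }`, while the `oldLegacyPackages` import on the line above passes `nixpkgsDefaults // { inherit system; }`, so whatever `nixpkgsDefaults` carries (config, overlays) is not applied to the package set that now supplies `rke2`. Unless that omission is deliberate, make it `nixpkgsRkePatched = import inputs.nixpkgs-rke-patched (nixpkgsDefaults // { inherit system; });`. The input added in the `@@ -13,6 +13,8 @@` hunk, `nixpkgs-rke-patched.url = "github:loic-roux-404/nixpkgs";`, is a personal fork of nixpkgs with no ref, so `nix flake update` will follow its default branch; flake.lock pins a rev for now, but a comment beside the input naming the patch it carries and the upstream change that would let it be dropped (`# fork of nixpkgs carrying <PATCH-DESCRIPTION>; drop once merged upstream`) keeps that supply-chain dependency reviewable. The `specialArgs` set continues outside the hunk.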
@@ -14,7 +14,7 @@ dns.name = lib.mkOption { default = "k3s.test"; type = lib.types.str; - description = "hostname for k3s-paas"; + description = "hostname for paas"; }; dns.dest-ips = lib.mkOption { @@ -41,17 +41,17 @@ user.key = lib.mkOption { default = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC94/4uRn429xMGLFWZMyJWlhb5D0L3EoO8HxzN4q1ps loic@Windows-8-Phone.local"; type = lib.types.str; - description = "SSH public key for k3s-paas."; + description = "SSH public key for paas."; }; k3s.disableServices = lib.mkOption { - default = ["traefik" "metrics-server" "servicelb" ]; + default = [ "traefik" "rke2-ingress-nginx" ]; type = lib.types.listOf lib.types.str; description = "Disable k8s services eg: traefik,servicelb"; }; k3s.serverExtraArgs = lib.mkOption { - default = ["--disable-kube-proxy" "--egress-selector-mode=disabled"]; + default = []; type = lib.types.listOf lib.types.str; description = "Extra arguments for k8s server"; }; @@ -101,7 +101,7 @@ dex.dexClientId = lib.mkOption { type = lib.types.str; description = "Client ID for Dex"; - default = "dex-k3s-paas"; + default = "dex-paas-org-404"; }; cert-manager.version = lib.mkOption { @@ -114,15 +114,10 @@ type = lib.types.path; description = "Default config yaml"; }; - - defaultCiliumConfig = lib.mkOption { - type = lib.types.str; - description = "Default cilium config"; - }; }; - config = with config.k3s-paas; { - k3s-paas.defaultK3sConfigPath = pkgs.writeText "server-config.yaml" '' + config = with config.paas; { + paas.defaultK3sConfigPath = pkgs.writeText "server-config.yaml" '' cluster-cidr: ${k3s.podCIDR} service-cidr: ${k3s.serviceCIDR} cluster-dns: ${k3s.clusterDns} 
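Review bot: The new `k3s.disableServices` default `[ "traefik" "rke2-ingress-nginx" ]` still lists `traefik`, which is a K3s packaged component, not an RKE2 one; nixos/configuration.nix in this diff turns each entry into `--disable=<name>` for `services.rke2`, so the entry either trips RKE2's flag validation or is a silent no-op — I have not confirmed which. `default = [ "rke2-ingress-nginx" ];` matches the new runtime, and the description `"Disable k8s services eg: traefik,servicelb"` should name RKE2 components rather than the K3s ones. The option set continues outside the hunk.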
@@ -137,66 +132,5 @@ kube-apiserver-arg=oidc-username-claim: email kube-apiserver-arg=oidc-groups-claim: groups ''; - - k3s-paas.defaultCiliumConfig = '' - apiVersion: helm.cattle.io/v1 - kind: HelmChart - metadata: - name: cilium - namespace: kube-system - spec: - name: cilium - targetNamespace: cilium - createNamespace: true - repo: https://helm.cilium.io - chart: cilium - backOffLimit: 200 - timeout: "180s" - version: ${cilium.version} - valuesContent: |- - l2announcements: - enabled: true - kubeProxyReplacement: true - bpf: - masquerade: true - lbExternalClusterIP: false - gatewayAPI: - enabled: false - routingMode: tunnel - tunnelProtocol: vxlan - ingressController: - enabled: true - default: true - loadbalancerMode: dedicated - service: - name: cilium-ingress-external - labels: - k3s-paas/internal: "true" - prometheus: - enabled: true - serviceMonitor: - enabled: true - operator: - replicas: 1 - prometheus: - enabled: true - hubble: - relay: - enabled: true - metrics: - enabled: - - dns - - drop - - tcp - - flow - - port-distribution - - icmp - - httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction - enableOpenMetrics: true - ipam: - operator: - clusterPoolIPv4PodCIDRList: - - "${k3s.podCIDR}" - ''; }; } diff --git a/nixos/configuration.nix b/nixos/configuration.nix index 2867357..408d387 100644 --- a/nixos/configuration.nix +++ b/nixos/configuration.nix @@ -3,10 +3,11 @@ lib, pkgs, oldLegacyPackages, + nixpkgsRkePatched, ... }: -with config.k3s-paas; +with config.paas; let userSshConfig = { 
@@ -54,12 +55,15 @@ in { nftables.enable = true; nftables.flushRuleset = true; firewall = { + enable = lib.mkForce false; trustedInterfaces = [ "tailscale0" ]; - allowedTCPPorts = lib.mkDefault [ 80 443 22 ]; + allowedTCPPorts = lib.mkDefault [ 80 443 22 4240 8472 2379 ]; allowedUDPPorts = [ config.services.tailscale.port ]; }; }; + services.fail2ban.enable = true; + programs.ssh.package = pkgs.openssh_hpn; services.openssh = { enable = true; 
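Review bot: `enable = lib.mkForce false;` turns the NixOS firewall off for every host built from this module, so the `allowedTCPPorts` added on the next line have no effect and, unless something outside this diff filters host traffic, everything listening on the node — including the etcd port 2379 the list now names and the API server — is reachable on all interfaces; `mkForce` also stops deploy.nix from re-enabling it per host. `tailscale0` is already in `trustedInterfaces`, which is the usual way to let node-to-node traffic through while public interfaces stay filtered, so if the intent was to let Cilium own the datapath, prefer `enable = lib.mkDefault true;` and open only what must be public. Separately, 8472 is the VXLAN port (the Cilium values elsewhere in this diff set `tunnelProtocol: vxlan`) and VXLAN runs over UDP, so it belongs in `allowedUDPPorts`, not `allowedTCPPorts`. The enclosing `networking` attribute set starts before the hunk.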
@@ -102,60 +106,64 @@ in { ''; }; - systemd.services.k3s.serviceConfig.Environment = "PATH=${pkgs.tailscale}/bin:${pkgs.coreutils}/bin"; - systemd.services.k3s.serviceConfig.ExecStartPre = "${pkgs.coreutils}/bin/sleep 60"; - services.k3s = { + services.rke2 = { enable = lib.mkDefault true; + package = nixpkgsRkePatched.rke2; role = "server"; - extraFlags = lib.strings.concatStringsSep " " ( - map (service: "--disable=${service}") k3s.disableServices - ++ k3s.serverExtraArgs - ++ [ - "--flannel-backend=none" - "--disable-kube-proxy" - "--disable-network-policy" - "--egress-selector-mode=disabled" - ] - ); + cni = "cilium"; + extraFlags = map (service: "--disable=${service}") k3s.disableServices + ++ k3s.serverExtraArgs; configPath = lib.mkDefault defaultK3sConfigPath; - manifests.cert-manager.content = { - apiVersion = "helm.cattle.io/v1"; - kind = "HelmChart"; - metadata = { - name = "cert-manager"; - namespace = "kube-system"; - }; - spec = { - name = "cert-manager"; - targetNamespace = "cert-manager"; - createNamespace = true; - repo = "https://charts.jetstack.io"; - chart = "cert-manager"; - version = cert-manager.version; - backOffLimit = 200; - timeout = "180s"; - - set."crds.enabled" = "true"; - }; - }; - manifests.cilium.source = lib.mkDefault (pkgs.writeText "cilium.yaml" '' - ${defaultCiliumConfig} - k8sServiceHost: "127.0.0.1" - k8sServicePort: "${k3s.servicePort}" - ''); }; - services.fail2ban.enable = true; + environment.etc."rke2/cert-manager.yaml".source = lib.mkDefault (pkgs.writeText "cert-manager.yaml" '' + apiVersion: helm.cattle.io/v1 + kind: HelmChart + metadata: + name: cert-manager + namespace: kube-system + spec: + name: cert-manager + targetNamespace: cert-manager + createNamespace: true + repo: https://charts.jetstack.io + chart: cert-manager + version: ${cert-manager.version} + backOffLimit: 200 + timeout: 180s + set: + crds.enabled: "true" + ''); - security.pki.certificateFiles = certs; + environment.etc."rke2/cilium-config.yaml".source = 
lib.mkDefault (pkgs.writeText "cilium.yaml" '' + apiVersion: helm.cattle.io/v1 + kind: HelmChartConfig + metadata: + name: rke2-cilium + namespace: kube-system + spec: + valuesContent: |- + ingressController: + enabled: true + default: true + hubble: + relay: + enabled: true + ''); + + system.userActivationScripts.installKubeManifests = '' + cd /var/lib/rancher/rke2/server/manifests/ + cp -rpf ${config.environment.etc."rke2/cilium-config.yaml".target} . + cp -rpf ${config.environment.etc."rke2/cert-manager.yaml".target} . + ''; home-manager.useGlobalPkgs = true; home-manager.useUserPackages = true; - home-manager.users.${config.k3s-paas.user.name} = { + home-manager.users.${config.paas.user.name} = { xdg.enable = true; home.stateVersion = "24.05"; home.sessionVariables = { - KUBECONFIG = "/etc/rancher/k3s/k3s.yaml"; + KUBECONFIG = "/etc/rancher/rke2/rke2.yaml"; }; home.shellAliases = { kubectl = "sudo -E kubectl"; @@ -189,7 +197,7 @@ in { dnsutils jq wget - k3s + rke2 kubectl kubernetes-helm oldLegacyPackages.waypoint @@ -202,6 +210,7 @@ in { security.sudo.configFile = '' Defaults env_keep += "SYSTEMD_EDITOR" ''; + security.pki.certificateFiles = certs; security.sudo.wheelNeedsPassword = false; security.sudo = { enable = true; @@ -230,7 +239,7 @@ in { "${pkgs.iproute2}/bin/ip" "${pkgs.iptables}/bin/iptables" ]; - groups = [ "reader" ]; + groups = [ "wheel" ]; }]; }; diff --git a/nixos/contabo.nix b/nixos/contabo.nix index 8dd551c..2b334ab 100644 --- a/nixos/contabo.nix +++ b/nixos/contabo.nix @@ -8,5 +8,5 @@ swapDevices = [ ]; - k3s-paas.certs = []; + paas.certs = []; } diff --git a/nixos/deploy.nix b/nixos/deploy.nix index 2b23288..7b8ddf9 100644 --- a/nixos/deploy.nix +++ b/nixos/deploy.nix @@ -1,6 +1,6 @@ { config, ... } : -with config.k3s-paas; +with config.paas; { networking.hostName = "localhost-0"; sops.validateSopsFiles = false; 
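Review bot: `installKubeManifests` copies from `${config.environment.etc."rke2/cilium-config.yaml".target}`, but `environment.etc.<name>.target` is the symlink name relative to `/etc` (here `rke2/cilium-config.yaml`), not an absolute path, so after `cd /var/lib/rancher/rke2/server/manifests/` both `cp` commands look for `rke2/…` under the manifests directory and fail. As far as I can tell `system.userActivationScripts` also runs per user rather than as root, so even with a correct path the copy into the root-owned `/var/lib/rancher` tree would be denied, and without `set -e` a failed `cd` leaves the script copying into whatever directory it happened to be in. A root-level `system.activationScripts` entry with absolute paths, `install -d` for the (possibly not yet existing) directory, and `-L` so the `environment.etc` symlink is dereferenced instead of copied as a link addresses all three; the sops-backed override in deploy.nix keeps working since it only changes `.source`.
```nix
  system.activationScripts.installKubeManifests = ''
    install -d -m 0700 /var/lib/rancher/rke2/server/manifests
    cp -Lpf /etc/${config.environment.etc."rke2/cilium-config.yaml".target} \
      /var/lib/rancher/rke2/server/manifests/
    cp -Lpf /etc/${config.environment.etc."rke2/cert-manager.yaml".target} \
      /var/lib/rancher/rke2/server/manifests/
  '';
```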
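Review bot: `groups = [ "wheel" ];` in the `@@ -230,7 +239,7 @@` hunk scopes what looks like a `security.sudo.extraRules` entry (a `commands` list of `ip`/`iptables` binaries) to wheel, but the `@@ -202,6 +210,7 @@` hunk above shows `security.sudo.wheelNeedsPassword = false;`, so wheel members can already run any command without a password and this rule no longer restricts anything. If the `reader` group went away with the `reader` user (deploy.nix in this diff drops `users.users.reader`), deleting the rule is clearer than repointing it at wheel; if a reduced-privilege operator group is still wanted, keep a dedicated group here instead. The rule list continues outside the hunk.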
@@ -8,7 +8,19 @@ with config.k3s-paas; sops.defaultSopsFile = "/home/${user.name}/secrets.yaml"; sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" "${config.sops.secrets.nodePrivateKey.path}" ]; - networking.firewall.allowedTCPPorts = [ 80 443 ]; + sops.secrets = { + nodeIp = {}; + internalNodeIp = {}; + nodePrivateKey = { + neededForUsers = true; + }; + tailscaleNodeKey = {}; + paasDomain = {}; + tailscaleDomain = {}; + password = { neededForUsers = true; }; + }; + + #networking.firewall.allowedTCPPorts = [ 80 443 ]; services.tailscale.authKeyFile = config.sops.secrets.tailscaleNodeKey.path; services.tailscale.extraUpFlags = [ 
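Review bot: `#networking.firewall.allowedTCPPorts = [ 80 443 ];` leaves a commented-out assignment where the per-host port list used to be, and a reader cannot tell whether the ports were meant to stay open or not; either delete the line or keep the assignment. Note that with `networking.firewall.enable = lib.mkForce false` in nixos/configuration.nix in this same diff, no per-host port list takes effect anyway, so this line was the only place the public exposure of this host was decided. The enclosing attribute set continues on both sides of the hunk.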
@@ -26,26 +38,67 @@ with config.k3s-paas; } ]; - sops.secrets.nodeIp = {}; - sops.secrets.internalNodeIp = {}; - sops.secrets.nodePrivateKey = { - neededForUsers = true; - }; - sops.secrets.tailscaleNodeKey = {}; - sops.secrets.paasDomain = {}; - sops.secrets.tailscaleDomain = {}; - sops.secrets.password = { neededForUsers = true; }; + kube-paas.k3s.serverExtraArgs = [ "--disable-kube-proxy" ]; - services.k3s.configPath = config.sops.templates."config.yaml".path; - services.k3s.manifests.cilium.source = config.sops.templates."cilium.yaml".path; - - sops.templates."cilium.yaml".content = '' - ${defaultCiliumConfig} + environment.etc."rke2/cilium-config.yaml".source = config.sops.templates."cilium-config.yaml".path; + sops.templates."cilium-config.yaml".content = '' + apiVersion: helm.cattle.io/v1 + kind: HelmChartConfig + metadata: + name: rke2-cilium + namespace: kube-system + spec: + valuesContent: |- + l2announcements: + enabled: true + kubeProxyReplacement: true + bpf: + masquerade: true + lbExternalClusterIP: false + gatewayAPI: + enabled: false + routingMode: tunnel + tunnelProtocol: vxlan + ingressController: + enabled: true + default: true + loadbalancerMode: dedicated + service: + name: cilium-ingress-external + labels: + kube-paas/internal: "true" + prometheus: + enabled: true + serviceMonitor: + enabled: true + operator: + replicas: 1 + prometheus: + enabled: true + hubble: + relay: + enabled: true + metrics: + enabled: + - dns + - drop + - tcp + - flow + - port-distribution + - icmp + - httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction + enableOpenMetrics: true + ipam: + operator: + clusterPoolIPv4PodCIDRList: + - "${k3s.podCIDR}" k8sServiceHost: "${config.sops.placeholder.internalNodeIp}" k8sServicePort: "${k3s.servicePort}" ''; + services.rke2.configPath = config.sops.templates."config.yaml".path; sops.templates."config.yaml".content = '' + 
with-node-id: true advertise-address: ${config.sops.placeholder.internalNodeIp} cluster-domain: ${config.sops.placeholder.paasDomain} node-external-ip: "${config.sops.placeholder.nodeIp}" @@ -53,6 +106,8 @@ with config.k3s-paas; service-cidr: ${k3s.serviceCIDR} cluster-dns: ${k3s.clusterDns} vpn-auth: "name=tailscale,joinKey=${config.sops.placeholder.tailscaleNodeKey}" + node-taint: + - "CriticalAddonsOnly=true:NoExecute" tls-san: - "${k3s.serviceIp}" - "${config.networking.hostName}" @@ -66,7 +121,6 @@ with config.k3s-paas; kube-apiserver-arg=oidc-groups-claim: groups ''; - users.users.reader.hashedPasswordFile = config.sops.secrets.password.path; users.users.${user.name}.hashedPasswordFile = config.sops.secrets.password.path; users.users.root.hashedPasswordFile = config.sops.secrets.password.path; } diff --git a/tf-modules-cloud/contabo/main.tf b/tf-modules-cloud/contabo/main.tf index 5956576..14fefdb 100644 --- a/tf-modules-cloud/contabo/main.tf +++ b/tf-modules-cloud/contabo/main.tf @@ -5,7 +5,7 @@ resource "contabo_secret" "k3s_paas_master_trusted_key" { } resource "contabo_image" "k3s_paas_master_image" { - name = "nixos-k3s-paas-${var.image_version}" + name = "nixos-kube-paas-${var.image_version}" image_url = format(var.image_url_format, var.image_version) os_type = "Linux" version = var.image_version diff --git a/tf-modules-cloud/contabo/variables.tf b/tf-modules-cloud/contabo/variables.tf index 762cec8..434ac74 100644 --- a/tf-modules-cloud/contabo/variables.tf +++ b/tf-modules-cloud/contabo/variables.tf @@ -18,7 +18,7 @@ variable "image_version" { } variable "image_url_format" { - default = "https://github.com/loic-roux-404/k3s-paas/releases/download/nixos-%s/nixos.qcow2" + default = "https://github.com/loic-roux-404/kube-paas/releases/download/nixos-%s/nixos.qcow2" } variable "ssh_connection" { diff --git a/tf-modules-cloud/k3s-get-config/variables.tf b/tf-modules-cloud/k3s-get-config/variables.tf index c359ff2..f09cd15 100644 
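Review bot: `kube-paas.k3s.serverExtraArgs = [ "--disable-kube-proxy" ];` sets an option under `kube-paas`, but this diff declares the options under `options.paas` (nixos-options/default.nix) and every other reference was renamed to `paas.*`, so evaluation should fail with an undefined-option error; if it somehow does not, `--disable-kube-proxy` is silently dropped while the Cilium values in the same hunk set `kubeProxyReplacement: true`, leaving kube-proxy running next to its replacement. Change it to `paas.k3s.serverExtraArgs = [ "--disable-kube-proxy" ];`. The collapsed diff does not preserve indentation, so I cannot verify that `k8sServiceHost`/`k8sServicePort` sit under `valuesContent` rather than at `spec` level in the new `HelmChartConfig` template; worth a check. The module attribute set continues on both sides of the hunk.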
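Review bot: `node-taint: - "CriticalAddonsOnly=true:NoExecute"` in the `@@ -53,6 +106,8 @@` hunk taints the server with NoExecute, and the only node configured on this page is the `role = "server"` host named `localhost-0`; if no agent node exists, every workload without a matching toleration — including the HelmChart jobs for cert-manager and the Cilium config installed by this diff — stays unscheduled. If the taint anticipates a multi-node layout, say so next to it (`# control plane only runs tolerated addons; expects agent nodes`); otherwise drop it for the single-node deployment. The template continues outside the hunk.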
--- a/tf-modules-cloud/k3s-get-config/variables.tf +++ b/tf-modules-cloud/k3s-get-config/variables.tf @@ -17,7 +17,7 @@ variable "ssh_connection" { } variable "remote_k3s_config_location" { - default = "/etc/rancher/k3s/k3s.yaml" + default = "/etc/rancher/rke2/rke2.yaml" } variable "context_cluster_name" { diff --git a/tf-modules-cloud/libvirt/main.tf b/tf-modules-cloud/libvirt/main.tf index 2bce460..1973137 100644 --- a/tf-modules-cloud/libvirt/main.tf +++ b/tf-modules-cloud/libvirt/main.tf @@ -7,7 +7,7 @@ locals { } resource "libvirt_pool" "volumetmp" { - name = "libvirt-k3s-paas-nixos-pool" + name = "libvirt-paas-nixos-pool" type = "dir" path = var.libvirt_pool_path } diff --git a/tf-modules-cloud/libvirt/variables.tf b/tf-modules-cloud/libvirt/variables.tf index b3bd086..728c614 100644 --- a/tf-modules-cloud/libvirt/variables.tf +++ b/tf-modules-cloud/libvirt/variables.tf @@ -26,7 +26,7 @@ variable "ssh_connection" { } variable "libvirt_pool_path" { - default = "/var/lib/libvirt-pools/k3s-paas-pool" + default = "/var/lib/libvirt-pools/kube-paas-pool" } variable "node_hostname" { diff --git a/tf-modules-k8s/cilium-install/main.tf b/tf-modules-k8s/cilium-install/main.tf index 9b9fe76..eba0be2 100644 --- a/tf-modules-k8s/cilium-install/main.tf +++ b/tf-modules-k8s/cilium-install/main.tf @@ -45,7 +45,7 @@ resource "helm_release" "cilium" { loadbalancerMode = "dedicated" service = { name = "cilium-ingress-external" - labels = { "k3s-paas/internal" : "true" } + labels = { "kube-paas/internal" : "true" } } } prometheus = { diff --git a/tf-modules-k8s/cilium/main.tf b/tf-modules-k8s/cilium/main.tf index 4d6daa5..2e4ebdc 100644 --- a/tf-modules-k8s/cilium/main.tf +++ b/tf-modules-k8s/cilium/main.tf @@ -35,7 +35,7 @@ resource "kubernetes_manifest" "cilium_lb_ipam_external" { ] serviceSelector = { matchLabels = { - "k3s-paas/external" = "true" + "kube-paas/external" = "true" "wait-for-it" = helm_release.cilium.metadata[0].name } } 
@@ -61,7 +61,7 @@ resource "kubernetes_manifest" "cilium_lb_ipam_internal" { ] serviceSelector = { matchLabels = { - "k3s-paas/internal" = "true" + "kube-paas/internal" = "true" } } } @@ -75,7 +75,7 @@ resource "kubernetes_service" "cilium_ingress_external" { namespace = helm_release.cilium.metadata[0].namespace labels = { "cilium.io/ingress" = "true" - "k3s-paas/external" = "true" + "kube-paas/external" = "true" } } diff --git a/tf-modules-k8s/dex/variables.tf b/tf-modules-k8s/dex/variables.tf index 5c74ce3..fc116ef 100644 --- a/tf-modules-k8s/dex/variables.tf +++ b/tf-modules-k8s/dex/variables.tf @@ -20,7 +20,7 @@ variable "github_client_secret" { variable "dex_client_id" { description = "Client ID for Dex OIDC Connector" type = string - default = "dex-k3s-paas" + default = "dex-paas-org-404" } variable "dex_github_orgs" { diff --git a/tf-modules-k8s/waypoint-config/variables.tf b/tf-modules-k8s/waypoint-config/variables.tf index 06664f5..b6a10ca 100644 --- a/tf-modules-k8s/waypoint-config/variables.tf +++ b/tf-modules-k8s/waypoint-config/variables.tf @@ -16,7 +16,7 @@ variable "dex_hostname" { variable "dex_client_id" { description = "Client ID for DEX" type = string - default = "dex-k3s-paas" + default = "dex-paas-org-404" } variable "dex_client_secret" { diff --git a/tf-modules-nix/deploy/variables.tf b/tf-modules-nix/deploy/variables.tf index ae9f898..699ad38 100644 --- a/tf-modules-nix/deploy/variables.tf +++ b/tf-modules-nix/deploy/variables.tf @@ -1,7 +1,7 @@ variable "dex_client_id" { type = string sensitive = true - default = "dex-k3s-paas" + default = "dex-paas-org-404" } variable "node_address" { diff --git a/tf-root-network/main.tf b/tf-root-network/main.tf index 790e5c7..8c2fd32 100644 --- a/tf-root-network/main.tf +++ b/tf-root-network/main.tf 
@@ -66,7 +66,7 @@ module "k3s_get_config" { source = "../tf-modules-cloud/k3s-get-config" ssh_connection = var.ssh_connection node_hostname = module.deploy.config.node_address - remote_k3s_config_location = "/etc/rancher/k3s/k3s.yaml" + remote_k3s_config_location = "/etc/rancher/rke2/rke2.yaml" } output "password" { diff --git a/tf-root-network/variables.tf b/tf-root-network/variables.tf index 0c7c6bc..a24b1d3 100644 --- a/tf-root-network/variables.tf +++ b/tf-root-network/variables.tf @@ -72,5 +72,5 @@ variable "nix_flake_reset" { } variable "remote_k3s_config_location" { - default = "/etc/rancher/k3s/k3s.yaml" + default = "/etc/rancher/rke2/rke2.yaml" }