feature: Rename serverinfra folder.

This commit is contained in:
greysoh 2024-07-27 12:57:02 -04:00
parent 3941e10c2f
commit eb1dc99389
Signed by: imterah
GPG key ID: 8FA7DD57BA6CEA37
11 changed files with 0 additions and 0 deletions


@ -0,0 +1,84 @@
let
pkgs = import <nixpkgs> {};
k3s_token = (import ./secrets.nix).services.k3s.token;
in {
imports = [
./commons.nix
];
systemd.services.k3s = {
enable = true;
description = "KittehCluster's modified k3s service";
# From L324: https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/builder.nix
path = with pkgs; [
kmod
socat
iptables
iproute2
ipset
bridge-utils
ethtool
util-linux
conntrack-tools
runc
bash
];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "k3s-hack" ''
rm -rf /tmp/k3shack
# Manually recreate the symlinks. Don't @ me.
mkdir /tmp/k3shack
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/containerd
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/crictl
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/ctr
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-agent
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-certificate
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-completion
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-etcd-snapshot
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-secrets-encrypt
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-server
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-token
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/kubectl
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s
export PATH=/tmp/k3shack:$PATH
k3s agent --token ${k3s_token} --server https://kitteh-node-1-k3s-server:6443
'';
};
};
virtualisation.docker.enable = true;
networking.firewall = {
enable = true;
allowedTCPPorts = [
# HTTP(s)
80
443
# Docker swarm
2377
7946
4789
# K3s
6443
2379
2380
];
allowedUDPPorts = [
# Docker swarm
7946
# K3s
8472
];
};
}
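Review bot: The ExecStart script at L41-L56 creates `/tmp/k3shack` in the shared sticky `/tmp`, without `set -e`, and prepends it to the `PATH` of a root process: a local user who creates `/tmp/k3shack` first (or in the gap between the `rm -rf` and the `mkdir`) makes the `mkdir` and every `ln -s` fail while the script carries on, and root then executes that user's `containerd`, `runc`, `crictl` or `kubectl` lookalikes. Let systemd own the scratch directory via `RuntimeDirectory`, which lands under `/run` writable only by root, and fail fast on any error, as below. `--token ${k3s_token}` on the `k3s agent` line also bakes the join secret into the world-readable Nix store and into the process argv; `--token-file` pointing at a root-only 0600 file provisioned outside the store avoids both. The firewall at L72-L75 opens 6443, 2379 and 2380 although none of those listeners run on an agent, the Docker Swarm ports are open to every source, and 10250/tcp, which the servers presumably need to reach this node's kubelet, is not opened. This appears to be the `commons.agent.nix` module imported by the node agent files.
```nix
serviceConfig = {
  Type = "simple";
  # systemd creates /run/k3shack (owned by root) before ExecStart and removes
  # it on stop, so nothing under the shared /tmp is ever on root's PATH.
  RuntimeDirectory = "k3shack";
  ExecStart = pkgs.writeShellScript "k3s-hack" ''
    set -eu
    hack="$RUNTIME_DIRECTORY"
    for name in containerd crictl ctr k3s-agent k3s-certificate k3s-completion \
                k3s-etcd-snapshot k3s-secrets-encrypt k3s-server k3s-token kubectl k3s; do
      ln -sf ${pkgs.k3s}/bin/.k3s-wrapped "$hack/$name"
    done
    export PATH="$hack:$PATH"
    # token is read from a root-only file instead of being baked into the store and argv
    k3s agent --token-file /etc/rancher/k3s/token --server https://kitteh-node-1-k3s-server:6443
  '';
};
```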

84
serverinfra/commons.nix Normal file

@ -0,0 +1,84 @@
let
pkgs = import <nixpkgs> {};
update_script = builtins.readFile ./update.sh;
in {
imports = [
./secrets.nix
./hardware-configuration.nix
];
swapDevices = [
{
device = "/var/lib/swapfile";
size = 4 * 1024;
}
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/vda";
systemd.services.kittehclean = {
enable = true;
description = "Cleans up this Kitteh node & runs init tasks";
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "kittehclean" ''
echo "KittehCluster: Running cleanup tasks..."
chmod -R 644 /etc/rancher 2> /dev/null > /dev/null
chmod -R 644 /var/lib/rancher 2> /dev/null > /dev/null
# Because I'm lazy (and this works), we use this method to write the file
rm -rf /home/clusteradm/update
ln -s ${pkgs.writeShellScript "update" update_script} /home/clusteradm/update
echo "Done."
'';
};
wantedBy = ["network-online.target"];
};
networking.networkmanager.enable = true;
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
};
};
services.avahi.enable = true;
services.avahi.openFirewall = true;
system.nssModules = pkgs.lib.optional true pkgs.nssmdns;
system.nssDatabases.hosts = pkgs.lib.optionals true (pkgs.lib.mkMerge [
(pkgs.lib.mkBefore ["mdns4_minimal [NOTFOUND=return]"]) # before resolution
(pkgs.lib.mkAfter ["mdns4"]) # after dns
]);
users.users.clusteradm = {
initialPassword = "1234";
isNormalUser = true;
extraGroups = ["sudoer" "wheel" "docker"];
};
environment.systemPackages = with pkgs; [
nano
vim
bash
htop
bottom
# Updating
git
# K3s command line tools
k3s
];
system.stateVersion = "24.05";
}
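Review bot: `chmod -R 644 /etc/rancher` and `chmod -R 644 /var/lib/rancher` at L114-L115 do the opposite of hardening: 644 leaves every file under those trees, including any join token or TLS key material k3s keeps there, readable by every local user, while stripping the execute bit from the directories and from anything executable k3s may unpack under its data dir. If the goal is to keep cluster credentials from other local accounts, use `chmod -R o-rwx /etc/rancher /var/lib/rancher` (or 700 on directories and 600 on files), and order the unit with `before = [ "k3s.service" ]` instead of hanging it off `network-online.target`, since nothing currently guarantees it runs before k3s starts. The `clusteradm` account at L138-L142 is in `wheel` with `initialPassword = "1234"`; SSH password login is disabled, but that password still works on the console and, with the NixOS default, for `sudo`, so replace it with `hashedPassword`/`hashedPasswordFile` or at least document that it must be changed at first login. `sudoer` is not a group NixOS defines, so it is likely a no-op and can be dropped.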


@ -0,0 +1,69 @@
let
pkgs = import <nixpkgs> {};
k3s_token = (import ./secrets.nix).services.k3s.token;
in {
imports = [
./commons.nix
];
systemd.services.k3s = {
enable = true;
description = "KittehCluster's modified k3s service";
# From L324: https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/builder.nix
path = with pkgs; [
kmod
socat
iptables
iproute2
ipset
bridge-utils
ethtool
util-linux
conntrack-tools
runc
bash
];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "k3s-hack" ''
rm -rf /tmp/k3shack
# Manually recreate the symlinks. Don't @ me.
mkdir /tmp/k3shack
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/containerd
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/crictl
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/ctr
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-agent
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-certificate
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-completion
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-etcd-snapshot
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-secrets-encrypt
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-server
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-token
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/kubectl
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s
export PATH=/tmp/k3shack:$PATH
k3s server --token ${k3s_token} --server https://kitteh-node-1-k3s-server:6443 --disable servicelb
'';
};
};
# K3s settings
networking.firewall = {
enable = true;
allowedTCPPorts = [
6443
2379
2380
];
allowedUDPPorts = [
8472
];
};
}
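Review bot: `k3s server --token ${k3s_token} ...` at L203 is interpolated into a `pkgs.writeShellScript` derivation, so the cluster join secret ends up in the world-readable `/nix/store` and in the process argv visible to every local user via `ps`. k3s accepts `--token-file`; point it at a root-owned 0600 file provisioned outside the store, i.e. `k3s server --token-file /etc/rancher/k3s/token --server https://kitteh-node-1-k3s-server:6443 --disable servicelb`. The `--server` hostname is resolved through the mDNS NSS module that commons.nix configures, which is unauthenticated, and k3s only pins the server CA when the token carries the `K10<ca-hash>::` prefix, so a bare secret means this node trusts whatever certificate answers for that name. The unit also has no `Restart=`, and its helper symlinks live in the shared `/tmp` on a root `PATH`; this appears to be the `commons.server.nix` module used by the non-init server.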


@ -0,0 +1,73 @@
#!/usr/bin/env bash
export TERM="xterm-256color"
clear
echo "KittehCluster installer"
echo "Codename 'tundra'"
echo
sed -e 's/\s*\([\+0-9a-zA-Z]*\).*/\1/' << EOF | sudo fdisk /dev/vda
o # dos disk label
n # new partition
p # primary partition
1 # setup boot partition
2048 # align first sector (performance reasons?)
+500M # boot partition size
n # new partition
p # primary partition
2 # partion number 2
# default, start immediately after preceding partition
# default, extend partition to end of disk
a # make a partition bootable
1 # bootable partition is partition 1 -- /dev/vda1
w # write the partition table
q # and we're done
EOF
sudo mkfs.fat -F 32 /dev/vda1
sudo fatlabel /dev/vda1 BOOT
sudo mkfs.ext4 /dev/vda2 -L ROOT
sudo mount /dev/vda2 /mnt
sudo mkdir -p /mnt/boot
sudo mount /dev/vda1 /mnt/boot
sudo nixos-generate-config --root /mnt
sudo mv /mnt/etc/nixos/hardware-configuration.nix /tmp/hardware-configuration.nix
sudo rm -rf /mnt/etc/nixos/* /mnt/etc/nixos/.*
sudo nix-shell -p git --command "git clone $GIT_REPO /mnt/etc/nixos"
if [ ! -f "/mnt/etc/nixos/install-script.sh" ]; then
echo "DEBUG: checking out 'tundra' branch..."
sudo nix-shell -p git --command "cd /mnt/etc/nixos; git checkout tundra"
fi
sudo mv /tmp/hardware-configuration.nix /mnt/etc/nixos/nixinfra/
sudo mv $SECRETS_PATH /mnt/etc/nixos/nixinfra/secrets.nix
sudo bash -c "NIXOS_CONFIG=/mnt/etc/nixos/nixinfra/$NIX_INSTALL_PATH nixos-install"
RET=$?
if [ $RET -ne 0 ]; then
echo "Failed to install! Attempting to spawn bash for debugging..."
echo "NOTE: You will not see a bash prompt (for some reason)"
bash
echo "Bash exited."
else
echo "Successfully installed! Finishing install..."
mkdir /mnt/home/clusteradm/.bin
echo "NIX_INSTALL_PATH=/etc/nixos/nixinfra/$NIX_INSTALL_PATH" > /mnt/home/clusteradm/.bin/.env
echo 'export PATH="$PATH:/home/clusteradm/.bin"' >> /mnt/home/clusteradm/.bashrc
echo 'export PATH="$PATH:/home/clusteradm/.bin"' >> /mnt/home/clusteradm/.zshrc
sleep 60
echo "Rebooting"
sudo reboot
exit
fi
echo "Unmounting filesystems..."
sudo umount -f /mnt/boot
sudo umount -f /mnt
echo "Done."
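Review bot: The node's entire root-executed configuration is fetched at L256 with `git clone $GIT_REPO` (and a mutable `tundra` branch at L259) with no commit pin, tag or signature check, so whoever controls the HTTPS endpoint or that branch at install time controls the host; clone a specific revision and verify it, e.g. `git -C /mnt/etc/nixos checkout "$GIT_REV"` followed by `git verify-commit HEAD` (commits here are already GPG-signed). The script has no `set -euo pipefail`, so a failed `fdisk`, `mkfs` or `clone` still proceeds to `nixos-install`, and `$SECRETS_PATH`, `$GIT_REPO` and `$NIX_INSTALL_PATH` are expanded unquoted. `secrets.nix`, which holds the k3s token, is moved into `/mnt/etc/nixos/nixinfra/` at L262 with whatever mode it had on the installer, so add `sudo chmod 600 /mnt/etc/nixos/nixinfra/secrets.nix` after the move. `sudo rm -rf /mnt/etc/nixos/* /mnt/etc/nixos/.*` at L255 also matches `..`; `rm` refuses it, but it prints an error on every run.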

35
serverinfra/install.sh Executable file

@ -0,0 +1,35 @@
#!/usr/bin/env bash
SSH_SERVER="$1"
ssh-to-srv() {
ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" nixos@$SSH_SERVER $@
}
if [ "$GIT_REPO" == "" ]; then
export GIT_REPO="https://git.hofers.cloud/greysoh/kittehcluster"
fi
if [ "$NIX_INSTALL_PATH" == "" ]; then
echo "ERROR: the environment variable 'NIX_INSTALL_PATH' is not set!"
echo "This can be fixed by setting it to the path of the nix file, i.e:"
echo "$ NIX_INSTALL_PATH=kitteh-node-1/server.nix ./install.sh"
exit 1
fi
if [ ! -f "secrets.nix" ]; then
echo "ERROR: secrets.nix doesn't exit! Copy that file, and setup your secrets, please."
exit 1
fi
echo "Initializing..."
# Ugh, gotta reimplement ssh-copy-id real quick...
# TODO: see if there's a way to specify custom arguments to ssh-copy-id's SSH process
for i in ~/.ssh/id_*.pub; do
echo "Copying public key '$i'..."
ssh-to-srv bash -c "'mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys; echo -n $(cat $i | base64) | base64 -d > ~/.ssh/authorized_keys'"
done
ssh-to-srv bash -c "'echo -n $(cat secrets.nix | base64) | base64 -d > /tmp/secrets.nix'"
ssh-to-srv bash -c "'echo -n $(cat install-script.sh | base64) | base64 -d > /tmp/install.sh'"
ssh-to-srv bash -c "'GIT_REPO=$GIT_REPO NIX_INSTALL_PATH=$NIX_INSTALL_PATH SECRETS_PATH=/tmp/secrets.nix bash /tmp/install.sh'"
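Review bot: `ssh-to-srv` at L294 disables host-key verification (`StrictHostKeyChecking=no` with a `/dev/null` known-hosts file) and is then used to ship every local `~/.ssh/id_*.pub`, `secrets.nix` with the k3s join token, and the installer script to a host the script never authenticates, so anything on the path answering for `$SSH_SERVER` receives the cluster secret. Drop the `/dev/null`, keep a known-hosts file next to the script and use trust-on-first-use, and quote the argument list: `ssh -o "UserKnownHostsFile=$PWD/known_hosts" -o "StrictHostKeyChecking=accept-new" "nixos@$SSH_SERVER" "$@"`. The key-copy loop at L312-L315 writes each key with `>`, so only the last `id_*.pub` survives; truncate `~/.ssh/authorized_keys` once before the loop and append with `>>` inside it. `[ "$GIT_REPO" == "" ]` and the matching `NIX_INSTALL_PATH` check read more conventionally as `[ -z "$GIT_REPO" ]`.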


@ -0,0 +1,10 @@
let
pkgs = import <nixpkgs> {};
in {
imports = [
../commons.agent.nix
];
networking.hostName = "kitteh-node-1-k3s-agent";
environment.variables.NIX_BUILD_ID = "kitteh-node-1/agent";
}


@ -0,0 +1,75 @@
# Because this behaves as cluster init, all the "commons.server.nix" seperation
# isn't in here. However, normal commons is. Just fyi.
let
pkgs = import <nixpkgs> {};
k3s_token = (import ../secrets.nix).services.k3s.token;
in {
imports = [
../commons.nix
];
networking.hostName = "kitteh-node-1-k3s-server";
environment.variables.NIX_BUILD_ID = "kitteh-node-1/server";
systemd.services.k3s = {
enable = true;
description = "KittehCluster's modified k3s service";
# From L324: https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/builder.nix
path = with pkgs; [
kmod
socat
iptables
iproute2
ipset
bridge-utils
ethtool
util-linux
conntrack-tools
runc
bash
];
serviceConfig = {
Type = "simple";
ExecStart = pkgs.writeShellScript "k3s-hack" ''
rm -rf /tmp/k3shack
# Manually recreate the symlinks. Don't @ me.
mkdir /tmp/k3shack
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/containerd
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/crictl
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/ctr
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-agent
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-certificate
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-completion
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-etcd-snapshot
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-secrets-encrypt
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-server
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s-token
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/kubectl
ln -s ${pkgs.k3s}/bin/.k3s-wrapped /tmp/k3shack/k3s
export PATH=/tmp/k3shack:$PATH
k3s server --cluster-init --token ${k3s_token} --disable servicelb
'';
};
};
# K3s settings
networking.firewall = {
enable = true;
allowedTCPPorts = [
6443
2379
2380
];
allowedUDPPorts = [
8472
];
};
}
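Review bot: This file repeats the whole `systemd.services.k3s` unit and firewall block of the shared server module (L347-L398) and differs only in the final command, `k3s server --cluster-init --token ${k3s_token} --disable servicelb`, which makes the two copies easy to drift apart: the symlink list, the `path` list and any hardening applied to one must be hand-copied to the other. Move the `--cluster-init` vs `--server <url>` choice into an option of the shared module, e.g. `kitteh.k3s.initCluster = true;` here, and let the shared module build the command line from it. The explanatory comment at L336-L337 would then be unnecessary.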


@ -0,0 +1,10 @@
let
pkgs = import <nixpkgs> {};
in {
imports = [
../commons.agent.nix
];
networking.hostName = "kitteh-node-2-k3s-agent";
environment.variables.NIX_BUILD_ID = "kitteh-node-2/agent";
}


@ -0,0 +1,10 @@
let
pkgs = import <nixpkgs> {};
in {
imports = [
../commons.server.nix
];
networking.hostName = "kitteh-node-2-k3s-server";
environment.variables.NIX_BUILD_ID = "kitteh-node-2/server";
}


@ -0,0 +1,18 @@
# Example secrets configuration
# There is a better way to do this, but this works.
# To get started:
# 1. Copy this file to 'secrets.nix'
# 2. Run uuidgen (or some other algorithm) to generate a shared secret, and replace services.k3s.token's value with that
# 3. Copy your SSH key(s) into the authorized_keys section.
# 4. Profit!
let
pkgs = import <nixpkgs> {};
in {
services.k3s.token = "shared.secret.here";
users.users.clusteradm.openssh.authorizedKeys.keys = [
];
}
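Review bot: The guidance at L434 to generate the k3s token with `uuidgen` produces a bare secret, and k3s only verifies the server CA when the token carries the `K10<sha256-of-ca>::` prefix, so nodes joining over an mDNS-resolved name will trust whatever certificate they are handed. Amend the step to: `# 2. Either generate a long random secret (openssl rand -hex 32) or, once the init server is up, copy the full token from /var/lib/rancher/k3s/server/token so joining nodes verify the cluster CA`. The header should also state that `secrets.nix` is imported into the NixOS configuration and interpolated into a store derivation, so its contents become world-readable on every node; keep the file `0600` and prefer `--token-file` on the k3s side. The unused `pkgs = import <nixpkgs> {}` binding can be dropped.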

44
serverinfra/update.sh Normal file

@ -0,0 +1,44 @@
nix_bld_unset_err() {
echo "ERROR: NIX_BUILD_ID is not set (should be set by default!)"
echo " Please set NIX_BUILD_ID manually. i.e:"
echo " NIX_BUILD_ID=kitteh-node-1/agent updater"
exit 1
}
if [[ "$NIX_BUILD_ID" == "" ]]; then
if [[ ! -f "/tmp/nixbuildid" ]]; then
nix_bld_unset_err
fi
source /tmp/nixbuildid
if [[ "$NIX_BUILD_ID" == "" ]]; then
nix_bld_unset_err
fi
fi
if [[ "$UID" != "0" ]]; then
# Hacky workaround for failing to read NIX_BUILD_ID when called like:
# - $: ./update
# but this works:
# - $: sudo su
# - #: ./update
# NOTE: Calling `$: sudo ./update` still doesn't work with this hack. Just use `./update`, man.
echo "NIX_BUILD_ID=$NIX_BUILD_ID" > /tmp/nixbuildid
chmod +x /tmp/nixbuildid
sudo $0 $@
STATUS_CODE=$?
rm -rf /tmp/nixbuildid
exit $STATUS_CODE
fi
pushd /etc/nixos 2> /dev/null > /dev/null
git pull
popd 2> /dev/null > /dev/null
export NIX_PATH="$(printf $NIX_PATH | sed --expression="s#/etc/nixos/configuration.nix#/etc/nixos/nixinfra/$NIX_BUILD_ID.nix#g")"
nixos-rebuild switch --upgrade
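Review bot: The non-root path at L472-L474 writes `NIX_BUILD_ID` to the world-shared `/tmp/nixbuildid` and then, after `sudo $0`, the root re-invocation `source`s that file at L460, so any local user who pre-creates `/tmp/nixbuildid` (the unprivileged `>` then fails and the script carries on) gets arbitrary shell executed as root on the next update. Hand the value through sudo's environment instead and drop the temp file entirely: `sudo env NIX_BUILD_ID="$NIX_BUILD_ID" "$0" "$@"`, with the `/tmp/nixbuildid` branch at L457-L463 and the `echo`/`chmod`/`rm` lines removed. `NIX_BUILD_ID` is also spliced unescaped into the `sed` expression at L482 and into a path, so validate it against the expected `<node>/<role>` shape first, e.g. `[[ "$NIX_BUILD_ID" =~ ^[A-Za-z0-9_-]+/(agent|server)$ ]] || nix_bld_unset_err`. `git pull` as root at L480 takes whatever the remote branch currently points at with no revision or signature check, which is the same trust problem the installer has. The script appears to end at L483, but the hunk header claims 44 lines, so part of it may lie outside this view.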