{ config, pkgs, ... }:
{
# Single-node etcd backing the API server (see services.kubernetes.apiserver.etcd).
# Clients are served over TLS on the node's global v6 address, peers only on
# loopback.  2379 is not in networking.firewall.allowedTCPPorts in this file, so
# from outside the host it should only be reachable via the trusted interfaces
# (cbr0, tunnat64) - confirm against the rest of the host config.
services.etcd = let
  clientUrl = "https://[2a0d:eb04:8:10::1]:2379";
in {
  listenClientUrls = [ clientUrl ];
  advertiseClientUrls = [ clientUrl ];
  listenPeerUrls = [ "https://[::1]:2380" ];
};
# hainich is control plane and worker at once.  Everything is v6-only: flannel
# is disabled and IPv4 reachability comes from the NAT64 (tayga) service below.
services.kubernetes = let
  masterV6 = "2a0d:eb04:8:10::1";
  masterFqdn = "hainich.hacc.space";
  serviceRange = "2a0d:eb04:8:11::/120";
  podRange = "2a0d:eb04:8:12::/64";
  clusterDnsIp = "2a0d:eb04:8:11::53";   # lies inside serviceRange
in {
  roles = [ "master" "node" ];
  masterAddress = masterFqdn;
  apiserverAddress = "https://[${masterV6}]:6443";
  easyCerts = true;          # cfssl-managed PKI; the API cert needs the SANs listed below
  clusterCidr = podRange;
  flannel.enable = false;

  pki.cfsslAPIExtraSANs = [ masterFqdn ];

  addons.dns = {
    enable = true;
    clusterIp = clusterDnsIp;
    reconcileMode = "EnsureExists";
  };

  apiserver = {
    advertiseAddress = masterV6;
    # Listens on every interface; networking.firewall opens 6443 publicly.
    bindAddress = "::";
    # Legacy unauthenticated port, restricted to loopback.
    insecureBindAddress = "::1";
    # "2a0d:eb04:8:11::1" is presumably the in-cluster kubernetes service IP
    # (first address of serviceRange) - verify against the deployed cluster.
    extraSANs = [ masterV6 "2a0d:eb04:8:11::1" masterFqdn ];
    etcd.servers = [ "https://[${masterV6}]:2379" ];
    serviceClusterIpRange = serviceRange;
    # Privileged containers are permitted cluster-wide; presumably required by
    # the openebs/zfs setup hinted at in the activation script below.
    extraOpts = "--allow-privileged=true";
  };

  controllerManager = {
    bindAddress = "::";
    clusterCidr = podRange;
  };

  kubelet = {
    address = "::";
    clusterDns = clusterDnsIp;
  };

  proxy.bindAddress = "::";
  scheduler.address = "::1";
};
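# Host firewall plus the hand-written NAT rules that glue the public IPv4
# address to the v6-only cluster through tayga (systemd.services.tayga below).
networking.firewall = let
  publicV4 = "46.4.63.158";   # SNAT source and DNAT match address
  nat64Dev = "tunnat64";      # tayga's tun device
  # These rules live outside the nixos-fw chains, so they are appended (-A) by
  # extraCommands and must be deleted (-D) by extraStopCommands.  Both scripts
  # are rendered from the same lists so the two sides cannot drift apart again.
  v4Rules = [
    # NOTE(review): no -s match, so every packet leaving enp6s0 is source-NATed.
    { table = "-t nat"; chain = "POSTROUTING"; rest = "-o enp6s0 -j SNAT --to ${publicV4}"; }
    # Anything arriving from the NAT64 tun is forwarded without further filtering.
    { table = ""; chain = "FORWARD"; rest = "-i ${nat64Dev} -j ACCEPT"; }
    # Public v4 ports land on tayga's static maps (10.255.255.1/.2 -> v6 hosts).
    { table = "-t nat"; chain = "PREROUTING"; rest = "-p tcp -d ${publicV4} --dport 80 -j DNAT --to-destination 10.255.255.2:80"; }
    { table = "-t nat"; chain = "PREROUTING"; rest = "-p tcp -d ${publicV4} --dport 443 -j DNAT --to-destination 10.255.255.2:443"; }
    # NOTE(review): v4 :6443 is delivered to :443 on the master, while the
    # apiserver is advertised on :6443 - confirm something terminates 443 there.
    { table = "-t nat"; chain = "PREROUTING"; rest = "-p tcp -d ${publicV4} --dport 6443 -j DNAT --to-destination 10.255.255.1:443"; }
  ];
  v6Rules = [
    { table = ""; chain = "FORWARD"; rest = "-i ${nat64Dev} -j ACCEPT"; }
    { table = ""; chain = "INPUT"; rest = "-i ${nat64Dev} -j ACCEPT"; }
  ];
  # Render one iptables/ip6tables invocation.  Empty fields are dropped so rules
  # without an explicit table keep the plain "iptables -A CHAIN ..." form.
  cmd = bin: action: rule:
    builtins.concatStringsSep " "
      (builtins.filter (s: s != "") [ bin rule.table action rule.chain rule.rest ]);
  # action is "-A" for the start script and "-D" for the stop script.
  script = action:
    builtins.concatStringsSep "\n"
      (map (cmd "iptables" action) v4Rules ++ map (cmd "ip6tables" action) v6Rules)
    + "\n";
in {
  # 6443 exposes the API server (bindAddress "::") to the world.
  allowedTCPPorts = [ 80 443 6443 ];
  trustedInterfaces = [ "cbr0" nat64Dev ];
  extraCommands = script "-A";
  # Fix: the two ip6tables lines previously used -A here as well, so every stop
  # or reload appended another copy instead of removing the rules.
  extraStopCommands = script "-D";
};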
# Stateless NAT64 (tayga) between the public IPv4 side and the v6 cluster
# prefixes.  10.255.255.1 / .2 are the static v4 aliases the firewall DNATs to;
# the rest of 10.255.255.0/24 is handed out dynamically for v6 -> v4 traffic.
systemd.services.tayga = let
  # Named taygaConf rather than config so it does not shadow the module argument.
  taygaConf = pkgs.writeText "tayga.conf" ''
    tun-device tunnat64
    ipv4-addr 10.255.255.254
    prefix 2a0d:eb04:8:10:64::/96
    dynamic-pool 10.255.255.0/24
    map 10.255.255.1 2a0d:eb04:8:10::1
    map 10.255.255.2 2a0d:eb04:8:11::2
    strict-frag-hdr 1
  '';
  ip = "${pkgs.iproute}/bin/ip";
  # Brings the tun up, installs both routes and then execs tayga in the
  # foreground.  The "|| true" keeps restarts working when link and routes
  # already exist from a previous run.
  launcher = pkgs.writeScriptBin "tayga-start" ''
    #! ${pkgs.runtimeShell} -e
    ${ip} link set up tunnat64 || true
    ${ip} route add 10.255.255.0/24 dev tunnat64 || true
    ${ip} -6 route add 2a0d:eb04:8:10:64::/96 dev tunnat64 || true
    ${pkgs.tayga}/bin/tayga -d --config ${taygaConf}
  '';
in {
  wantedBy = [ "multi-user.target" ];
  after = [ "network.target" ];
  # Only ExecStart is set: the unit runs with systemd defaults (root, no
  # sandboxing options), which the tun/route setup above currently relies on.
  serviceConfig.ExecStart = "${launcher}/bin/tayga-start";
};
# 2a0d:eb04:8:10::/60 covers the node (…:10::), service (…:11::) and pod
# (…:12::) prefixes used above; route the whole block towards the bridge.
networking.interfaces.cbr0.ipv6.routes = [
  { address = "2a0d:eb04:8:10::"; prefixLength = 60; }
];
# Declare tayga's tun device as a system-created virtual interface so the
# firewall can list it in trustedInterfaces before the service brings it up.
networking.interfaces.tunnat64.virtual = true;
# openebs expects some stuff to be there: it apparently looks for the zfs
# binary and libraries under FHS paths that NixOS does not populate, so link
# the store paths into /usr on every activation.
# NOTE(review): "ln -sf" refreshes links whose names still exist after a zfs
# upgrade, but files dropped from the package leave dangling links behind.
system.activationScripts.openebs = ''
  mkdir -p /usr/lib /usr/sbin
  ln -sf ${pkgs.zfs.lib}/lib/* /usr/lib/
  ln -sf ${pkgs.zfs}/bin/zfs /usr/sbin/
'';
}