From 1b3da6082792003748e83db1ec25e88331debd0e Mon Sep 17 00:00:00 2001
From: BOTAlex
Date: Tue, 7 Apr 2026 04:49:06 +0200
Subject: [PATCH] sync
---
 aliases.nix | 1 +
 configuration.nix | 12 ++++++------
 programs.nix | 1 +
 vms/kube-daddy/kubernetes.nix | 34 +++++++++++++++++++++++++++------
 4 files changed, 35 insertions(+), 13 deletions(-)
diff --git a/aliases.nix b/aliases.nix
index 2323226..7140ad6 100644
--- a/aliases.nix
+++ b/aliases.nix
@@ -28,6 +28,7 @@
 wipe = "sudo rm -fr /var/lib/microvms/kube-* || sudo rm -fr /var/lib/microvms/shared/kube";
 wg-keys = "wg genkey > privatekey && wg pubkey < privatekey > publickey";
 k = "kubectl";
+ metal = "ssh metal@192.168.50.59";
 };
diff --git a/configuration.nix b/configuration.nix
index 6805e86..4c4655e 100755
--- a/configuration.nix
+++ b/configuration.nix
@@ -2,12 +2,11 @@
 # your system. Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).
-{
- config,
- pkgs,
- lib,
- inputs,
- ...
+{ config
+, pkgs
+, lib
+, inputs
+, ...
 }:
 {
@@ -46,6 +45,7 @@
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
 boot.loader.timeout = 2;
+ boot.kernelParams = [ "nomodeset" ];
 networking.hostName = "botkube"; # Define your hostname.
 # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
diff --git a/programs.nix b/programs.nix
index 3279dbd..7ae978d 100644
--- a/programs.nix
+++ b/programs.nix
@@ -21,6 +21,7 @@
 kubectl
 lua5_1
 jq
+ osc
 luarocks
 vtk
 immich-cli
diff --git a/vms/kube-daddy/kubernetes.nix b/vms/kube-daddy/kubernetes.nix
index 4fe2e9b..57946e4 100644
--- a/vms/kube-daddy/kubernetes.nix
+++ b/vms/kube-daddy/kubernetes.nix
@@ -1,8 +1,7 @@
-{
- config,
- pkgs,
- lib,
- ...
+{ config
+, pkgs
+, lib
+, ...
 }:
 let
 # When using easyCerts=true the IP Address must resolve to the master on creation.
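Review bot: `boot.kernelParams = [ "nomodeset" ];` in the second configuration.nix hunk lands without a comment saying why kernel mode setting has to stay off on this host, so the next person touching the boot section cannot tell whether it is a workaround for specific hardware or can be dropped. I would add a one-line comment directly above it, e.g. `# nomodeset: <hardware/driver reason KMS must stay disabled on this host>`, with the actual reason filled in. The enclosing attribute set continues outside the hunk.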
@@ -17,7 +16,9 @@ in
 ${kubeMasterIP} ${kubeMasterHostname}
 10.0.0.2 kube-daddy
 10.0.0.4 kube-desk
- 10.0.0.5 kube-snorre'';
+ 10.0.0.5 kube-snorre
+ 10.0.0.8 kube-metal
+ '';
 networking.firewall.enable = false;
 imports = [
@@ -45,6 +46,25 @@ in
 apiserver = {
 securePort = kubeMasterAPIServerPort;
 advertiseAddress = kubeMasterIP;
+
+ extraOpts =
+ let
+ admissionConfig = pkgs.writeText "admission-config.yaml" ''
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "baseline"
+ enforce-version: "latest"
+ exemptions:
+ namespaces: [ "kube-system" ]
+ '';
+ in
+ "--admission-control-config-file=${admissionConfig}";
 };
 flannel.enable = true;
@@ -53,7 +73,7 @@ in
 addons.dns.enable = true;
 # needed if you use swap
- kubelet.extraOpts = "--fail-swap-on=false --resolv-conf=/run/systemd/resolve/resolv.conf";
+ kubelet.extraOpts = "--fail-swap-on=false --allow-privileged=true --resolv-conf=/run/systemd/resolve/resolv.conf";
 };
 services.flannel = {
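Review bot: The PodSecurityConfiguration added under `apiserver.extraOpts` sets only `enforce: "baseline"` and leaves `audit` and `warn` unset, which, to my recollection of the PodSecurity admission docs, means those two modes fall back to `privileged`, so nothing records which workloads would fail a stricter level. Adding `audit: "restricted"` and `warn: "restricted"` under `defaults` (each paired with a `-version: "latest"` line) surfaces those violations in the API server audit log and as kubectl warnings without blocking anything. The `kube-system` exemption is the usual choice, but a short comment above `admissionConfig` stating that every other namespace is enforced at baseline (no privileged containers, hostNetwork, hostPID and similar) would make the intent explicit. Note that this file only takes effect if the PodSecurity plugin is among the apiserver's enabled admission plugins; it is on by default in recent releases, but worth confirming against the Kubernetes version nixpkgs builds here. The enclosing `services.kubernetes` block begins and ends outside the hunk.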
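Review bot: `--allow-privileged=true` in `kubelet.extraOpts` is, as far as I recall, a kubelet flag that was deprecated and subsequently removed, so depending on the Kubernetes release nixpkgs ships this may make the kubelet exit on an unrecognised flag rather than change anything; check the pinned kubelet's `--help` before relying on it. Even where the kubelet still accepts it, whether a privileged pod is admitted is decided by the PodSecurity config added in the previous hunk, where `enforce: "baseline"` rejects privileged containers in every namespace except kube-system, so this flag does not loosen anything outside that namespace. The `# needed if you use swap` comment above now describes only the first flag; I would give each flag its own reason, e.g. `# --allow-privileged: <which kube-system workload needs it>`, so the next reader does not assume it is also swap-related.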