sync

2026-05-06 10:02:30 +02:00 · 2026-04-07 04:49:06 +02:00 · 2026-04-07 04:49:06 +02:00 · 1b3da60827
commit 1b3da60827
parent dd22a98cdb
4 changed files with 35 additions and 13 deletions
--- a/aliases.nix
+++ b/aliases.nix
@ -28,6 +28,7 @@
      wipe = "sudo rm -fr /var/lib/microvms/kube-* || sudo rm -fr /var/lib/microvms/shared/kube";
      wg-keys = "wg genkey > privatekey && wg pubkey < privatekey > publickey";
      k = "kubectl";
+      metal = "ssh metal@192.168.50.59";

    };

--- a/configuration.nix
+++ b/configuration.nix
@ -2,12 +2,11 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{
-  config,
-  pkgs,
-  lib,
-  inputs,
-  ...
+{ config
+, pkgs
+, lib
+, inputs
+, ...
 }:

 {
@ -46,6 +45,7 @@
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.timeout = 2;
+  boot.kernelParams = [ "nomodeset" ];

  networking.hostName = "botkube"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
--- a/programs.nix
+++ b/programs.nix
@ -21,6 +21,7 @@
    kubectl
    lua5_1
    jq
+    osc
    luarocks
    vtk
    immich-cli
--- a/vms/kube-daddy/kubernetes.nix
+++ b/vms/kube-daddy/kubernetes.nix
@ -1,8 +1,7 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
+{ config
+, pkgs
+, lib
+, ...
 }:
 let
  # When using easyCerts=true the IP Address must resolve to the master on creation.
@ -17,7 +16,9 @@ in
    ${kubeMasterIP} ${kubeMasterHostname}
    10.0.0.2 kube-daddy
    10.0.0.4 kube-desk
-    10.0.0.5 kube-snorre'';
+    10.0.0.5 kube-snorre
+    10.0.0.8 kube-metal
+  '';
  networking.firewall.enable = false;

  imports = [
@ -45,6 +46,25 @@ in
    apiserver = {
      securePort = kubeMasterAPIServerPort;
      advertiseAddress = kubeMasterIP;
+
+      extraOpts =
+        let
+          admissionConfig = pkgs.writeText "admission-config.yaml" ''
+            apiVersion: apiserver.config.k8s.io/v1
+            kind: AdmissionConfiguration
+            plugins:
+            - name: PodSecurity
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1
+                kind: PodSecurityConfiguration
+                defaults:
+                  enforce: "baseline"
+                  enforce-version: "latest"
+                exemptions:
+                  namespaces: [ "kube-system" ]
+          '';
+        in
+        "--admission-control-config-file=${admissionConfig}";
    };

    flannel.enable = true;
@ -53,7 +73,7 @@ in
    addons.dns.enable = true;

    # needed if you use swap
-    kubelet.extraOpts = "--fail-swap-on=false --resolv-conf=/run/systemd/resolve/resolv.conf";
+    kubelet.extraOpts = "--fail-swap-on=false --allow-privileged=true --resolv-conf=/run/systemd/resolve/resolv.conf";
  };

  services.flannel = {