botalex/nixos-server
1
0
Fork 0
mirror of https://github.com/MagicBOTAlex/nixos-server.git synced 2026-02-04 05:39:18 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
nixos-server/vms/kube-daddy/kubernetes.old.nix
BOTAlex 38d26110e1 checkpoint
2026-01-26 21:39:43 +01:00

108 lines
3.6 KiB
Nix
Raw Blame History

{ config, pkgs, ... }: {
environment.systemPackages = with pkgs; [
kompose
kubectl
kubernetes
containerd
];
virtualisation = {
docker.enable = true;
containerd.enable = true;
};
services = {
etcd = {
enable = true;
peerCertFile = "/etc/kubernetes/pki/etcd/peer.crt";
peerKeyFile = "/etc/kubernetes/pki/etcd/peer.key";
peerTrustedCaFile = "/etc/kubernetes/pki/etcd/ca.crt";
peerClientCertAuth = true;
certFile = "/etc/kubernetes/pki/etcd/server.crt";
keyFile = "/etc/kubernetes/pki/etcd/server.key";
trustedCaFile = "/etc/kubernetes/pki/etcd/ca.crt";
};
};
services.kubernetes = {
masterAddress = "10.0.2.15"; # From "ip addr" and choosing enp0s4:
kubelet.enable = true;
apiserver = {
enable = true;
advertiseAddress = "10.0.2.15"; # From your logs
bindAddress = "0.0.0.0";
securePort = 6443;
# 1. Etcd Connectivity (Fixes "unknown authority" & "remote error: tls: certificate required")
etcd = {
servers = [ "https://10.0.2.15:2379" ];
caFile = "/etc/kubernetes/pki/etcd/ca.crt"; # MUST be Etcd CA [cite: 60]
certFile = "/etc/kubernetes/pki/apiserver-etcd-client.crt"; # [cite: 59]
keyFile = "/etc/kubernetes/pki/apiserver-etcd-client.key"; # [cite: 59]
};
# 2. Service Account Signing (Fixes "invalid RSA key")
serviceAccountIssuer = "https://kubernetes.default.svc"; # [cite: 108]
serviceAccountSigningKeyFile =
"/etc/kubernetes/pki/sa.key"; # Private Key [cite: 110]
serviceAccountKeyFile =
"/etc/kubernetes/pki/sa.pub"; # Public Key [cite: 112]
# 3. Serving TLS (Fixes Scheduler "certificate signed by unknown authority")
tlsCertFile =
"/etc/kubernetes/pki/apiserver.crt"; # Server Identity [cite: 116]
tlsKeyFile = "/etc/kubernetes/pki/apiserver.key"; # [cite: 117]
clientCaFile =
"/etc/kubernetes/pki/ca.crt"; # Trust Client Certs (Scheduler) [cite: 76]
# 4. Kubelet Communication (Best Practice)
kubeletClientCaFile = "/etc/kubernetes/pki/ca.crt"; # [cite: 94]
kubeletClientCertFile =
"/etc/kubernetes/pki/apiserver-kubelet-client.crt"; # [cite: 96]
kubeletClientKeyFile =
"/etc/kubernetes/pki/apiserver-kubelet-client.key"; # [cite: 98]
};
scheduler = {
enable = true;
address = "0.0.0.0"; # Listen on all interfaces
leaderElect = true;
# Maps to --kubeconfig
kubeconfig = {
server = "https://10.0.2.15:6443";
caFile = "/etc/kubernetes/pki/ca.crt";
certFile = "/etc/kubernetes/pki/scheduler.crt"; # Client Cert
keyFile = "/etc/kubernetes/pki/scheduler.key";
};
};
controllerManager = {
enable = true;
bindAddress = "0.0.0.0"; # Listen on all interfaces
leaderElect = true;
# 1. Signing Service Accounts (MUST match API Server sa.key)
serviceAccountKeyFile = "/etc/kubernetes/pki/sa.key";
# 2. CA included in Service Account secrets
rootCaFile = "/etc/kubernetes/pki/ca.crt";
# 3. Kubeconfig for talking to API Server
kubeconfig = {
server = "https://10.0.2.15:6443";
caFile = "/etc/kubernetes/pki/ca.crt";
certFile = "/etc/kubernetes/pki/controller-manager.crt"; # Client Cert
keyFile = "/etc/kubernetes/pki/controller-manager.key";
};
# 4. HTTPS Serving Certs (for metrics/health)
tlsCertFile =
"/etc/kubernetes/pki/controller-manager.crt"; # Reusing client cert is fine here
tlsKeyFile = "/etc/kubernetes/pki/controller-manager.key";
};
};
}
Reference in a new issue View git blame Copy permalink