Add script to setup k3s nvme
parent
c17344f027
commit
cfaae1ca6a
148
flake.nix
148
flake.nix
|
@ -45,7 +45,9 @@
|
|||
soquartz-blade
|
||||
(btrbkModule {
|
||||
mountDir = "/btrfs/nvme";
|
||||
subvolumes = [ ];
|
||||
subvolumes = [
|
||||
"@k3s-config"
|
||||
];
|
||||
})
|
||||
(if serverIp == null
|
||||
then
|
||||
|
@ -55,60 +57,109 @@
|
|||
inherit serverIp;
|
||||
enable = enableK3s;
|
||||
})
|
||||
({ config, ... }: {
|
||||
services.lvm.enable = true;
|
||||
({ config, pkgs, ... }:
|
||||
let
|
||||
keyFilePath = config.sops.secrets.k3sKeyFile.path;
|
||||
prepareNvme = ''
|
||||
#!/usr/bin/env bash
|
||||
|
||||
networking = {
|
||||
interfaces.end0.ipv4.addresses = [
|
||||
{
|
||||
address = selfIp;
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
defaultGateway = "192.168.20.1";
|
||||
nameservers = [ "192.168.20.21" "192.168.20.1" ];
|
||||
};
|
||||
set -e
|
||||
|
||||
sops.secrets.k3sKeyFile = {
|
||||
format = "binary";
|
||||
sopsFile = ./secrets/k3sKeyFile.bin;
|
||||
};
|
||||
echo "Creating two partitions"
|
||||
fdisk -w always /dev/nvme0n1 << EOL
|
||||
g
|
||||
n
|
||||
1
|
||||
|
||||
environment.etc.crypttab = {
|
||||
enable = unlockMounts;
|
||||
text = ''
|
||||
cryptdrive1 /dev/nvme0n1p1 ${config.sops.secrets.k3sKeyFile.path} luks
|
||||
+50G
|
||||
n
|
||||
2
|
||||
|
||||
|
||||
w
|
||||
EOL
|
||||
|
||||
echo "YES" | cryptsetup luksFormat /dev/nvme0n1p1 -d ${keyFilePath}
|
||||
cryptsetup luksOpen /dev/nvme0n1p1 cryptdrive1 -d ${keyFilePath}
|
||||
|
||||
mkfs.btrfs /dev/mapper/cryptdrive1
|
||||
|
||||
mkdir -p /btrfs/nvme
|
||||
mount /dev/mapper/cryptdrive1 /btrfs/nvme
|
||||
|
||||
btrfs subvolume create /btrfs/nvme/@k3s-config
|
||||
btrfs subvolume create /btrfs/nvme/@snapshots
|
||||
btrfs subvolume create /btrfs/nvme/@var-lib-rancher
|
||||
btrfs subvolume create /btrfs/nvme/@var-log-pods
|
||||
|
||||
umount /btrfs/nvme
|
||||
|
||||
cryptsetup luksClose cryptdrive1
|
||||
'';
|
||||
};
|
||||
in
|
||||
{
|
||||
services.lvm.enable = true;
|
||||
|
||||
fileSystems =
|
||||
let
|
||||
device = "/dev/mapper/cryptdrive1";
|
||||
defaultOptions = [ "defaults" "rw" "compress=zstd" ];
|
||||
fileSystemConfig =
|
||||
networking = {
|
||||
interfaces.end0.ipv4.addresses = [
|
||||
{
|
||||
"/btrfs/nvme" = {
|
||||
inherit device;
|
||||
fsType = "btrfs";
|
||||
options = defaultOptions;
|
||||
address = selfIp;
|
||||
prefixLength = 24;
|
||||
}
|
||||
];
|
||||
defaultGateway = "192.168.20.1";
|
||||
nameservers = [ "192.168.20.21" "192.168.20.1" ];
|
||||
};
|
||||
|
||||
sops.secrets.k3sKeyFile = {
|
||||
format = "binary";
|
||||
sopsFile = ./secrets/k3sKeyFile.bin;
|
||||
};
|
||||
|
||||
environment.systemPackages = with pkgs; [
|
||||
(writeShellScriptBin "prepare-nvme" prepareNvme)
|
||||
];
|
||||
|
||||
environment.etc.crypttab = {
|
||||
enable = unlockMounts;
|
||||
text = ''
|
||||
cryptdrive1 /dev/nvme0n1p1 ${keyFilePath} luks
|
||||
'';
|
||||
};
|
||||
|
||||
fileSystems =
|
||||
let
|
||||
device = "/dev/mapper/cryptdrive1";
|
||||
defaultOptions = [ "defaults" "rw" "compress=zstd" ];
|
||||
fileSystemConfig =
|
||||
{
|
||||
"/btrfs/nvme" = {
|
||||
inherit device;
|
||||
fsType = "btrfs";
|
||||
options = defaultOptions;
|
||||
};
|
||||
"/k3s-config" = {
|
||||
inherit device;
|
||||
fsType = "btrfs";
|
||||
options = defaultOptions ++ [ "subvol=@k3s-config" ];
|
||||
};
|
||||
"/var/lib/rancher" = {
|
||||
inherit device;
|
||||
fsType = "btrfs";
|
||||
options = defaultOptions ++ [ "subvol=@var-lib-rancher" ];
|
||||
};
|
||||
"/var/log/pods" = {
|
||||
inherit device;
|
||||
fsType = "btrfs";
|
||||
options = defaultOptions ++ [ "subvol=@var-log-pods" ];
|
||||
};
|
||||
};
|
||||
"/var/lib/rancher" = {
|
||||
inherit device;
|
||||
fsType = "btrfs";
|
||||
options = defaultOptions ++ [ "subvol=@var-lib-rancher" ];
|
||||
};
|
||||
"/var/log/pods" = {
|
||||
inherit device;
|
||||
fsType = "btrfs";
|
||||
options = defaultOptions ++ [ "subvol=@var-log-pods" ];
|
||||
};
|
||||
};
|
||||
in
|
||||
if unlockMounts && mountVolumes then
|
||||
fileSystemConfig
|
||||
else
|
||||
{ };
|
||||
})
|
||||
in
|
||||
if unlockMounts && mountVolumes then
|
||||
fileSystemConfig
|
||||
else
|
||||
{ };
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
|
@ -271,7 +322,6 @@
|
|||
k3s1 = makeK3sConfig {
|
||||
hostname = "k3s1";
|
||||
selfIp = "192.168.20.120";
|
||||
enableK3s = false;
|
||||
};
|
||||
|
||||
k3s2 = makeK3sConfig {
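Review bot: `prepare-nvme` in the second hunk rewrites the partition table of the hard-coded `/dev/nvme0n1` and pipes `YES` into `cryptsetup luksFormat` without checking for existing data. Because it is also added to `environment.systemPackages`, an accidental run on an already provisioned host built from this module would wipe the encrypted volume. A preflight that refuses when `/dev/nvme0n1p1` already carries a LUKS header, unless an explicit override is passed, would make it safe to leave installed, and `cryptsetup -q luksFormat` is the supported way to skip the prompt instead of `echo "YES" |`. Separately, partition 2 is created but never formatted or encrypted here, which looks unintended unless it is handled elsewhere. The inner `#!/usr/bin/env bash` line is redundant, since `writeShellScriptBin` writes its own shebang.

```nix
set -e

# Refuse to repartition a disk that already holds a LUKS volume.
if cryptsetup isLuks /dev/nvme0n1p1 2>/dev/null && [ "$1" != "--force" ]; then
  echo "/dev/nvme0n1p1 is already a LUKS volume; pass --force to wipe it" >&2
  exit 1
fi

# … unchanged: fdisk partitioning …
cryptsetup -q luksFormat /dev/nvme0n1p1 -d ${keyFilePath}
# … unchanged: luksOpen, mkfs.btrfs, subvolume creation, umount, luksClose …
```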
|
||||
|
|
|
@ -39,8 +39,8 @@ fi
|
|||
if [ -d "${TARGET_SUBVOLUME}" ]
|
||||
then
|
||||
echo "Removing existing subvolume"
|
||||
sudo btrfs subvolume delete "${TARGET_SUBVOLUME}"
|
||||
btrfs subvolume delete "${TARGET_SUBVOLUME}"
|
||||
fi
|
||||
|
||||
echo "Snapshotting ${SNAPSHOT_PATH} into ${TARGET_SUBVOLUME}"
|
||||
sudo btrfs subvolume snapshot "${SNAPSHOT_PATH}" "${TARGET_SUBVOLUME}"
|
||||
btrfs subvolume snapshot "${SNAPSHOT_PATH}" "${TARGET_SUBVOLUME}"
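Review bot: With `sudo` dropped from both `btrfs subvolume` calls, the script only works when it is started as root, and nothing in the hunk checks that. An unprivileged run now fails at `btrfs subvolume delete` or `btrfs subvolume snapshot` with a permission error that does not say what to do. An early guard such as `[ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; exit 1; }` near the top would make the requirement explicit. The start of the script is outside the hunk, so it may already have one.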
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
k3s_token: ENC[AES256_GCM,data:IXhvi05qdc51lptYzhv/c8DvFfohU3padWVSudXObwA+eaX2ToerJS9RZ7tInSHhqWbsaFETnb6kgdQ4MnW3QkbaqyrjytKJtGQ3JzxXw1iN/xLtqw8lVo86gtCn4EHGkGvVyj6xt1dtdfh3,iv:fAdT+//qvn6Gog7LZciQt7gYu4OEUiLxTUnsVP9tReI=,tag:rU7gMwEqNSRttAAwRm6S3w==,type:str]
|
||||
k3s_token: ENC[AES256_GCM,data:F/7MJFTsBnEUkHh7BCDRf/VEpg42zSTQVhr7joPtbVOjQr4TggHLErTCat4A1lLnhu0fToiUtNbmuCfUzxjaWivJ/dAWl/rhHwxabmrGosfI5u62TsG7NHkqpJFRs6bXQQac+s4f9N/rOsOR,iv:o1BSHkMVm/0Il9vlX6KDz7b4GWDBGBC8YLYmMU0qHXM=,tag:bdl9glMGFJREfyTKbg0vAg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -23,8 +23,8 @@ sops:
|
|||
NHVtWEdPZjVFdFF0UG4xNEtoU1lBckkKj6Fx2o17lrER5SAIJcqLSlcOmz/qufyE
|
||||
P3l8RCxKtzsGoihsGME1jROMiq2hsWe5uFA7vUiOggqzWV9M9mywBQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-01-27T05:34:51Z"
|
||||
mac: ENC[AES256_GCM,data:naz97mcTjqITvAchg/yExyCkCOZvez3uHPsiF0F9T7WVpdpGrBdn/2iJhIlpJ6mPjoKWw3g85iT80YjMVXeAHFuYR7htvtMH6mpU8dfKmYWNsW2DJs+lMV8/OwDjJ6JWeKxPfX50nOGOxTmMXcPHrh0adeI2gHUfR9FPhr+ikE8=,iv:D/H0TN5X3arYzF9cQkYB2VJ1dYgbUeaBhr1gVfNVyd4=,tag:OjXi7ZDyXFJPp0dnszCaSA==,type:str]
|
||||
lastmodified: "2023-01-27T21:17:49Z"
|
||||
mac: ENC[AES256_GCM,data:YGRnJjU00jLTz4crkQYbNrQCVA0K7mZmoIGlMZA+0bJLv4b5qV3Oh7X62aApCUL17tXXjjaJCVb1NZ2pOVmIlR9sx0+FurMJsjebGHu96zqxZ/NogCJ3KM10KUH1hb7wCUDdTe1wDavEjEcuNnVV2YAkGlp+qNOb9hHdafKrqwk=,iv:kDrIqT3tunv6FKUqLRwCFdBHVn2dqoYM6rgTmdy3kDE=,tag:ff0ARafpF0I8JRsSLHTQlg==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
|
|