feat: refactor infra to cp/wk kubeadm topology

Provision 3 thin control planes and 3 workers with role-specific sizing and VMID ranges (701/711), generate per-node cloud-init snippets with SSH key injection, and add NixOS kubeadm host/module scaffolding for cp-1..3 and wk-1..3.
2026-02-28 14:16:55 +00:00
parent c516c8ba35
commit 21be01346b
19 changed files with 348 additions and 62 deletions
--- a/nixos/kubeadm/README.md
+++ b/nixos/kubeadm/README.md
@@ -0,0 +1,42 @@
+# Kubeadm Cluster Layout (NixOS)
+
+This folder defines role-based NixOS configs for a kubeadm cluster.
+
+## Topology
+
+- Control planes: `cp-1`, `cp-2`, `cp-3`
+- Workers: `wk-1`, `wk-2`, `wk-3`
+
+## What this provides
+
+- Shared Kubernetes/node prerequisites in `modules/k8s-common.nix`
+- Role-specific settings for control planes and workers
+- Host configs for each node in `hosts/`
+
+## Hardware config files
+
+Each host file optionally imports `hosts/hardware/<host>.nix` if present.
+Copy each node's generated hardware config into this folder:
+
+```bash
+sudo nixos-generate-config
+sudo cp /etc/nixos/hardware-configuration.nix ./hosts/hardware/cp-1.nix
+```
+
+Repeat for each node (`cp-2`, `cp-3`, `wk-1`, `wk-2`, `wk-3`).
+
+## Deploy approach
+
+Start from one node at a time while experimenting:
+
+```bash
+sudo nixos-rebuild switch --flake .#cp-1
+```
+
+For remote target-host workflows, use your preferred deploy wrapper later
+(`nixos-rebuild --target-host ...` or deploy-rs/colmena).
+
+## Notes
+
+- This does not run `kubeadm init/join` automatically.
+- It prepares OS/runtime/kernel prerequisites so kubeadm bootstrapping is clean.
--- a/nixos/kubeadm/flake.nix
+++ b/nixos/kubeadm/flake.nix
@@ -0,0 +1,26 @@
+{
+  description = "NixOS kubeadm cluster configs";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+  };
+
+  outputs = { nixpkgs, ... }:
+    let
+      system = "x86_64-linux";
+      mkHost = hostModules:
+        nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = hostModules;
+        };
+    in {
+      nixosConfigurations = {
+        cp-1 = mkHost [ ./hosts/cp-1.nix ];
+        cp-2 = mkHost [ ./hosts/cp-2.nix ];
+        cp-3 = mkHost [ ./hosts/cp-3.nix ];
+        wk-1 = mkHost [ ./hosts/wk-1.nix ];
+        wk-2 = mkHost [ ./hosts/wk-2.nix ];
+        wk-3 = mkHost [ ./hosts/wk-3.nix ];
+      };
+    };
+}
--- a/nixos/kubeadm/hosts/cp-1.nix
+++ b/nixos/kubeadm/hosts/cp-1.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+
+{
+  imports =
+    [
+      ../modules/k8s-common.nix
+      ../modules/k8s-control-plane.nix
+    ]
+    ++ lib.optional (builtins.pathExists ./hardware/cp-1.nix) ./hardware/cp-1.nix;
+
+  networking.hostName = "cp-1";
+
+  system.stateVersion = "25.05";
+}
--- a/nixos/kubeadm/hosts/cp-2.nix
+++ b/nixos/kubeadm/hosts/cp-2.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+
+{
+  imports =
+    [
+      ../modules/k8s-common.nix
+      ../modules/k8s-control-plane.nix
+    ]
+    ++ lib.optional (builtins.pathExists ./hardware/cp-2.nix) ./hardware/cp-2.nix;
+
+  networking.hostName = "cp-2";
+
+  system.stateVersion = "25.05";
+}
--- a/nixos/kubeadm/hosts/cp-3.nix
+++ b/nixos/kubeadm/hosts/cp-3.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+
+{
+  imports =
+    [
+      ../modules/k8s-common.nix
+      ../modules/k8s-control-plane.nix
+    ]
+    ++ lib.optional (builtins.pathExists ./hardware/cp-3.nix) ./hardware/cp-3.nix;
+
+  networking.hostName = "cp-3";
+
+  system.stateVersion = "25.05";
+}
--- a/nixos/kubeadm/hosts/hardware/.gitkeep
+++ b/nixos/kubeadm/hosts/hardware/.gitkeep
--- a/nixos/kubeadm/hosts/wk-1.nix
+++ b/nixos/kubeadm/hosts/wk-1.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+
+{
+  imports =
+    [
+      ../modules/k8s-common.nix
+      ../modules/k8s-worker.nix
+    ]
+    ++ lib.optional (builtins.pathExists ./hardware/wk-1.nix) ./hardware/wk-1.nix;
+
+  networking.hostName = "wk-1";
+
+  system.stateVersion = "25.05";
+}
--- a/nixos/kubeadm/hosts/wk-2.nix
+++ b/nixos/kubeadm/hosts/wk-2.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+
+{
+  imports =
+    [
+      ../modules/k8s-common.nix
+      ../modules/k8s-worker.nix
+    ]
+    ++ lib.optional (builtins.pathExists ./hardware/wk-2.nix) ./hardware/wk-2.nix;
+
+  networking.hostName = "wk-2";
+
+  system.stateVersion = "25.05";
+}
--- a/nixos/kubeadm/hosts/wk-3.nix
+++ b/nixos/kubeadm/hosts/wk-3.nix
@@ -0,0 +1,14 @@
+{ lib, ... }:
+
+{
+  imports =
+    [
+      ../modules/k8s-common.nix
+      ../modules/k8s-worker.nix
+    ]
+    ++ lib.optional (builtins.pathExists ./hardware/wk-3.nix) ./hardware/wk-3.nix;
+
+  networking.hostName = "wk-3";
+
+  system.stateVersion = "25.05";
+}
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+  boot.kernelModules = [ "overlay" "br_netfilter" ];
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.bridge.bridge-nf-call-iptables" = 1;
+    "net.bridge.bridge-nf-call-ip6tables" = 1;
+  };
+
+  virtualisation.containerd.enable = true;
+
+  services.openssh.enable = true;
+  services.openssh.settings = {
+    PasswordAuthentication = false;
+    KbdInteractiveAuthentication = false;
+  };
+
+  environment.systemPackages = with pkgs; [
+    containerd
+    cri-tools
+    cni-plugins
+    kubernetes
+    kubectl
+    kubernetes-helm
+    conntrack-tools
+    socat
+    ethtool
+    ipvsadm
+    jq
+    curl
+    vim
+  ];
+}
--- a/nixos/kubeadm/modules/k8s-control-plane.nix
+++ b/nixos/kubeadm/modules/k8s-control-plane.nix
@@ -0,0 +1,14 @@
+{
+  networking.firewall.allowedTCPPorts = [
+    6443
+    2379
+    2380
+    10250
+    10257
+    10259
+  ];
+
+  networking.firewall.allowedUDPPorts = [
+    8472
+  ];
+}
--- a/nixos/kubeadm/modules/k8s-worker.nix
+++ b/nixos/kubeadm/modules/k8s-worker.nix
@@ -0,0 +1,11 @@
+{
+  networking.firewall.allowedTCPPorts = [
+    10250
+    30000
+    32767
+  ];
+
+  networking.firewall.allowedUDPPorts = [
+    8472
+  ];
+}