move files

Author: loic-roux-404

.github/workflows/release-nixos.yml

@@ -4,7 +4,7 @@ on:
     branches:
       - main
     paths:
-      - 'playbook/**.yml'
+      - 'nixos/**.yml'
       - '!**.md'
       - '!playbook/roles/paas/molecule/**'
       - 'packer/**'

flake.lock

@@ -70,14 +70,16 @@
       };
 
       darwinModules = {
-        base = ./nixos/darwin.nix;
+        config = ./nixos-config/default.nix;
+        os = ./nixos-darwin/configuration.nix;
       };
 
       nixosModules = {
         common = srvos.nixosModules.common;
         server = srvos.nixosModules.server;
         home-manager = inputs.home-manager.nixosModules.home-manager;
-        configuration = ./nixos/configuration.nix;
+        os = ./nixos/configuration.nix;
+        config = ./nixos-config/default.nix;
       };
 
       darwinConfigurations = {
@@ -172,7 +174,7 @@
             packages = attrValues {
               inherit (pkgs) bashInteractive kubectl nil pebble jq grpcurl
               e2fsprogs coreutils libvirt qemu tailscale kubernetes-helm docker-client;
-              inherit (stablePkgs) terraform nix-tree waypoint;
+              inherit (stablePkgs) terraform nix-tree waypoint mitmproxy;
             };
             shellHook = ''
               export DOCKER_HOST=tcp://127.0.0.1:2375

flake.nix

@@ -102,4 +102,3 @@ output "token" {
   sensitive = true
   value     = data.kubernetes_secret.waypoint_token.data.token
 }
-

k8s/waypoint/main.tf

@@ -4,9 +4,9 @@
   options.k3s-paas = {
 
     letsencrypt.crt = lib.mkOption {
-      default = ./certs/local.pem;
-      type = lib.types.path;
-      description = "Lets encrypt root ca";
+      default = ["https://localhost:15000/intermediates/0"] ;
+      type = lib.types.list (lib.types.str);
+      description = "Ca url to fetch and trust";
     };
 
     dns.name = lib.mkOption {
@@ -51,17 +51,10 @@
       description = "K3s token";
     };
 
-    dex.http_scheme = lib.mkOption {
-      default = "https";
-      type = lib.types.str;
-      description = "Http protocol for Dex in k3s-paas.";
-    };
-
     dex.dex_client_id = lib.mkOption {
       default = "client-id";
       type = lib.types.str;
       description = "Client ID for Dex";
     };
-
   };
 }

nixos/k3s-paas.nix nixos-config/default.nix

@@ -1,8 +1,5 @@
 { pkgs, lib, config, ... }:
 {
-  imports = [ 
-    "${builtins.toString ./.}/k3s-paas.nix"
-  ];
   programs.fish.enable = true;
   programs.bash.enable = true;
   environment.systemPackages = [ pkgs.bashInteractive ];
@@ -70,8 +67,8 @@
     pebble = {
       listenAddress = "0.0.0.0:14000";
       managementListenAddress = "0.0.0.0:15000";
-      certificate = pkgs.writeText "pebble-cert" (builtins.readFile ./certs/local.pem);
-      privateKey = pkgs.writeText "pebble-key" (builtins.readFile ./certs/local-key.pem);
+      certificate = pkgs.writeText "pebble-cert" (builtins.readFile ./certs/cert.pem);
+      privateKey = pkgs.writeText "pebble-key" (builtins.readFile ./certs/key.pem);
       httpPort = 80;
       tlsPort = 443;
       ocspResponderURL = "";
@@ -98,7 +95,7 @@
   {
     virtualisation.docker.enable = true;
     virtualisation.docker.daemon.settings = {
-      hosts = [ "tcp://127.0.0.1:2375" ];
+      hosts = [ "tcp://0.0.0.0:2375" ];
     };
     networking.firewall.enable = lib.mkForce false;
     virtualisation.forwardPorts = lib.mkForce [

nixos/certs/local.pem nixos-darwin/certs/cert.pem

@@ -6,17 +6,15 @@
 }: 
 
 let
-  dex_hostname = "${config.k3s-paas.dex.http_scheme}://dex.${config.k3s-paas.dns.name}";
+  dex_hostname = "https://dex.${config.k3s-paas.dns.name}";
   k3sTokenFile = pkgs.writeText "token" config.k3s-paas.k3s.token;
-  letsEncryptCa = with config.k3s-paas.letsencrypt; if crt != "" then [crt] else [];
+  certs =  builtins.map (url: builtins.fetchurl { url = url; }) config.k3s-paas.certs;
   certManagerCrds = builtins.fetchurl {
     url = "https://github.com/cert-manager/cert-manager/releases/download/v1.14.4/cert-manager.crds.yaml";
     sha256 = "060bn3gvrr5jphaig1g195prip5rn0x1s7qrp09q47719fgc6636";
   };
   manifests = builtins.filter (d: d != "") [certManagerCrds];
 in {
-  imports = [ ./k3s-paas.nix ];
-
   console = {
     earlySetup = true;
     keyMap = "fr";
@@ -77,16 +75,13 @@ in {
   home-manager.users.${config.k3s-paas.user.name} = {
     xdg.enable = true;
     home.stateVersion = "23.05";
-    home.file.".bashrc".source = lib.mkForce ./bashrc;
-    home.file.".inputrc".source = ./inputrc;
     home.sessionVariables = {
       EDITOR = "vim";
       PAGER = "less -FirSwX";
     };
     programs.bash = {
       enable = true;
       historyControl = [ "ignoredups" "ignorespace" ];
-      initExtra = "/home/${config.k3s-paas.user.name}/bashrc";
     };
   };
 
@@ -145,7 +140,7 @@ in {
     useDHCP = false;
     firewall = {
       enable = true;
-      allowedTCPPorts = lib.mkForce [80 443 22 6443 32701 9701];
+      allowedTCPPorts = lib.mkForce [80 443 22 6443];
     };
     nftables.enable = true;
     networkmanager.enable = true;
@@ -157,7 +152,7 @@ in {
     wait-online.anyInterface = true;
   };
 
-  security.pki.certificateFiles = letsEncryptCa;
+  security.pki.certificateFiles = certs;
 
   nixpkgs = {
     config = {