From ec3c62f22a8c76f75d30fb9f380dd321d3d482f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jakub=20Krop=C3=A1=C4=8Dek?= Date: Wed, 15 Jan 2025 23:51:23 +0100 Subject: [PATCH] cluster (almost) deployed! --- hosts/node1/default.nix | 3 ++- hosts/node2/default.nix | 3 ++- nixosModules/networking/default.nix | 14 ++++++++++++++ nixosModules/services/k3s/default.nix | 12 +++++------- scripts/update.sh | 7 ++++--- secrets/k3stoken.age | 16 ++++++++++------ secrets/keys.json | 14 ++++++++++---- secrets/mypassword.age | Bin 505 -> 725 bytes 8 files changed, 47 insertions(+), 22 deletions(-) diff --git a/hosts/node1/default.nix b/hosts/node1/default.nix index 6d37b63..b6903f6 100644 --- a/hosts/node1/default.nix +++ b/hosts/node1/default.nix @@ -3,12 +3,13 @@ kropcloud = let serverIp = "192.168.1.171"; + k3sMaster = "192.168.1.170"; in { services = { k3s = { enable = true; - master = "node0"; + master = k3sMaster; }; }; networking = { diff --git a/hosts/node2/default.nix b/hosts/node2/default.nix index f4119f1..3b3de95 100644 --- a/hosts/node2/default.nix +++ b/hosts/node2/default.nix @@ -3,12 +3,13 @@ kropcloud = let serverIp = "192.168.1.172"; + k3sMaster = "192.168.1.170"; in { services = { k3s = { enable = true; - master = "node0"; + master = k3sMaster; }; }; networking = { diff --git a/nixosModules/networking/default.nix b/nixosModules/networking/default.nix index d52c704..c015ff1 100644 --- a/nixosModules/networking/default.nix +++ b/nixosModules/networking/default.nix @@ -5,6 +5,7 @@ }: let cfg = config.kropcloud.networking; + kc_cfg = config.kropcloud; ipopts = version: { address = lib.mkOption { type = lib.types.nullOr lib.types.str; @@ -57,6 +58,19 @@ in nftables.enable = true; firewall = { checkReversePath = "loose"; + allowedUDPPorts = [] + ++ lib.optionals kc_cfg.services.k3s.enable + [ + 8472 + ]; + allowedTCPPorts = [] + ++ lib.optionals kc_cfg.services.k3s.enable + [ + 2379 + 2380 + 6443 + 10250 + ]; }; interfaces = { ens18 = { 
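Review bot: `k3sMaster = "192.168.1.170"` is written out in the hosts/node1/default.nix hunk and again, identically, in the hosts/node2/default.nix hunk, so the server address lives in two literals that must be changed together. Defining it once, for example as a shared value that both host files read, keeps a node from being left pointing at a stale address after the server is renumbered. The enclosing `kropcloud` attribute set starts and ends outside both hunks.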
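Review bot: The new `allowedTCPPorts` and `allowedUDPPorts` entries in the `firewall` block open 8472/udp and 2379, 2380, 6443 and 10250/tcp to every source on every interface as soon as `kc_cfg.services.k3s.enable` is true. In a k3s cluster 8472 (flannel VXLAN), 2379-2380 (embedded etcd) and 10250 (kubelet) carry node-to-node traffic only, and the etcd ports are only needed on server nodes. Consider scoping them with `networking.firewall.interfaces.<name>.allowedTCPPorts` or a source-subnet rule in `networking.firewall.extraInputRules`, and gating 2379/2380 on whether the node actually runs as a server, which this hunk does not show. A one-line comment per port naming its purpose would also help the next reader. The `firewall` block continues outside the hunk.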
diff --git a/nixosModules/services/k3s/default.nix b/nixosModules/services/k3s/default.nix index 258f16b..24b16b0 100644 --- a/nixosModules/services/k3s/default.nix +++ b/nixosModules/services/k3s/default.nix @@ -21,10 +21,10 @@ in assertions = [ { - assertion = (!cfg.isMaster && cfg.master == null); + assertion = (if cfg.isMaster then cfg.master == null else cfg.master != null); message = '' You need to provide a valid value for `master` in `kropcloud.services.k3s` - when `isMaster` is not set. + when `isMaster` is false. ''; } ]; @@ -44,12 +44,10 @@ in "--disable local-storage" ] ++ ( - if cfg.isMaster && cfg.master != null then - [ ] + if (!cfg.isMaster && cfg.master != null) then + [ "--server https://${cfg.master}:6443" ] else - [ - "--server https://${cfg.master}:6443" - ] + [ ] ) ); clusterInit = cfg.isMaster; diff --git a/scripts/update.sh b/scripts/update.sh index c12b64b..4d6d792 100755 --- a/scripts/update.sh +++ b/scripts/update.sh @@ -2,8 +2,9 @@ # Parameters ip=$1 -if [ -z "$ip" ]; then - echo "Usage: $0 " +host=$2 +if [ -z "$ip" ] || [ -z "$host" ]; then + echo "Usage: $0 " exit 1 fi @@ -22,4 +23,4 @@ if [ $ret -ne 0 ]; then exit $ret fi -echo "Successfully updated $ip, rebooting" \ No newline at end of file +echo "Successfully updated $ip" \ No newline at end of file diff --git a/secrets/k3stoken.age b/secrets/k3stoken.age index c7da7fc..6070abd 100644 --- a/secrets/k3stoken.age +++ b/secrets/k3stoken.age 
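Review bot: The rewritten assertion in the first k3s hunk now also fails when `isMaster` is true and `master` is set, but the message still describes only the case where `isMaster` is false. A host that sets both therefore gets an error telling it to provide a value it has already provided. Either split this into two assertions with their own messages, or extend the text to say that `master` must be set when `isMaster` is false and left unset when it is true.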
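Review bot: In the second k3s hunk the join address is string-built into a flag, `"--server https://${cfg.master}:6443"`, with port 6443 hard-coded here and again in the firewall list of the networking module. If this attribute set is `services.k3s` (the `clusterInit` line suggests so), its `serverAddr` option carries the same value without assembling a CLI flag: `serverAddr = lib.mkIf (!cfg.isMaster) "https://${cfg.master}:6443";`. Since the hosts now address the server by a bare LAN IP, it is also worth a comment that the joining node pins the server CA only when the join token is in the full format. The token inside secrets/k3stoken.age is not visible here, so confirm which format it uses. The flag list begins outside the hunk.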
@@ -1,7 +1,11 @@ age-encryption.org/v1 --> ssh-ed25519 5k28aQ wUKJk8gcxcCqbdXsfuod3dvEtj+pXRe8rLYVv/uyND4 -aHOXSUwP5+AJZ5etU+dj9ssVNQNcDuXSpq+wvIYsoyE --> ssh-ed25519 MhDGlw Ln5f8TTQFDlp+KGQpRRPNgn/+fzoY7Bnl7FlDg5ZSSs -uJbxZFjjcSxhIPHvregG1tD8BKKfHHMlvfZ6itDIppY ---- MGApTU7O6xSlpanV9LC22ZX2u7bwULpBMaTLg01SO/0 -Y J#ž6/ 6 wTF fԶ xם5^ \ No newline at end of file +-> ssh-ed25519 5k28aQ y4XpTfV5UjlrWhTVriFODs+EeHTfbXE4kVxVFtCD8A4 +BChXLfffj6d6j+65QzBxhTG5kMZioABitkapV27VOSE +-> ssh-ed25519 MhDGlw Vr3tkeYU9t778OOYlnftcNIPW3VT4DiF8fuN7UkRVHM +EsPGuwRqLZEOD2/ylbyMW7o8ZsHR/OESzj2YnQXYF9A +-> ssh-ed25519 TFUeMw K8XZcFjQOqYxKt123Ogl7jAGXBfFCzhFFhETvonOqEE +zJubHpFlsY9VAxLPNcwxwG7Yhdz3Uk1OvuxDL3ydhaw +-> ssh-ed25519 lMTnvw oPDN69xxiuwx8zcHFHaak4f9MqwUjc8OVvTYcsK2ORg +yfbPjJivWZ62QaeHC4oPbtbJcAFoAjbnjqIn9caGV/A +--- ojBfdgjuVJcFYPi2y3smGWbrWFVIO3JMDsHx1mj8apE +YO܂Ȇ2Ӕ46Td wڼ2)> \ No newline at end of file diff --git a/secrets/keys.json b/secrets/keys.json index 2f613a1..d868260 100644 --- a/secrets/keys.json +++ b/secrets/keys.json @@ -4,17 +4,23 @@ "lenar": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOUnlAjPnMwJYgZb7YuholdTxifOEFnAyXVqI+xFlHw6" }, "servers": { - "test-server": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4ioqiTzYe6Y6H0YfFkWyDBbCB25wYs3gKNZIufE/Sn" + "test-server": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4ioqiTzYe6Y6H0YfFkWyDBbCB25wYs3gKNZIufE/Sn", + "node0": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITESdAzft5+WqMWM2A9Tix8BDWGnVv3z0IF8mqXwWA0", + "node1": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxhznyKJwumO3jzm9kjH+lZJln7fypT8YKAdLNhVspU" }, "secrets": { "mypassword.age": [ "hosts:wenar-nix", "hosts:lenar", - "servers:test-server" + "servers:test-server", + "servers:node0", + "servers:node1" ], "k3stoken.age": [ "hosts:wenar-nix", - "hosts:lenar" + "hosts:lenar", + "servers:node0", + "servers:node1" ] } -} +} \ No newline at end of file 
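Review bot: `node2` is absent from `servers` and from both recipient lists in the secrets/keys.json hunk, although hosts/node2/default.nix in this same commit enables k3s with a `master`. The re-encrypted secrets/k3stoken.age has four recipient stanzas, matching the four names listed, so node2 presumably cannot decrypt the join token as committed. If that is the "almost" in the subject, a short note in the commit message would make it explicit; otherwise add the node2 host key and re-encrypt. Separately, `mypassword.age` is now readable by every server including `test-server`; if that machine is not part of the cluster, dropping it from the list keeps the password's exposure to the hosts that need it.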
diff --git a/secrets/mypassword.age b/secrets/mypassword.age index 6ae2b0515b274ffac94cbe122168b274498e67fe..a11d9e93a3b7ba5568887a30cce51a1c9886c9b2 100644 GIT binary patch literal 725 zcmZ9_yNlCs003a&aET6r4u^sU6huNUNzf~~+j^fRtIE$;!{Rh6!aBb8Mta!Odr(v)a#x9l<5V{Q~$pp2> z1&ShAnDPpYA;HxkrTI?N?^UZqPjI5PP%WDZO($}TWa>;JEhcnbM1~_AK!`Y~^sPm` zDI)1y^DUq6(5&ESBqn!*!rWf&w8@;s%f-CEzVVY<(+9A~#vPj;N2;u-j30POieQ;D z3&kcUw6bzFsj&bPmc?22x=q&8IPv;=^Pp2sGaoh0qptEnMGxUJY^p z<4H>_u7Gb#UfN|keSA@8E1}`hJvm6T5y|N?uE`}TQg{eYNtdI>VJ)17qgqKWt6jz6 zm=a6$!5~zvxD&2$X*e?h1EDAiGvT6`{D;_VAS^SElU>!s(sV`FoLP_OV@smE1yH?2 z*P-mq4fyIU4S6rc^ZQq}n49{3=R;w4ch@{_{JH&lpE*Bp!M*& IcH!91e|TH-C;$Ke delta 451 zcmV~$JBZU@007`q>5{=wDTq`j!cMWw61JjWX)6B_k_%2Do%6X*r@a zhmteYg|VEJb9El5+Q1nPvTi`MITg@?*}*2hLxDwe@c8e=y&2{b5yQ-sI;oI`%QI6- zVhNDhoLKLOrWn~=qM1~0?otRTlk!qa;;*LIn z2#TV$g!3lLTo4Bh(3QveMoKkIho@s07DJ&wuP3uO2{J#}^i&S{0=HNDEqwR*X6xAp z<9RkcSbuln{m!5LxA70=&aS@wJ1o9m=8C7M4=RVpZ?0H(U#!{D?az^T|6%o|{N&Qv qPi2a&pRWCUeXo7=@zHE_e(Tk>>eXK>?;tulIc!xc%QHCm%KitPxTFLC