From ecf0d52f765142ffa47c2d756fbf665d0939c55c Mon Sep 17 00:00:00 2001
From: DerGrumpf
Date: Wed, 18 Feb 2026 16:35:01 +0100
Subject: [PATCH] Added: k3s setup; Changed Firewall

---
 hosts/cyper-pi-1/configuration.nix | 5 +---
 hosts/cyper-pi-1/k3s-master.nix | 38 ++++++++++++++++++++++++++++++
 hosts/cyper-pi-1/postgres.nix | 2 ++
 hosts/cyper-pi-2/configuration.nix | 6 +----
 hosts/services/k3s-agent.nix | 29 +++++++++++++++++++++++
 5 files changed, 71 insertions(+), 9 deletions(-)
 create mode 100644 hosts/cyper-pi-1/k3s-master.nix
 create mode 100644 hosts/services/k3s-agent.nix

diff --git a/hosts/cyper-pi-1/configuration.nix b/hosts/cyper-pi-1/configuration.nix
index 1a59457..17a4420 100644
--- a/hosts/cyper-pi-1/configuration.nix
+++ b/hosts/cyper-pi-1/configuration.nix
@@ -6,6 +6,7 @@
 {
   imports = [
     ./postgres.nix
+    ./k3s-master.nix
   ];
 
   # Any RPi 4 specific customizations go here
@@ -17,9 +18,5 @@
     # prefixLength = 24;
     # }
     # ];
-
-    firewall = {
-      allowedTCPPorts = [ 5432 ];
-    };
   };
 }
diff --git a/hosts/cyper-pi-1/k3s-master.nix b/hosts/cyper-pi-1/k3s-master.nix
new file mode 100644
index 0000000..bdf7be0
--- /dev/null
+++ b/hosts/cyper-pi-1/k3s-master.nix
@@ -0,0 +1,38 @@
+{ pkgs, ... }:
+
+{
+  boot.kernelParams = [
+    "cgroup_memory=1"
+    "cgroup_enable=memory"
+    "cgroup_enable=cpuset"
+  ];
+
+  services.k3s = {
+    enable = true;
+    role = "server";
+    clusterInit = true;
+    extraFlags = ''
+      --disable=traefik
+      --flannel-backend=host-gw
+    '';
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 6443 ];
+    allowedTCPPortRanges = [
+      {
+        from = 10250;
+        to = 10250;
+      }
+      {
+        from = 30000;
+        to = 32767;
+      }
+    ];
+    trustedInterfaces = [ "cni0" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    kubectl
+  ];
+}
diff --git a/hosts/cyper-pi-1/postgres.nix b/hosts/cyper-pi-1/postgres.nix
index eddff04..83711f4 100644
--- a/hosts/cyper-pi-1/postgres.nix
+++ b/hosts/cyper-pi-1/postgres.nix
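Review bot: `trustedInterfaces = [ "cni0" ];` in hosts/cyper-pi-1/k3s-master.nix exempts every packet arriving on the pod bridge from the host firewall, so any pod can reach any listening service on cyper-pi-1, including the PostgreSQL port this commit moves into postgres.nix; if that is intended it deserves a comment, e.g. `# pods on the cni0 bridge bypass the host firewall; every host service is reachable from any pod`. The API server (6443), kubelet (10250) and the NodePort range are also opened on every interface, whereas `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts` would scope them to the LAN uplink. As a point of style, the single-port range `{ from = 10250; to = 10250; }` reads more naturally as `allowedTCPPorts = [ 6443 10250 ];`, leaving `allowedTCPPortRanges` for 30000-32767 alone. Nothing in this hunk sets a join token, so the server will rely on the one k3s generates on first start; the agent in hosts/services/k3s-agent.nix needs that same value to enrol.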
@@ -63,6 +63,8 @@
   # Enable the PostgreSQL service to start on boot
   systemd.services.postgresql.wantedBy = [ "multi-user.target" ];
 
+  networking.firewall.allowedTCPPorts = [ 5432 ];
+
   # Create mount point for external USB storage (optional, for better performance)
   # Uncomment if using the USB 3 storage we configured earlier
   # systemd.tmpfiles.rules = [
diff --git a/hosts/cyper-pi-2/configuration.nix b/hosts/cyper-pi-2/configuration.nix
index 8a95445..5954501 100644
--- a/hosts/cyper-pi-2/configuration.nix
+++ b/hosts/cyper-pi-2/configuration.nix
@@ -4,7 +4,7 @@
 }:
 
 {
-  #imports = [ ];
+  imports = [ ../services/k3s-agent.nix ];
 
   # Any RPi 4 specific customizations go here
   networking = {
@@ -15,9 +15,5 @@
     # prefixLength = 24;
     # }
     # ];
-
-    firewall = {
-      allowedTCPPorts = [ ];
-    };
   };
 }
diff --git a/hosts/services/k3s-agent.nix b/hosts/services/k3s-agent.nix
new file mode 100644
index 0000000..ff6ab91
--- /dev/null
+++ b/hosts/services/k3s-agent.nix
@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  boot.kernelParams = [
+    "cgroup_memory=1"
+    "cgroup_enable=memory"
+    "cgroup_enable=cpuset"
+  ];
+
+  services.k3s = {
+    enable = true;
+    role = "agent";
+    serverAddr = "https://192.168.2.199:6443";
+  };
+
+  networking.firewall = {
+    allowedTCPPortRanges = [
+      {
+        from = 10250;
+        to = 10250;
+      }
+      {
+        from = 30000;
+        to = 32767;
+      }
+    ];
+    trustedInterfaces = [ "cni0" ];
+  };
+}
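Review bot: `networking.firewall.allowedTCPPorts = [ 5432 ];` opens PostgreSQL on every interface of the host, the same exposure the block removed from configuration.nix had, and with k3s-master.nix marking cni0 as trusted it is now also reachable from every pod. If only LAN clients need the port, `networking.firewall.interfaces.<lan-interface>.allowedTCPPorts = [ 5432 ];` scopes the rule to that interface and leaves the server's own client authentication as the second layer. A short comment naming the intended clients, e.g. `# PostgreSQL reachable from the LAN and from cluster pods; client access is governed by the pg_hba rules`, would record that the exposure is deliberate. The enclosing module attribute set begins and ends outside this hunk.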
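Review bot: `serverAddr = "https://192.168.2.199:6443";` in hosts/services/k3s-agent.nix is given without any join credential, and nothing in this file supplies one, so the agent has no way to authenticate to the server; recent nixpkgs most likely rejects an agent without a token at evaluation time, and otherwise the unit fails at runtime. Set `services.k3s.tokenFile = "<path-to-token-file-outside-the-repo>";` rather than `services.k3s.token`, because a literal token is written into the world-readable Nix store and stays in git history. The address is a hard-coded LAN IP while the address block in cyper-pi-1's configuration.nix appears to still be commented out, so the join depends on the server keeping that lease. `trustedInterfaces = [ "cni0" ];` mirrors the master and has the same effect here, pod traffic bypassing the host firewall on the agent, which is worth a one-line comment so the next reader does not take it for an oversight.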