This project has been described in a medium article that can be found here. It gives more explanation about the whole construction of the project.
To build an sd image, run the following command.
$ ./runner-wrapper.sh nix build .#nixosConfigurations.<host>.config.system.build.sdImageWhere <host> is the name of the nixosConfiguration.
This project uses colmena for deployment. In order for all the certificates to be pushed to the remote hosts, one needs to use colmena to deploy the keys.
- Generate the keys
$ nix run .\#gen-certs- Upload the keys
$ ./runner-wrapper.sh colmena upload-keysOnce the keys has been deployed, the proper deployment can begin.
$ colmena apply --no-keysNote: when applying, we are not deploying the keys once again are they are meant to be kept the same amongst multiple deployments.
Calico is the cni used on each machine.
The gateway module is a wireguard server that serves as entrypoint for the cluster.
The subnet for the vpn is 10.200.0.0/24.
The IP Addresses for the nodes are
10.200.0.1-10.200.0.99, and the remaining range
is for other clients.
To deploy secrets, you need to upload an ssh key that has been used to encrypt the secrets onto the node.
Push key secrets/servers.key to /var/lib/nixos/servers.key on the remote
node to allow it.
To install calico, follow this guide.
There are a few steps to configure calico.
- Configure the ipv4 pool (follow guide)
- Remove the initContainer called
install-cniin thecalico-nodedaemonset.