dotfiles/nixos/k3s.nix

{
  pkgs,
  config,
  lib,
  ...
}:
with lib; let
  cfg = config.myModules.railbird-k3s;
  mount-path = "/var/lib/railbird/bucket";
  bucket-name = "railbird-dev-videos";
  plugins-path = pkgs.buildEnv {
    name = "combined-cni-plugins";
    paths = [
      pkgs.cni-plugins
      pkgs.calico-cni-plugin
      pkgs.calico-kube-controllers
    ];
  };
in {
  options = {
    myModules.railbird-k3s = {
      enable = mkEnableOption "railbird k3s";
      serverAddr = mkOption {
        type = lib.types.str;
        default = "";
      };
      extraFlags = mkOption {
        type = lib.types.listOf lib.types.str;
        default = [];
      };
    };
  };
  config = mkIf cfg.enable {
    age.secrets."1896Folsom-k3s-token.age".file = ./secrets/1896Folsom-k3s-token.age;
    age.secrets."k3s-registry.yaml.age".file = ./secrets/k3s-registry.yaml.age;
    age.secrets.api-service-key = {
      file = ./secrets/api_service_account_key.json.age;
      owner = "railbird";
      group = "users";
    };
    environment.etc."rancher/k3s/registries.yaml".source = config.age.secrets."k3s-registry.yaml.age".path;
    services.dockerRegistry = {
      enable = true;
      listenAddress = "0.0.0.0";
      port = 5279;
      enableDelete = true;
      enableGarbageCollect = true;
    };
    services.flannel.enable = true;

    virtualisation.containerd = {
      enable = true;
      settings = {
        plugins."io.containerd.grpc.v1.cri" = {
          enable_cdi = true;
          cdi_spec_dirs = [ "/var/run/cdi" ];
          cni.bin_dir = "/opt/cni/bin";
        };
      };
    };

    virtualisation.containers = {
      containersConf.cniPlugins = [
        pkgs.cni-plugins
        pkgs.calico-cni-plugin
        pkgs.calico-kube-controllers
      ];
    };

    systemd.services = {
      nvidia-container-toolkit-cdi-generator = {
        # Even with `--library-search-path`, `nvidia-ctk` won't find the libs
        # unless I bodge their path into the environment.
        environment.LD_LIBRARY_PATH = "${config.hardware.nvidia.package}/lib";
      };
      # k3s-containerd-setup = {
      #     # `virtualisation.containerd.settings` has no effect on k3s' bundled containerd.
      #     serviceConfig.Type = "oneshot";
      #     requiredBy = ["k3s.service"];
      #     before = ["k3s.service"];
      #     script = ''
      #       cat << EOF > /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl
      #       {{ template "base" . }}

      #       [plugins]
      #       "io.containerd.grpc.v1.cri".enable_cdi = true
      #       EOF
      #     '';
      # };
    };

    systemd.services.mount-railbird-bucket = {
      after = ["agenix.service"];
      wantedBy = [ "multi-user.target" ];
      description = "Mount railbird bucket";
      serviceConfig = {
        Type = "simple";
        RemainAfterExit = true;
        Restart = "on-failure";  # Restart the service on failure
        RestartSec = 5;  # Wait 5 seconds before restarti
        ExecStartPre = [
          "-${pkgs.util-linux}/bin/umount -f ${mount-path}"
          "${pkgs.coreutils}/bin/mkdir -p ${mount-path}"
          "${pkgs.coreutils}/bin/chown railbird:users ${mount-path}"
          "${pkgs.coreutils}/bin/chmod 0775 ${mount-path}"
        ];
        ExecStart = let
          key-file = config.age.secrets.api-service-key.path;
        in
        pkgs.writeShellScript "mount-railbird-bucket" ''
            while true; do
            if ${pkgs.util-linux}/bin/mount | grep -q "${mount-path}" && [ -d "${mount-path}/dev" ]; then
            echo "Mount path ${mount-path} is mounted and valid (contains directory 'dev')."
            else
            echo "Mount path is not valid or not mounted, attempting remount."
            ${pkgs.util-linux}/bin/umount -f "${mount-path}" || true
            ${pkgs.gcsfuse}/bin/gcsfuse --implicit-dirs --key-file "${key-file}" "${bucket-name}" "${mount-path}"
            fi
            echo "Sleeping"
            sleep 30
            done
          '';
        User = "root";
      };
    };

    services.k3s = {
      enable = true;
      clusterInit = cfg.serverAddr == "";
      serverAddr = cfg.serverAddr;
      configPath = pkgs.writeTextFile {
        name = "k3s-config.yaml";
        text = ''
          kubelet-arg:
          - "eviction-hard=nodefs.available<2Gi"
          - "eviction-soft=nodefs.available<5Gi"
          - "eviction-soft-grace-period=nodefs.available=5m"
        '';
      };
      tokenFile = config.age.secrets."1896Folsom-k3s-token.age".path;
      extraFlags =
        [
          "--container-runtime-endpoint unix:///run/containerd/containerd.sock"
          "--tls-san ryzen-shine.local"
          "--tls-san nixquick.local"
          "--tls-san biskcomp.local"
          "--tls-san jimi-hendnix.local"
          "--tls-san dev.railbird.ai"
          "--node-label nixos-nvidia-cdi=enabled"
        ]
        ++ cfg.extraFlags;
      containerdConfigTemplate = ''
        {{ template "base" . }}

        [plugins]
        "io.containerd.grpc.v1.cri".enable_cdi = true
        "io.containerd.grpc.v1.cri".cdi_spec_dirs = [ "/var/run/cdi" ]
      '';
      gracefulNodeShutdown = {
        enable = true;
      };
    };
  };
}
[NixOS] Trying to mount bucket 2024-10-07 15:00:14 -06:00			`{`
			`pkgs,`
			`config,`
			`lib,`
			`...`
			`}:`
			`with lib; let`
			`cfg = config.myModules.railbird-k3s;`
			`mount-path = "/var/lib/railbird/bucket";`
			`bucket-name = "railbird-dev-videos";`
[NixOS] Add bin to the plugins path 2024-12-29 17:58:31 -07:00			`plugins-path = pkgs.buildEnv {`
			`name = "combined-cni-plugins";`
			`paths = [`
[NixOS] Use /opt/cni/bin as dir for network plugins 2024-12-29 18:10:45 -07:00			`pkgs.cni-plugins`
			`pkgs.calico-cni-plugin`
			`pkgs.calico-kube-controllers`
[NixOS] Add bin to the plugins path 2024-12-29 17:58:31 -07:00			`];`
			`};`
[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`in {`
			`options = {`
[NixOS] Fix k3s definition 2024-09-30 16:42:58 -06:00			`myModules.railbird-k3s = {`
			`enable = mkEnableOption "railbird k3s";`
			`serverAddr = mkOption {`
			`type = lib.types.str;`
			`default = "";`
			`};`
[NixOS] Try to add a taint to ryzen-shine k3s 2024-10-09 11:32:35 -06:00			`extraFlags = mkOption {`
			`type = lib.types.listOf lib.types.str;`
			`default = [];`
			`};`
[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`};`
			`};`
[NixOS] Fix k3s definition 2024-09-30 16:42:58 -06:00			`config = mkIf cfg.enable {`
[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`age.secrets."1896Folsom-k3s-token.age".file = ./secrets/1896Folsom-k3s-token.age;`
[NixOS] k3s registry file working in principle 2024-10-01 16:04:55 -06:00			`age.secrets."k3s-registry.yaml.age".file = ./secrets/k3s-registry.yaml.age;`
[NixOS] Trying to mount bucket 2024-10-07 15:00:14 -06:00			`age.secrets.api-service-key = {`
			`file = ./secrets/api_service_account_key.json.age;`
			`owner = "railbird";`
			`group = "users";`
			`};`
[NixOS] Its registry.yaml registries.yaml 2024-10-02 14:32:21 -06:00			`environment.etc."rancher/k3s/registries.yaml".source = config.age.secrets."k3s-registry.yaml.age".path;`
[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`services.dockerRegistry = {`
			`enable = true;`
			`listenAddress = "0.0.0.0";`
			`port = 5279;`
			`enableDelete = true;`
			`enableGarbageCollect = true;`
			`};`
[NixOS] Enable flannel 2024-12-29 19:20:40 -07:00			`services.flannel.enable = true;`
[NixOS] Periodically check on railbird-bucket state 2024-10-09 13:17:53 -06:00
[NixOS] Renable containerd cdi 2024-11-11 18:58:48 -07:00			`virtualisation.containerd = {`
			`enable = true;`
			`settings = {`
			`plugins."io.containerd.grpc.v1.cri" = {`
			`enable_cdi = true;`
			`cdi_spec_dirs = [ "/var/run/cdi" ];`
[NixOS] Use /opt/cni/bin as dir for network plugins 2024-12-29 18:10:45 -07:00			`cni.bin_dir = "/opt/cni/bin";`
[NixOS] Renable containerd cdi 2024-11-11 18:58:48 -07:00			`};`
			`};`
			`};`

[NixOS] Add calico plugin 2024-12-29 17:20:00 -07:00			`virtualisation.containers = {`
			`containersConf.cniPlugins = [`
[NixOS] Add more cni plugins to containers 2024-12-29 18:56:52 -07:00			`pkgs.cni-plugins`
[NixOS] Add calico plugin 2024-12-29 17:20:00 -07:00			`pkgs.calico-cni-plugin`
[NixOS] Add more cni plugins to containers 2024-12-29 18:56:52 -07:00			`pkgs.calico-kube-controllers`
[NixOS] Use calico cni plugin 2024-12-29 17:17:03 -07:00			`];`
			`};`

[NixOS] A few more cdi/k3s fixes 2024-11-11 19:18:30 -07:00			`systemd.services = {`
			`nvidia-container-toolkit-cdi-generator = {`
			# Even with `--library-search-path`, `nvidia-ctk` won't find the libs
			`# unless I bodge their path into the environment.`
			`environment.LD_LIBRARY_PATH = "${config.hardware.nvidia.package}/lib";`
			`};`
			`# k3s-containerd-setup = {`
			# # `virtualisation.containerd.settings` has no effect on k3s' bundled containerd.
			`# serviceConfig.Type = "oneshot";`
			`# requiredBy = ["k3s.service"];`
			`# before = ["k3s.service"];`
			`# script = ''`
			`# cat << EOF > /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl`
			`# {{ template "base" . }}`

			`# [plugins]`
			`# "io.containerd.grpc.v1.cri".enable_cdi = true`
			`# EOF`
			`# '';`
			`# };`
			`};`

[NixOS] Trying to mount bucket 2024-10-07 15:00:14 -06:00			`systemd.services.mount-railbird-bucket = {`
			`after = ["agenix.service"];`
[NixOS] Add wantedBy to mount-railbird-bucket 2024-10-24 17:10:45 -06:00			`wantedBy = [ "multi-user.target" ];`
[NixOS] Trying to mount bucket 2024-10-07 15:00:14 -06:00			`description = "Mount railbird bucket";`
			`serviceConfig = {`
			`Type = "simple";`
			`RemainAfterExit = true;`
[NixOS] Restart mount bucket service on failure 2024-10-24 17:04:55 -06:00			`Restart = "on-failure"; # Restart the service on failure`
			`RestartSec = 5; # Wait 5 seconds before restarti`
[NixOS] Trying to mount bucket 2024-10-07 15:00:14 -06:00			`ExecStartPre = [`
[NixOS] Fix command 2024-10-07 15:16:16 -06:00			`"-${pkgs.util-linux}/bin/umount -f ${mount-path}"`
			`"${pkgs.coreutils}/bin/mkdir -p ${mount-path}"`
			`"${pkgs.coreutils}/bin/chown railbird:users ${mount-path}"`
			`"${pkgs.coreutils}/bin/chmod 0775 ${mount-path}"`
[NixOS] Trying to mount bucket 2024-10-07 15:00:14 -06:00			`];`
[NixOS] Periodically check on railbird-bucket state 2024-10-09 13:17:53 -06:00			`ExecStart = let`
			`key-file = config.age.secrets.api-service-key.path;`
			`in`
[NixOS] Restart mount bucket service on failure 2024-10-24 17:04:55 -06:00			`pkgs.writeShellScript "mount-railbird-bucket" ''`
[NixOS] Periodically check on railbird-bucket state 2024-10-09 13:17:53 -06:00			`while true; do`
			`if ${pkgs.util-linux}/bin/mount \| grep -q "${mount-path}" && [ -d "${mount-path}/dev" ]; then`
			`echo "Mount path ${mount-path} is mounted and valid (contains directory 'dev')."`
			`else`
			`echo "Mount path is not valid or not mounted, attempting remount."`
			`${pkgs.util-linux}/bin/umount -f "${mount-path}" \|\| true`
			`${pkgs.gcsfuse}/bin/gcsfuse --implicit-dirs --key-file "${key-file}" "${bucket-name}" "${mount-path}"`
			`fi`
[NixOS] Restart mount bucket service on failure 2024-10-24 17:04:55 -06:00			`echo "Sleeping"`
			`sleep 30`
[NixOS] Periodically check on railbird-bucket state 2024-10-09 13:17:53 -06:00			`done`
			`'';`
[NixOS] Fix command 2024-10-07 15:16:16 -06:00			`User = "root";`
[NixOS] Trying to mount bucket 2024-10-07 15:00:14 -06:00			`};`
			`};`

[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`services.k3s = {`
			`enable = true;`
			`clusterInit = cfg.serverAddr == "";`
			`serverAddr = cfg.serverAddr;`
[NixOS] Fix cdi issues with k3s containerd 2024-10-02 18:54:27 -06:00			`configPath = pkgs.writeTextFile {`
			`name = "k3s-config.yaml";`
			`text = ''`
			`kubelet-arg:`
			`- "eviction-hard=nodefs.available<2Gi"`
			`- "eviction-soft=nodefs.available<5Gi"`
			`- "eviction-soft-grace-period=nodefs.available=5m"`
			`'';`
			`};`
[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`tokenFile = config.age.secrets."1896Folsom-k3s-token.age".path;`
[NixOS] Periodically check on railbird-bucket state 2024-10-09 13:17:53 -06:00			`extraFlags =`
			`[`
[NixOS] Set container runtime endpoint 2024-12-23 17:48:27 -07:00			`"--container-runtime-endpoint unix:///run/containerd/containerd.sock"`
[NixOS] Periodically check on railbird-bucket state 2024-10-09 13:17:53 -06:00			`"--tls-san ryzen-shine.local"`
			`"--tls-san nixquick.local"`
			`"--tls-san biskcomp.local"`
			`"--tls-san jimi-hendnix.local"`
			`"--tls-san dev.railbird.ai"`
			`"--node-label nixos-nvidia-cdi=enabled"`
			`]`
			`++ cfg.extraFlags;`
[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`containerdConfigTemplate = ''`
			`{{ template "base" . }}`
[NixOS] k3s draft 2024-09-30 00:05:50 -06:00
[NixOS] Fix cdi issues with k3s containerd 2024-10-02 18:54:27 -06:00			`[plugins]`
			`"io.containerd.grpc.v1.cri".enable_cdi = true`
[NixOS] A few more cdi/k3s fixes 2024-11-11 19:18:30 -07:00			`"io.containerd.grpc.v1.cri".cdi_spec_dirs = [ "/var/run/cdi" ]`
[NixOS] Try to connect jimi-hendnix to ryzen-shine in k3s 2024-09-30 16:35:50 -06:00			`'';`
			`gracefulNodeShutdown = {`
			`enable = true;`
			`};`
[NixOS] k3s draft 2024-09-30 00:05:50 -06:00			`};`
			`};`
			`}`