feat: flake: working rke2 package (w/ overlay) and module

.gitignore

@@ -0,0 +1,2 @@
+/.idea
+/result

LICENSE

@@ -0,0 +1,8 @@
+Copyright © 2023 Adrien 'Litarvan' Navratil
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+

flake.nix

@@ -0,0 +1,22 @@
+{
+  description = "Leviathan infrastructure";
+
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11";
+
+  outputs = { self, nixpkgs }:
+    let
+      inherit (nixpkgs) lib;
+
+      system = "x86_64-linux";
+      pkgs = import nixpkgs {
+        inherit system;
+        overlays = builtins.attrValues self.overlays;
+      };
+    in
+    {
+      overlays = import ./pkgs/overlays.nix { inherit lib; };
+      packages.${system} = import ./pkgs { inherit lib pkgs; };
+
+      nixosModules = import ./modules;
+    };
+}

modules/default.nix

@@ -0,0 +1,3 @@
+{
+  rke2 = ./services/rke2.nix;
+}

modules/services/rke2.nix

@@ -0,0 +1,130 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+let
+  cfg = config.services.rke2;
+in
+{
+  # interface
+
+  options.services.rke2 = {
+    enable = mkEnableOption (lib.mdDoc "rke2");
+
+    package = mkOption {
+      type = types.package;
+      default = pkgs.rke2;
+      defaultText = literalExpression "pkgs.rke2";
+      description = lib.mdDoc "Package that should be used for rke2";
+    };
+
+    role = mkOption {
+      description = lib.mdDoc ''
+        Whether rke2 should run as a server or agent.
+
+        If it's a server:
+
+        - By default it also runs workloads as an agent.
+        - Starts by default as a standalone server using an embedded etcd datastore.
+        - Configure `serverAddr` to join an already-initialized cluster.
+
+        If it's an agent:
+
+        - `serverAddr` is required.
+      '';
+      default = "server";
+      type = types.enum [ "server" "agent" ];
+    };
+
+    serverAddr = mkOption {
+      type = types.str;
+      description = lib.mdDoc ''
+        The rke2 server to connect to.
+
+        Servers and agents need to communicate each other. Read
+        [the networking requirements docs](https://docs.rke2.io/install/requirements#networking)
+        to know how to configure the firewall.
+      '';
+      example = "https://10.0.0.10:6443";
+      default = "";
+    };
+
+    token = mkOption {
+      type = types.str;
+      description = lib.mdDoc ''
+        The rke2 token to use when connecting to a server.
+
+        WARNING: This option will expose store your token unencrypted world-readable in the nix store.
+        If this is undesired use the tokenFile option instead.
+      '';
+      default = "";
+    };
+
+    tokenFile = mkOption {
+      type = types.nullOr types.path;
+      description = lib.mdDoc "File path containing rke2 token to use when connecting to the server.";
+      default = null;
+    };
+
+    extraFlags = mkOption {
+      description = lib.mdDoc "Extra flags to pass to the rke2 command.";
+      type = types.str;
+      default = "";
+      example = "--cluster-cidr 10.24.0.0/16 --node-name hello";
+    };
+
+    configPath = mkOption {
+      type = types.nullOr types.path;
+      default = null;
+      description = lib.mdDoc "File path containing the rke2 YAML config. This is useful when the config is generated (for example on boot).";
+    };
+  };
+
+  # implementation
+
+  config = mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = cfg.role == "agent" -> (cfg.configPath != null || cfg.serverAddr != "");
+        message = "serverAddr or configPath (with 'server' key) should be set if role is 'agent'";
+      }
+      {
+        assertion = cfg.role == "agent" -> cfg.configPath != null || cfg.tokenFile != null || cfg.token != "";
+        message = "token or tokenFile or configPath (with 'token' or 'token-file' keys) should be set if role is 'agent'";
+      }
+    ];
+
+    environment.systemPackages = [ cfg.package ];
+
+    systemd.services.rke2 = {
+      description = "rke2 service";
+      after = [ "firewall.service" "network-online.target" ];
+      wants = [ "firewall.service" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+      path = optional config.boot.zfs.enabled config.boot.zfs.package;
+      serviceConfig = {
+        Type = "notify";
+        KillMode = "process";
+        Delegate = "yes";
+        Restart = "always";
+        RestartSec = "5s";
+        LimitNOFILE = 1048576;
+        LimitNPROC = "infinity";
+        LimitCORE = "infinity";
+        TasksMax = "infinity";
+        TimeoutStartSec = 0;
+        Environment = "PATH=/run/current-system/bin/sw:/run/wrappers/bin:${pkgs.iptables}/bin";
+        ExecStart = concatStringsSep " \\\n " (
+          [
+            "${cfg.package}/bin/rke2 ${cfg.role}"
+          ]
+          ++ (optional (cfg.serverAddr != "") "--server ${cfg.serverAddr}")
+          ++ (optional (cfg.token != "") "--token ${cfg.token}")
+          ++ (optional (cfg.tokenFile != null) "--token-file ${cfg.tokenFile}")
+          ++ (optional (cfg.configPath != null) "--config ${cfg.configPath}")
+          ++ [ cfg.extraFlags ]
+        );
+        ExecStopPost = ''/bin/sh -c "${pkgs.systemd}/bin/systemd-cgls /system/slice/%n | grep -Eo '[0-9]+ (containerd|kubelet)' | awk '{print $1}' | xargs -r kill"'';
+      };
+    };
+  };
+}

pkgs/applications/rke2.nix

@@ -0,0 +1,18 @@
+{ lib, fetchurl, stdenv }:
+
+stdenv.mkDerivation rec {
+  pname = "rke2";
+  version = "1.26.4+rke2r1";
+
+  src = fetchurl {
+    url = "https://github.com/rancher/rke2/releases/download/v${version}/rke2.linux-amd64.tar.gz";
+    hash = "sha256-LaSRPSZDWAkaBlKz2e+QcY5reFWI7cVPqILaKyk1FJE=";
+  };
+
+  sourceRoot = ".";
+  installPhase = ''
+    install -Dm755 bin/rke2 $out/bin/rke2
+    install -Dm755 bin/rke2-killall.sh $out/bin/rke2-killall.sh
+    install -Dm644 share/rke2/LICENSE.txt $out/share/rke2/LICENSE.txt
+  '';
+}

pkgs/default.nix

@@ -0,0 +1,6 @@
+{ lib, pkgs }:
+
+let
+  allPackagesNames = builtins.attrNames (import ./top-level/all-packages.nix);
+in
+lib.filterAttrs (name: _: builtins.elem name allPackagesNames) pkgs

pkgs/overlays.nix

@@ -0,0 +1,30 @@
+{ lib }:
+
+with lib;
+
+let
+  tlAllPackages = import ./top-level/all-packages.nix;
+
+  mkCallPackage = pkgArgs: final: prev:
+    let
+      defaultArgs = {
+        callPackage = final: prev: final.callPackage;
+        args = final: prev: { };
+      };
+
+      p =
+        if builtins.isAttrs pkgArgs then
+          (defaultArgs // pkgArgs)
+        else
+          defaultArgs // { path = pkgArgs; };
+    in
+    (p.callPackage final prev) p.path (p.args final prev);
+
+
+  mkOverlay = name: pkgArgs: final: prev: {
+    "${name}" = mkCallPackage pkgArgs final prev;
+  };
+
+  allPackages = mapAttrs mkOverlay tlAllPackages;
+in
+allPackages

pkgs/top-level/all-packages.nix

@@ -0,0 +1,3 @@
+{
+  rke2 = ../applications/rke2.nix;
+}