dotfiles/terranix/main/kubernetes/default.nix
magic_rb 10da34a3ca
Update terranix config for uk3s-nix and terranix changes
Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-07-16 20:41:59 +02:00


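{
  inputs,
  pkgs,
  lib,
  elib,
  uterranix-lib,
  ...
}: let
  # `tf` wraps a raw Terraform expression so terranix emits it unevaluated
  # (used below for `toset(...)` and `each.key`). The other helpers that used
  # to be inherited here (terraformModule, filterAttrs, optionalAttrs) were
  # never referenced, so they are no longer pulled into scope.
  inherit (uterranix-lib) tf;

  # Namespaces that receive the deny-by-default AuthorizationPolicy.
  # A namespace that is NOT in this list keeps Istio's implicit allow-all
  # posture, so every new application namespace has to be added here to be
  # covered (e.g. whatever namespaces ./jellyfin.nix and ./gitea.nix create,
  # if they are not "default" — confirm against those modules).
  denyByDefaultNamespaces = [
    "default"
    "kube-system"
    "kube-public"
    "kube-node-lease"
    "istio-system"
    "metallb-system"
    "website"
    "ingress"
  ];

  # Render a Nix list of strings as a Terraform `toset([...])` expression,
  # suitable for a resource `for_each`.
  toTfSet = list: tf "toset(${builtins.toJSON list})";
in {
  imports = [
    inputs.uk3s-nix.terranixModules.uk3sHelmCharts
    inputs.uk3s-nix.terranixModules.uk3sIstio
    inputs.uk3s-nix.terranixModules.uk3sMetalLB
    ./website.nix
    ./jellyfin.nix
    ./gitea.nix
  ];

  uk3s.istio = {
    enable = true;
    istiod.enable = true;
    operator.enable = true;
    mode = "main";
  };

  uk3s.metallb = {
    enable = true;
    mode = "main";
  };

  # One AuthorizationPolicy per namespace in `denyByDefaultNamespaces`.
  # An AuthorizationPolicy with an empty spec denies every request to every
  # workload in its namespace; traffic is only admitted where a more specific
  # ALLOW policy matches. Enforcement happens in the sidecar proxy, so workloads
  # without a sidecar (common in kube-system / metallb-system) are unaffected.
  resource."kubernetes_manifest"."istio_authorization_policy_deny_by_default" = {
    for_each = toTfSet denyByDefaultNamespaces;
    manifest = {
      apiVersion = "security.istio.io/v1";
      kind = "AuthorizationPolicy";
      metadata = {
        name = "deny-by-default";
        # Resolved per for_each instance to the namespace name.
        namespace = tf "each.key";
      };
      spec = {};
    };
  };

  # Mesh-wide mTLS. A PeerAuthentication named "default" in istio-system
  # (Istio's default root namespace — adjust if the mesh's rootNamespace is
  # configured differently) applies to every namespace that has no
  # namespace-level policy of its own. STRICT rejects plaintext connections
  # between sidecar-injected workloads instead of accepting both.
  # NOTE(review): this uses security.istio.io/v1beta1 while the policy above
  # uses v1; align the two once the cluster's Istio version is confirmed to
  # serve v1 for PeerAuthentication.
  resource."kubernetes_manifest"."istio_peer_authentication" = {
    manifest = {
      apiVersion = "security.istio.io/v1beta1";
      kind = "PeerAuthentication";
      metadata = {
        name = "default";
        namespace = "istio-system";
      };
      spec = {
        mtls = {
          mode = "STRICT";
        };
      };
    };
  };
}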