This repository contains a flake-based NixOS configuration for a K3s cluster with a master node and worker nodes.
├── flake.nix # Main flake configuration with flexible server setup
├── modules/ # Reusable NixOS modules
│ ├── common.nix # Shared configuration (users, packages, etc.)
│ ├── server.nix # Server-specific optimizations
│ ├── nvidia.nix # NVIDIA driver configuration
│ ├── k3s-master.nix # K3s master node configuration
│ ├── k3s-node.nix # K3s worker node configuration
│ └── tunnel.nix # Tunnel service configuration
├── secrets.nix.template # Template for sensitive configuration
├── secrets.nix # Actual secrets (DO NOT COMMIT TO GIT)
├── hardware-configuration.nix # Hardware configuration template
└── add-server.sh # Helper script to add new servers
- Create secrets.nix with your actual values based on the template:
  - k3sToken: generate with `openssl rand -base64 32`
  - tunnel.id and tunnel.secret: your tunnel credentials
  - sshKeys: your actual SSH public keys
  - userPasswords: generate with `mkpasswd -m yescrypt`
- Initialize the flake: `nix flake update`
- Check the configuration: `nix flake check`
On each target machine, switch to the new configuration:

```sh
# On master node (dvbar)
sudo nixos-rebuild switch --flake .#dvbar
# On worker node (dvbaguette)
sudo nixos-rebuild switch --flake .#dvbaguette
# On any custom server
sudo nixos-rebuild switch --flake .#servername
```

To update specific inputs:

```sh
nix flake update nixpkgs
nix flake update nixpkgs-unstable
```
The flake now supports a flexible configuration system using the mkServerConfig function with these parameters:
- serverHostname: the hostname for the server
- serverIP: the IP address of the server
- isMaster: boolean; if true, the server becomes the K3s master and enables the tunnel service
- masterIP: IP address of the K3s master (defaults to 192.168.0.10)
Add to flake.nix in the nixosConfigurations section:

```nix
newserver = mkServerConfig {
  serverHostname = "newserver";
  serverIP = "192.168.0.13";
  isMaster = false;
  masterIP = "192.168.0.10";
};
```
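For reference, one possible shape of such a function, as an added example and not the repository's own flake.nix: it derives the K3s role, the module set and the firewall opening from isMaster and hands the parameters to the modules through specialArgs. The nixpkgs branch, the file layout and the use of the NixOS services.k3s options are assumptions.

```nix
# Added example of a mkServerConfig definition (hypothetical; the real flake.nix may differ).
{
  description = "K3s cluster with one master and several workers (example)";
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";  # assumed branch

  outputs = { self, nixpkgs, ... }:
    let
      system = "x86_64-linux";
      secrets = import ./secrets.nix;  # never committed; see the secrets section

      mkServerConfig = { serverHostname, serverIP, isMaster ? false, masterIP ? "192.168.0.10" }:
        nixpkgs.lib.nixosSystem {
          inherit system;
          # Make the parameters and secrets available to every module as arguments.
          specialArgs = { inherit secrets serverHostname serverIP isMaster masterIP; };
          modules = [
            ./hardware-configuration.nix
            ./modules/common.nix
            ./modules/server.nix
            ({ lib, ... }: {
              networking.hostName = serverHostname;
              services.k3s = {
                enable = true;
                role = if isMaster then "server" else "agent";
                # Caveat: a token set via `token` ends up in the world-readable Nix store;
                # `tokenFile` pointing at a file deployed outside the store is the safer choice.
                token = secrets.k3sToken;
                # Agents must be told where the control plane is; servers must not set this.
                serverAddr = lib.mkIf (!isMaster) "https://${masterIP}:6443";
              };
              # Only the master exposes the API server port.
              networking.firewall.allowedTCPPorts = lib.optionals isMaster [ 6443 ];
            })
          ] ++ (if isMaster
                then [ ./modules/k3s-master.nix ./modules/tunnel.nix ]
                else [ ./modules/k3s-node.nix ]);
        };
    in {
      nixosConfigurations = {
        dvbar = mkServerConfig { serverHostname = "dvbar"; serverIP = "192.168.0.10"; isMaster = true; };
        dvbaguette = mkServerConfig { serverHostname = "dvbaguette"; serverIP = "192.168.0.12"; };
      };
    };
}
```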
- Master nodes (isMaster = true):
  - Run K3s in server mode
  - Enable tunnel service
  - Act as the cluster control plane
- Worker nodes (isMaster = false):
  - Run K3s in agent mode
  - Connect to the specified master
  - Provide compute resources
The modular structure allows easy customization:
- common.nix: Shared configuration across all hosts
- server.nix: Server-specific optimizations (headless, watchdog, etc.)
- nvidia.nix: NVIDIA driver and CUDA configuration
- k3s-master.nix: K3s master node setup
- k3s-node.nix: K3s worker node setup
- tunnel.nix: Custom tunnel service
- Secret Management: Sensitive data is stored in secrets.nix (excluded from git)
- SSH Authentication: Password authentication is disabled, key-based only
- Immutable Users: Users are immutable by default for security
- Firewall Configuration: Proper firewall rules for K3s cluster communication
- Encrypted Passwords: User passwords are stored as secure hashes
The configuration uses a secrets.nix file to store sensitive information:
- K3s cluster token: Shared secret for cluster authentication
- SSH public keys: User authentication keys
- Tunnel credentials: Service tunnel configuration
- Password hashes: Secure user password storage
Important: Never commit secrets.nix to version control!
- Master Node: dvbar (192.168.0.10)
- Worker Node: dvbaguette (192.168.0.12)
- K3s API: api.kube (192.168.0.10:6443)
- Network: 192.168.0.0/24
- Gateway: 192.168.0.1
- Clone:

  ```sh
  git clone <this-repo>
  cd ClusterConfig
  ```

- Edit secrets:

  ```sh
  # Generate a strong K3s token
  openssl rand -base64 32
  # Edit secrets.nix with your actual values
  cp secrets.nix.template secrets.nix
  nano secrets.nix
  ```

- Deploy:

  ```sh
  # Copy to target server
  scp -r . [email protected]:/home/dvb/ClusterConfig
  # Deploy on target
  ssh [email protected] 'cd ClusterConfig && sudo nixos-rebuild switch --flake .#newworker'
  ```
- 🔒 Never commit secrets.nix to git
- 🔑 Generate strong tokens: `openssl rand -base64 32`
- 🛡️ Use proper SSH key management
- 🔐 Store password hashes, not plaintext: `mkpasswd -m yescrypt`