[CLUSTER] Traefik, cloudflare, firewall, ...

2026-02-09 12:29:19 -08:00 · 2023-05-01 10:00:27 -07:00 · 2023-05-01 10:00:27 -07:00 · 9298e8ecdb
commit 9298e8ecdb
parent 3cdb41f137
3 changed files with 14 additions and 4 deletions
--- a/cluster/cloudflare.tf
+++ b/cluster/cloudflare.tf
@ -1,7 +1,7 @@
 variable "cloudflare_api_token" {
    type = string
 }
-/*
+
 resource "kubernetes_secret" "cloudflare_api_token" {
    metadata {
        name = "cloudflare-api-token"
@ -48,4 +48,4 @@ resource "kubernetes_manifest" "cert_manager_cloudflare_issuer" {
            }
        }
    }
-}*/
+}
--- a/cluster/traefik.tf
+++ b/cluster/traefik.tf
@ -24,10 +24,14 @@ resource "helm_release" "traefik" {
                    }
                    web = {
                        hostPort = 80
+                        port = 80
+                        exposedPort = 80
                        expose = true
                    }
                    websecure = {
                        hostPort = 443
+                        port = 443
+                        exposedPort = 443
                        expose = true
                    }
                }
--- a/nixos/roles/k8s-cluster/kubernetes.nix
+++ b/nixos/roles/k8s-cluster/kubernetes.nix
@ -1,4 +1,9 @@
-{pkgs, ...}: let
+{
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkForce;
  kubeMasterIP = "100.105.14.66";
  kubeMasterHostname = "ran.gensokyo.zone";
  kubeMasterAPIServerPort = 6443;
@ -11,7 +16,7 @@ in {
  ];

  networking = {
-    firewall.enable = false;
+    firewall.enable = mkForce false;
    extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
  };

@ -27,6 +32,7 @@ in {
    apiserver = {
      securePort = kubeMasterAPIServerPort;
      advertiseAddress = kubeMasterIP;
+      extraOpts = "--service-node-port-range=1-65535";
    };
  };
 }