push sheeet

Dark Steveneq
2025-10-09 14:15:47 +02:00
commit 646b892680
49168 changed files with 5897842 additions and 0 deletions


@@ -0,0 +1,99 @@
{
lib,
buildGoModule,
fetchFromGitHub,
}:
builtins.mapAttrs
(
pname:
{
doCheck ? true,
mainProgram ? pname,
subPackages,
}:
buildGoModule rec {
inherit pname;
version = "3.30.3";
src = fetchFromGitHub {
owner = "projectcalico";
repo = "calico";
rev = "v${version}";
hash = "sha256-Z2kYUak/zzO0IsKQyQ6sb3UD4QUZ9+9vGGVfl4qdPF8=";
};
vendorHash = "sha256-C9sge+xNTsW30PF2wJhRUNI1YEmXInD+xcboCtcC9kc=";
inherit doCheck subPackages;
ldflags = [
"-s"
"-w"
];
meta = {
homepage = "https://projectcalico.docs.tigera.io";
changelog = "https://github.com/projectcalico/calico/releases/tag/v${version}";
description = "Cloud native networking and network security";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ urandom ];
platforms = lib.platforms.linux;
inherit mainProgram;
};
}
)
{
calico-apiserver = {
mainProgram = "apiserver";
subPackages = [
"apiserver/cmd/..."
];
};
calico-app-policy = {
# integration tests require network
doCheck = false;
mainProgram = "dikastes";
subPackages = [
"app-policy/cmd/..."
];
};
calico-cni-plugin = {
mainProgram = "calico";
subPackages = [
"cni-plugin/cmd/..."
];
};
calico-kube-controllers = {
# integration tests require network and docker
doCheck = false;
mainProgram = "kube-controllers";
subPackages = [
"kube-controllers/cmd/..."
];
};
calico-pod2daemon = {
mainProgram = "flexvol";
subPackages = [
"pod2daemon/csidriver"
"pod2daemon/flexvol"
"pod2daemon/nodeagent"
];
};
calico-typha = {
subPackages = [
"typha/cmd/..."
];
};
calicoctl = {
subPackages = [
"calicoctl/calicoctl"
];
};
confd-calico = {
mainProgram = "confd";
subPackages = [
"confd"
];
};
}


@@ -0,0 +1,43 @@
{
lib,
fetchFromGitHub,
buildGoModule,
}:
buildGoModule rec {
pname = "cni";
version = "1.3.0";
src = fetchFromGitHub {
owner = "containernetworking";
repo = "cni";
rev = "v${version}";
hash = "sha256-xeajsM8ZIlI6Otv9CQhPfYaVQwmJ5QcFEn1xt6e/ivQ=";
};
vendorHash = "sha256-uo3ZwFdD6aJ0WDGmt51l3hs9agUnv1cIQY/KMlNe5nI=";
subPackages = [
"./cnitool"
];
ldflags = [
"-s"
"-w"
];
meta = with lib; {
description = "Container Network Interface - networking for Linux containers";
mainProgram = "cnitool";
license = licenses.asl20;
homepage = "https://github.com/containernetworking/cni";
maintainers = with maintainers; [
offline
vdemeester
];
platforms = [
"x86_64-linux"
"aarch64-linux"
];
};
}


@@ -0,0 +1,58 @@
{
lib,
fetchFromGitHub,
buildGoModule,
nixosTests,
}:
buildGoModule rec {
pname = "cni-plugins";
version = "1.8.0";
src = fetchFromGitHub {
owner = "containernetworking";
repo = "plugins";
rev = "v${version}";
hash = "sha256-/I2fEVVQ89y8l95Ri0V5qxVj/SzXVqP0IT2vSdz8jC8=";
};
vendorHash = null;
doCheck = false;
ldflags = [
"-X github.com/containernetworking/plugins/pkg/utils/buildversion.BuildVersion=v${version}"
];
subPackages = [
"plugins/ipam/dhcp"
"plugins/ipam/host-local"
"plugins/ipam/static"
"plugins/main/bridge"
"plugins/main/dummy"
"plugins/main/host-device"
"plugins/main/ipvlan"
"plugins/main/loopback"
"plugins/main/macvlan"
"plugins/main/ptp"
"plugins/main/tap"
"plugins/main/vlan"
"plugins/meta/bandwidth"
"plugins/meta/firewall"
"plugins/meta/portmap"
"plugins/meta/sbr"
"plugins/meta/tuning"
"plugins/meta/vrf"
];
passthru.tests = { inherit (nixosTests) cri-o; };
meta = with lib; {
changelog = "https://github.com/containernetworking/plugins/releases/tag/${src.rev}";
description = "Some standard networking plugins, maintained by the CNI team";
homepage = "https://www.cni.dev/plugins/";
license = licenses.asl20;
platforms = platforms.linux;
teams = [ teams.podman ];
};
}
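Review bot: `doCheck = false;` is given no reason here, unlike the calico expression in this commit, which comments each disabled check. Add a why-comment above it, for example `# tests need network namespaces / root, unavailable in the sandbox` if that is the actual cause. `vendorHash = null;` deserves the same treatment: it means the build trusts the dependency tree shipped inside `src` (presumably a committed `vendor/` directory), so a short comment saying so makes clear that the single `hash` pins the dependencies as well.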


@@ -0,0 +1,35 @@
{
lib,
buildGoModule,
minikube,
}:
buildGoModule rec {
inherit (minikube)
version
src
nativeBuildInputs
buildInputs
vendorHash
doCheck
postPatch
;
pname = "docker-machine-hyperkit";
buildPhase = ''
make docker-machine-driver-hyperkit COMMIT=${src.rev}
'';
installPhase = ''
install out/docker-machine-driver-hyperkit -Dt $out/bin
'';
meta = with lib; {
homepage = "https://minikube.sigs.k8s.io/docs/drivers/hyperkit";
description = "HyperKit driver for docker-machine";
license = licenses.asl20;
maintainers = with maintainers; [ atkinschang ];
platforms = [ "x86_64-darwin" ];
};
}
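Review bot: The overridden `buildPhase` and `installPhase` never call the phase hooks, so any `preBuild`/`postBuild`/`preInstall`/`postInstall` supplied by an override or a setup hook is silently skipped. Put `runHook preBuild` before and `runHook postBuild` after the `make docker-machine-driver-hyperkit COMMIT=${src.rev}` line, and `runHook preInstall` / `runHook postInstall` around the `install` line. The docker-machine-kvm2 expression that follows has the same pair of phases and needs the same change. `$out` is also unquoted in the `install` line; `"$out/bin"` is the safer spelling.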


@@ -0,0 +1,42 @@
{
lib,
buildGoModule,
minikube,
}:
buildGoModule rec {
inherit (minikube)
version
src
nativeBuildInputs
buildInputs
vendorHash
doCheck
;
pname = "docker-machine-kvm2";
postPatch = minikube.postPatch + ''
sed -i '/GOARCH=$*/d' Makefile
'';
buildPhase = ''
make docker-machine-driver-kvm2 COMMIT=${src.rev}
'';
installPhase = ''
install out/docker-machine-driver-kvm2 -Dt $out/bin
'';
meta = with lib; {
homepage = "https://minikube.sigs.k8s.io/docs/drivers/kvm2";
description = "KVM2 driver for docker-machine";
mainProgram = "docker-machine-driver-kvm2";
license = licenses.asl20;
maintainers = with maintainers; [
tadfisher
atkinschang
];
platforms = platforms.linux;
};
}
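Review bot: The sed address `/GOARCH=$*/` in `postPatch` is a regular expression, not a literal. `$*` most likely reads as "zero or more `$`", so the command deletes every Makefile line containing `GOARCH=` rather than only the one spelled `GOARCH=$*`. If only that line is meant, escape it, `sed -i '/GOARCH=\$\*/d' Makefile`, and add a comment saying why the line is dropped. The edit also succeeds when nothing matches, so an upstream Makefile change would go unnoticed on a version bump.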


@@ -0,0 +1,47 @@
{
version,
stdenv,
fetchurl,
lib,
cmake,
openssl,
platformAttrs,
...
}:
stdenv.mkDerivation (finalAttrs: {
pname = "hadoop-yarn-containerexecutor";
inherit version;
src = fetchurl {
url = "mirror://apache/hadoop/common/hadoop-${finalAttrs.version}/hadoop-${finalAttrs.version}-src.tar.gz";
hash = platformAttrs.${stdenv.system}.srcHash;
};
sourceRoot =
"hadoop-${finalAttrs.version}-src/hadoop-yarn-project/hadoop-yarn/"
+ "hadoop-yarn-server/hadoop-yarn-server-nodemanager/src";
nativeBuildInputs = [ cmake ];
buildInputs = [ openssl ];
cmakeFlags = [ "-DHADOOP_CONF_DIR=/run/wrappers/yarn-nodemanager/etc/hadoop" ];
installPhase = ''
mkdir $out
mv target/var/empty/local/bin $out/
'';
meta = with lib; {
homepage = "https://hadoop.apache.org/";
description = "Framework for distributed processing of large data sets across clusters of computers";
license = licenses.asl20;
longDescription = ''
The Hadoop YARN Container Executor is a native component responsible for managing the lifecycle of containers
on individual nodes in a Hadoop YARN cluster. It launches, monitors, and terminates containers, ensuring that
resources like CPU and memory are allocated according to the policies defined in the ResourceManager.
'';
maintainers = with maintainers; [ illustris ];
platforms = filter (strings.hasSuffix "linux") (attrNames platformAttrs);
};
})
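Review bot: `-DHADOOP_CONF_DIR=/run/wrappers/yarn-nodemanager/etc/hadoop` compiles a configuration path into the container executor with no comment on who creates that directory or what ownership it needs. Upstream's container-executor is normally installed setuid and reads its configuration from the compiled-in directory, so presumably a NixOS module is expected to provide it root-owned. A comment such as `# container-executor.cfg is read from this path; it must be root-owned and not group/world-writable` would make that assumption reviewable. `installPhase` also omits `runHook preInstall` / `runHook postInstall`, and `$out` is unquoted in `mkdir $out`.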


@@ -0,0 +1,224 @@
{
lib,
stdenv,
fetchurl,
makeWrapper,
autoPatchelfHook,
jdk8_headless,
jdk11_headless,
jdk21_headless,
bash,
coreutils,
which,
bzip2,
cyrus_sasl,
protobuf,
snappy,
zlib,
zstd,
openssl,
nixosTests,
sparkSupport ? true,
spark,
libtirpc,
callPackage,
}:
assert lib.elem stdenv.system [
"x86_64-linux"
"x86_64-darwin"
"aarch64-linux"
"aarch64-darwin"
];
let
common =
{
pname,
platformAttrs,
jdk,
tests,
}:
stdenv.mkDerivation (finalAttrs: {
inherit pname;
jdk = platformAttrs.${stdenv.system}.jdk or jdk;
version = platformAttrs.${stdenv.system}.version or (throw "Unsupported system: ${stdenv.system}");
src = fetchurl {
url =
"mirror://apache/hadoop/common/hadoop-${finalAttrs.version}/hadoop-${finalAttrs.version}"
+
lib.optionalString (lib.hasAttr "variant" platformAttrs.${stdenv.system})
"-${platformAttrs.${stdenv.system}.variant}"
+ lib.optionalString stdenv.hostPlatform.isAarch64 "-aarch64"
+ ".tar.gz";
inherit (platformAttrs.${stdenv.system} or (throw "Unsupported system: ${stdenv.system}"))
hash
;
};
doCheck = true;
# Build the container executor binary from source
# InstallPhase is not lazily evaluating containerExecutor for some reason
containerExecutor =
if stdenv.hostPlatform.isLinux then
(callPackage ./containerExecutor.nix {
inherit (finalAttrs) version;
inherit platformAttrs;
})
else
"";
nativeBuildInputs = [
makeWrapper
]
++ lib.optionals stdenv.hostPlatform.isLinux [ autoPatchelfHook ];
buildInputs = lib.optionals stdenv.hostPlatform.isLinux [
(lib.getLib stdenv.cc.cc)
openssl
protobuf
zlib
snappy
libtirpc
];
installPhase = ''
mkdir $out
mv * $out/
''
+ lib.optionalString stdenv.hostPlatform.isLinux ''
for n in $(find ${finalAttrs.containerExecutor}/bin -type f); do
ln -sf "$n" $out/bin
done
# these libraries are loaded at runtime by the JVM
ln -s ${lib.getLib cyrus_sasl}/lib/libsasl2.so $out/lib/native/libsasl2.so.2
ln -s ${lib.getLib openssl}/lib/libcrypto.so $out/lib/native/
ln -s ${lib.getLib zlib}/lib/libz.so.1 $out/lib/native/
ln -s ${lib.getLib zstd}/lib/libzstd.so.1 $out/lib/native/
ln -s ${lib.getLib bzip2}/lib/libbz2.so.1 $out/lib/native/
ln -s ${lib.getLib snappy}/lib/libsnappy.so.1 $out/lib/native/
# libjvm.so is in different paths for java 8 and 11
# libnativetask.so in hadooop 3 and libhdfs.so in hadoop 2 depend on it
find $out/lib/native/ -name 'libnativetask.so*' -o -name 'libhdfs.so*' | \
xargs -n1 patchelf --add-rpath $(dirname $(find ${finalAttrs.jdk.home} -name libjvm.so | head -n1))
# NixOS/nixpkgs#193370
# This workaround is needed to use protobuf 3.19
# hadoop 3.3+ depends on protobuf 3.18, 3.2 depends on 3.8
find $out/lib/native -name 'libhdfspp.so*' | \
xargs -r -n1 patchelf --replace-needed libprotobuf.so.${
if (lib.versionAtLeast finalAttrs.version "3.4.1") then
"32"
else if (lib.versionAtLeast finalAttrs.version "3.3") then
"18"
else
"8"
} libprotobuf.so
patchelf --replace-needed libcrypto.so.1.1 libcrypto.so \
$out/lib/native/{libhdfs{pp,}.so*,examples/{pipes-sort,wordcount-nopipe,wordcount-part,wordcount-simple}}
''
+ ''
for n in $(find $out/bin -type f ! -name "*.*"); do
wrapProgram "$n"\
--set-default JAVA_HOME ${finalAttrs.jdk.home}\
--set-default HADOOP_HOME $out/\
--run "test -d /etc/hadoop-conf && export HADOOP_CONF_DIR=\''${HADOOP_CONF_DIR-'/etc/hadoop-conf/'}"\
--set-default HADOOP_CONF_DIR $out/etc/hadoop/\
--prefix PATH : "${
lib.makeBinPath [
bash
coreutils
which
]
}"\
--prefix JAVA_LIBRARY_PATH : "${lib.makeLibraryPath finalAttrs.buildInputs}"
done
''
+ (lib.optionalString sparkSupport ''
# Add the spark shuffle service jar to YARN
cp ${spark.src}/yarn/spark-${spark.version}-yarn-shuffle.jar $out/share/hadoop/yarn/
'');
passthru = { inherit tests; };
meta =
with lib;
recursiveUpdate {
homepage = "https://hadoop.apache.org/";
description = "Framework for distributed processing of large data sets across clusters of computers";
license = licenses.asl20;
sourceProvenance = with sourceTypes; [ binaryBytecode ];
longDescription = ''
The Apache Hadoop software library is a framework that allows for
the distributed processing of large data sets across clusters of
computers using a simple programming model. It is designed to
scale up from single servers to thousands of machines, each
offering local computation and storage. Rather than rely on
hardware to deliver high-avaiability, the library itself is
designed to detect and handle failures at the application layer,
so delivering a highly-availabile service on top of a cluster of
computers, each of which may be prone to failures.
'';
maintainers = with maintainers; [ illustris ];
platforms = attrNames platformAttrs;
} (attrByPath [ stdenv.system "meta" ] { } platformAttrs);
});
in
{
# Different version of hadoop support different java runtime versions
# https://cwiki.apache.org/confluence/display/HADOOP/Hadoop+Java+Versions
hadoop_3_4 = common {
pname = "hadoop";
platformAttrs = rec {
x86_64-linux = {
version = "3.4.2";
hash = "sha256-YySoP+EeUXiQQ2/G2AvIKVBu0lLL4kZXUrkSIJAN+4M=";
srcHash = "sha256-AkZjpHk57S3pYiZambxgRHR7PD51HSI4H1HHW9ICah4=";
variant = "lean";
};
x86_64-darwin = x86_64-linux;
aarch64-linux = {
version = "3.4.0";
hash = "sha256-QWxzKtNyw/AzcHMv0v7kj91pw1HO7VAN9MHO84caFk8=";
srcHash = "sha256-viDF3LdRCZHqFycOYfN7nUQBPHiMCIjmu7jgIAaaK9E=";
jdk = jdk11_headless;
};
aarch64-darwin = aarch64-linux;
};
jdk = jdk21_headless;
# TODO: Package and add Intel Storage Acceleration Library
tests = nixosTests.hadoop;
};
hadoop_3_3 = common {
pname = "hadoop";
platformAttrs = rec {
x86_64-linux = {
version = "3.3.6";
hash = "sha256-9RlQWcDUECrap//xf3sqhd+Qa8tuGZSHFjGfmXhkGgQ=";
srcHash = "sha256-4OEsVhBNV9CJ+PN4FgCduUCVA9/el5yezSCZ6ko3+bU=";
};
x86_64-darwin = x86_64-linux;
aarch64-linux = x86_64-linux // {
hash = "sha256-5Lv2uA72BJEva5v2yncyPe5gKNCNOPNsoHffVt6KXQ0=";
};
aarch64-darwin = aarch64-linux;
};
jdk = jdk11_headless;
# TODO: Package and add Intel Storage Acceleration Library
tests = nixosTests.hadoop_3_3;
};
hadoop2 = common {
pname = "hadoop";
platformAttrs.x86_64-linux = {
version = "2.10.2";
hash = "sha256-xhA4zxqIRGNhIeBnJO9dLKf/gx/Bq+uIyyZwsIafEyo=";
srcHash = "sha256-ucxCyXiJo8aL6aNMhZgKEbn8sGKOoMPVREbMGSfSdAI=";
};
jdk = jdk8_headless;
tests = nixosTests.hadoop2;
};
}
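Review bot: `sourceProvenance = with sourceTypes; [ binaryBytecode ];` under-reports what the derivation ships. The same `installPhase` runs `patchelf` over prebuilt shared objects under `$out/lib/native` that come from the release tarball, so the list should read `sourceProvenance = with sourceTypes; [ binaryBytecode binaryNativeCode ];`; policies that filter on provenance depend on that field being complete. Separately, the first `find … | xargs -n1 patchelf --add-rpath` pipeline lacks the `-r` that the `libhdfspp.so*` pipeline has, so `patchelf` is invoked with no file when nothing matches. The concatenated `installPhase` also never calls `runHook preInstall` / `runHook postInstall`.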


@@ -0,0 +1,87 @@
{
lib,
stdenv,
buildGoModule,
fetchFromGitHub,
installShellFiles,
testers,
}:
buildGoModule (finalAttrs: {
pname = "kubernetes-helm";
version = "3.19.0";
src = fetchFromGitHub {
owner = "helm";
repo = "helm";
rev = "v${finalAttrs.version}";
sha256 = "sha256-ssOebBeIFVd6N0CDWfAU3HN0j4Rw7twncokzorHWJig=";
};
vendorHash = "sha256-G3PLT2jE+Oitct5F+o/hr8GDAKWcvp23dcpezuBge6k=";
subPackages = [ "cmd/helm" ];
ldflags = [
"-w"
"-s"
"-X helm.sh/helm/v3/internal/version.version=v${finalAttrs.version}"
"-X helm.sh/helm/v3/internal/version.gitCommit=${finalAttrs.src.rev}"
];
preBuild = ''
# set k8s version to client-go version, to match upstream
K8S_MODULES_VER="$(go list -f '{{.Version}}' -m k8s.io/client-go)"
K8S_MODULES_MAJOR_VER="$(($(cut -d. -f1 <<<"$K8S_MODULES_VER") + 1))"
K8S_MODULES_MINOR_VER="$(cut -d. -f2 <<<"$K8S_MODULES_VER")"
old_ldflags="''${ldflags}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/lint/rules.k8sVersionMajor=''${K8S_MODULES_MAJOR_VER}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/lint/rules.k8sVersionMinor=''${K8S_MODULES_MINOR_VER}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/chartutil.k8sVersionMajor=''${K8S_MODULES_MAJOR_VER}"
ldflags="''${ldflags} -X helm.sh/helm/v3/pkg/chartutil.k8sVersionMinor=''${K8S_MODULES_MINOR_VER}"
'';
__darwinAllowLocalNetworking = true;
preCheck = ''
# restore ldflags for tests
ldflags="''${old_ldflags}"
# skipping version tests because they require dot git directory
substituteInPlace cmd/helm/version_test.go \
--replace "TestVersion" "SkipVersion"
# skipping plugin tests
substituteInPlace cmd/helm/plugin_test.go \
--replace "TestPluginDynamicCompletion" "SkipPluginDynamicCompletion" \
--replace "TestLoadPlugins" "SkipLoadPlugins"
substituteInPlace cmd/helm/helm_test.go \
--replace "TestPluginExitCode" "SkipPluginExitCode"
'';
nativeBuildInputs = [ installShellFiles ];
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
$out/bin/helm completion bash > helm.bash
$out/bin/helm completion zsh > helm.zsh
$out/bin/helm completion fish > helm.fish
installShellCompletion helm.{bash,zsh,fish}
'';
passthru.tests.version = testers.testVersion {
package = finalAttrs.finalPackage;
command = "helm version";
version = "v${finalAttrs.version}";
};
meta = with lib; {
homepage = "https://github.com/helm/helm";
description = "Package manager for kubernetes";
mainProgram = "helm";
license = licenses.asl20;
maintainers = with maintainers; [
rlupton20
edude03
saschagrunert
Frostman
Chili-Man
techknowlogick
];
};
})
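Review bot: The `substituteInPlace … --replace` calls in `preCheck` do not fail when the pattern is absent, so a test renamed upstream would silently start running in the sandbox instead of being skipped. Use `--replace-fail "TestVersion" "SkipVersion"` and the same flag on the plugin-test substitutions, as the helm-schema expression in this commit already does, so the skip list breaks loudly on a version bump. `src` also passes an SRI value through `sha256 =`; `hash =` is the attribute the neighbouring expressions use for that format.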


@@ -0,0 +1,21 @@
{ callPackage }:
{
helm-cm-push = callPackage ./helm-cm-push.nix { };
helm-diff = callPackage ./helm-diff.nix { };
helm-dt = callPackage ./helm-dt.nix { };
helm-git = callPackage ./helm-git.nix { };
helm-mapkubeapis = callPackage ./helm-mapkubeapis.nix { };
helm-s3 = callPackage ./helm-s3.nix { };
helm-secrets = callPackage ./helm-secrets.nix { };
helm-schema = callPackage ./helm-schema.nix { };
helm-unittest = callPackage ./helm-unittest.nix { };
}


@@ -0,0 +1,48 @@
{
lib,
buildGoModule,
fetchFromGitHub,
}:
buildGoModule rec {
pname = "helm-cm-push";
version = "0.10.4";
src = fetchFromGitHub {
owner = "chartmuseum";
repo = "helm-push";
rev = "v${version}";
hash = "sha256-YnhI1/BDk9swr3YFm5ajGf4LLgPty7blA2tlsMH0erY=";
};
vendorHash = "sha256-7bUDKqkvBV1Upcrj4DQnVCP74QtKlSwF0Kl2sPFZpjc=";
subPackage = [ "cmd/helm-cm-push" ];
# Remove hooks.
postPatch = ''
sed -e '/^hooks:/,+2 d' -i plugin.yaml
'';
env.CGO_ENABLED = 0;
ldflags = [
"-s"
"-w"
];
postInstall = ''
install -Dm644 plugin.yaml $out/helm-cm-push/plugin.yaml
mv $out/bin $out/helm-cm-push
'';
# Tests require the ChartMuseum service.
doCheck = false;
meta = with lib; {
description = "Helm plugin to push chart package to ChartMuseum";
homepage = "https://github.com/chartmuseum/helm-push";
license = licenses.asl20;
maintainers = [ ];
};
}
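Review bot: `subPackage = [ "cmd/helm-cm-push" ];` is misspelled. The other Go expressions in this commit use `subPackages`, and the singular attribute is presumably ignored by `buildGoModule`, so every main package in the module is built instead of just the plugin binary. Change it to `subPackages = [ "cmd/helm-cm-push" ];`. `postInstall` then moves the whole of `$out/bin` into the plugin directory, so any extra binaries produced by the unrestricted build ship with the plugin.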


@@ -0,0 +1,44 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-diff";
version = "3.13.0";
src = fetchFromGitHub {
owner = "databus23";
repo = "helm-diff";
rev = "v${version}";
hash = "sha256-U1lNCOYix+7aPNq4U0A7KU4Cr+AqQsTUrYTg/0Zg5cs=";
};
vendorHash = "sha256-nwL6n0pthW12ij9iqmS404r0m9xv0qh8RYiQhqvJC2U=";
ldflags = [
"-s"
"-w"
"-X github.com/databus23/helm-diff/v3/cmd.Version=${version}"
];
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
postInstall = ''
install -dm755 $out/${pname}
mv $out/bin $out/${pname}/
mv $out/${pname}/bin/{helm-,}diff
install -m644 -Dt $out/${pname} plugin.yaml
'';
meta = with lib; {
description = "Helm plugin that shows a diff";
homepage = "https://github.com/databus23/helm-diff";
license = licenses.asl20;
maintainers = with maintainers; [ yurrriq ];
};
}
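Review bot: `sed -i '/^hooks:/,+2 d' plugin.yaml` removes the `hooks:` line and exactly the two lines after it, and it succeeds whether or not anything matched. Per the NOTE comment these are the plugin's install and upgrade hooks, so if upstream adds a third entry or reshapes the block, a hook line survives into the packaged `plugin.yaml` unnoticed. Follow the sed with a check that fails the build when a hook entry is still present, or remove the key with a YAML-aware tool instead of a fixed line count. The same sed line appears in the helm-cm-push, helm-dt, helm-mapkubeapis, helm-s3, helm-schema and helm-unittest expressions in this commit.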


@@ -0,0 +1,48 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-dt";
version = "0.4.9";
src = fetchFromGitHub {
owner = "vmware-labs";
repo = "distribution-tooling-for-helm";
rev = "refs/tags/v${version}";
hash = "sha256-3zEu4fnvjM1SvyOyj6NzQteyfEh5X7ro/G0gkzt7ghY=";
};
vendorHash = "sha256-CIVgNS74V75etC9WBzoxu6aoMHlUYxWd22h2NG1uNn0=";
ldflags = [
"-s"
"-w"
"-X 'main.BuildDate=1970-01-01 00:00:00 UTC'"
"-X 'main.Commit=v${version}'"
];
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
# require network/login
doCheck = false;
env.CGO_ENABLED = 1;
postInstall = ''
install -dm755 $out/helm-dt/bin
mv $out/bin/dt $out/helm-dt/bin/dt
rmdir $out/bin
install -m644 -Dt $out/helm-dt plugin.yaml
'';
meta = {
description = "Helm Distribution plugin is is a set of utilities and Helm Plugin for making offline work with Helm Charts easier";
homepage = "https://github.com/vmware-labs/distribution-tooling-for-helm";
maintainers = with lib.maintainers; [ ascii17 ];
license = lib.licenses.mit;
};
}
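Review bot: `-X 'main.Commit=v${version}'` stamps the version tag into the field the binary reports as its commit, so the reported commit is a tag name rather than a revision hash. Either drop the flag or add a comment such as `# no commit hash available from fetchFromGitHub; report the tag instead` so the substitution is visibly deliberate. The `description` string also contains a doubled "is is" and restates the package name.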


@@ -0,0 +1,55 @@
{
lib,
stdenv,
fetchFromGitHub,
coreutils,
findutils,
gitMinimal,
gnugrep,
gnused,
makeWrapper,
}:
stdenv.mkDerivation rec {
pname = "helm-git";
version = "1.4.1";
src = fetchFromGitHub {
owner = "aslafy-z";
repo = "helm-git";
rev = "v${version}";
sha256 = "sha256-gMx61fhAaiYHYd/so65DEBKANZZO826AFLU1FIE3hSs=";
};
nativeBuildInputs = [ makeWrapper ];
# NOTE: helm-git is comprised of shell scripts.
dontBuild = true;
installPhase = ''
install -dm755 $out/helm-git
install -m644 -Dt $out/helm-git plugin.yaml
cp helm-git helm-git-plugin.sh $out/helm-git/
patchShebangs $out/helm-git/helm-git{,-plugin.sh}
wrapProgram $out/helm-git/helm-git \
--prefix PATH : ${
lib.makeBinPath [
coreutils
findutils
gitMinimal
gnugrep
gnused
]
}
runHook postInstall
'';
meta = with lib; {
description = "Helm downloader plugin that provides GIT protocol support";
homepage = "https://github.com/aslafy-z/helm-git";
license = licenses.mit;
maintainers = with maintainers; [ flokli ];
};
}
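Review bot: `installPhase` ends with `runHook postInstall` but never runs `runHook preInstall`, so pre-install hooks are skipped while post-install ones run. Add `runHook preInstall` as the first line of the phase, as the helm-secrets expression in this commit does. `src` also uses `sha256 =` for an SRI value where the neighbouring files use `hash =`.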


@@ -0,0 +1,38 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-mapkubeapis";
version = "0.6.1";
src = fetchFromGitHub {
owner = "helm";
repo = "helm-mapkubeapis";
rev = "v${version}";
hash = "sha256-RvyoqfhvoXESmc6M4B1XeUtal0zQt6LCKjByyBe6pUU=";
};
vendorHash = "sha256-ZnfNje0JuTCckW9SMc2TLb968nHiGK/bgOJnIllJJq4=";
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
postInstall = ''
install -dm755 $out/helm-mapkubeapis
mv $out/bin $out/helm-mapkubeapis/
install -m644 -Dt $out/helm-mapkubeapis/config/ config/Map.yaml
install -m644 -Dt $out/helm-mapkubeapis plugin.yaml
'';
meta = {
description = "Helm plugin which maps deprecated or removed Kubernetes APIs in a release to supported APIs";
homepage = "https://github.com/helm/helm-mapkubeapis";
license = with lib.licenses; [ asl20 ];
maintainers = with lib.maintainers; [ aos ];
};
}


@@ -0,0 +1,50 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-s3";
version = "0.17.0";
src = fetchFromGitHub {
owner = "hypnoglow";
repo = "helm-s3";
rev = "v${version}";
hash = "sha256-9n/Dzgr/wYGgJq47FdNGPPpOFzTRt4VaK8HA06F5FIE=";
};
vendorHash = "sha256-6YBIUUIvQ6ZDPF9Dz5tNXuHS+pa/yiNs4sKZbMudMxs=";
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
# NOTE: make test-unit, but skip awsutil, which needs internet access
checkPhase = ''
go test $(go list ./... | grep -vE '(awsutil|e2e)')
'';
ldflags = [
"-s"
"-w"
"-X main.version=${version}"
];
subPackages = [ "cmd/helm-s3" ];
postInstall = ''
install -dm755 $out/helm-s3
mv $out/bin $out/helm-s3/
install -m644 -Dt $out/helm-s3 plugin.yaml
'';
meta = with lib; {
description = "Helm plugin that allows to set up a chart repository using AWS S3";
homepage = "https://github.com/hypnoglow/helm-s3";
license = licenses.mit;
maintainers = with maintainers; [ yurrriq ];
};
}
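Review bot: The replacement `checkPhase` drops `runHook preCheck` / `runHook postCheck`, and its filter `grep -vE '(awsutil|e2e)'` matches those substrings anywhere in a package path. Wrap the `go test` line in the two `runHook` calls and anchor the pattern to a path component, for example `grep -vE '/(awsutil|e2e)(/|$)'`, so a package whose name merely contains `e2e` is not skipped by accident. The NOTE comment mentions only awsutil; it should also say why `e2e` is excluded.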


@@ -0,0 +1,66 @@
{
buildGoModule,
fetchFromGitHub,
lib,
versionCheckHook,
nix-update-script,
}:
buildGoModule (finalAttrs: {
pname = "helm-schema";
version = "2.3.0";
src = fetchFromGitHub {
owner = "losisin";
repo = "helm-values-schema-json";
tag = "v${finalAttrs.version}";
hash = "sha256-q5A+tCnuHTtUyejP4flID7XhsoBfWGge2jCgsL0uEOc=";
};
vendorHash = "sha256-xmj2i1WNI/9ItbxRk8mPIygjq83xuvNu6THyPqZsysY=";
ldflags = [
"-s"
"-w"
"-X 'main.Version=v${finalAttrs.version}'"
];
postPatch = ''
# Remove the install and upgrade hooks
sed -i '/^hooks:/,+2 d' plugin.yaml
substituteInPlace {plugin.yaml,plugin.complete} \
--replace-fail '$HELM_PLUGIN_DIR' '${placeholder "out"}/${finalAttrs.pname}/bin'
'';
postInstall = ''
install -D plugin.complete -t $out/helm-schema/
install -m644 plugin.yaml -t $out/helm-schema/
mv $out/bin/{helm-values-schema-json,schema}
mv $out/bin $out/helm-schema
'';
# Unit tests try to open web server on port 0
__darwinAllowLocalNetworking = true;
doInstallCheck = true;
nativeInstallCheckInputs = [ versionCheckHook ];
versionCheckProgram = "${placeholder "out"}/helm-schema/bin/schema";
versionCheckProgramArg = "--version";
passthru.updateScript = nix-update-script { };
meta = {
mainProgram = "schema";
description = "Helm plugin for generating values.schema.json from multiple values files";
longDescription = ''
Helm plugin for generating `values.schema.json` from single or
multiple values files. Schema can be enriched by reading
annotations from comments. Works only with Helm3 charts.
'';
homepage = "https://github.com/losisin/helm-values-schema-json";
changelog = "https://github.com/losisin/helm-values-schema-json/releases/tag/v${finalAttrs.version}";
maintainers = with lib.maintainers; [ applejag ];
license = lib.licenses.mit;
};
})


@@ -0,0 +1,67 @@
{
lib,
stdenv,
fetchFromGitHub,
makeWrapper,
coreutils,
findutils,
getopt,
gnugrep,
gnused,
sops,
}:
stdenv.mkDerivation rec {
pname = "helm-secrets";
version = "4.6.10";
src = fetchFromGitHub {
owner = "jkroepke";
repo = "helm-secrets";
rev = "v${version}";
hash = "sha256-hno6+kik+U9XA7Mr9OnuuVidfc/xoqWRjMbBMI6M3QA=";
};
nativeBuildInputs = [ makeWrapper ];
buildInputs = [
getopt
sops
];
# NOTE: helm-secrets is comprised of shell scripts.
dontBuild = true;
# NOTE: Fix version string
postPatch = ''
sed -i 's/^version:.*/version: "${version}"/' plugin.yaml
'';
installPhase = ''
runHook preInstall
install -dm755 $out/helm-secrets $out/helm-secrets/scripts
install -m644 -Dt $out/helm-secrets plugin.yaml
cp -r scripts/* $out/helm-secrets/scripts
wrapProgram $out/helm-secrets/scripts/run.sh \
--prefix PATH : ${
lib.makeBinPath [
coreutils
findutils
getopt
gnugrep
gnused
sops
]
}
runHook postInstall
'';
meta = with lib; {
description = "Helm plugin that helps manage secrets";
homepage = "https://github.com/jkroepke/helm-secrets";
license = licenses.asl20;
maintainers = with maintainers; [ yurrriq ];
platforms = platforms.unix;
};
}


@@ -0,0 +1,38 @@
{
buildGoModule,
fetchFromGitHub,
lib,
}:
buildGoModule rec {
pname = "helm-unittest";
version = "0.7.2";
src = fetchFromGitHub {
owner = "helm-unittest";
repo = "helm-unittest";
rev = "v${version}";
hash = "sha256-RWucFZlyVYV5pHFGP7x5I+SILAJ9k12R7l5o7WKGS/c=";
};
vendorHash = "sha256-tTM9n/ahtAJoQt0fwf1jrSokWER+cOnpPX7NTNrhKc4=";
# NOTE: Remove the install and upgrade hooks.
postPatch = ''
sed -i '/^hooks:/,+2 d' plugin.yaml
'';
postInstall = ''
install -dm755 $out/helm-unittest
mv $out/bin/helm-unittest $out/helm-unittest/untt
rmdir $out/bin
install -m644 -Dt $out/helm-unittest plugin.yaml
'';
meta = with lib; {
description = "BDD styled unit test framework for Kubernetes Helm charts as a Helm plugin";
homepage = "https://github.com/helm-unittest/helm-unittest";
license = licenses.mit;
maintainers = with maintainers; [ yurrriq ];
};
}


@@ -0,0 +1,56 @@
{
symlinkJoin,
lib,
makeWrapper,
writeText,
}:
helm:
let
wrapper =
{
plugins ? [ ],
extraMakeWrapperArgs ? "",
}:
let
initialMakeWrapperArgs = [
];
pluginsDir = symlinkJoin {
name = "helm-plugins";
paths = plugins;
};
in
symlinkJoin {
name = "helm-${lib.getVersion helm}";
# Remove the symlinks created by symlinkJoin which we need to perform
# extra actions upon
postBuild = ''
wrapProgram "$out/bin/helm" \
"--set" "HELM_PLUGINS" "${pluginsDir}" ${extraMakeWrapperArgs}
'';
paths = [
helm
pluginsDir
];
preferLocalBuild = true;
nativeBuildInputs = [ makeWrapper ];
passthru = {
inherit pluginsDir;
unwrapped = helm;
};
meta = helm.meta // {
# To prevent builds on hydra
hydraPlatforms = [ ];
# prefer wrapper over the package
priority = (helm.meta.priority or lib.meta.defaultPriority) - 1;
};
};
in
lib.makeOverridable wrapper
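Review bot: `extraMakeWrapperArgs` is spliced into the `wrapProgram` command line as raw shell text (`"${pluginsDir}" ${extraMakeWrapperArgs}`), so the caller must supply already-quoted arguments and any stray metacharacter becomes part of the build script. Document that contract on the parameter, or additionally accept a list and pass it through `lib.escapeShellArgs`. The `initialMakeWrapperArgs` binding is empty and unused, and the comment above `postBuild` talks about removing symlinks although the phase only calls `wrapProgram`; both look like leftovers. `--set HELM_PLUGINS` also overrides any value from the user's environment, whereas `--set-default` would keep an explicit override working if that is wanted.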


@@ -0,0 +1,10 @@
{
traefik-crd = {
url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-27.0.201+up27.0.2.tgz";
sha256 = "0vwprcb60y15sc4lmi58gl1zr3yhsq43jlbsfm7gs20ci90frv16";
};
traefik = {
url = "https://k3s.io/k3s-charts/assets/traefik/traefik-27.0.201+up27.0.2.tgz";
sha256 = "12dp1r82qfzqfzs4sfxc54rnw8kv42a3w4gpk5v3qkhqm6fkrnn1";
};
}


@@ -0,0 +1,26 @@
{
"airgap-images-amd64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-amd64.tar.gz",
"sha256": "22972425bc5554ce4d9958a3b7b5b3c1d4d80d9e6dd9494e9853fc659b944724"
},
"airgap-images-amd64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
"sha256": "2b89cf256067bb292cc24e0a93688c2e4704387910a37cda38ef83727121c780"
},
"airgap-images-arm-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm.tar.gz",
"sha256": "2437c19cfe19a8d62097430e8f51cab2ed740b42b18ee060bc7a18a7421f8ac9"
},
"airgap-images-arm-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm.tar.zst",
"sha256": "e7ba4d17e439863f71f303d871f6c700fdafc3b96fb69323cb59f2319ab844d4"
},
"airgap-images-arm64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm64.tar.gz",
"sha256": "90abbf66bae88eec6016c2a5053523dcbcdf94d215775b4bd773d322b236fc84"
},
"airgap-images-arm64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.31.13%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
"sha256": "fd166a50cbe9be3e3a41d5e3292357168578622a5d1211642206b9afd6cf1ddc"
}
}


@@ -0,0 +1,15 @@
{
k3sVersion = "1.31.13+k3s1";
k3sCommit = "a4ca1794628ec6d699b5768ef9fc1b99e1694efc";
k3sRepoSha256 = "0zlvbkidan1jpdbcqqvpr46701rcnch4q7iczbpadbx7ixq7qmwj";
k3sVendorHash = "sha256-wR4GNGd9QK/6IVdoXmcPDQwj0dvA/ofwVBgWXDmHz1U=";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "0.15.0";
k3sRootSha256 = "008n8xx7x36y9y4r24hx39xagf1dxbp3pqq2j53s9zkaiqc62hd0";
k3sCNIVersion = "1.7.1-k3s1";
k3sCNISha256 = "0k1qfmsi5bqgwd5ap8ndimw09hsxn0cqf4m5ad5a4mgl6akw6dqz";
containerdVersion = "2.1.4-k3s1.32";
containerdSha256 = "05dcyv5kxic99ghi8wb1b544kmq0ccc06yiln2yfh49h11hngw50";
criCtlVersion = "1.31.0-k3s2";
}


@@ -0,0 +1,10 @@
{
traefik-crd = {
url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-34.2.1+up34.2.0.tgz";
sha256 = "0bnvkp1bxfsccgdnvpq3ni3p2h8jyvj0iclbqj0rsls8vv1jnp9z";
};
traefik = {
url = "https://k3s.io/k3s-charts/assets/traefik/traefik-34.2.1+up34.2.0.tgz";
sha256 = "16ljy2ncn2kc4kr3m93w2kfw4vjk8is3cp3i2lx4b7afbmi75zyw";
};
}


@@ -0,0 +1,26 @@
{
"airgap-images-amd64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-amd64.tar.gz",
"sha256": "50ba2c60c4541a2f09436e7fd91b8b782b2055f91b60ee668d70b29b9f6f1783"
},
"airgap-images-amd64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
"sha256": "079ef47f09b80397402a818c748aeebd6ba41a405f04c81c80ef05fbffc11dee"
},
"airgap-images-arm-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm.tar.gz",
"sha256": "7718b0be16c4cd336ca79df2bb1a0688fe1d76fdb83c584adb47a44ce70a630e"
},
"airgap-images-arm-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm.tar.zst",
"sha256": "2dcb0dcbb9d50ceef87be1125b6d6ca7a7f7ac233c3715d67db0680153486ed6"
},
"airgap-images-arm64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm64.tar.gz",
"sha256": "dfe042271ed97ef15a418cb219d31952914b4e78027d8dd871382e5e6bdbc7d1"
},
"airgap-images-arm64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.32.9%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
"sha256": "b92d129d8e182fd8079be5fa1442116e47cb8e298f9a3ced0e401b2d02929675"
}
}


@@ -0,0 +1,15 @@
{
k3sVersion = "1.32.9+k3s1";
k3sCommit = "062b953493abc18cbf3a85d76a71d70a9ea4b5cd";
k3sRepoSha256 = "0hsdkrdqb9dbi60k8fczxg23n72mp191qmpd0kqa0x1s6hq2pjw2";
k3sVendorHash = "sha256-ou169BNhsrY66iLVPufvOp1lYdiqR5e7mzNGDLOlW2I=";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "0.15.0";
k3sRootSha256 = "008n8xx7x36y9y4r24hx39xagf1dxbp3pqq2j53s9zkaiqc62hd0";
k3sCNIVersion = "1.7.1-k3s1";
k3sCNISha256 = "0k1qfmsi5bqgwd5ap8ndimw09hsxn0cqf4m5ad5a4mgl6akw6dqz";
containerdVersion = "2.1.4-k3s1.32";
containerdSha256 = "05dcyv5kxic99ghi8wb1b544kmq0ccc06yiln2yfh49h11hngw50";
criCtlVersion = "1.31.0-k3s2";
}


@@ -0,0 +1,10 @@
{
traefik-crd = {
url = "https://k3s.io/k3s-charts/assets/traefik-crd/traefik-crd-34.2.1+up34.2.0.tgz";
sha256 = "0bnvkp1bxfsccgdnvpq3ni3p2h8jyvj0iclbqj0rsls8vv1jnp9z";
};
traefik = {
url = "https://k3s.io/k3s-charts/assets/traefik/traefik-34.2.1+up34.2.0.tgz";
sha256 = "16ljy2ncn2kc4kr3m93w2kfw4vjk8is3cp3i2lx4b7afbmi75zyw";
};
}


@@ -0,0 +1,26 @@
{
"airgap-images-amd64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-amd64.tar.gz",
"sha256": "580c09a6f8c088de023ff8ce256371e807edb45d60db9e53505db263e8987110"
},
"airgap-images-amd64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-amd64.tar.zst",
"sha256": "c1d71ab864b6b7de087d0827a1810c5fd271134e317af8730ec9211eaf34b097"
},
"airgap-images-arm-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm.tar.gz",
"sha256": "940581b495178e35865db8bc7791052bfc3f62bc01fc960e7de27807b50473bd"
},
"airgap-images-arm-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm.tar.zst",
"sha256": "7a31e2d1d3bb220fe9073bf58051046745dfb871ca51230e56ec5789cb97d875"
},
"airgap-images-arm64-tar-gz": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm64.tar.gz",
"sha256": "2ea460f5c783cec0479e6cf8d82e11ed6b6fee6c8e7622243fadd5f8b7476beb"
},
"airgap-images-arm64-tar-zst": {
"url": "https://github.com/k3s-io/k3s/releases/download/v1.33.5%2Bk3s1/k3s-airgap-images-arm64.tar.zst",
"sha256": "b0408ae107ce0ddbd47b62242d8e2e97532b1cfeeef1a38cad0cc54dfd289edc"
}
}


@@ -0,0 +1,15 @@
{
k3sVersion = "1.33.5+k3s1";
k3sCommit = "fab4a5c3de46748494cf7ad5dccc89b213965b08";
k3sRepoSha256 = "0c0phxnx09gainay4cgbcc2j1ddci73a9i0q92zf32whkbp06112";
k3sVendorHash = "sha256-v+tfVL9sDyiDRB3/IDDfyDekFAdjdUtTTChu6l5Qvg0=";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "0.15.0";
k3sRootSha256 = "008n8xx7x36y9y4r24hx39xagf1dxbp3pqq2j53s9zkaiqc62hd0";
k3sCNIVersion = "1.7.1-k3s1";
k3sCNISha256 = "0k1qfmsi5bqgwd5ap8ndimw09hsxn0cqf4m5ad5a4mgl6akw6dqz";
containerdVersion = "2.1.4-k3s1";
containerdSha256 = "0fg9py52hac5bdmrabvkcpc1aawxl5xc0ij9zx964qkkc7fa19ca";
criCtlVersion = "1.33.0-k3s2";
}


@@ -0,0 +1,21 @@
# K3s
K3s is a simplified [Kubernetes](https://wiki.nixos.org/wiki/Kubernetes) version that bundles Kubernetes cluster components into a few small binaries optimized for Edge and IoT devices.
## Usage
* [Module Usage](docs/USAGE.md).
## Configuration Examples
* [Nvidia GPU Passthru](docs/examples/NVIDIA.md)
* [Storage Examples](docs/examples/STORAGE.md)
## Cluster Maintenance and Troubleshooting
* [Cluster Upkeep](docs/CLUSTER_UPKEEP.md).
## K3s Package Upkeep
* [Package Versioning Rationale](docs/VERSIONING.md)
* [Package Maintenance Documentation](docs/PKG_UPKEEP.md)


@@ -0,0 +1,482 @@
lib:
{
# git tag
k3sVersion,
# commit hash
k3sCommit,
k3sRepoSha256 ? lib.fakeHash,
k3sVendorHash ? lib.fakeHash,
# taken from ./scripts/version.sh VERSION_ROOT https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L47
k3sRootVersion,
k3sRootSha256 ? lib.fakeHash,
# Based on the traefik charts here: https://github.com/k3s-io/k3s/blob/d71ab6317e22dd34673faa307a412a37a16767f6/scripts/download#L29-L32
# see also https://github.com/k3s-io/k3s/blob/d71ab6317e22dd34673faa307a412a37a16767f6/manifests/traefik.yaml#L8
chartVersions,
# Air gap container images that are released as assets with every k3s release
imagesVersions,
# taken from ./scripts/version.sh VERSION_CNIPLUGINS https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/version.sh#L45
k3sCNIVersion,
k3sCNISha256 ? lib.fakeHash,
# taken from ./scripts/version.sh VERSION_CONTAINERD
containerdVersion,
containerdSha256 ? lib.fakeHash,
# run `grep github.com/kubernetes-sigs/cri-tools go.mod | head -n1 | awk '{print $4}'` in the k3s repo at the tag
criCtlVersion,
updateScript ? null,
}@attrs:
# builder.nix contains a "builder" expression that, given k3s version and hash
# variables, creates a package for that version.
# Due to variance in k3s's build process, this builder only works for k3s 1.26+
# currently.
# It is likely we will have to split out additional builders for additional
# versions in the future, or customize this one further.
{
bash,
bridge-utils,
btrfs-progs,
buildGoModule,
conntrack-tools,
coreutils,
ethtool,
fetchFromGitHub,
fetchgit,
fetchurl,
fetchzip,
findutils,
gnugrep,
gnused,
go,
iproute2,
ipset,
iptables,
nftables,
kmod,
lib,
libseccomp,
makeBinaryWrapper,
nixosTests,
overrideBundleAttrs ? { }, # An attrSet/function to override the `k3sBundle` derivation.
overrideCniPluginsAttrs ? { }, # An attrSet/function to override the `k3sCNIPlugins` derivation.
overrideContainerdAttrs ? { }, # An attrSet/function to override the `k3sContainerd` derivation.
pkg-config,
pkgsBuildBuild,
procps,
rsync,
runCommand,
runc,
socat,
sqlite,
stdenv,
su,
systemdMinimal,
util-linuxMinimal,
yq-go,
zstd,
versionCheckHook,
}:
# k3s is a kinda weird derivation. One of the main points of k3s is the
# simplicity of it being one binary that can perform several tasks.
# However, when you have a good package manager (like nix), that doesn't
# actually make much of a difference; you don't really care if it's one binary
# or 10 since with a good package manager, installing and running it is
# identical.
# Since upstream k3s packages itself as one large binary with several
# "personalities" (in the form of subcommands like 'k3s agent' and 'k3s
# kubectl'), it ends up being easiest to mostly mimic upstream packaging, with
# some exceptions.
# K3s also carries patches to some packages (such as containerd and cni
# plugins), so we intentionally use the k3s versions of those binaries for k3s,
# even if the upstream version of those binaries exist in nixpkgs already. In
# the end, that means we have a thick k3s binary that behaves like the upstream
# one for the most part.
# However, k3s also bundles several pieces of unpatched software, from the
# strongswan vpn software, to iptables, to socat, conntrack, busybox, etc.
# Those pieces of software we entirely ignore upstream's handling of, and just
# make sure they're in the path if desired.
let
baseMeta = {
description = "Lightweight Kubernetes distribution";
license = lib.licenses.asl20;
homepage = "https://k3s.io";
teams = [ lib.teams.k3s ];
platforms = lib.platforms.linux;
# resolves collisions with other installations of kubectl, crictl, ctr
# prefer non-k3s versions
priority = 5;
};
# https://github.com/k3s-io/k3s/blob/5fb370e53e0014dc96183b8ecb2c25a61e891e76/scripts/build#L19-L40
versionldflags = [
"-X github.com/k3s-io/k3s/pkg/version.Version=v${k3sVersion}"
"-X github.com/k3s-io/k3s/pkg/version.GitCommit=${lib.substring 0 8 k3sCommit}"
"-X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go${go.version}"
"-X k8s.io/client-go/pkg/version.gitVersion=v${k3sVersion}"
"-X k8s.io/client-go/pkg/version.gitCommit=${k3sCommit}"
"-X k8s.io/client-go/pkg/version.gitTreeState=clean"
"-X k8s.io/client-go/pkg/version.buildDate=1970-01-01T01:01:01Z"
"-X k8s.io/component-base/version.gitVersion=v${k3sVersion}"
"-X k8s.io/component-base/version.gitCommit=${k3sCommit}"
"-X k8s.io/component-base/version.gitTreeState=clean"
"-X k8s.io/component-base/version.buildDate=1970-01-01T01:01:01Z"
"-X github.com/kubernetes-sigs/cri-tools/pkg/version.Version=v${criCtlVersion}"
"-X github.com/containerd/containerd/version.Version=v${containerdVersion}"
"-X github.com/containerd/containerd/version.Package=github.com/k3s-io/containerd"
];
# bundled into the k3s binary
traefik = {
chart = fetchurl chartVersions.traefik;
name = baseNameOf chartVersions.traefik.url;
};
traefik-crd = {
chart = fetchurl chartVersions.traefik-crd;
name = baseNameOf chartVersions.traefik-crd.url;
};
# a shortcut that provides the images archive for the host platform. Currently only supports
# aarch64 (arm64) and x86_64 (amd64), throws on other architectures.
airgap-images =
{
x86_64-linux = fetchurl imagesVersions.airgap-images-amd64-tar-zst;
aarch64-linux = fetchurl imagesVersions.airgap-images-arm64-tar-zst;
}
.${stdenv.hostPlatform.system}
or (throw "k3s: no airgap images available for system ${stdenv.hostPlatform.system}, consider using an image archive with an explicit architecture.");
# so, k3s is a complicated thing to package
# This derivation attempts to avoid including any random binaries from the
# internet. k3s-root is _mostly_ binaries built to be bundled in k3s (which
# we don't care about doing, we can add those as build or runtime
# dependencies using a real package manager).
# In addition to those binaries, it's also configuration though (right now
# mostly strongswan configuration), and k3s does use those files.
# As such, we download it in order to grab 'etc' and bundle it into the final
# k3s binary.
k3sRoot = fetchzip {
# Note: marked as apache 2.0 license
url = "https://github.com/k3s-io/k3s-root/releases/download/v${k3sRootVersion}/k3s-root-amd64.tar";
sha256 = k3sRootSha256;
stripRoot = false;
};
k3sCNIPlugins =
(buildGoModule rec {
pname = "k3s-cni-plugins";
version = k3sCNIVersion;
vendorHash = null;
subPackages = [ "." ];
src = fetchFromGitHub {
owner = "rancher";
repo = "plugins";
rev = "v${version}";
sha256 = k3sCNISha256;
};
postInstall = ''
mv $out/bin/plugins $out/bin/cni
'';
meta = baseMeta // {
description = "CNI plugins, as patched by rancher for k3s";
};
}).overrideAttrs
overrideCniPluginsAttrs;
# Grab this separately from a build because it's used by both stages of the
# k3s build.
k3sRepo = fetchgit {
url = "https://github.com/k3s-io/k3s";
rev = "v${k3sVersion}";
sha256 = k3sRepoSha256;
};
# Modify the k3s installer script so that we can let it install only
# killall.sh
k3sKillallSh = runCommand "k3s-killall.sh" { } ''
# Copy the upstream k3s install script except for the last lines that
# actually run the install process
sed --quiet '/# --- run the install process --/q;p' ${k3sRepo}/install.sh > install.sh
# Let killall expect "containerd-shim" in the Nix store
substituteInPlace install.sh \
--replace-fail '/data/[^/]*/bin/containerd-shim' \
'/nix/store/.*k3s-containerd.*/bin/containerd-shim'
remove_matching_line() {
line_to_delete=$(grep -n "$1" install.sh | cut -d : -f 1 || true)
if [ -z $line_to_delete ]; then
echo "failed to find expression \"$1\" in k3s installer script (install.sh)"
exit 1
fi
sed -i "''${line_to_delete}d" install.sh
}
# Don't change mode and owner of killall
remove_matching_line "chmod.*KILLALL_K3S_SH"
remove_matching_line "chown.*KILLALL_K3S_SH"
# Execute only the "create_killall" function of the installer script
sed -i '$acreate_killall' install.sh
KILLALL_K3S_SH=$out bash install.sh
'';
# Stage 1 of the k3s build:
# Let's talk about how k3s is structured.
# One of the ideas of k3s is that there's the single "k3s" binary which can
# do everything you need, from running a k3s server, to being a worker node,
# to running kubectl.
# The way that actually works is that k3s is a single go binary that contains
# a bunch of bindata that it unpacks at runtime into directories (either the
# user's home directory or /var/lib/rancher if run as root).
# This bindata includes both binaries and configuration.
# In order to let nixpkgs do all its autostripping/patching/etc, we split this into two derivations.
# First, we build all the binaries that get packed into the thick k3s binary
# (and output them from one derivation so they'll all be suitably patched up).
# Then, we bundle those binaries into our thick k3s binary and use that as
# the final single output.
# This approach was chosen because it ensures the bundled binaries all are
# correctly built to run with nix (we can lean on the existing buildGoModule
# stuff), and we can again lean on that tooling for the final k3s binary too.
# Other alternatives would be to manually run the
# strip/patchelf/remove-references step ourselves in the installPhase of the
# derivation when we've built all the binaries, but haven't bundled them in
# with generated bindata yet.
k3sBundle =
(buildGoModule {
pname = "k3s-bin";
version = k3sVersion;
src = k3sRepo;
vendorHash = k3sVendorHash;
nativeBuildInputs = [ pkg-config ];
buildInputs = [
libseccomp
sqlite.dev
];
subPackages = [ "cmd/server" ];
ldflags = versionldflags;
tags = [
"ctrd"
"libsqlite3"
"linux"
];
# Set flags for sqlite dbstat
CGO_CFLAGS = "-DSQLITE_ENABLE_DBSTAT_VTAB=1 -DSQLITE_USE_ALLOCA=1";
# Copy manifests and static charts pre build so they get embedded during build
preBuild = ''
cp -av manifests/* ./pkg/deploy/embed/
mkdir -p ./pkg/static/embed/charts/
cp -v ${traefik.chart} ./pkg/static/embed/charts/${traefik.name}
cp -v ${traefik-crd.chart} ./pkg/static/embed/charts/${traefik-crd.name}
'';
# create the multicall symlinks for k3s
postInstall = ''
mv $out/bin/server $out/bin/k3s
pushd $out
# taken verbatim from https://github.com/k3s-io/k3s/blob/v1.23.3%2Bk3s1/scripts/build#L105-L113
ln -s k3s ./bin/containerd
ln -s k3s ./bin/crictl
ln -s k3s ./bin/ctr
ln -s k3s ./bin/k3s-agent
ln -s k3s ./bin/k3s-certificate
ln -s k3s ./bin/k3s-completion
ln -s k3s ./bin/k3s-etcd-snapshot
ln -s k3s ./bin/k3s-secrets-encrypt
ln -s k3s ./bin/k3s-server
ln -s k3s ./bin/k3s-token
ln -s k3s ./bin/kubectl
popd
'';
meta = baseMeta // {
description = "Various binaries that get packaged into the final k3s binary";
};
}).overrideAttrs
overrideBundleAttrs;
# Only used for the shim since
# https://github.com/k3s-io/k3s/blob/v1.27.2%2Bk3s1/scripts/build#L153
k3sContainerd =
(buildGoModule {
pname = "k3s-containerd";
version = containerdVersion;
src = fetchFromGitHub {
owner = "k3s-io";
repo = "containerd";
rev = "v${containerdVersion}";
sha256 = containerdSha256;
};
vendorHash = null;
buildInputs = [ btrfs-progs ];
subPackages = [ "cmd/containerd-shim-runc-v2" ];
ldflags = versionldflags;
}).overrideAttrs
overrideContainerdAttrs;
in
buildGoModule (finalAttrs: {
pname = "k3s";
version = k3sVersion;
pos = builtins.unsafeGetAttrPos "k3sVersion" attrs;
tags = [
"libsqlite3"
"linux"
"ctrd"
];
src = k3sRepo;
vendorHash = k3sVendorHash;
postPatch = ''
# Nix prefers dynamically linked binaries over static binary.
substituteInPlace scripts/package-cli \
--replace-fail '"$LDFLAGS $STATIC" -o' \
'"$LDFLAGS" -o'
# Upstream codegen fails with trimpath set. Removes "trimpath" for 'go generate':
substituteInPlace scripts/package-cli \
--replace-fail '"''${GO}" generate' \
'GOFLAGS="" \
GOOS="${pkgsBuildBuild.go.GOOS}" \
GOARCH="${pkgsBuildBuild.go.GOARCH}" \
CC="${pkgsBuildBuild.stdenv.cc}/bin/cc" \
"''${GO}" generate'
'';
# Important utilities used by the kubelet, see
# https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
# Note the list in that issue is stale and some aren't relevant for k3s.
k3sRuntimeDeps = [
kmod
socat
iptables
nftables
iproute2
ipset
bridge-utils
ethtool
util-linuxMinimal # kubelet wants 'nsenter' and 'mount' from util-linux: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-705994388
conntrack-tools
runc
bash
su
];
k3sKillallDeps = [
bash
systemdMinimal
procps
coreutils
gnugrep
findutils
gnused
];
buildInputs = finalAttrs.k3sRuntimeDeps;
nativeBuildInputs = [
makeBinaryWrapper
rsync
yq-go
zstd
];
# embedded in the final k3s cli
propagatedBuildInputs = [
k3sCNIPlugins
k3sContainerd
k3sBundle
];
# We override most of buildPhase due to peculiarities in k3s's build.
# Specifically, it has a 'go generate' which runs part of the package. See
# this comment:
# https://github.com/NixOS/nixpkgs/pull/158089#discussion_r799965694
# So, why do we use buildGoModule at all? For the `vendorHash` / `go mod download` stuff primarily.
buildPhase = ''
runHook preBuild
patchShebangs ./scripts/package-cli ./scripts/download ./scripts/build-upload
# copy needed 'go generate' inputs into place
mkdir -p ./bin/aux
rsync -a --no-perms ${k3sBundle}/bin/ ./bin/
ln -vsf ${k3sCNIPlugins}/bin/cni ./bin/cni
ln -vsf ${k3sContainerd}/bin/containerd-shim-runc-v2 ./bin
rsync -a --no-perms --chmod u=rwX ${k3sRoot}/etc/ ./etc/
export ARCH=$GOARCH
export DRONE_TAG="v${k3sVersion}"
export DRONE_COMMIT="${k3sCommit}"
# use ./scripts/package-cli to run 'go generate' + 'go build'
./scripts/package-cli
mkdir -p $out/bin
runHook postBuild
'';
# Otherwise it depends on 'getGoDirs', which is normally set in buildPhase
doCheck = false;
installPhase = ''
runHook preInstall
# wildcard to match the arm64 build too
install -m 0755 dist/artifacts/k3s* -D $out/bin/k3s
wrapProgram $out/bin/k3s \
--prefix PATH : ${lib.makeBinPath finalAttrs.k3sRuntimeDeps} \
--prefix PATH : "$out/bin"
ln -s $out/bin/k3s $out/bin/kubectl
ln -s $out/bin/k3s $out/bin/crictl
ln -s $out/bin/k3s $out/bin/ctr
install -m 0755 ${k3sKillallSh} -D $out/bin/k3s-killall.sh
wrapProgram $out/bin/k3s-killall.sh \
--prefix PATH : ${lib.makeBinPath (finalAttrs.k3sRuntimeDeps ++ finalAttrs.k3sKillallDeps)}
runHook postInstall
'';
doInstallCheck = true;
nativeInstallCheckInputs = [ versionCheckHook ];
versionCheckProgramArg = "--version";
passthru = {
inherit
airgap-images
k3sCNIPlugins
k3sContainerd
k3sRepo
k3sRoot
k3sBundle
updateScript
;
tests =
let
mkTests =
version:
let
k3s_version = "k3s_" + lib.replaceStrings [ "." ] [ "_" ] (lib.versions.majorMinor version);
in
lib.mapAttrs (name: value: nixosTests.k3s.${name}.${k3s_version}) nixosTests.k3s;
in
mkTests k3sVersion;
imagesList = throw "k3s.imagesList was removed";
airgapImages = throw "k3s.airgapImages was renamed to k3s.airgap-images";
airgapImagesAmd64 = throw "k3s.airgapImagesAmd64 was renamed to k3s.airgap-images-amd64-tar-zst";
airgapImagesArm64 = throw "k3s.airgapImagesArm64 was renamed to k3s.airgap-images-arm64-tar-zst";
airgapImagesArm = throw "k3s.airgapImagesArm was renamed to k3s.airgap-images-arm-tar-zst";
}
// (lib.mapAttrs (_: value: fetchurl value) imagesVersions);
meta = baseMeta;
})
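Review bot: The `sed --quiet '/# --- run the install process --/q;p'` cut in `k3sKillallSh` has no failure check, so if a later upstream `install.sh` renames that marker, the whole installer, including its install steps, is kept and then executed by `KILLALL_K3S_SH=$out bash install.sh` during the build. The other two edits to that script already fail loudly (`--replace-fail` and `remove_matching_line`), so the cut should as well, for example with `grep -q '# --- run the install process --' ${k3sRepo}/install.sh || { echo "install.sh marker not found"; exit 1; }` placed before the `sed`. In `remove_matching_line`, the test `[ -z $line_to_delete ]` is unquoted and gives the right answer for the empty case only because of how single-argument `test` works; `[ -z "$line_to_delete" ]` is the safe form. A pattern that matches more than one line would still pass a multi-line value to `sed -i`, so a check that exactly one line matched would make that failure explicit.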


@@ -0,0 +1,44 @@
{ lib, callPackage, ... }@args:
let
k3s_builder = import ./builder.nix lib;
common = opts: callPackage (k3s_builder opts);
# extraArgs is the extra arguments passed in by the caller to propagate downward.
# This is to allow all-packages.nix to do:
#
# let k3s_1_23 = (callPackage ./path/to/k3s {
# commonK3sArg = ....
# }).k3s_1_23;
extraArgs = removeAttrs args [ "callPackage" ];
in
{
k3s_1_31 = common (
(import ./1_31/versions.nix)
// {
updateScript = [
./update-script.sh
"31"
];
}
) extraArgs;
k3s_1_32 = common (
(import ./1_32/versions.nix)
// {
updateScript = [
./update-script.sh
"32"
];
}
) extraArgs;
k3s_1_33 = common (
(import ./1_33/versions.nix)
// {
updateScript = [
./update-script.sh
"33"
];
}
) extraArgs;
}


@@ -0,0 +1,86 @@
# K3s Upkeep for Users
General documentation for the K3s user for cluster tasks and troubleshooting steps.
## Upkeep
### Changing K3s Token
Changing the K3s token requires resetting cluster. To reset the cluster, you must do the following:
#### Stopping K3s
Disabling K3s NixOS module won't stop K3s related dependencies, such as containerd or networking. For stopping everything, either run "k3s-killall.sh" script (available on $PATH under `/run/current-system/sw/bin/k3s-killall.sh`) or reboot host.
### Syncing K3s in multiple hosts
Nix automatically syncs hosts to `configuration.nix`, for syncing configuration.nix's git repository and triggering `nixos-rebuild switch` in multiple hosts, it is commonly used `ansible`, which enables automation of cluster provisioning, upgrade and reset.
### Cluster Reset
As upstream "k3s-uninstall.sh" is yet to be packaged for NixOS, it's necessary to run manual steps for resetting cluster.
Disable K3s instances in **all** hosts:
In NixOS configuration, set:
```
services.k3s.enable = false;
```
Rebuild NixOS. This is going to remove K3s service files. But it won't delete K3s data.
To delete K3s files:
Dismount kubelet:
```
KUBELET_PATH=$(mount | grep kubelet | cut -d' ' -f3);
${KUBELET_PATH:+umount $KUBELET_PATH}
```
Delete k3s data:
```
rm -rf /etc/rancher/{k3s,node};
rm -rf /var/lib/{rancher/k3s,kubelet,longhorn,etcd,cni}
```
When using Etcd, Reset Etcd:
Certify **all** K3s instances are stopped, because a single instance can re-seed etcd database with previous cryptographic key.
Disable etcd database in NixOS configuration:
```
services.etcd.enable = false;
```
Rebuild NixOS.
Delete etcd files:
```
rm -rf /var/lib/etcd/
```
Reboot hosts.
In NixOS configuration:
```
Re-enable Etcd first. Rebuild NixOS. Certify service health. (systemctl status etcd)
Re-enable K3s second. Rebuild NixOS. Certify service health. (systemctl status k3s)
```
Etcd & K3s cluster will be provisioned new.
Tip: Use Ansible to automate reset routine, like this.
## Troubleshooting
### Raspberry Pi not working
If the k3s.service/k3s server does not start and gives you the error FATA[0000] failed to find memory cgroup (v2) Here's the github issue: https://github.com/k3s-io/k3s/issues/2067 .
To fix the problem, you can add these things to your configuration.nix.
```
boot.kernelParams = [
"cgroup_enable=cpuset" "cgroup_memory=1" "cgroup_enable=memory"
];
```
### FailedKillPod: failed to get network "cbr0" cached result
> KillPodSandboxError: failed to get network "cbr0" cached result: decoding version from network config: unexpected end of JSON input
Workaround: https://github.com/k3s-io/k3s/issues/6185#issuecomment-1581245331


@@ -0,0 +1,45 @@
# Onboarding Maintainer
Anyone willing can become a maintainer, no pre-requisite knowledge is required. Willingness to learn is enough.
A K3s maintainer, maintains K3s's:
- [documentation](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/README.md)
- [issues](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+k3s)
- [pull requests](https://github.com/NixOS/nixpkgs/pulls?q=is%3Aopen+is%3Apr+label%3A%226.topic%3A+k3s%22)
- [NixOS tests](https://github.com/NixOS/nixpkgs/tree/master/nixos/tests/k3s)
- [NixOS service module](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/cluster/k3s/default.nix)
- [update script](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/networking/cluster/k3s/update-script.sh) (the process of updating)
- updates (the act of updating) and [r-ryantm bot logs](https://r.ryantm.com/log/k3s/)
- deprecations
- CVEs
- NixOS releases
- dependencies (runc, containerd, ipset)
Anything that is due, basically.
As a maintainer, feel free to improve anything and everything at your discretion. Meaning, at your pace and according to your capabilities and interests.
Only consensus is required to move forward any proposal. Consensus meaning the approval of others.
If you cause a regression (we've all been there), you are responsible for fixing it, but in case you can't fix it (it happens), feel free to ask for help. That's fine, just let us know.
To merge code, you need to be a committer, or use the merge-bot, but currently the merge-bot only works for packages located at `pkgs/by-name/`, which means, K3s still need to be migrated there before you can use merge-bot for merging. As a non-committer, once you have approved a PR you need to forward the request to a committer. For deciding which committer, give preference initially to K3s committers, but any committer can commit. A committer usually has a green approval in PRs.
K3s's committers currently are: marcusramberg, Mic92.
@euank is often silent but still active and has always handled anything dreadful, internal parts of K3s/Kubernetes or architecture things, he initially packaged K3s for nixpkgs, think of him as a last resort, when we fail to accomplish a fix, he comes to rescue us from ourselves.
@mic92 stepped up when @superherointj stepped down a time ago, as Mic92 has a broad responsibility in nixpkgs (he is responsible for far too many things already, nixpkgs-reviews, sops-nix, release manager, bot-whatever), we avoid giving him chore work for `nixos-unstable`, only pick him as committer last. As Mic92 runs K3s in a `nixos-stable` setting, he might help in testing stable backports.
On how to handle requests, it's the usual basics, such as, when reviewing PRs, issues, be welcoming, helpful, provide hints whenever possible, try to move things forward, assume good will, ignore [as don't react to] any negativity [since it spirals badly], delay and sort any (severe) disagreement in private. Even on disagrements, be thankful to people for their dedicated time, no matter what happens. In essence, on any unfortunate event, **always put people over code**.
Dumbshit happens, we make mistakes, the CI, reviews, fellow maintainers are there to nudge us on a better direction, no need to over think interactions, if a problem happens, we'll handle it.
We should optimize for maintainers satisfaction, because it is maintainers that make the service great. The best kind of win we have is when someone new steps up for being a maintainer. This multiplies our capabilities of doing meaningful work and increases our knowledge pool.
Know that your participation matters most for us. And we thank you for stepping up. It's good to have you here!
We welcome you and wish you the best in this new journey!
K3s Maintainers


@@ -0,0 +1,60 @@
# K3s Upkeep for Maintainers
General documentation for the K3s maintainer and reviewer use for consistency in maintenance processes.
## NixOS Release Maintenance
This process split into two sections and adheres to the versioning policy outlined in [VERSIONING.md](VERSIONING.md).
### Pre-Release
* Prior to the breaking change window of the next release being closed:
* `nixos-unstable`: Ensure k3s points to latest versioned release
* `nixos-unstable`: Ensure release notes are up to date
* `nixos-unstable`: Remove k3s releases which will be end of life upstream prior to end-of-life for the next NixOS stable release are removed with proper deprecation notice (process listed below)
### Post-Release
* For major/minor releases of k3s:
* `nixos-unstable`: Create a new versioned k3s package
* `nixos-unstable`: Update k3s alias to point to new versioned k3s package
* `nixos-unstable`: Add NixOS Release note denoting:
* Removal of deprecated K3s packages
* Migration information from the Kubernetes and K3s projects
* `nixos-stable`: Backport the versioned package
* For patch releases of existing packages:
* `nixos-unstable`: Update package version (process listed below)
* `nixos-stable`: Backport package update done to nixos-unstable
## Patch Upgrade Process
Patch upgrades can use the [update script](../update-script.sh) in the root of the package. To update k3s 1.30.x, for example, you can run the following from the root of the nixpkgs git repo:
> ./pkgs/applications/networking/cluster/k3s/update-script.sh "30"
To update another version, just replace the `"30"` with the appropriate minor revision.
If the script should fail, the first goal would be to fix the script. If you are unable to fix the script, open an issue reporting the update script failure with the exact command used and the failure observed.
RyanTM bot can automatically do patch upgrades. Update logs are available at versioned urls, e.g. for 1.30.x: https://r.ryantm.com/log/k3s_1_30
## Package Removal Process
Package removal policy and timelines follow our reasoning in the [versioning documentation](VERSIONING.md#patch-release-support-lifecycle). In order to remove a versioned k3s package, create a PR achieving the following:
* Remove the versioned folder containing the chart and package version files (e.g. `./1_30/`)
* Remove the package block from [default.nix](../default.nix) (e.g. `k3s_1_30 = ...`)
* Remove the package reference from [pkgs/top-level/all-packages.nix](/pkgs/top-level/all-packages.nix)
* Add a deprecation notice in [pkgs/top-level/aliases.nix](/pkgs/top-level/aliases.nix), such as `k3s_1_26 = throw "'k3s_1_26' has been removed from nixpkgs as it has reached end of life"; # Added 2024-05-20`.
## Change Request Review Process
Quick checklist for reviewers of the k3s package:
* Is the version of the Go compiler pinned according to the go.mod file for the release?
* Update script will not pin nor change the go version.
* Do the K3s passthru.tests work for all architectures supported? (linux-x86_64, aarch64-linux)
* For GitHub CI, [OfBorg](https://github.com/NixOS/ofborg) can be used to test all platforms.
* For Local testing, the following can be run in nixpkgs root on the upgrade branch: `nix build .#k3s_1_29.passthru.tests.{etcd,single-node,multi-node}` (Replace "29" to the version tested)
* Anything unusual in the nix build logs or test logs?


@@ -0,0 +1,100 @@
# K3s Usage
## Single Node
```
{
networking.firewall.allowedTCPPorts = [
6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
# 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
# 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
];
networking.firewall.allowedUDPPorts = [
# 8472 # k3s, flannel: required if using multi-node for inter-node networking
];
services.k3s.enable = true;
services.k3s.role = "server";
services.k3s.extraFlags = toString [
# "--debug" # Optionally add additional args to k3s
];
}
```
Once the above changes are active, you can access your cluster through `sudo k3s kubectl` (e.g. `sudo k3s kubectl cluster-info`) or by using the generated kubeconfig file in `/etc/rancher/k3s/k3s.yaml`.
Multi-node setup
## Multi-Node
it is simple to create a cluster of multiple nodes in a highly available setup (all nodes are in the control-plane and are a part of the etcd cluster).
The first node is configured like this:
```
{
services.k3s = {
enable = true;
role = "server";
token = "<randomized common secret>";
clusterInit = true;
};
}
```
Any other subsequent nodes can be added with a slightly different config:
```
{
services.k3s = {
enable = true;
role = "server"; # Or "agent" for worker only nodes
token = "<randomized common secret>";
serverAddr = "https://<ip of first node>:6443";
};
}
```
For this to work you need to open the aforementioned API, etcd, and flannel ports in the firewall. Official documentation on what ports need to be opened for specific use cases can be found on [k3s' documentation site](https://docs.k3s.io/installation/requirements#inbound-rules-for-k3s-nodes). Note that it is [recommended](https://etcd.io/docs/v3.3/faq/#why-an-odd-number-of-cluster-members) to use an odd number of nodes in such a cluster.
Tip: If you run into connectivity issues between nodes for specific applications (e.g. ingress controller), please verify the firewall settings you have enabled (example under [Single Node](#single-node)) against the documentation for that specific application. In the ingress controller example, you may want to open 443 or 80 depending on your use case.
## Quirks
### `prefer-bundled-bin`
K3s has a config setting `prefer-bundled-bin` (and CLI flag `--prefer-bundled-bin`) that makes k3s use binaries from the `/var/lib/rancher/k3s/data/current/bin/aux/` directory, as unpacked by the k3s binary, before the system `$PATH`.
This works with the official distribution of k3s but not with the package from nixpkgs, as it does not bundle the upstream binaries from [`k3s-root`](https://github.com/k3s-io/k3s-root) into the k3s binary.
Thus the `prefer-bundled-bin` setting **cannot** be used to work around issues (like [this `mount` regression](https://github.com/util-linux/util-linux/issues/3474)) with binaries used/called by the kubelet.
### Building from a different source
Because the package is split into multiple derivations and the build process is generally more complex, it is not very obvious how to build k3s from a different source (fork or arbitrary commit).
To build k3s from a different source, you must use `.override` together with `overrideBundleAttrs` (for the k3sBundle derivation) and another `.overrideAttrs` (for the final derivation):
```nix
{ fetchgit, k3s }:
let
k3sRepo = fetchgit {
url = "https://github.com/k3s-io/k3s";
rev = "99d91538b1327da933356c318dc8040335fbb66c";
hash = "sha256-vVqZzVp0Tea27s8HDVq4SgqlbHBdZcFzNKmPFi0Yktk=";
};
vendorHash = "sha256-jrPVY+FVZV9wlbik/I35W8ChcLrHlYbLAwUYU16mJLM=";
in
(k3s.override {
overrideBundleAttrs = {
src = k3sRepo;
inherit vendorHash;
};
}).overrideAttrs
{
src = k3sRepo;
inherit vendorHash;
}
```
- Additionally to `overrideBundleAttrs` there are also: `overrideCniPluginsAttrs` and `overrideContainerdAttrs`.
- `k3s --version` still prints the commit SHA (`k3sCommit` passed into `builder.nix`) from the "base" package instead of the actually used `rev`.
- Depending on the changes made in the fork / commit, the `k3s.override` (without the `overrideAttrs` of the final derivation) might already be enough.
- If the commit is for a different version of k3s, make sure to use the correct "base" package, e.g., `k3s_1_31.override`. Otherwise the build fails with `Tagged version 'v1.33.1+k3s1' does not match expected version 'v1.31.9[+-]*'`
- When adding an entirely new k3s version by calling `builder.nix`, keep in mind that the `k3sCommit` parameter is not used as the `k3sRepo` `rev` (it uses `v${k3sVersion}`). Therefore, you additionally must override the package, as shown above.


@@ -0,0 +1,46 @@
# Versioning
K3s, Kubernetes, and other clustered software has the property of not being able to update atomically. Most software in nixpkgs, like for example bash, can be updated as part of a "nixos-rebuild switch" without having to worry about the old and the new bash interacting in some way.
K3s/Kubernetes, on the other hand, is typically run across several NixOS machines, and each NixOS machine is updated independently. As such, different versions of the package and NixOS module must maintain compatibility with each other through temporary version skew during updates.
The upstream Kubernetes project [documents this in their version-skew policy](https://kubernetes.io/releases/version-skew-policy/#supported-component-upgrade-order).
Within nixpkgs, we strive to maintain a valid "upgrade path" that does not run
afoul of the upstream version skew policy.
## Patch Release Support Lifecycle
K3s is built on top of K8s and typically provides a similar release cadence and support window (simply by cherry-picking over k8s patches). As such, we assume k3s's support lifecycle is identical to upstream K8s. The upstream K8s release and support lifecycle, including maintenance and end-of-life dates for current releases, is documented [on their support site](https://kubernetes.io/releases/patch-releases/#support-period). A more tabular view of the current support timeline can also be found on [endoflife.date](https://endoflife.date/kubernetes).
In short, a new Kubernetes version is released roughly every 4 months and each release is supported for a little over 1 year.
## Versioning in nixpkgs
There are two package types that are maintained within nixpkgs when we are looking at the `nixos-unstable` branch. A standard `k3s` package and versioned releases such as `k3s_1_28`, `k3s_1_29`, and `k3s_1_30`.
The standard `k3s` package will be updated as new versions of k3s are released upstream. Versioned releases, on the other hand, will follow the path release support lifecycle as detailed in the previous section and be removed from `nixos-unstable` when they are either end-of-life upstream or older than the current `k3s` package in `nixos-stable`.
## Versioning in NixOS Releases
Those same package types are also maintained on the release branches of NixOS, but have some special considerations within a release.
NixOS releases (24.05, 24.11, etc) should avoid having deprecated software or major version upgrades during the support lifecycle of that release wherever possible. As such, each NixOS release should only ever have one version of `k3s` when it is released. An example for the NixOS 24.05 release would be that `k3s` package points to `k3s_1_30` for the full lifecycle of its release with no other versions present at release.
However, this conflicts with our desire for users to be able to upgrade between stable NixOS releases without needing to make a large enough k3s version jump as to violate the skew policy listed previously. Given NixOS 24.05 has 1.30.x as its k3s version and the NixOS 24.11 release would have 1.32.x as its k3s version, we need to provide a way for users to upgrade k3s to 1.32.x before upgrading to the next NixOS stable release.
To be able to achieve the goal above, the k3s maintainers would backport `k3s_1_31` and `k3s_1_32` from `nixos-unstable` to NixOS 24.05 as they release. This means that when NixOS 24.11 is released with only the `k3s` package pointing to `k3s_1_32`, users will have an upgrade path on 24.05 to first upgrade locally to `k3s_1_31` and then to `k3s_1_32` (e.g. pointing `services.k3s.package` from `k3s` to `k3s_1_31`, upgrading the cluster, and repeating the process through versions).
Using the above as the example, a three NixOS release example would look like:
* NixOS 23.11
* k3s/k3s_1_27 (Release Version, patches backported)
* k3s_1_28 (Backported)
* k3s_1_29 (Backported)
* k3s_1_30 (Backported)
* NixOS 24.05
* k3s/k3s_1_30 (Release Version, patches backported)
* k3s_1_31 (Backported)
* k3s_1_32 (Backported)
* NixOS 24.11
* k3s/k3s_1_32 (Release Version, patches backported)


@@ -0,0 +1,40 @@
# Using an external Containerd
K3s ships with its own containerd binary, however, sometimes it's necessary to use an external
containerd. This can be done in a few lines of configuration.
## Configure Containerd
```nix
{
virtualisation.containerd = {
enable = true;
settings.plugins."io.containerd.grpc.v1.cri".cni = {
bin_dir = "/var/lib/rancher/k3s/data/current/bin";
conf_dir = "/var/lib/rancher/k3s/agent/etc/cni/net.d";
};
# Optionally, configure containerd to use the k3s pause image
settings.plugins."io.containerd.grpc.v1.cri" = {
sandbox_image = "docker.io/rancher/mirrored-pause:3.6";
};
};
}
```
## Configure k3s
```nix
{
services.k3s = {
enable = true;
extraFlags = [ "--container-runtime-endpoint unix:///run/containerd/containerd.sock" ];
};
}
```
## Importing Container Images
K3s provides the `services.k3s.images` option to import container images at startup. This option
does **not** work with an external containerd, but you can import the images via
`ctr -n=k8s.io image import /var/lib/rancher/k3s/agent/images/*`. Note that you need to set the
`k8s.io` namespace to make the images available to the cluster.


@@ -0,0 +1,256 @@
# Nvidia GPU Support
> Note: this article assumes `services.k3s.enable = true;` is already set
## Enable the Nvidia driver
```
hardware.nvidia = {
open = true;
package = config.boot.kernelPackages.nvidiaPackages.stable; # change to match your kernel
nvidiaSettings = true;
};
# Hack for getting the nvidia driver recognized
services.xserver = {
enable = false;
videoDrivers = [ "nvidia" ];
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"nvidia-x11"
"nvidia-settings"
];
```
Also, enable the Nvidia container toolkit:
```
hardware.nvidia-container-toolkit.enable = true;
hardware.nvidia-container-toolkit.mount-nvidia-executables = true;
environment.systemPackages = with pkgs; [
nvidia-container-toolkit
];
```
Rebuild your NixOS configuration.
### Verify that the GPU is accessible
Use the following command to ensure the GPU is accessible:
```
nvidia-smi
```
If there is an error in the output, a reboot may be required for the driver to be assigned to the GPU.
Additionally, `lspci -k` can be used to ensure the driver has been assigned to the GPU:
```
# lspci -k | grep -i nvidia
01:00.0 VGA compatible controller: NVIDIA Corporation TU106 [GeForce RTX 2060 Rev. A] (rev a1)
Kernel driver in use: nvidia
Kernel modules: nvidiafb, nouveau, nvidia_drm, nvidia
```
## Configure k3s
You now need to create a new file in `/var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl` with the following
```
{{ template "base" . }}
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
privileged_without_host_devices = false
runtime_engine = ""
runtime_root = ""
runtime_type = "io.containerd.runc.v2"
```
Now apply the following runtime class to k3s cluster:
```yaml
apiVersion: node.k8s.io/v1
handler: nvidia
kind: RuntimeClass
metadata:
labels:
app.kubernetes.io/component: gpu-operator
name: nvidia
```
Restart k3s:
```
systemctl restart k3s.service
```
Ensure that the Nvidia runtime is detected by k3s:
```
grep nvidia /var/lib/rancher/k3s/agent/etc/containerd/config.toml
```
Apply the DaemonSet in the [generic-cdi-plugin README](https://github.com/OlfillasOdikno/generic-cdi-plugin):
```
apiVersion: v1
kind: Namespace
metadata:
name: generic-cdi-plugin
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: generic-cdi-plugin-daemonset
namespace: generic-cdi-plugin
spec:
selector:
matchLabels:
name: generic-cdi-plugin
template:
metadata:
labels:
name: generic-cdi-plugin
app.kubernetes.io/component: generic-cdi-plugin
app.kubernetes.io/name: generic-cdi-plugin
spec:
containers:
- image: ghcr.io/olfillasodikno/generic-cdi-plugin:main
name: generic-cdi-plugin
command:
- /generic-cdi-plugin
- /var/run/cdi/nvidia-container-toolkit.json
imagePullPolicy: Always
securityContext:
privileged: true
tty: true
volumeMounts:
- name: kubelet
mountPath: /var/lib/kubelet
- name: nvidia-container-toolkit
mountPath: /var/run/cdi/nvidia-container-toolkit.json
volumes:
- name: kubelet
hostPath:
path: /var/lib/kubelet
- name: nvidia-container-toolkit
hostPath:
path: /var/run/cdi/nvidia-container-toolkit.json
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: "nixos-nvidia-cdi"
operator: In
values:
- "enabled"
```
Apply the following node label (replace `#CHANGEME` with your node name):
```
kind: Node
apiVersion: v1
metadata:
name: #CHANGEME
labels:
nixos-nvidia-cdi: enabled
```
Now, GPU-enabled pods can be run with this configuration:
```
spec:
runtimeClassName: nvidia
containers:
resources:
requests:
nvidia.com/gpu-all: "1"
limits:
nvidia.com/gpu-all: "1"
```
### Test pod
This is a complete pod configuration for reference/testing:
```
---
apiVersion: v1
kind: Pod
metadata:
name: gpu-test
namespace: default
spec:
runtimeClassName: nvidia # <- THIS FOR GPU
containers:
- name: gpu-test
image: nvidia/cuda:12.6.3-base-ubuntu22.04
command: [ "/bin/bash", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
env:
- name: NVIDIA_VISIBLE_DEVICES
value: all
- name: NVIDIA_DRIVER_CAPABILITIES
value: all
resources: # <- THIS FOR GPU
requests:
nvidia.com/gpu-all: "1"
limits:
nvidia.com/gpu-all: "1"
```
Once the pod is running, use the following command to test that the GPU was detected:
```
kubectl exec -n default -it pod/gpu-test -- nvidia-smi
```
If successful, the output will look like the following:
```
Thu Sep 25 04:17:42 2025
+-----------------------------------------------------------------------------------------+
| NVIDIA-SMI 580.82.09 Driver Version: 580.82.09 CUDA Version: 13.0 |
+-----------------------------------------+------------------------+----------------------+
| GPU Name Persistence-M | Bus-Id Disp.A | Volatile Uncorr. ECC |
| Fan Temp Perf Pwr:Usage/Cap | Memory-Usage | GPU-Util Compute M. |
| | | MIG M. |
|=========================================+========================+======================|
| 0 NVIDIA GeForce RTX 2060 Off | 00000000:01:00.0 On | N/A |
| 0% 36C P8 10W / 190W | 104MiB / 6144MiB | 0% Default |
| | | N/A |
+-----------------------------------------+------------------------+----------------------+
+-----------------------------------------------------------------------------------------+
| Processes: |
| GPU GI CI PID Type Process name GPU Memory |
| ID ID Usage |
|=========================================================================================|
| No running processes found |
+-----------------------------------------------------------------------------------------+
```


@@ -0,0 +1,108 @@
# Storage Examples
The following are some NixOS specific considerations for specific storage mechanisms with kubernetes/k3s.
## Longhorn
NixOS configuration required for Longhorn:
```
environment.systemPackages = [ pkgs.nfs-utils ];
services.openiscsi = {
enable = true;
name = "${config.networking.hostName}-initiatorhost";
};
```
Longhorn container has trouble with NixOS path. Solution is to override PATH environment variable, such as:
```
PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
```
**Kyverno Policy for Fixing Longhorn Container for NixOS**
```
---
apiVersion: v1
kind: ConfigMap
metadata:
name: longhorn-nixos-path
namespace: longhorn-system
data:
PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin
---
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: longhorn-add-nixos-path
annotations:
policies.kyverno.io/title: Add Environment Variables from ConfigMap
policies.kyverno.io/subject: Pod
policies.kyverno.io/category: Other
policies.kyverno.io/description: >-
Longhorn invokes executables on the host system, and needs
to be aware of the host systems PATH. This modifies all
deployments such that the PATH is explicitly set to support
NixOS based systems.
spec:
rules:
- name: add-env-vars
match:
resources:
kinds:
- Pod
namespaces:
- longhorn-system
mutate:
patchStrategicMerge:
spec:
initContainers:
- (name): "*"
envFrom:
- configMapRef:
name: longhorn-nixos-path
containers:
- (name): "*"
envFrom:
- configMapRef:
name: longhorn-nixos-path
---
```
## NFS
NixOS configuration required for NFS:
```
boot.supportedFilesystems = [ "nfs" ];
services.rpcbind.enable = true;
```
## Rook/Ceph
In order to support Rook/Ceph, the following NixOS kernelModule configuration is required:
```
boot.kernelModules = [ "rbd" ];
```
## ZFS ContainerD Support
The [ZFS snapshotter](https://github.com/containerd/zfs) can be enabled for k3s' embedded ContainerD though it requires mounting a dataset to a specific path used by k3s: `/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.zfs`
For example:
```bash
$ zfs create -o mountpoint=/var/lib/rancher/k3s/agent/containerd/io.containerd.snapshotter.v1.zfs <zpool name>/containerd
```
You can now configure k3s to use zfs by passing the `--snapshotter` flag.
```
services.k3s = {
...
extraFlags = [
"--snapshotter=zfs"
];
```


@@ -0,0 +1,146 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl git gnugrep gnused go jq nurl yq-go
set -x -eu -o pipefail
MAJOR_VERSION=1
MINOR_VERSION="${1:?Must provide a minor version number, like '26', as the only argument}"
WORKDIR=$(mktemp -d)
trap "rm -rf ${WORKDIR}" EXIT
# GitHub caps requests to GitHub API without GITHUB_TOKEN
CURL="curl --silent --fail --location ${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"}"
NIXPKGS_ROOT="$(git rev-parse --show-toplevel)"/
NIXPKGS_K3S_PATH=$(cd $(dirname ${BASH_SOURCE[0]}); pwd -P)/
OLD_VERSION="$(nix-instantiate --eval -E "with import $NIXPKGS_ROOT. {}; k3s_${MAJOR_VERSION}_${MINOR_VERSION}.version or (builtins.parseDrvName k3s_${MAJOR_VERSION}_${MINOR_VERSION}.name).version" | tr -d '"')"
LATEST_TAG_RAWFILE=${WORKDIR}/latest_tag.json
$CURL https://api.github.com/repos/k3s-io/k3s/releases > ${LATEST_TAG_RAWFILE}
LATEST_TAG_NAME=$(cat ${LATEST_TAG_RAWFILE} | \
jq -r 'map(select(.prerelease == false))' | \
jq 'map(.tag_name)' | \
grep -v -e rc -e engine | tail -n +2 | head -n -1 | sed 's|[", ]||g' | sort -rV | grep -E "^v${MAJOR_VERSION}\.${MINOR_VERSION}\." | head -n1)
K3S_VERSION=$(echo ${LATEST_TAG_NAME} | sed 's/^v//')
K3S_COMMIT=$($CURL https://api.github.com/repos/k3s-io/k3s/git/refs/tags \
| jq -r "map(select(.ref == \"refs/tags/${LATEST_TAG_NAME}\")) | .[0] | .object.sha")
PREFETCH_META=$(nix-prefetch-url --unpack --print-path https://github.com/k3s-io/k3s/archive/refs/tags/${LATEST_TAG_NAME}.tar.gz)
K3S_STORE_PATH=${PREFETCH_META#*$'\n'}
K3S_REPO_SHA256=${PREFETCH_META%$'\n'*}
cd "$K3S_STORE_PATH"
# Set the DRONE variables as they are expected to be set in version.sh
DRONE_TAG="$LATEST_TAG_NAME"
DRONE_COMMIT="$K3S_COMMIT"
NO_DAPPER="" # Source git_version.sh in scripts/version.sh#L8
source "${K3S_STORE_PATH}/scripts/version.sh"
K3S_ROOT_SHA256=$(nix-prefetch-url --quiet --unpack \
"https://github.com/k3s-io/k3s-root/releases/download/${VERSION_ROOT}/k3s-root-amd64.tar")
CNIPLUGINS_SHA256=$(nix-prefetch-url --quiet --unpack \
"https://github.com/rancher/plugins/archive/refs/tags/${VERSION_CNIPLUGINS}.tar.gz")
CONTAINERD_SHA256=$(nix-prefetch-url --quiet --unpack \
"https://github.com/k3s-io/containerd/archive/refs/tags/${VERSION_CONTAINERD}.tar.gz")
CHART_FILES=( $(yq eval --no-doc .spec.chart "${K3S_STORE_PATH}/manifests/traefik.yaml" | xargs -n1 basename) )
# These files are:
# 1. traefik-crd-20.3.1+up20.3.0.tgz
# 2. traefik-20.3.1+up20.3.0.tgz
# at the time of writing
if [[ "${#CHART_FILES[@]}" != "2" ]]; then
echo "New manifest charts added, the packaging scripts will need to be updated: ${CHART_FILES}"
exit 1
fi
cd "${NIXPKGS_K3S_PATH}/${MAJOR_VERSION}_${MINOR_VERSION}"
CHARTS_URL=https://k3s.io/k3s-charts/assets
TRAEFIK_CRD_CHART_SHA256=$(nix-hash --type sha256 --base32 --flat <(curl -o - "${CHARTS_URL}/traefik-crd/${CHART_FILES[0]}"))
TRAEFIK_CHART_SHA256=$(nix-hash --type sha256 --base32 --flat <(curl -o - "${CHARTS_URL}/traefik/${CHART_FILES[1]}"))
# Get metadata for both files
rm -f chart-versions.nix.update
cat > chart-versions.nix.update <<EOF
{
traefik-crd = {
url = "${CHARTS_URL}/traefik-crd/${CHART_FILES[0]}";
sha256 = "$TRAEFIK_CRD_CHART_SHA256";
};
traefik = {
url = "${CHARTS_URL}/traefik/${CHART_FILES[1]}";
sha256 = "$TRAEFIK_CHART_SHA256";
};
}
EOF
mv chart-versions.nix.update chart-versions.nix
# Concatenate all sha256sums, one entry per line
SHA256_HASHES="\
$($CURL "https://github.com/k3s-io/k3s/releases/download/v${K3S_VERSION}/sha256sum-amd64.txt")
$($CURL "https://github.com/k3s-io/k3s/releases/download/v${K3S_VERSION}/sha256sum-arm64.txt")
$($CURL "https://github.com/k3s-io/k3s/releases/download/v${K3S_VERSION}/sha256sum-arm.txt")"
# Get all airgap images files associated with this release
IMAGES_ARCHIVES=$($CURL "https://api.github.com/repos/k3s-io/k3s/releases/tags/v${K3S_VERSION}" | \
# Filter the assets for airgap images archives
jq -r '.assets[] | select(.name | test("^k3s-airgap-images-.*\\.tar\\.")) | "\(.name) \(.browser_download_url)"')
# Create a JSON object for each airgap images file and prefetch all download URLs in the process
# Combine all JSON objects and write the result to images-versions.json
while read -r name url; do
# Pick the right hash based on the name
sha256=$(grep "$name" <<< "$SHA256_HASHES" | cut -d ' ' -f 1)
# Remove the k3s prefix and replace all dots with hyphens
clean_name=$(sed -e "s/^k3s-//" -e "s/\./-/g" <<< "$name")
jq --null-input --arg name "$clean_name" \
--arg url "$url" \
--arg sha256 "$sha256" \
'{$name: {"url": $url, "sha256": $sha256}}'
done <<<"${IMAGES_ARCHIVES}" | jq --slurp 'reduce .[] as $item ({}; . * $item)' > images-versions.json
FAKE_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
cat >versions.nix <<EOF
{
k3sVersion = "${K3S_VERSION}";
k3sCommit = "${K3S_COMMIT}";
k3sRepoSha256 = "${K3S_REPO_SHA256}";
k3sVendorHash = "${FAKE_HASH}";
chartVersions = import ./chart-versions.nix;
imagesVersions = builtins.fromJSON (builtins.readFile ./images-versions.json);
k3sRootVersion = "${VERSION_ROOT:1}";
k3sRootSha256 = "${K3S_ROOT_SHA256}";
k3sCNIVersion = "${VERSION_CNIPLUGINS:1}";
k3sCNISha256 = "${CNIPLUGINS_SHA256}";
containerdVersion = "${VERSION_CONTAINERD:1}";
containerdSha256 = "${CONTAINERD_SHA256}";
criCtlVersion = "${VERSION_CRICTL:1}";
}
EOF
set +e
K3S_VENDOR_HASH=$(nurl -e "(import ${NIXPKGS_ROOT}. {}).k3s_${MAJOR_VERSION}_${MINOR_VERSION}.goModules")
set -e
if [ -n "${K3S_VENDOR_HASH:-}" ]; then
sed -i "s|${FAKE_HASH}|${K3S_VENDOR_HASH}|g" ./versions.nix
else
echo "Update failed. K3S_VENDOR_HASH is empty."
exit 1
fi
# Implement commit
# See https://nixos.org/manual/nixpkgs/stable/#var-passthru-updateScript-commit
cat <<EOF
[{
"attrPath": "k3s_${MAJOR_VERSION}_${MINOR_VERSION}",
"oldVersion": "$OLD_VERSION",
"newVersion": "$K3S_VERSION",
"files": ["$PWD/versions.nix","$PWD/chart-versions.nix","$PWD/images-versions.json"]
}]
EOF
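Review bot: `set -x` stays on for the whole script, so when `GITHUB_TOKEN` is set the trace of the `CURL=` assignment and of every `$CURL` call writes the token to stderr, which on a CI runner ends up in the job log. Dropping the flag (`set -eu -o pipefail`), or switching tracing off around the authenticated calls, keeps the credential out of logs. Separately, the two Traefik chart hashes are computed from a bare `curl -o -` with no `--fail`, so an HTTP error body would be hashed and written to `chart-versions.nix` as if it were the chart. Adding `--fail --silent --location` to those two calls fixes that; reusing `$CURL` there would not be appropriate, since it would send the GitHub credential to k3s.io.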


@@ -0,0 +1,92 @@
{
lib,
stdenv,
buildGoModule,
fetchFromGitHub,
installShellFiles,
}:
let
generic =
{
version,
sha256,
rev ? version,
...
}@attrs:
let
attrs' = removeAttrs attrs [
"version"
"sha256"
"rev"
];
in
buildGoModule {
pname = "kops";
inherit version;
src = fetchFromGitHub {
rev = rev;
owner = "kubernetes";
repo = "kops";
inherit sha256;
};
vendorHash = null;
nativeBuildInputs = [ installShellFiles ];
subPackages = [ "cmd/kops" ];
ldflags = [
"-s"
"-w"
"-X k8s.io/kops.Version=${version}"
"-X k8s.io/kops.GitVersion=${version}"
];
doCheck = false;
postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
installShellCompletion --cmd kops \
--bash <($GOPATH/bin/kops completion bash) \
--fish <($GOPATH/bin/kops completion fish) \
--zsh <($GOPATH/bin/kops completion zsh)
'';
meta = with lib; {
description = "Easiest way to get a production Kubernetes up and running";
mainProgram = "kops";
homepage = "https://github.com/kubernetes/kops";
changelog = "https://github.com/kubernetes/kops/tree/master/docs/releases";
license = licenses.asl20;
maintainers = with maintainers; [
offline
zimbatm
diegolelis
yurrriq
];
};
}
// attrs';
in
rec {
mkKops = generic;
kops_1_31 = mkKops rec {
version = "1.31.0";
sha256 = "sha256-q9megrNXXKJ/YqP/fjPHh8Oji4dPK5M3HLHa+ufwRAM=";
rev = "v${version}";
};
kops_1_32 = mkKops rec {
version = "1.32.1";
sha256 = "sha256-nQKeTDajtUffPBhPrPuaJ+1XWgLDUltwDQDZHkylys4=";
rev = "v${version}";
};
kops_1_33 = mkKops rec {
version = "1.33.0";
sha256 = "sha256-VnnKWcU83yqsKW54Q1tr99/Ln8ppMyB7GLl70rUFGDY=";
rev = "v${version}";
};
}
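Review bot: The trailing `// attrs'` is a shallow merge, so any extra attribute a caller passes to `mkKops` (for instance `ldflags`, `meta` or `src`) replaces the value defined here instead of extending it, and nothing in the file says so; a caller overriding `ldflags` would silently lose the `-X k8s.io/kops.Version=` stamps. I would add a comment above that line such as `# extra attrs replace (not merge with) the defaults above`. `doCheck = false;` also carries no stated reason here or in the kubeval expression further down, whereas the kuma expression explains it with `# no test files`; a one-line reason would tell the next maintainer whether the tests can be re-enabled.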


@@ -0,0 +1,33 @@
{
lib,
stdenv,
rustPlatform,
fetchFromGitHub,
versionCheckHook,
}:
rustPlatform.buildRustPackage rec {
pname = "kubectl-view-allocations";
version = "1.0.0";
src = fetchFromGitHub {
owner = "davidB";
repo = "kubectl-view-allocations";
tag = version;
hash = "sha256-R4pxbIUY9QEsblbVv2/QbWZv7A/ZDQmUnOCYB34RkdE=";
};
cargoHash = "sha256-liExE40Ldel1G4RT3P1y5Da65RJSrc7HD+52SwW0oeg=";
doInstallCheck = true;
nativeInstallCheckInputs = [ versionCheckHook ];
versionCheckProgramArg = "--version";
meta = {
description = "kubectl plugin to list allocations (cpu, memory, gpu,... X utilization, requested, limit, allocatable,...)";
homepage = "https://github.com/davidB/kubectl-view-allocations";
license = lib.licenses.cc0;
maintainers = with lib.maintainers; [ mrene ];
platforms = lib.platforms.unix;
};
}


@@ -0,0 +1,42 @@
{
lib,
fetchFromGitHub,
buildGoModule,
fetchpatch,
}:
buildGoModule rec {
pname = "kubeval";
version = "0.16.1";
src = fetchFromGitHub {
owner = "instrumenta";
repo = "kubeval";
rev = "v${version}";
sha256 = "sha256-pwJOV7V78H2XaMiiJvKMcx0dEwNDrhgFHmCRLAwMirg=";
};
patches = [
# https://github.com/instrumenta/kubeval/pull/346
(fetchpatch {
name = "bump-golang.org/x/sys.patch";
url = "https://github.com/instrumenta/kubeval/commit/d64502b04d9e1b85fd3d5509049adb50f3e39954.patch";
sha256 = "sha256-S/lgwdykFLU2QZRW927fgCPxaIAMK3vSqmH08pXBQxM=";
})
];
vendorHash = "sha256-R/vVrLsVSA9SGra4ytoHlQkPaIgQaj/XdivcQp8xjSM=";
doCheck = false;
meta = with lib; {
description = "Validate your Kubernetes configuration files";
mainProgram = "kubeval";
homepage = "https://github.com/instrumenta/kubeval";
license = licenses.asl20;
maintainers = with maintainers; [
johanot
nicknovitski
];
};
}


@@ -0,0 +1,16 @@
{ fetchFromGitHub }:
# To cache schema as a package so network calls are not
# necessary at runtime, allowing use in package builds you can use the following:
# KUBEVAL_SCHEMA_LOCATION="file:///${kubeval-schema}";
(fetchFromGitHub {
name = "kubeval-schema";
owner = "instrumenta";
repo = "kubernetes-json-schema";
rev = "6a498a60dc68c5f6a1cc248f94b5cd1e7241d699";
sha256 = "1y9m2ma3n4h7sf2lg788vjw6pkfyi0fa7gzc870faqv326n6x2jr";
})
// {
# the schema is huge (> 7GB), we don't get any benefit from building int on hydra
meta.hydraPlatforms = [ ];
}


@@ -0,0 +1,76 @@
{
lib,
stdenv,
fetchFromGitHub,
buildGoModule,
coredns,
installShellFiles,
isFull ? false,
enableGateway ? false,
pname ? "kuma",
components ? lib.optionals isFull [
"kumactl"
"kuma-cp"
"kuma-dp"
],
}:
buildGoModule rec {
inherit pname;
version = "2.12.0";
tags = lib.optionals enableGateway [ "gateway" ];
src = fetchFromGitHub {
owner = "kumahq";
repo = "kuma";
tag = version;
hash = "sha256-5syQFcYBY/xKipIsAJdjVrXYXt7NNjjCeXiDVNO9NTo=";
};
vendorHash = "sha256-KgZYKopW+FOdwBIGxa2RLiEbefZ/1vAhcsWtcYhgdFs=";
# no test files
doCheck = false;
nativeBuildInputs = [ installShellFiles ] ++ lib.optionals isFull [ coredns ];
preBuild = ''
export HOME=$TMPDIR
'';
subPackages = map (p: "app/" + p) components;
postInstall =
lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) (
lib.concatMapStringsSep "\n" (p: ''
installShellCompletion --cmd ${p} \
--bash <($out/bin/${p} completion bash) \
--fish <($out/bin/${p} completion fish) \
--zsh <($out/bin/${p} completion zsh)
'') components
)
+ lib.optionalString isFull ''
ln -sLf ${coredns}/bin/coredns $out/bin
'';
ldflags =
let
prefix = "github.com/kumahq/kuma/pkg/version";
in
[
"-s"
"-w"
"-X ${prefix}.version=${version}"
"-X ${prefix}.gitTag=${version}"
"-X ${prefix}.gitCommit=${version}"
"-X ${prefix}.buildDate=${version}"
];
meta = {
description = "Service mesh controller";
homepage = "https://kuma.io/";
changelog = "https://github.com/kumahq/kuma/blob/${version}/CHANGELOG.md";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [ zbioe ];
};
}
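Review bot: `gitCommit` and `buildDate` in `ldflags` are both stamped with `${version}`, so the built binaries will presumably report the release number as their commit and build date, which is misleading when someone tries to match a running binary to a source revision. If the intent is a reproducible build, a comment should say so and the values should not look like real data, e.g. `"-X ${prefix}.gitCommit=unknown"` and `"-X ${prefix}.buildDate=1970-01-01T00:00:00Z"` (constructed placeholder values).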


@@ -0,0 +1,8 @@
{ callPackage }:
(callPackage ./generic.nix { }) {
channel = "stable";
version = "2.14.9";
sha256 = "135x5q0a8knckbjkag2xqcr76zy49i57zf2hlsa70iknynq33ys7";
vendorHash = "sha256-bGl8IZppwLDS6cRO4HmflwIOhH3rOhE/9slJATe+onI=";
}


@@ -0,0 +1,8 @@
{ callPackage }:
(callPackage ./generic.nix { }) {
channel = "edge";
version = "25.7.4";
sha256 = "19s32frf6ymfv88zvinakqh23yp7zlcj6dcyzlkkviayf4gk270x";
vendorHash = "sha256-6cUWeJA0nxUMd+mrrHccPu9slebwZGUR0yGxev3k4ls=";
}


@@ -0,0 +1,81 @@
{
lib,
stdenv,
fetchFromGitHub,
buildGoModule,
installShellFiles,
}:
{
channel,
version,
sha256,
vendorHash,
}:
buildGoModule rec {
pname = "linkerd-${channel}";
inherit version vendorHash;
src = fetchFromGitHub {
owner = "linkerd";
repo = "linkerd2";
rev = "${channel}-${version}";
inherit sha256;
};
subPackages = [ "cli" ];
preBuild = ''
env GOFLAGS="" go generate ./pkg/charts/static
env GOFLAGS="" go generate ./jaeger/static
env GOFLAGS="" go generate ./multicluster/static
env GOFLAGS="" go generate ./viz/static
# Necessary for building Musl
if [[ $NIX_HARDENING_ENABLE =~ "pie" ]]; then
export GOFLAGS="-buildmode=pie $GOFLAGS"
fi
'';
tags = [
"prod"
];
ldflags = [
"-s"
"-w"
"-X github.com/linkerd/linkerd2/pkg/version.Version=${src.rev}"
];
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
mv $out/bin/cli $out/bin/linkerd
''
+ lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
installShellCompletion --cmd linkerd \
--bash <($out/bin/linkerd completion bash) \
--zsh <($out/bin/linkerd completion zsh) \
--fish <($out/bin/linkerd completion fish)
'';
doInstallCheck = true;
installCheckPhase = ''
$out/bin/linkerd version --client | grep ${src.rev} > /dev/null
'';
passthru.updateScript = (./. + "/update-${channel}.sh");
meta = with lib; {
description = "Simple Kubernetes service mesh that improves security, observability and reliability";
mainProgram = "linkerd";
downloadPage = "https://github.com/linkerd/linkerd2/";
homepage = "https://linkerd.io/";
license = licenses.asl20;
maintainers = with maintainers; [
bryanasdev000
Gonzih
];
};
}
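Review bot: `installCheckPhase` is replaced wholesale without `runHook preInstallCheck` / `runHook postInstallCheck`, and the version check hands `${src.rev}` to `grep` unquoted as a regular expression, so the dots in the version match any character. I would write the check as `$out/bin/linkerd version --client | grep -qF -- "${src.rev}"` between the two `runHook` lines. The `go generate` steps in `preBuild` run with `GOFLAGS=""`, presumably to drop the flags buildGoModule sets; a short comment stating the reason would help the next reader.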


@@ -0,0 +1,33 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl gnugrep gnused jq
set -x -eu -o pipefail
cd $(dirname "$0")
VERSION=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} \
--silent https://api.github.com/repos/linkerd/linkerd2/releases | \
jq 'map(.tag_name)' | grep -v -e '-rc' | grep edge | sed 's/["|,| ]//g' | sed 's/edge-//' | sort -V -r | head -n1)
SHA256=$(nix-prefetch-url --quiet --unpack https://github.com/linkerd/linkerd2/archive/refs/tags/edge-${VERSION}.tar.gz)
setKV () {
sed -i "s|$1 = \".*\"|$1 = \"${2:-}\"|" ./edge.nix
}
setKV version ${VERSION}
setKV sha256 ${SHA256}
setKV vendorHash "sha256-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" # Necessary to force clean build.
cd ../../../../../
set +e
VENDOR_HASH=$(nix-build --no-out-link -A linkerd_edge 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g')
set -e
cd - > /dev/null
if [ -n "${VENDOR_HASH:-}" ]; then
setKV vendorHash ${VENDOR_HASH}
else
echo "Update failed. VENDOR_HASH is empty."
exit 1
fi
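Review bot: The credential argument `${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""}` expands to a single word with a leading space and literal double quotes, so as far as I can tell curl never sees a `-u` option and the token is not used for authentication; with `set -x` on, that word, token included, is also written to the trace. The stable-channel updater that follows has the identical line. The form `${GITHUB_TOKEN:+-u ":$GITHUB_TOKEN"}` passes two clean arguments, and `set -eu -o pipefail` without `-x` keeps the token out of logs. The `curl` call also lacks `--fail`, so a rate-limit error body is fed to `jq` rather than stopping the script at the request.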


@@ -0,0 +1,33 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl gnugrep gnused jq
set -x -eu -o pipefail
cd $(dirname "$0")
VERSION=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} \
--silent https://api.github.com/repos/linkerd/linkerd2/releases | \
jq 'map(.tag_name)' | grep -v -e '-rc' | grep stable | sed 's/["|,| ]//g' | sed 's/stable-//' | sort -V -r | head -n1)
SHA256=$(nix-prefetch-url --quiet --unpack https://github.com/linkerd/linkerd2/archive/refs/tags/stable-${VERSION}.tar.gz)
setKV () {
sed -i "s|$1 = \".*\"|$1 = \"${2:-}\"|" ./default.nix
}
setKV version ${VERSION}
setKV sha256 ${SHA256}
setKV vendorHash "sha256-BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=" # Necessary to force clean build.
cd ../../../../../
set +e
VENDOR_HASH=$(nix-build --no-out-link -A linkerd 2>&1 >/dev/null | grep "got:" | cut -d':' -f2 | sed 's| ||g')
set -e
cd - > /dev/null
if [ -n "${VENDOR_HASH:-}" ]; then
setKV vendorHash ${VENDOR_HASH}
else
echo "Update failed. VENDOR_HASH is empty."
exit 1
fi


@@ -0,0 +1,164 @@
{
lib,
config,
python3,
emptyFile,
}:
let
inherit (lib) extends;
# doc: https://github.com/NixOS/nixpkgs/pull/158781/files#diff-854251fa1fe071654921224671c8ba63c95feb2f96b2b3a9969c81676780053a
encapsulate =
layerZero:
let
fixed = layerZero ({ extend = f: encapsulate (extends f layerZero); } // fixed);
in
fixed.public;
nixopsContextBase = this: {
python = python3.override {
self = this.python;
packageOverrides =
self: super:
{
nixops = self.callPackage ./unwrapped.nix { };
}
// (this.plugins self super);
};
plugins =
ps: _super:
with ps;
(
rec {
nixops-digitalocean = callPackage ./plugins/nixops-digitalocean.nix { };
nixops-encrypted-links = callPackage ./plugins/nixops-encrypted-links.nix { };
nixops-hercules-ci = callPackage ./plugins/nixops-hercules-ci.nix { };
nixops-vbox = callPackage ./plugins/nixops-vbox.nix { };
nixos-modules-contrib = callPackage ./plugins/nixos-modules-contrib.nix { };
# aliases for backwards compatibility
nixopsvbox = nixops-vbox;
}
// lib.optionalAttrs config.allowAliases rec {
nixops-aws = throw "nixops-aws was broken and was removed from nixpkgs";
nixops-gce = throw "nixops-gce was broken and was removed from nixpkgs";
nixops-libvirtd = throw "nixops-libvirtd was broken and was removed from nixpkgs";
nixops-hetzner = throw "nixops-hetzner was broken and was removed from nixpkgs";
nixops-hetznercloud = throw "nixops-hetznercloud was broken and was removed from nixpkgs";
nixops-virtd = nixops-libvirtd;
}
);
# We should not reapply the overlay, but it tends to work out. (It's been this way since poetry2nix was dropped.)
availablePlugins = this.plugins this.python.pkgs this.python.pkgs;
selectedPlugins = [ ];
# selector is a function mapping pythonPackages to a list of plugins
# e.g. nixops_unstable.withPlugins (ps: with ps; [ nixops-digitalocean ])
withPlugins =
selector:
this.extend (
this: _old: {
selectedPlugins = selector this.availablePlugins;
}
);
rawPackage = this.python.pkgs.toPythonApplication (
this.python.pkgs.nixops.overridePythonAttrs (old: {
propagatedBuildInputs = old.propagatedBuildInputs ++ this.selectedPlugins;
# Propagating dependencies leaks them through $PYTHONPATH which causes issues
# when used in nix-shell.
postFixup = ''
rm $out/nix-support/propagated-build-inputs
'';
})
);
# Extra package attributes that aren't derivation attributes, just like `mkDerivation`'s `passthru`.
extraPackageAttrs = {
inherit (this)
selectedPlugins
availablePlugins
withPlugins
python
;
tests =
this.rawPackage.tests
// {
nixos = this.rawPackage.tests.nixos.passthru.override {
nixopsPkg = this.rawPackage;
};
commutative_addAvailablePlugins_withPlugins =
assert
(this.public.addAvailablePlugins (self: super: { inherit emptyFile; })).withPlugins (ps: [
emptyFile
]) ==
# Note that this value proves that the package is not instantiated until the end, where it's valid again.
(this.public.withPlugins (ps: [ emptyFile ])).addAvailablePlugins (
self: super: { inherit emptyFile; }
);
emptyFile;
}
# Make sure we also test with a configuration that's been extended with a plugin.
// lib.optionalAttrs (this.selectedPlugins == [ ]) {
withAPlugin =
lib.recurseIntoAttrs
(this.withPlugins (ps: with ps; [ nixops-encrypted-links ])).tests;
};
overrideAttrs =
f:
this.extend (
this: oldThis: {
rawPackage = oldThis.rawPackage.overrideAttrs f;
}
);
/**
nixops.addAvailablePlugins: Overlay -> Package
Add available plugins to the package. You probably also want to enable
them with the `withPlugins` method.
*/
addAvailablePlugins =
newPlugins:
this.extend (
finalThis: oldThis: {
plugins = lib.composeExtensions oldThis.plugins newPlugins;
}
);
# For those who need or dare.
internals = this;
};
package =
lib.lazyDerivation {
outputs = [
"out"
"dist"
];
derivation = this.rawPackage;
}
// this.extraPackageAttrs;
public = this.package;
};
minimal = encapsulate nixopsContextBase;
in
{
nixops_unstable_minimal = minimal;
# Not recommended; too fragile.
nixops_unstable_full = minimal.withPlugins (ps: [
ps.nixops-digitalocean
ps.nixops-encrypted-links
ps.nixops-hercules-ci
ps.nixops-vbox
]);
}


@@ -0,0 +1,54 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
python-digitalocean,
pythonOlder,
}:
buildPythonPackage {
pname = "nixops-digitalocean";
version = "0.1.0-unstable-2022-08-14";
pyproject = true;
disabled = pythonOlder "3.7";
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixops-digitalocean";
rev = "e977b7f11e264a6a2bff2dcbc7b94c6a97b92fff";
hash = "sha256-aJtShvdqjAiCK5oZL0GR5cleDb4s1pJkO6UPKGd4Dgg=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
propagatedBuildInputs = [
python-digitalocean
];
pythonImportsCheck = [ "nixops_digitalocean" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "NixOps Digitalocean plugin";
homepage = "https://github.com/nix-community/nixops-digitalocean";
license = licenses.lgpl3Only;
maintainers = [ ];
};
}
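Review bot: The `postPatch` here uses the plain `--replace` form of `substituteInPlace`, which nixpkgs has deprecated. As far as I know, a pattern that no longer matches only produces a warning, so the build-backend rewrite of `pyproject.toml` can stop applying without failing the build. Where a match is expected I would use `--replace-fail poetry.masonry.api poetry.core.masonry.api` and `--replace-fail "poetry>=" "poetry-core>="`, as the nixops expression in this same commit already does, and `--replace-quiet` only where a miss is acceptable. The same applies to the identical `postPatch` in the nixops-encrypted-links, nixops-vbox and nixos-modules-contrib sections.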


@@ -0,0 +1,46 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixops-encrypted-links";
version = "0-unstable-2021-02-16";
pyproject = true;
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixops-encrypted-links";
rev = "e2f196fce15fcfb00d18c055e1ac53aec33b8fb1";
hash = "sha256-1TTbARyCfrLxF6SVNkmIKNNcLS9FVW22d9w0VRrH1os=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixops_encrypted_links" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "EncryptedLinksTo from Nixops 1 module port";
homepage = "https://github.com/nix-community/nixops-encrypted-links";
license = licenses.mit;
maintainers = [ ];
};
}


@@ -0,0 +1,40 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixops-hercules-ci";
version = "0-unstable-2021-10-06";
pyproject = true;
src = fetchFromGitHub {
owner = "hercules-ci";
repo = "nixops-hercules-ci";
rev = "e601d5baffd003fd5f22deeaea0cb96444b054dc";
hash = "sha256-4IZ+qzhERJIhLcIq9FvVml+xAFJ8R4QpUjFRw2DZl2U=";
};
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixops_hercules_ci" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "Use Hercules CI as a NixOps backend";
homepage = "https://github.com/hercules-ci/nixops-hercules-ci";
license = licenses.asl20;
maintainers = with maintainers; [ roberth ];
};
}


@@ -0,0 +1,48 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixops-vbox";
version = "1.0.0-unstable-2023-08-10";
pyproject = true;
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixops-vbox";
rev = "baa5f09c9ae9aaf639c95192460ab5dcbe83a883";
hash = "sha256-QrxherQO1t0VpYjJSEbntUWVD6GW4MtVHiKINpzHA1M=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixopsvbox" ];
passthru.updateScript = unstableGitUpdater {
tagPrefix = "v";
};
meta = with lib; {
description = "NixOps plugin for VirtualBox VMs";
homepage = "https://github.com/nix-community/nixops-vbox";
license = licenses.lgpl3Only;
maintainers = with maintainers; [ aminechikhaoui ];
};
}


@@ -0,0 +1,46 @@
{
lib,
buildPythonPackage,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
nixops,
}:
buildPythonPackage {
pname = "nixos-modules-contrib";
version = "0-unstable-2021-01-20";
pyproject = true;
src = fetchFromGitHub {
owner = "nix-community";
repo = "nixos-modules-contrib";
rev = "81a1c2ef424dcf596a97b2e46a58ca73a1dd1ff8";
hash = "sha256-/RSStpkAxWpUB5saQ8CmQZljFjJyUMOrR1+GiHJR2Tg=";
};
postPatch = ''
substituteInPlace pyproject.toml \
--replace poetry.masonry.api poetry.core.masonry.api \
--replace "poetry>=" "poetry-core>="
'';
nativeBuildInputs = [
poetry-core
];
buildInputs = [
nixops
];
pythonImportsCheck = [ "nixos_modules_contrib" ];
passthru.updateScript = unstableGitUpdater { };
meta = with lib; {
description = "Useful NixOS modules which may not belong in the Nixpkgs repository itself";
homepage = "https://github.com/nix-community/nixos-modules-contrib";
license = licenses.lgpl3;
maintainers = [ ];
};
}


@@ -0,0 +1,76 @@
{
lib,
buildPythonApplication,
fetchFromGitHub,
unstableGitUpdater,
poetry-core,
sphinx,
pluggy,
prettytable,
typeguard,
typing-extensions,
nixosTests,
}:
buildPythonApplication rec {
pname = "nixops";
version = "1.7-unstable-2024-02-28";
pyproject = true;
src = fetchFromGitHub {
owner = "NixOS";
repo = "nixops";
rev = "08feccb14074c5434f3e483d19a7f7d9bfcdb669";
hash = "sha256-yWeF5apQJdChjYVSOyH6LYjJYGa1RL68LRHrSgZ9l8U=";
};
postPatch = ''
substituteInPlace pyproject.toml --replace-fail \
'include = ["nix/*.nix", "nixops/py.typed" ]' \
'include = [ { path = "nix/*.nix", format = "wheel" }, { path = "nixops/py.typed", format = "wheel" } ]'
substituteInPlace nixops/args.py --replace-fail "@version@" "${version}-pre-${
lib.substring 0 7 src.rev or "dirty"
}"
'';
nativeBuildInputs = [
poetry-core
sphinx
];
propagatedBuildInputs = [
pluggy
prettytable
typeguard
typing-extensions
];
postInstall = ''
doc_cache=$(mktemp -d)
sphinx-build -b man -d $doc_cache doc/ $out/share/man/man1
html=$(mktemp -d)
sphinx-build -b html -d $doc_cache doc/ $out/share/nixops/doc
'';
pythonImportsCheck = [ "nixops" ];
passthru = {
tests.nixos = nixosTests.nixops.unstable;
updateScript = unstableGitUpdater {
tagPrefix = "v";
};
};
meta = with lib; {
description = "Tool for deploying to NixOS machines in a network or cloud";
homepage = "https://github.com/NixOS/nixops";
license = licenses.lgpl3Only;
maintainers = with lib.maintainers; [
aminechikhaoui
roberth
];
platforms = lib.platforms.unix;
mainProgram = "nixops";
};
}
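Review bot: In `postInstall`, `html=$(mktemp -d)` creates a temporary directory that is never referenced. The HTML build writes to `$out/share/nixops/doc` and reuses `$doc_cache`, so the line can be dropped. While touching it, quote the expansions, e.g. `sphinx-build -b man -d "$doc_cache" doc/ "$out/share/man/man1"`.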


@@ -0,0 +1,114 @@
{
lib,
buildGoModule,
buildGo124Module,
fetchFromGitHub,
nixosTests,
installShellFiles,
}:
let
generic =
{
buildGoModule,
version,
hash,
vendorHash,
license,
...
}@attrs:
let
attrs' = removeAttrs attrs [
"buildGoModule"
"version"
"hash"
"vendorHash"
"license"
];
in
buildGoModule (
rec {
pname = "nomad";
inherit version vendorHash;
subPackages = [ "." ];
src = fetchFromGitHub {
owner = "hashicorp";
repo = "nomad";
rev = "v${version}";
inherit hash;
};
# Nomad requires Go 1.24.6, but nixpkgs doesn't have it in unstable yet.
postPatch = ''
substituteInPlace go.mod \
--replace-warn "go 1.24.6" "go 1.24.5"
'';
nativeBuildInputs = [ installShellFiles ];
ldflags = [
"-X github.com/hashicorp/nomad/version.Version=${version}"
"-X github.com/hashicorp/nomad/version.VersionPrerelease="
"-X github.com/hashicorp/nomad/version.BuildDate=1970-01-01T00:00:00Z"
];
# ui:
# Nomad release commits include the compiled version of the UI, but the file
# is only included if we build with the ui tag.
tags = [ "ui" ];
postInstall = ''
echo "complete -C $out/bin/nomad nomad" > nomad.bash
installShellCompletion nomad.bash
'';
meta = with lib; {
homepage = "https://developer.hashicorp.com/nomad";
description = "Distributed, Highly Available, Datacenter-Aware Scheduler";
mainProgram = "nomad";
inherit license;
maintainers = with maintainers; [
rushmorem
techknowlogick
cottand
];
};
}
// attrs'
);
in
rec {
# Nomad never updates major go versions within a release series and is unsupported
# on Go versions that it did not ship with. Due to historic bugs when compiled
# with different versions we pin Go for all versions.
# Upstream partially documents used Go versions here
# https://github.com/hashicorp/nomad/blob/master/contributing/golang.md
nomad = nomad_1_10;
nomad_1_10 = generic {
buildGoModule = buildGo124Module;
version = "1.10.5";
hash = "sha256-NFH++oYWb6vQN6cOPByscI/ZBWDNy4YbcLiBMO3/jVU=";
vendorHash = "sha256-QcTw9kKwoHIvXZoxfDohFG+sBs8OLvYPeygygDClsn8=";
license = lib.licenses.bsl11;
passthru.tests.nomad = nixosTests.nomad;
preCheck = ''
export PATH="$PATH:$NIX_BUILD_TOP/go/bin"
'';
};
nomad_1_9 = generic {
buildGoModule = buildGo124Module;
version = "1.9.7";
hash = "sha256-U02H6DPr1friQ9EwqD/wQnE2Fm20OE5xNccPDJfnsqI=";
vendorHash = "sha256-9GnwqkexJAxrhW9yJFaDTdSaZ+p+/dcMuhlusp4cmyw=";
license = lib.licenses.bsl11;
passthru.tests.nomad = nixosTests.nomad;
preCheck = ''
export PATH="$PATH:$NIX_BUILD_TOP/go/bin"
'';
};
}
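Review bot: The `postPatch` in `generic` rewrites the `go` directive in `go.mod` from 1.24.6 to 1.24.5, so nomad is built with an older Go patch release than upstream declares as its minimum. Go patch releases usually carry security and bug fixes, so this downgrade should be explicitly temporary. I would extend the comment with a removal condition, e.g. `# TODO: drop this substitution once buildGo124Module provides Go >= 1.24.6`. Because it uses `--replace-warn` and is shared by `nomad_1_10` and `nomad_1_9`, a release whose `go.mod` names a different version only produces a warning, and nothing fails once the toolchain catches up. It is also replaced wholesale if a caller passes its own `postPatch`, since `attrs'` is merged last.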


@@ -0,0 +1,138 @@
{
"images-calico-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-calico.linux-amd64.tar.gz",
"sha256": "7993ac9ba2faead011abdc06ab50842abf124ab260fb666d8e3f02b8e7f127e3"
},
"images-calico-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-calico.linux-amd64.tar.zst",
"sha256": "eecb7dcd5026bbc6e9927fc6c7bf3fc3e882f57006b314e13616fbdb22b6ecca"
},
"images-calico-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-calico.linux-arm64.tar.gz",
"sha256": "4aeb703f4b4051ca34aa034e933a967e316cc1d061d874ab656c4d6415abebcb"
},
"images-calico-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-calico.linux-arm64.tar.zst",
"sha256": "cd67c5182564ed2db427fa023613a53d84188338760f27efeab8908e4639b13b"
},
"images-canal-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-canal.linux-amd64.tar.gz",
"sha256": "1ba140457141372eaf757cf7a60996343188f53cabb61fc9fd4156a20f2f0245"
},
"images-canal-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst",
"sha256": "ce90fcc460c45a6e3f36d21889c8b658d64dafc51101af86c2e14d0a9f119203"
},
"images-canal-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-canal.linux-arm64.tar.gz",
"sha256": "bab5e11c3b5d826fdd494424fda237b15495ffc8383d52c3d35626ef0df6d0d1"
},
"images-canal-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-canal.linux-arm64.tar.zst",
"sha256": "12f1a513d58f7e5f60df5735b77bd950b51413875e3950052f8d35f2c39d5cd2"
},
"images-cilium-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-cilium.linux-amd64.tar.gz",
"sha256": "3c497fccdf586fadba9a737fa430f520448088a770f9f0eaa044bfba332ee06c"
},
"images-cilium-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-cilium.linux-amd64.tar.zst",
"sha256": "095d379b88e9b012be66f5f61fd6fc8de9247a9db8d4aed2aa532cf711c67768"
},
"images-cilium-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-cilium.linux-arm64.tar.gz",
"sha256": "0adfa32fc377386527bbfa9491538f02e1da8e96cdd53ecf624b99f9776eb817"
},
"images-cilium-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-cilium.linux-arm64.tar.zst",
"sha256": "af6c6cd6d3b4171b0df9926f418f15907f63d4ae1447c0c88d214994fd5ae7ce"
},
"images-core-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-core.linux-amd64.tar.gz",
"sha256": "55eba7fd7e4d5b30cc4c1702c71776d5e35928a42521cc813672d087af3e66ef"
},
"images-core-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-core.linux-amd64.tar.zst",
"sha256": "5b9077b87c28f66e4405d4b9af964d062da7dec9a70c359ca5cd8b74757224fb"
},
"images-core-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-core.linux-arm64.tar.gz",
"sha256": "5ccfcf9b3842c9ffb8d965e34582b2afdc6004c69f2b134c82a460fd3aa2a113"
},
"images-core-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-core.linux-arm64.tar.zst",
"sha256": "a023f4d48fb4fbafa91aa3876d676f6ab3abd127fac2304e44685a2400d6d6d7"
},
"images-flannel-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-flannel.linux-amd64.tar.gz",
"sha256": "33adefa0c3b50f149aaff7df57a8230b754a603f424169c1542ddfdbbe587120"
},
"images-flannel-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-flannel.linux-amd64.tar.zst",
"sha256": "a2225caa30236c096c65a0c5851e6589f0210fd67869ff28a44e27924473274a"
},
"images-flannel-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-flannel.linux-arm64.tar.gz",
"sha256": "20ac728e807a36f2e3f9b36208bb8ad9ef5919e2b8102b03bac08162b40cc777"
},
"images-flannel-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-flannel.linux-arm64.tar.zst",
"sha256": "d10f1489a5e0a2e219c4b2f83405e98f28992771394ed462f5c9fe4185361b29"
},
"images-harvester-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-harvester.linux-amd64.tar.gz",
"sha256": "5691cd67f3ac5f9335cacaabf94bf5ead3cf7816a46fbc6f2b14817236b7f38e"
},
"images-harvester-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-harvester.linux-amd64.tar.zst",
"sha256": "f174710df0079872230f0b69919679767005daad7858c34276ca1bed95c88eb4"
},
"images-harvester-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-harvester.linux-arm64.tar.gz",
"sha256": "6f916cb1315ca6e1985e2cd4cc9ea64d5ee667949d693c82c99b8bd242fa57aa"
},
"images-harvester-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-harvester.linux-arm64.tar.zst",
"sha256": "56431730158442f0d78a18c1a481fc0fb2c482e677e296fd45c54a7b16587ae7"
},
"images-multus-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-multus.linux-amd64.tar.gz",
"sha256": "880e2ef4894556fedb072eb6b712aafe4a49043a5d32d25a909ccf27e34e544f"
},
"images-multus-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-multus.linux-amd64.tar.zst",
"sha256": "9fe435e7a1864204b30eb11b7df93c26db96cc818964b150857c8e064140c018"
},
"images-multus-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-multus.linux-arm64.tar.gz",
"sha256": "334a1e74320d6784c3b3604c3eadc0639706bf974649f0394a46d0b395bbbd2f"
},
"images-multus-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-multus.linux-arm64.tar.zst",
"sha256": "b8d0c3e00bf59bb1f2207b520c0e52861d6b3b1f10b45d56151b4e5f7dc233ee"
},
"images-traefik-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-traefik.linux-amd64.tar.gz",
"sha256": "a40db73b00ce9644e248a9f6f41c2815cf966540baf56da8c67b3014ccdc571f"
},
"images-traefik-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-traefik.linux-amd64.tar.zst",
"sha256": "9cf68a34212c9f7b466927fd275bab277eb9d8e7c361228986658d2385050452"
},
"images-traefik-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-traefik.linux-arm64.tar.gz",
"sha256": "f1d2b155a18d67f8ef4a643635f7727c2e2b686cd727582d387d288788b3740b"
},
"images-traefik-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-traefik.linux-arm64.tar.zst",
"sha256": "4555469992095c312d3de159779d69e4d6d407c4c97f3ae9e991cdd8de506816"
},
"images-vsphere-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.gz",
"sha256": "e1e22a0b222d9cbbb86f19d7eb6d7aca9991176fd4ab778c56c266d71e208507"
},
"images-vsphere-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.30.11%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.zst",
"sha256": "1627e7b87b5c69cb8697e7b157615ab9e1c8b1f4a6a31091ea68de39d275beb7"
}
}


@@ -0,0 +1,12 @@
{
rke2Version = "1.30.11+rke2r1";
rke2Commit = "406a7f6db944b045d8d3ba871b2481b2ebb3f68f";
rke2TarballHash = "sha256-j3Pp+YYS3j0noJ7K1Ub2tNL5JfQyvVgYVck1TCvQq/w=";
rke2VendorHash = "sha256-RiJd4OS0gPICHzcv5brsxwl6FPqlt+HXYWI4xlFXLNU=";
k8sImageTag = "v1.30.11-rke2r1-build20250312";
etcdVersion = "v3.5.19-k3s1-build20250306";
pauseVersion = "3.6";
ccmVersion = "v1.30.6-0.20241016053533-5ec454f50e7a-build20241016";
dockerizedVersion = "v1.30.11-rke2r1";
imagesVersions = with builtins; fromJSON (readFile ./images-versions.json);
}


@@ -0,0 +1,138 @@
{
"images-calico-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-calico.linux-amd64.tar.gz",
"sha256": "c10f3cc19a37702666270c30f4e42696b054e63c9f0d23d02404905a90036c8b"
},
"images-calico-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-calico.linux-amd64.tar.zst",
"sha256": "6ba63ee01aa9f4e5d07dfc3f02a9665961cac47e5ff5121edb5c3c55cdef1989"
},
"images-calico-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-calico.linux-arm64.tar.gz",
"sha256": "d615557c7ed58155e2cbda620465635d7f6b4297660a83458b37cac3fddc5b52"
},
"images-calico-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-calico.linux-arm64.tar.zst",
"sha256": "473582b2f3e2cb0b55fb6477c24d4fe5dd1ea965c8445d8ffe91a9a5a08ea5e6"
},
"images-canal-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-canal.linux-amd64.tar.gz",
"sha256": "b0a5e0f80d8d10604a00d73462f0a5792c9a9fa7e4a236243121804c5adfc48f"
},
"images-canal-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst",
"sha256": "1999d5d42397f6c78a55f79c6b3ddc7f91dd50d1038206d5c513c8691cce1b67"
},
"images-canal-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-canal.linux-arm64.tar.gz",
"sha256": "c431bc15cc130222a31a5edf5bbc5600bb4fb28ebd4c2aaa040cdac51d909dbb"
},
"images-canal-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-canal.linux-arm64.tar.zst",
"sha256": "203eff3588c6be74834d2f9f96d39285c8b3fa447f6e3a656250e05d9592d3c7"
},
"images-cilium-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-cilium.linux-amd64.tar.gz",
"sha256": "7b62e18e0235c6af0f1215235352a493fc535904e3302c7794cdb88a281d581b"
},
"images-cilium-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-cilium.linux-amd64.tar.zst",
"sha256": "19dedf7d67b3d54519ae9c458e1b3a67535a282ba3ecb40d23352239f90a8146"
},
"images-cilium-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-cilium.linux-arm64.tar.gz",
"sha256": "dc6d06744322dd8750efffba82914ee7dbb76d22762248fbdae77941ca38ebb5"
},
"images-cilium-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-cilium.linux-arm64.tar.zst",
"sha256": "10e4b6ba4ef381e0cd95be4a37df7a090956334459d00a54de5559fdb73ed9fd"
},
"images-core-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-core.linux-amd64.tar.gz",
"sha256": "a5e3bd13c6ebeca25e203a84749ee76c62eb7fcab271cf4ecebd4b3448bec47e"
},
"images-core-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-core.linux-amd64.tar.zst",
"sha256": "6c18213b9cf97623bcc418c56b167e1b67187abefe6699ce6756245b3daf28e0"
},
"images-core-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-core.linux-arm64.tar.gz",
"sha256": "37118c56b2b6064a5496a807a4c9cef9622e5c31dc13e4a1486e7879f290d71f"
},
"images-core-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-core.linux-arm64.tar.zst",
"sha256": "d935a702d14e05c9571dfbd7f0010f229640c23140d44110e1b9de01465a825f"
},
"images-flannel-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-flannel.linux-amd64.tar.gz",
"sha256": "e1454cfbeb79a2ee467a0f822ca19f45ab7fbdb9842709153b1383537206b2a6"
},
"images-flannel-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-flannel.linux-amd64.tar.zst",
"sha256": "84f1d386437bd0070e70632da6575e461dbe695b269c8638f9a3f6545fdab8c1"
},
"images-flannel-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-flannel.linux-arm64.tar.gz",
"sha256": "091decc4ca3352f79372c6ca66cb972c9eab0b30f0c93f932676faa6f09323de"
},
"images-flannel-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-flannel.linux-arm64.tar.zst",
"sha256": "76d38238a2c40acc3075d7c9ceb6ae045cf24d7a8fefff7af39cf495720c8445"
},
"images-harvester-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-harvester.linux-amd64.tar.gz",
"sha256": "e676d8f1f5ffe7614c1d920ee90e1186ed7176105e3cde21f7f11afd4aa5b78d"
},
"images-harvester-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-harvester.linux-amd64.tar.zst",
"sha256": "5425055034714708e49e32b2bd1cf2b7aa5e4af7fea193c6689034a50521c7d7"
},
"images-harvester-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-harvester.linux-arm64.tar.gz",
"sha256": "e43895b604b7090ff32b21bf91dbd0167ea9b6f16f35e9c8dc531333523f617a"
},
"images-harvester-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-harvester.linux-arm64.tar.zst",
"sha256": "707589c7bfc89d60ee143192b635ed77fb3e9f15267626a6b527bbefc89b4750"
},
"images-multus-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-multus.linux-amd64.tar.gz",
"sha256": "cd42054b9a7fb1ebfaed757f074822f61f1ccb87bd18236822e9f4cfcd1bb137"
},
"images-multus-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-multus.linux-amd64.tar.zst",
"sha256": "a463a8262063e875cd0469ae347963e25d3bf60446bb57ec1fdd854d966f8c66"
},
"images-multus-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-multus.linux-arm64.tar.gz",
"sha256": "aa0f48a9c78f10f041d49dccefcd6d38bf96d78b8dbeee0aea439264ee1e13f9"
},
"images-multus-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-multus.linux-arm64.tar.zst",
"sha256": "4e586d06fcee46b38a2cec900ae3c98743cc1c12896d690b53e41e2112cc8315"
},
"images-traefik-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-traefik.linux-amd64.tar.gz",
"sha256": "7b4b0b183ade57a0ad59c84337b8ffa6b883b29da51685e166e5b8eb2016c03a"
},
"images-traefik-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-traefik.linux-amd64.tar.zst",
"sha256": "c3b91061a1cae5972cd5c70203cc65254192f2839059e49b17b2707fc88865f6"
},
"images-traefik-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-traefik.linux-arm64.tar.gz",
"sha256": "9481a4840b903bf3d5e02b011e59006e5f09a98d3459584c9b5616311a0ea594"
},
"images-traefik-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-traefik.linux-arm64.tar.zst",
"sha256": "f20f33dba9454912688f4ae511ed6df050b6e5a1fae8887ec5d5d525aefc3c03"
},
"images-vsphere-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.gz",
"sha256": "aa056d8f9c6094c7afa853e5cd9d83f600307a90e7bafaf32d254ce401ede328"
},
"images-vsphere-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.31.11%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.zst",
"sha256": "2a1eb46396f6b88cf4a285d8fca2b8098b69dbc5d8a8f62ce5b5916a88b49938"
}
}


@@ -0,0 +1,12 @@
{
rke2Version = "1.31.11+rke2r1";
rke2Commit = "48500b495b74b976f07ebd07a643e40e6c89f355";
rke2TarballHash = "sha256-JPoeNB9jM4h+K5vKWi2KQfPJPTUftxwXYJY6eZN50Zs=";
rke2VendorHash = "sha256-CxNo9HcxuSS0LWawefF0VbtMDofQUzoCzTfBhWAUVrc=";
k8sImageTag = "v1.31.11-rke2r1-build20250716";
etcdVersion = "v3.5.21-k3s1-build20250612";
pauseVersion = "3.6";
ccmVersion = "v1.31.9-rc1.0.20250516171836-812206503b28-build20250612";
dockerizedVersion = "v1.31.11-rke2r1";
imagesVersions = with builtins; fromJSON (readFile ./images-versions.json);
}


@@ -0,0 +1,138 @@
{
"images-calico-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-calico.linux-amd64.tar.gz",
"sha256": "366067329c363a39a6be97d4c656e99c0635ec6405ee3b646edb5cc8293b112c"
},
"images-calico-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-calico.linux-amd64.tar.zst",
"sha256": "7414bd697172e552ab5e9e03c372bda45175830e342894cd9e563f7a97e00b83"
},
"images-calico-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-calico.linux-arm64.tar.gz",
"sha256": "382befa013b6c54f3f71da9e605f0e43424571d8fb46345f01d14e0839ea8fee"
},
"images-calico-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-calico.linux-arm64.tar.zst",
"sha256": "19456c1a101869d52cdf80e90511f37819dc6e689ef3866cef5a2bcb5dae7b02"
},
"images-canal-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-canal.linux-amd64.tar.gz",
"sha256": "a40740b169ba7aec34429468514020474a42572bed528f5e1116489d82959055"
},
"images-canal-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-canal.linux-amd64.tar.zst",
"sha256": "7d7326ccd8fc25005817768fba012e90afc16c7e017931b1305a5545fe3dfad4"
},
"images-canal-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-canal.linux-arm64.tar.gz",
"sha256": "cc4d0f98a24b073927f400baeb6f48465800a95922d9e0a35dd3a2431d3032ca"
},
"images-canal-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-canal.linux-arm64.tar.zst",
"sha256": "75f217b08f716c37e9ae7f44cfd089a055481e9c949e4086496bee4b49c06fc9"
},
"images-cilium-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-cilium.linux-amd64.tar.gz",
"sha256": "d0a8c10104ef59304914400d6a1b8db34677277fb36514736a966662ea5398a0"
},
"images-cilium-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-cilium.linux-amd64.tar.zst",
"sha256": "f65f708ef3c5cca7db10e15981c1151c419ed8685d978b988d73773baae68a48"
},
"images-cilium-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-cilium.linux-arm64.tar.gz",
"sha256": "b53ec98e53a5777f72317abdd4babd9f6b28e42e3e85598cdd464d5527034f64"
},
"images-cilium-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-cilium.linux-arm64.tar.zst",
"sha256": "3c9e19a1dc354fbf0d9ec069696acd7948b132b68f426c9a3e0fd4e1a01d2fdf"
},
"images-core-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-core.linux-amd64.tar.gz",
"sha256": "e8153376693e466de9601d732487187eea8a1512d11c5a42775f042f940ff791"
},
"images-core-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-core.linux-amd64.tar.zst",
"sha256": "824f2b42e9c67828df7c33d98d518f6d77ecaae82cd7a33a2788b55b54d83a85"
},
"images-core-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-core.linux-arm64.tar.gz",
"sha256": "d10a37ec1573cfd7bb5e201a7e54a2dac66591de7d5b81062d9a75443ab19d8f"
},
"images-core-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-core.linux-arm64.tar.zst",
"sha256": "b9305118151cefe643c248a314c73e5e89c98cc7d48c072a1e3f8dc0dc45c9b9"
},
"images-flannel-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-flannel.linux-amd64.tar.gz",
"sha256": "5d9721ceb39d454315857b04e73494614f53313ccbfc450da504149336040857"
},
"images-flannel-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-flannel.linux-amd64.tar.zst",
"sha256": "972f09eee4d3b235196eb2e5ffb113e575c0e9b3f708b18c9c4e7dad9be13847"
},
"images-flannel-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-flannel.linux-arm64.tar.gz",
"sha256": "8d8240574c418cdfeec98f217b1fe265c28fea70b9cb8eb6d14b82aa29f368c3"
},
"images-flannel-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-flannel.linux-arm64.tar.zst",
"sha256": "5aa010ddd7213341050662e59bfeb1264fd8c5a73ff05119926e95a81fc11055"
},
"images-harvester-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-harvester.linux-amd64.tar.gz",
"sha256": "64dc08e0cfd53a6c1629360b1b61800c79df5bb73e5c0d338b7b295c768f59dd"
},
"images-harvester-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-harvester.linux-amd64.tar.zst",
"sha256": "6bec961937ddb448e23f2296f19031892ea1511e84f4e55618a223c17d30e41c"
},
"images-harvester-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-harvester.linux-arm64.tar.gz",
"sha256": "cfe1da61b27791b3e539054481caae1348879beb9b8c136d2454efc251772805"
},
"images-harvester-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-harvester.linux-arm64.tar.zst",
"sha256": "c7b660e9fd0a5f9b72e8bee2046fa56fa96c6619c188ecb5dd6960f7b9e6fcfb"
},
"images-multus-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-multus.linux-amd64.tar.gz",
"sha256": "3479003417146e9759e12e6182ba89f65049d0cdcf2f8243568f353be8b133ea"
},
"images-multus-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-multus.linux-amd64.tar.zst",
"sha256": "773a93fbc333911be9e1d090c4fb2d955cf97d271465038725f999aef3349338"
},
"images-multus-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-multus.linux-arm64.tar.gz",
"sha256": "0bdd2f1d4a50bd5d4f467864d78eaf9949b3959c307723810e0fdfb552dc42ae"
},
"images-multus-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-multus.linux-arm64.tar.zst",
"sha256": "279e47d00d114af8ac80dd0fab3723414bd2623939edc4ea57c39a8dab8146b6"
},
"images-traefik-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-traefik.linux-amd64.tar.gz",
"sha256": "5e0823cfa2dd98005fabfbfc299e453e01f4d2202ddba88df1281dfee2c03673"
},
"images-traefik-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-traefik.linux-amd64.tar.zst",
"sha256": "58c2b4fa7c51e5ed3794fcc44b719b071be0c3909c43eee3262447309da5d631"
},
"images-traefik-linux-arm64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-traefik.linux-arm64.tar.gz",
"sha256": "5a8bce4b36d32cf3379aced5097c7a518af155a61d382af79d46548f9c3e50cd"
},
"images-traefik-linux-arm64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-traefik.linux-arm64.tar.zst",
"sha256": "c6c6138940350e1cc1e5031fd509956a66f6b3615020a25082489af4c7c0ee5e"
},
"images-vsphere-linux-amd64-tar-gz": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.gz",
"sha256": "ed78e035f96b518e5b4fac85183855c61b969af542c7d0670b1847dd36c8cf6d"
},
"images-vsphere-linux-amd64-tar-zst": {
"url": "https://github.com/rancher/rke2/releases/download/v1.32.3%2Brke2r1/rke2-images-vsphere.linux-amd64.tar.zst",
"sha256": "020908204aeb40e64bd7b28281be2c7bb70d2c37d9ecbdbe2d5c01e4e52f77a5"
}
}


@@ -0,0 +1,12 @@
{
rke2Version = "1.32.3+rke2r1";
rke2Commit = "18005e93ee0b015b78be47cf6515ae6d3a9afd55";
rke2TarballHash = "sha256-rDqSq38WoNN+9dMPTg/iteqkfX/pnlRtzt1HmhkAbRI=";
rke2VendorHash = "sha256-GwwNXW4JmhvO47V9SysOiKTfK2z55PkWpTDUE2qJgpA=";
k8sImageTag = "v1.32.3-rke2r1-build20250312";
etcdVersion = "v3.5.19-k3s1-build20250306";
pauseVersion = "3.6";
ccmVersion = "v1.32.0-rc3.0.20241220224140-68fbd1a6b543-build20250101";
dockerizedVersion = "v1.32.3-rke2r1";
imagesVersions = with builtins; fromJSON (readFile ./images-versions.json);
}


@@ -0,0 +1,42 @@
# RKE2 Version
RKE2, Kubernetes, and other clustered software has the property of not being able to update
atomically. Most software in nixpkgs, like for example bash, can be updated as part of a
`nixos-rebuild switch` without having to worry about the old and the new bash interacting in some
way. RKE2/Kubernetes, on the other hand, is typically run across several machines, and each machine
is updated independently. As such, different versions of the package and NixOS module must maintain
compatibility with each other through temporary version skew during updates. The upstream Kubernetes
project documents this in their
[version-skew policy](https://kubernetes.io/releases/version-skew-policy/#supported-component-upgrade-order).
Within nixpkgs, we strive to maintain a valid "upgrade path" that does not run afoul of the upstream
version skew policy.
> [!NOTE]
> Upgrade the server nodes first, one at a time. Once all servers have been upgraded, you may then
> upgrade agent nodes.
## Release Channels
RKE2 has two named release channels, i.e. `stable` and `latest`. Additionally, there exists a
release channel tied to each Kubernetes minor version, e.g. `v1.32`.
Nixpkgs follows active minor version release channels (typically 4 at a time) and sets aliases for
`rke2_stable` and `rke2_latest` accordingly.
Patch releases should be backported to the latest stable release branch; however, new minor
versions are not backported.
For further information visit the
[RKE2 release channels documentation](https://docs.rke2.io/upgrades/manual_upgrade?_highlight=manua#release-channels).
## EOL Versions
Approximately every 4 months a minor RKE2 version reaches EOL. EOL versions should be removed from
`nixpkgs-unstable`, preferably by throwing with an explanatory message in
`pkgs/top-level/aliases.nix`. With stable releases, however, it isn't expected that packages will be
removed. Instead we set `meta.knownVulnerabilities` for stable EOL packages, like it is also done
for EOL JDKs, browser engines, Node.js versions, etc.
For further information on the RKE2 lifecycle, see the
[SUSE Product Support Lifecycle page](https://www.suse.com/lifecycle#rke2).


@@ -0,0 +1,167 @@
lib:
{
rke2Version,
rke2Commit,
rke2TarballHash,
rke2VendorHash,
updateScript,
k8sImageTag,
etcdVersion,
pauseVersion,
ccmVersion,
dockerizedVersion,
imagesVersions,
}:
# Build dependencies
{
lib,
stdenv,
buildGoModule,
go,
makeWrapper,
fetchzip,
fetchurl,
# Runtime dependencies
procps,
coreutils,
util-linux,
ethtool,
socat,
iptables,
bridge-utils,
iproute2,
kmod,
lvm2,
# Killall Script dependencies
systemd,
gnugrep,
gnused,
# Testing dependencies
nixosTests,
testers,
}:
buildGoModule (finalAttrs: {
pname = "rke2";
version = rke2Version;
src = fetchzip {
url = "https://github.com/rancher/rke2/archive/refs/tags/v${rke2Version}.tar.gz";
hash = "${rke2TarballHash}";
};
vendorHash = rke2VendorHash;
nativeBuildInputs = [ makeWrapper ];
# Important utilities used by the kubelet.
# See: https://github.com/kubernetes/kubernetes/issues/26093#issuecomment-237202494
# Notice the list in that issue is stale, but as a redundancy reservation.
buildInputs = [
procps # pidof pkill
coreutils # uname touch env nice du
util-linux # lsblk fsck mkfs nsenter mount umount
ethtool # ethtool
socat # socat
iptables # iptables iptables-restore iptables-save
bridge-utils # brctl
iproute2 # ip tc
kmod # modprobe
lvm2 # dmsetup
];
# Passing boringcrypto to GOEXPERIMENT variable to build with goboring library
GOEXPERIMENT = "boringcrypto";
# See: https://github.com/rancher/rke2/blob/e7f87c6dd56fdd76a7dab58900aeea8946b2c008/scripts/build-binary#L27-L38
ldflags = [
"-w"
"-X github.com/k3s-io/k3s/pkg/version.GitCommit=${lib.substring 0 6 rke2Commit}"
"-X github.com/k3s-io/k3s/pkg/version.Program=${finalAttrs.pname}"
"-X github.com/k3s-io/k3s/pkg/version.Version=v${finalAttrs.version}"
"-X github.com/k3s-io/k3s/pkg/version.UpstreamGolang=go${go.version}"
"-X github.com/rancher/rke2/pkg/images.DefaultRegistry=docker.io"
"-X github.com/rancher/rke2/pkg/images.DefaultEtcdImage=rancher/hardened-etcd:${etcdVersion}"
"-X github.com/rancher/rke2/pkg/images.DefaultKubernetesImage=rancher/hardened-kubernetes:${k8sImageTag}"
"-X github.com/rancher/rke2/pkg/images.DefaultPauseImage=rancher/mirrored-pause:${pauseVersion}"
"-X github.com/rancher/rke2/pkg/images.DefaultRuntimeImage=rancher/rke2-runtime:${dockerizedVersion}"
"-X github.com/rancher/rke2/pkg/images.DefaultCloudControllerManagerImage=rancher/rke2-cloud-provider:${ccmVersion}"
];
tags = [
"no_cri_dockerd"
"no_embedded_executor"
"no_stage"
"sqlite_omit_load_extension"
"selinux"
"netgo"
"osusergo"
];
subPackages = [ "." ];
installPhase = ''
install -D $GOPATH/bin/rke2 $out/bin/rke2
wrapProgram $out/bin/rke2 \
--prefix PATH : ${lib.makeBinPath finalAttrs.buildInputs}
install -D ./bundle/bin/rke2-killall.sh $out/bin/rke2-killall.sh
wrapProgram $out/bin/rke2-killall.sh \
--prefix PATH : ${
lib.makeBinPath [
systemd
gnugrep
gnused
]
} \
--prefix PATH : ${lib.makeBinPath finalAttrs.buildInputs}
'';
doCheck = false;
doInstallCheck = true;
installCheckPhase = ''
runHook preInstallCheck
# Verify that the binary uses BoringCrypto
go tool nm $out/bin/.rke2-wrapped | grep '_Cfunc__goboringcrypto_' > /dev/null
runHook postInstallCheck
'';
passthru = {
inherit updateScript;
tests =
let
moduleTests =
let
package_version =
"rke2_" + lib.replaceStrings [ "." ] [ "_" ] (lib.versions.majorMinor rke2Version);
in
lib.mapAttrs (name: value: nixosTests.rke2.${name}.${package_version}) nixosTests.rke2;
in
{
version = testers.testVersion {
package = finalAttrs.finalPackage;
version = "v${finalAttrs.version}";
};
}
// moduleTests;
}
// (lib.mapAttrs (_: value: fetchurl value) imagesVersions);
meta = {
homepage = "https://github.com/rancher/rke2";
description = "Rancher's next-generation Kubernetes distribution, also known as RKE Government";
changelog = "https://github.com/rancher/rke2/releases/tag/v${finalAttrs.version}";
license = lib.licenses.asl20;
maintainers = with lib.maintainers; [
rorosen
zimbatm
zygot
];
mainProgram = "rke2";
platforms = lib.platforms.linux;
};
})
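Review bot: The `ldflags` list should carry a comment saying why `-s` is left out, because `installCheckPhase` runs `go tool nm` on `$out/bin/.rke2-wrapped` and greps for `_Cfunc__goboringcrypto_`, which needs the symbol table that `-s` would strip. Something like `# no "-s": installCheckPhase needs the symbol table to confirm the BoringCrypto build` above `"-w"` would keep a later size optimisation from breaking the check that the binary was built with `GOEXPERIMENT=boringcrypto`. The check itself only shows that the symbols are linked in; whether the binary meets any FIPS requirement is not something these lines establish.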


@@ -0,0 +1,41 @@
{ lib, callPackage, ... }@args:
let
common = opts: callPackage (import ./builder.nix lib opts);
extraArgs = removeAttrs args [ "callPackage" ];
in
rec {
rke2_1_30 = common (
(import ./1_30/versions.nix)
// {
updateScript = [
./update-script.sh
"30"
];
}
) extraArgs;
rke2_1_31 = common (
(import ./1_31/versions.nix)
// {
updateScript = [
./update-script.sh
"31"
];
}
) extraArgs;
rke2_1_32 = common (
(import ./1_32/versions.nix)
// {
updateScript = [
./update-script.sh
"32"
];
}
) extraArgs;
# Automatically set by update script
rke2_stable = rke2_1_31;
rke2_latest = rke2_1_32;
}


@@ -0,0 +1,104 @@
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl git gnugrep gnused yq-go nurl go
SHELL_FLAGS=$(set +o)
set -x -eu -o pipefail
MINOR_VERSION="${1:?Must provide a minor version number, like '26', as the only argument}"
WORKDIR=$(cd $(dirname ${BASH_SOURCE[0]}) && pwd -P)
mkdir --parents --verbose "${WORKDIR}/1_${MINOR_VERSION}"
NIXPKGS_ROOT="$(git rev-parse --show-toplevel)/"
OLD_VERSION="$(nix-instantiate --eval -E "(import $NIXPKGS_ROOT. {}).rke2_1_${MINOR_VERSION}.version or \"0\"" | tr -d '"')"
RELEASE_CHANNEL_DATA=$(curl -sS --fail https://update.rke2.io/v1-release/channels | yq ".data[]")
LATEST_TAG_NAME=$(yq -p=json "select(.id == \"v1.$MINOR_VERSION\") | .latest" <<< "$RELEASE_CHANNEL_DATA")
LATEST_RELEASE_VERSION=$(yq -p=json 'select(.id == "latest") | .latest' <<< "$RELEASE_CHANNEL_DATA")
STABLE_RELEASE_VERSION=$(yq -p=json 'select(.id == "stable") | .latest' <<< "$RELEASE_CHANNEL_DATA")
RKE2_VERSION=${LATEST_TAG_NAME/v/}
RKE2_COMMIT=$(curl -sS --fail "https://api.github.com/repos/rancher/rke2/git/refs/tags/${LATEST_TAG_NAME}" | yq '.object.sha')
PREFETCH_META=$(nix-prefetch-url --unpack --print-path "https://github.com/rancher/rke2/archive/refs/tags/${LATEST_TAG_NAME}.tar.gz")
STORE_HASH="$(nix --extra-experimental-features nix-command hash to-sri --type sha256 ${PREFETCH_META%%$'\n'*})"
STORE_PATH="${PREFETCH_META##*$'\n'}"
cd ${STORE_PATH}
# Used in scripts/version.sh
GITHUB_ACTION_TAG=${LATEST_TAG_NAME}
DRONE_COMMIT=${RKE2_COMMIT}
set +u
source scripts/version.sh
set -u
ETCD_BUILD=$(grep "images.DefaultEtcdImage" scripts/build-binary | sed 's/.*-\(build[0-9]*\)$/\1/')
ETCD_VERSION="${ETCD_VERSION}-${ETCD_BUILD}"
cd ${WORKDIR}
FAKE_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
# Get sha256sums for amd64 and arm64
SHA256_AMD64=$(curl -L "https://github.com/rancher/rke2/releases/download/v${RKE2_VERSION}/sha256sum-amd64.txt")
SHA256_ARM64=$(curl -L "https://github.com/rancher/rke2/releases/download/v${RKE2_VERSION}/sha256sum-arm64.txt")
# Merge both sha256sums in a single variable, one entry per line
SHA256_SUMS="$SHA256_AMD64\n$SHA256_ARM64"
# Get a list of images archives that are assets of this release, one entry (name and download_url) per line
IMAGES_ARCHIVES=$(curl "https://api.github.com/repos/rancher/rke2/releases/tags/v${RKE2_VERSION}" | \
# Filter the assets by name, discard .txt files and legacy image archives (e.g. rke2-images.linux-arm64.tar.gz)
jq -r '.assets[] | select(.name | test("^rke2-images-.*\\.tar\\.")) | "\(.name) \(.browser_download_url)"')
# Iterate over all lines of IMAGES_ARCHIVES, pick the appropriate sha256, and create a JSON file
# that can be imported by builder.nix
while read -r name url; do
sha256=$(grep "$name" <<< "$SHA256_SUMS" | cut -d ' ' -f 1)
# Remove the rke2 prefix and replace all dots in $name with hyphens
clean_name=$(sed -e "s/^rke2-//" -e "s/\./-/g" <<< "$name")
jq --null-input --arg name "$clean_name" \
--arg url "$url" \
--arg sha256 "$sha256" \
'{$name: {"url": $url, "sha256": $sha256}}'
done <<<"${IMAGES_ARCHIVES}" | jq --slurp 'reduce .[] as $item ({}; . * $item)' > "${WORKDIR}/1_${MINOR_VERSION}/images-versions.json"
cat << EOF > "${WORKDIR}/1_${MINOR_VERSION}/versions.nix"
{
rke2Version = "${RKE2_VERSION}";
rke2Commit = "${RKE2_COMMIT}";
rke2TarballHash = "${STORE_HASH}";
rke2VendorHash = "${FAKE_HASH}";
k8sImageTag = "${KUBERNETES_IMAGE_TAG}";
etcdVersion = "${ETCD_VERSION}";
pauseVersion = "${PAUSE_VERSION}";
ccmVersion = "${CCM_VERSION}";
dockerizedVersion = "${DOCKERIZED_VERSION}";
imagesVersions = with builtins; fromJSON (readFile ./images-versions.json);
}
EOF
RKE2_VENDOR_HASH=$(nurl -e "(import $NIXPKGS_ROOT. {}).rke2_1_${MINOR_VERSION}.goModules")
if [ -n "${RKE2_VENDOR_HASH:-}" ]; then
sed -i "s#${FAKE_HASH}#${RKE2_VENDOR_HASH}#g" ${WORKDIR}/1_${MINOR_VERSION}/versions.nix
else
echo "Update failed. 'RKE2_VENDOR_HASH' is empty."
exit 1
fi
FILES_CHANGED=("${WORKDIR}/1_${MINOR_VERSION}/versions.nix")
if [ "$LATEST_TAG_NAME" == "$LATEST_RELEASE_VERSION" ]; then
sed -ri "s#^(\s*)rke2_latest = .*;\$#\1rke2_latest = rke2_1_${MINOR_VERSION};#" "${WORKDIR}/default.nix"
FILES_CHANGED+=("${WORKDIR}/default.nix")
elif [ "$LATEST_TAG_NAME" == "$STABLE_RELEASE_VERSION" ]; then
sed -ri "s#^(\s*)rke2_stable = .*;\$#\1rke2_stable = rke2_1_${MINOR_VERSION};#" "${WORKDIR}/default.nix"
FILES_CHANGED+=("${WORKDIR}/default.nix")
fi
# Implement commit
# See: https://nixos.org/manual/nixpkgs/stable/#var-passthru-updateScript-commit
attr_path="rke2_1_${MINOR_VERSION}" \
old_version="${OLD_VERSION}" \
new_version="${RKE2_VERSION}" \
files=[$(printf '"%s",' "${FILES_CHANGED[@]}")] \
yq --null-input -o=json '[{"attrPath": strenv(attr_path), "oldVersion": strenv(old_version), "newVersion": strenv(new_version), "files": env(files)}]'
set +x
eval "$SHELL_FLAGS"
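Review bot: The checksum handling in the image-archive loop can write a missing or wrong `sha256` into `images-versions.json` without stopping. `SHA256_SUMS="$SHA256_AMD64\n$SHA256_ARM64"` joins the two lists with a literal backslash-n rather than a newline, both `sha256sum-*.txt` downloads and the release-assets request use `curl` without `--fail`, and the result of `grep "$name"` (an unanchored regex) is never checked. I would join with `$'\n'`, fetch with `curl -sSfL`, match with `grep -F`, and add `[[ $sha256 =~ ^[0-9a-f]{64}$ ]] || { echo "no checksum for $name" >&2; exit 1; }` before the `jq --null-input` call. `jq` is also used three times but is not in the `nix-shell -p` list on the second line, so the script depends on whatever `jq` is on the caller's PATH.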


@@ -0,0 +1,109 @@
{
lib,
stdenv,
fetchzip,
makeWrapper,
python3,
hadoop,
RSupport ? true,
R,
nixosTests,
}:
let
spark =
{
pname,
version,
hash,
extraMeta ? { },
pysparkPython ? python3,
}:
stdenv.mkDerivation (finalAttrs: {
inherit
pname
version
hash
hadoop
R
pysparkPython
;
inherit (finalAttrs.hadoop) jdk;
src = fetchzip {
url =
"mirror://apache/spark/${pname}-${version}/${pname}-${version}-bin-without-hadoop.tgz";
inherit (finalAttrs) hash;
};
nativeBuildInputs = [ makeWrapper ];
buildInputs =
with finalAttrs;
[
jdk
pysparkPython
]
++ lib.optional RSupport finalAttrs.R;
installPhase = ''
mkdir -p "$out/opt"
mv * $out/
for n in $(find $out/bin -type f -executable ! -name "find-spark-home"); do
wrapProgram "$n" --set JAVA_HOME "${finalAttrs.jdk}" \
--run "[ -z $SPARK_DIST_CLASSPATH ] && export SPARK_DIST_CLASSPATH=$(${finalAttrs.hadoop}/bin/hadoop classpath)" \
${lib.optionalString RSupport ''--set SPARKR_R_SHELL "${finalAttrs.R}/bin/R"''} \
--prefix PATH : "${
lib.makeBinPath ([ finalAttrs.pysparkPython ] ++ (lib.optionals RSupport [ finalAttrs.R ]))
}"
done
ln -s ${finalAttrs.hadoop} "$out/opt/hadoop"
${lib.optionalString RSupport ''ln -s ${finalAttrs.R} "$out/opt/R"''}
'';
passthru = {
tests = nixosTests.spark.default.passthru.override {
sparkPackage = finalAttrs.finalPackage;
};
# Add python packages to PYSPARK_PYTHON
withPythonPackages =
f:
finalAttrs.finalPackage.overrideAttrs (old: {
pysparkPython = old.pysparkPython.withPackages f;
});
};
meta = {
description = "Apache Spark is a fast and general engine for large-scale data processing";
homepage = "https://spark.apache.org/";
sourceProvenance = with lib.sourceTypes; [ binaryBytecode ];
license = lib.licenses.asl20;
platforms = lib.platforms.all;
maintainers = with lib.maintainers; [
thoughtpolice
offline
kamilchm
illustris
];
}
// extraMeta;
});
in
{
# A note on EOL and removing old versions:
# According to spark's versioning policy (https://spark.apache.org/versioning-policy.html),
# minor releases are generally maintained with bugfixes for 18 months. But it doesn't
# make sense to remove a given minor version the moment it crosses this threshold.
# For example, spark 3.3.0 was released on 2022-06-09. It would have to be removed on 2023-12-09 if
# we strictly adhere to the EOL timeline, despite 3.3.4 being released one day before (2023-12-08).
# A better policy is to keep these versions around, and clean up EOL versions just before
# a new NixOS release.
spark_3_5 = spark {
pname = "spark";
version = "3.5.5";
hash = "sha256-vzcWgIfHPhN3nyrxdk3f0p4fW3MpQ+FuEPnWPw0xNPg=";
};
spark_3_4 = spark {
pname = "spark";
version = "3.4.4";
hash = "sha256-GItHmthLhG7y0XSF3QINCyE7wYFb0+lPZmYLUuMa4Ww=";
};
}
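Review bot: The `--run` argument in `installPhase` is a double-quoted bash string, so `$SPARK_DIST_CLASSPATH` and the `$(…/bin/hadoop classpath)` substitution look like they are expanded while the package is being built rather than when the wrapper runs. If so, the generated wrapper contains `[ -z ] && export SPARK_DIST_CLASSPATH=…`, which is always true and overrides a classpath the user has set. Escaping the runtime parts, `--run "[ -z \"\$SPARK_DIST_CLASSPATH\" ] && export SPARK_DIST_CLASSPATH=\$(${finalAttrs.hadoop}/bin/hadoop classpath)"`, keeps the guard meaningful; if computing the classpath at build time is intended, only the test needs escaping.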


@@ -0,0 +1,132 @@
{
lib,
stdenv,
buildGoModule,
fetchFromGitHub,
fetchFromGitLab,
callPackage,
config,
writeShellScript,
cdrtools, # libvirt
}:
let
# Our generic constructor to build new providers.
#
# Is designed to combine with the terraform.withPlugins implementation.
mkProvider = lib.makeOverridable (
{
owner,
repo,
rev,
spdx ? "UNSET",
version ? lib.removePrefix "v" rev,
hash,
vendorHash,
deleteVendor ? false,
proxyVendor ? false,
mkProviderFetcher ? fetchFromGitHub,
mkProviderGoModule ? buildGoModule,
# "https://registry.terraform.io/providers/vancluever/acme"
homepage ? "",
# "registry.terraform.io/vancluever/acme"
provider-source-address ?
lib.replaceStrings [ "https://registry" ".io/providers" ] [ "registry" ".io" ]
homepage,
...
}@attrs:
assert lib.stringLength provider-source-address > 0;
mkProviderGoModule {
pname = repo;
inherit
vendorHash
version
deleteVendor
proxyVendor
;
subPackages = [ "." ];
doCheck = false;
# https://github.com/hashicorp/terraform-provider-scaffolding/blob/a8ac8375a7082befe55b71c8cbb048493dd220c2/.goreleaser.yml
# goreleaser (used for builds distributed via terraform registry) requires that CGO is disabled
env.CGO_ENABLED = 0;
ldflags = [
"-s"
"-w"
"-X main.version=${version}"
"-X main.commit=${rev}"
];
src = mkProviderFetcher {
name = "source-${rev}";
inherit
owner
repo
rev
hash
;
};
meta = {
inherit homepage;
license = lib.getLicenseFromSpdxId spdx;
};
# Move the provider to libexec
postInstall = ''
dir=$out/libexec/terraform-providers/${provider-source-address}/${version}/''${GOOS}_''${GOARCH}
mkdir -p "$dir"
mv $out/bin/* "$dir/terraform-provider-$(basename ${provider-source-address})_${version}"
rmdir $out/bin
'';
# Keep the attributes around for later consumption
passthru = attrs // {
inherit provider-source-address;
updateScript = writeShellScript "update" ''
provider="$(basename ${provider-source-address})"
./pkgs/applications/networking/cluster/terraform-providers/update-provider "$provider"
'';
};
}
);
list = lib.importJSON ./providers.json;
# These providers are managed with the ./update-all script
automated-providers = lib.mapAttrs (_: attrs: mkProvider attrs) list;
# These are the providers that don't fall in line with the default model
special-providers = {
# github api seems to be broken, doesn't just fail to recognize the license, it's ignored entirely.
checkly = automated-providers.checkly.override { spdx = "MIT"; };
gitlab = automated-providers.gitlab.override {
mkProviderFetcher = fetchFromGitLab;
owner = "gitlab-org";
};
# mkisofs needed to create ISOs holding cloud-init data and wrapped to terraform via deecb4c1aab780047d79978c636eeb879dd68630
libvirt = automated-providers.libvirt.overrideAttrs (_: {
propagatedBuildInputs = [ cdrtools ];
});
minio = automated-providers.minio.override { spdx = "AGPL-3.0-only"; };
};
# Put all the providers we not longer support in this list.
removed-providers =
let
archived =
name: date: throw "the ${name} terraform provider has been archived by upstream on ${date}";
removed = name: date: throw "the ${name} terraform provider removed from nixpkgs on ${date}";
in
lib.optionalAttrs config.allowAliases {
_assert = archived "_assert" "2025/10";
azurestack = archived "azurestack" "2025/10";
googleworkspace = archived "googleworkspace" "2025/10";
huaweicloudstack = archived "huaweicloudstack" "2025/10";
metal = archived "metal" "2025/10";
stackpath = archived "stackpath" "2025/10";
vra7 = archived "vra7" "2025/10";
};
# excluding aliases, used by terraform-full
actualProviders = automated-providers // special-providers;
in
actualProviders // removed-providers // { inherit actualProviders mkProvider; }

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,25 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p jq
# shellcheck shell=bash
# Update all providers which have specified provider source address
set -euo pipefail
readarray -t providers < <(
jq -r 'to_entries
| map_values(.value + { alias: .key })
| .[]
| select(."homepage"?)
| .alias' providers.json
)
cat <<EOF
Will update ${#providers[@]} providers:
${providers[*]}
EOF
for provider in "${providers[@]}"; do
./update-provider --no-spdx "$@" "${provider}"
done


@@ -0,0 +1,178 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p coreutils curl git jq moreutils nix nurl
# shellcheck shell=bash
# vim: ft=sh
#
# Update a terraform provider to the latest version advertised at the
# provider source address.
#
set -euo pipefail
shopt -s inherit_errexit
set -x
show_usage() {
cat <<DOC
Usage: ./update-provider [--force] [--no-build] [<owner>/]<provider>
Update a single provider in the providers.json inventory file.
For example to update 'terraform-providers.aws' run:
./update-provider aws
If the provider is not in the list already, use the form '<owner>/<provider>'
to add the provider to the list:
./update-provider hetznercloud/hcloud
Options:
* --force: Force the update even if the version matches.
* --no-build: Don't build provider
DOC
}
build=1
force=
provider=
spdx=1
while [[ $# -gt 0 ]]; do
case "$1" in
-h | --help)
show_usage
exit
;;
--force)
force=1
shift
;;
--no-build)
build=0
shift
;;
--no-spdx)
spdx=0
shift
;;
*)
if [[ -n ${provider} ]]; then
echo "ERROR: provider name was passed two times: '${provider}' and '$1'"
echo "Use --help for more info"
exit 1
fi
provider=$1
shift
;;
esac
done
if [[ -z ${provider} ]]; then
echo "ERROR: No providers specified!"
echo
show_usage
exit 1
fi
# Usage: read_attr <key>
read_attr() {
jq -r ".\"${provider}\".\"$1\"" providers.json
}
# Usage: update_attr <key> <value>
update_attr() {
if [[ $2 == "null" ]]; then
jq -S ".\"${provider}\".\"$1\" = null" providers.json | sponge providers.json
else
jq -S ".\"${provider}\".\"$1\" = \"$2\"" providers.json | sponge providers.json
fi
}
repo_root=$(git rev-parse --show-toplevel)
generate_hash() {
nurl --expr "(import ${repo_root} {}).terraform-providers.${provider}.$1"
}
echo_provider() {
echo "== terraform-providers.${provider}: $* =="
}
is_stable_version() {
[[ $1 =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]
}
pushd "$(dirname "$0")" >/dev/null
if [[ ${provider} =~ ^[^/]+/[^/]+$ ]]; then
homepage="https://registry.terraform.io/providers/${provider}"
provider=$(basename "${provider}")
echo_provider "init"
update_attr homepage "${homepage}"
# create empty stings so nix-prefetch works
update_attr hash ""
update_attr vendorHash ""
update_attr spdx ""
fi
homepage="$(read_attr homepage)"
old_rev="$(read_attr rev)"
registry_response_unstable=$(curl -s "${homepage//providers/v1/providers}")
if is_stable_version "${old_rev}"; then
version_stable=$(jq -r '.versions | map(select(test("^[0-9]+\\.[0-9]+\\.[0-9]+$"))) | last' <<<${registry_response_unstable})
registry_response_stable=$(curl -s "${homepage//providers/v1/providers}/${version_stable}")
rev="$(jq -r '.tag' <<<${registry_response_stable})"
registry_response=$registry_response_stable
else
rev="$(jq -r '.tag' <<<${registry_response_unstable})"
registry_response=$registry_response_unstable
fi
if [[ ${force} != 1 ]]; then
if [[ ${old_rev} == "${rev}" ]]; then
echo_provider "already at version ${rev}"
exit
fi
if [[ ${rev//v/} =~ [[:alpha:]] ]]; then
echo_provider "not updating to unstable version ${rev}"
exit
fi
fi
echo_provider "updating from ${old_rev} to ${rev}"
update_attr rev "${rev}"
provider_source_url="$(jq -r '.source' <<<"${registry_response}")"
org="$(echo "${provider_source_url}" | cut -d '/' -f 4)"
update_attr owner "${org}"
repo="$(echo "${provider_source_url}" | cut -d '/' -f 5)"
update_attr repo "${repo}"
if [[ ${spdx} == 1 ]]; then
old_spdx="$(read_attr spdx)"
if [[ ${old_spdx} != null ]]; then
spdx="$(curl -L -s ${GITHUB_TOKEN:+-u ":${GITHUB_TOKEN}"} "https://api.github.com/repos/${org}/${repo}/license" | jq -r '.license.spdx_id')"
update_attr spdx "${spdx}"
fi
fi
echo_provider "calculating hash"
hash=$(generate_hash src)
update_attr hash "${hash}"
old_vendor_hash="$(read_attr vendorHash)"
if [[ ${old_vendor_hash} != null ]]; then
echo_provider "calculating vendorHash"
vendorHash=$(generate_hash goModules)
update_attr vendorHash "${vendorHash}"
fi
# Check that the provider builds
if [[ ${build} == 1 ]]; then
echo_provider "building"
nix-build --no-out-link "${repo_root}" -A "terraform-providers.${provider}"
fi
popd >/dev/null
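Review bot: With `set -x` active for the whole script, the license lookup `curl -L -s ${GITHUB_TOKEN:+-u ":${GITHUB_TOKEN}"} …` is traced with the token expanded, so the credential ends up in the terminal or CI log of whoever runs the updater. Turn tracing off around that call (`set +x` before, `set -x` after) or drop the global `set -x`. Separately, `update_attr` and `read_attr` splice `${provider}`, the key and the value into the jq program text, and the values (`rev`, `owner`, `repo`, `spdx`) come from registry and GitHub responses; passing them as data, `jq -S --arg p "$provider" --arg k "$1" --arg v "$2" '.[$p][$k] = $v' providers.json | sponge providers.json`, keeps a crafted response from changing the filter. The two registry `curl -s` calls also lack `--fail`, so an error body is handed to `jq` as if it were a version listing.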


@@ -0,0 +1,228 @@
{
stdenv,
lib,
buildGoModule,
fetchFromGitHub,
makeWrapper,
coreutils,
runCommand,
runtimeShell,
writeText,
terraform-providers,
installShellFiles,
}:
let
generic =
{
version,
hash,
vendorHash ? null,
...
}@attrs:
let
attrs' = removeAttrs attrs [
"version"
"hash"
"vendorHash"
];
in
buildGoModule (
{
pname = "terraform";
inherit version vendorHash;
src = fetchFromGitHub {
owner = "hashicorp";
repo = "terraform";
rev = "v${version}";
inherit hash;
};
ldflags = [
"-s"
"-w"
"-X 'github.com/hashicorp/terraform/version.dev=no'"
];
postPatch = ''
# Between go 1.23 and 1.24 the following GODEBUG setting was removed, and a new
# similar one was added.
# https://github.com/golang/go/issues/72111
# The setting is configured upstream due to the following timeouts caused by
# the TLS handshake using post-quantum crypto with servers that don't support it
# https://tldr.fail/
substituteInPlace go.mod \
--replace-quiet 'godebug tlskyber=0' 'godebug tlsmlkem=0'
'';
postConfigure = ''
# speakeasy hardcodes /bin/stty https://github.com/bgentry/speakeasy/issues/22
substituteInPlace vendor/github.com/bgentry/speakeasy/speakeasy_unix.go \
--replace-fail "/bin/stty" "${coreutils}/bin/stty"
'';
nativeBuildInputs = [ installShellFiles ];
postInstall = ''
# https://github.com/posener/complete/blob/9a4745ac49b29530e07dc2581745a218b646b7a3/cmd/install/bash.go#L8
installShellCompletion --bash --name terraform <(echo complete -C terraform terraform)
'';
preCheck = ''
export HOME=$TMPDIR
export TF_SKIP_REMOTE_TESTS=1
'';
subPackages = [ "." ];
meta = {
description = "Tool for building, changing, and versioning infrastructure";
homepage = "https://www.terraform.io/";
changelog = "https://github.com/hashicorp/terraform/blob/v${version}/CHANGELOG.md";
license = lib.licenses.bsl11;
maintainers = with lib.maintainers; [
Chili-Man
kalbasit
timstott
zimbatm
zowoq
techknowlogick
qjoly
];
mainProgram = "terraform";
};
}
// attrs'
);
pluggable =
terraform:
let
withPlugins =
plugins:
let
actualPlugins = plugins terraform.plugins;
# Wrap PATH of plugins propagatedBuildInputs, plugins may have runtime dependencies on external binaries
wrapperInputs = lib.unique (
lib.flatten (lib.catAttrs "propagatedBuildInputs" (builtins.filter (x: x != null) actualPlugins))
);
passthru = {
withPlugins = newplugins: withPlugins (x: newplugins x ++ actualPlugins);
full = withPlugins (p: lib.filter lib.isDerivation (lib.attrValues p.actualProviders));
# Expose wrappers around the override* functions of the terraform
# derivation.
#
# Note that this does not behave as anyone would expect if plugins
# are specified. The overrides are not on the user-visible wrapper
# derivation but instead on the function application that eventually
# generates the wrapper. This means:
#
# 1. When using overrideAttrs, only `passthru` attributes will
# become visible on the wrapper derivation. Other overrides that
# modify the derivation *may* still have an effect, but it can be
# difficult to follow.
#
# 2. Other overrides may work if they modify the terraform
# derivation, or they may have no effect, depending on what
# exactly is being changed.
#
# 3. Specifying overrides on the wrapper is unsupported.
#
# See nixpkgs#158620 for details.
overrideDerivation = f: (pluggable (terraform.overrideDerivation f)).withPlugins plugins;
overrideAttrs = f: (pluggable (terraform.overrideAttrs f)).withPlugins plugins;
override = x: (pluggable (terraform.override x)).withPlugins plugins;
};
in
# Don't bother wrapping unless we actually have plugins, since the wrapper will stop automatic downloading
# of plugins, which might be counterintuitive if someone just wants a vanilla Terraform.
if actualPlugins == [ ] then
terraform.overrideAttrs (orig: {
passthru = orig.passthru // passthru;
})
else
lib.appendToName "with-plugins" (
stdenv.mkDerivation {
inherit (terraform) meta pname version;
nativeBuildInputs = [ makeWrapper ];
# Expose the passthru set with the override functions
# defined above, as well as any passthru values already
# set on `terraform` at this point (relevant in case a
# user overrides attributes).
passthru = terraform.passthru // passthru;
buildCommand = ''
# Create wrappers for terraform plugins because Terraform only
# walks inside of a tree of files.
for providerDir in ${toString actualPlugins}
do
for file in $(find $providerDir/libexec/terraform-providers -type f)
do
relFile=''${file#$providerDir/}
mkdir -p $out/$(dirname $relFile)
cat <<WRAPPER > $out/$relFile
#!${runtimeShell}
exec "$file" "$@"
WRAPPER
chmod +x $out/$relFile
done
done
# Create a wrapper for terraform to point it to the plugins dir.
mkdir -p $out/bin/
makeWrapper "${terraform}/bin/terraform" "$out/bin/terraform" \
--set NIX_TERRAFORM_PLUGIN_DIR $out/libexec/terraform-providers \
--prefix PATH : "${lib.makeBinPath wrapperInputs}"
'';
}
);
in
withPlugins (_: [ ]);
plugins = removeAttrs terraform-providers [
"override"
"overrideDerivation"
"recurseForDerivations"
];
in
rec {
# Constructor for other terraform versions
mkTerraform = attrs: pluggable (generic attrs);
terraform_1 = mkTerraform {
version = "1.13.3";
hash = "sha256-8C6OxeTjitDMi3J2KIfI6Q+w4FASS6zxjZHfSo7eZko=";
vendorHash = "sha256-UcsB5cTae55meJ945fvgowch4EBdaTET2+t5KWvpPQ8=";
patches = [ ./provider-path-0_15.patch ];
passthru = {
inherit plugins;
tests = { inherit terraform_plugins_test; };
};
};
# Tests that the plugins are being used. Terraform looks at the specific
# file pattern and if the plugin is not found it will try to download it
# from the Internet. With sandboxing enable this test will fail if that is
# the case.
terraform_plugins_test =
let
mainTf = writeText "main.tf" ''
resource "random_id" "test" {}
'';
terraform = terraform_1.withPlugins (p: [ p.random ]);
test = runCommand "terraform-plugin-test" { buildInputs = [ terraform ]; } ''
set -e
# make it fail outside of sandbox
export HTTP_PROXY=http://127.0.0.1:0 HTTPS_PROXY=https://127.0.0.1:0
cp ${mainTf} main.tf
terraform init
touch $out
'';
in
test;
}
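Review bot: In `buildCommand`, the provider wrapper is written through the unquoted `WRAPPER` heredoc, so `"$@"` is expanded when the derivation is built, just as `$file` is. The generated script therefore appears to be an `exec` of the resolved provider path followed by `""`, passing one empty argument and forwarding none; writing `exec "$file" "\$@"` keeps `$file` resolved at build time and leaves `$@` for run time. The `postPatch` comment could also say outright that `tlsmlkem=0` leaves the post-quantum hybrid key exchange switched off for TLS connections made by the terraform binary, so the trade-off is visible to whoever next touches it.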


@@ -0,0 +1,23 @@
diff -Naur terraform.old/internal/command/init.go terraform.new/internal/command/init.go
--- terraform.old/internal/command/init.go
+++ terraform.new/internal/command/init.go
@@ -7,6 +7,7 @@
"context"
"errors"
"fmt"
+ "os"
"log"
"reflect"
"sort"
@@ -79,6 +80,11 @@
c.migrateState = true
}
+ val, ok := os.LookupEnv("NIX_TERRAFORM_PLUGIN_DIR")
+ if ok {
+ initArgs.PluginPath = append(initArgs.PluginPath, val)
+ }
+
if len(initArgs.PluginPath) > 0 {
c.pluginPath = initArgs.PluginPath
}
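Review bot: `os.LookupEnv` reports `ok` for a variable that is set but empty, so an empty `NIX_TERRAFORM_PLUGIN_DIR` appends `""` to `initArgs.PluginPath` and the `len(initArgs.PluginPath) > 0` branch below is taken. Guarding on the value as well, `if val, ok := os.LookupEnv("NIX_TERRAFORM_PLUGIN_DIR"); ok && val != "" {`, avoids that. Since this variable decides which directory provider executables are loaded from, a one-line comment stating that it is set by the nixpkgs wrapper and should be trusted no more than `PATH` would help readers of the patched file. The enclosing function starts and ends outside the hunk, so how an empty entry is treated later in init is not visible here.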