chore: switch kubernetes over to public domain

README.md

@@ -474,7 +474,7 @@ step certificate create cluster-admin cluster-admin.pem cluster-admin-key.pem \
   --set organization=system:masters
 # Construct the kubeconfig file
 # Here we're embedding certificates to avoid breaking stuff if we move or remove cert files
-kubectl config set-cluster home --server https://fat-controller.local:6443 --certificate-authority ca.pem --embed-certs=true
+kubectl config set-cluster home --server https://fat-controller.systems.richtman.au:6443 --certificate-authority ca.pem --embed-certs=true
 kubectl config set-credentials home-admin --client-certificate cluster-admin.pem --client-key cluster-admin-key.pem --embed-certs=true
 kubectl config set-context --user home-admin --cluster home home-admin
 ```
@@ -641,7 +641,7 @@ some _very_ wip notes about the desktop.
 Some diagnostic tests for mDNS:
 
 ```
-export HOST_NAME=fat-controller.local.
+export HOST_NAME=fat-controller.systems.richtman.au.
 # This is our bedrock of truth. It works consistently and can be easily viewed
 avahi-resolve-host-name $HOST_NAME
 tcpdump udp port 5353 # Optionally -Qin

certificates/control-node-certs.sh

@@ -7,7 +7,7 @@ export NODE_DNS_NAME="${1}"
 # etcd TLS
 step certificate create etcd etcd-tls.pem etcd-tls-key.pem --ca etcd.pem --ca-key etcd-key.pem \
   --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json --not-after 8760h --bundle \
-  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.internal" --san "${NODE_DNS_NAME}.local" --san localhost --san 127.0.0.1 --san ::1
+  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.internal" --san "${NODE_DNS_NAME}.systems.richtman.au" --san localhost --san 127.0.0.1 --san ::1
 
 # apiserver client to etcd
 step certificate create kube-apiserver-etcd-client kube-apiserver-etcd-client.pem kube-apiserver-etcd-client-key.pem \
@@ -18,9 +18,9 @@ step certificate create kube-apiserver-etcd-client kube-apiserver-etcd-client.pe
 # Note that your local domain and private IP for in-cluster may vary
 step certificate create kube-apiserver kube-apiserver-tls.pem kube-apiserver-tls-key.pem --ca ca.pem --ca-key ca-key.pem \
   --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json --not-after 8760h --bundle \
-  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.local" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1 --san 10.0.0.1 \
+  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.systems.richtman.au" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1 --san 10.0.0.1 \
   --san kubernetes --san kubernetes.default --san kubernetes.default.svc \
-  --san kubernetes.default.svc.cluster --san kubernetes.default.svc.cluster.local
+  --san kubernetes.default.svc.cluster --san kubernetes.default.svc.cluster.systems.richtman.au
 
 # service account token signing
 openssl req -new -x509 -days 365 -newkey rsa:4096 -keyout service-account-key.pem -sha256 \
@@ -35,7 +35,7 @@ step certificate create system:kube-controller-manager controllermanager-apiserv
 # Controller manager TLS
 step certificate create kube-controllermanager controllermanager-tls-cert-file.pem controllermanager-tls-private-key-file.pem --ca ca.pem --ca-key ca-key.pem \
   --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json --not-after 8760h --bundle \
-  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.local" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1
+  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.systems.richtman.au" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1
 
 # Scheduler apiserver client
 step certificate create system:kube-scheduler scheduler-apiserver-client.pem scheduler-apiserver-client-key.pem \
@@ -45,29 +45,29 @@ step certificate create system:kube-scheduler scheduler-apiserver-client.pem sch
 # Scheduler TLS
 step certificate create scheduler scheduler-tls-cert-file.pem scheduler-tls-private-key-file.pem --ca ca.pem --ca-key ca-key.pem \
   --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json --not-after 8760h --bundle \
-  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.local" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1
+  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.systems.richtman.au" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1
 
 # APIserver client to kubelet
 step certificate create "system:node:${NODE_DNS_NAME}" kubelet-apiserver-client.pem kubelet-apiserver-client-key.pem \
   --ca ca.pem --ca-key ca-key.pem --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json \
   --not-after 8760h --set organization=system:nodes
 
 # Copy everything over, using ~ so we don't hit permissions issues
-rsync service-account*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
-rsync scheduler*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
-rsync etcd*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
-rsync controller*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
-rsync kube*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
-rsync ca*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
+rsync service-account*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
+rsync scheduler*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
+rsync etcd*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
+rsync controller*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
+rsync kube*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
+rsync ca*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
 
 # Remove any existing secrets so it's just this run
-ssh "${NODE_DNS_NAME}.local" sudo rm -fr /var/lib/kubernetes/secrets
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo rm -fr /var/lib/kubernetes/secrets
 # Shift our stuff into the protected location
-ssh "${NODE_DNS_NAME}.local" sudo mv --force "~/secrets" /var/lib/kubernetes/
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo mv --force "~/secrets" /var/lib/kubernetes/
 # Everything owned by the kube service user
-ssh "${NODE_DNS_NAME}.local" sudo chown kubernetes: "/var/lib/kubernetes/secrets/*.pem"
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo chown kubernetes: "/var/lib/kubernetes/secrets/*.pem"
 # Lock permissions a bit
-ssh "${NODE_DNS_NAME}.local" sudo chmod 444 "/var/lib/kubernetes/secrets/*.pem"
-ssh "${NODE_DNS_NAME}.local" sudo chmod 400 "/var/lib/kubernetes/secrets/*key*.pem"
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo chmod 444 "/var/lib/kubernetes/secrets/*.pem"
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo chmod 400 "/var/lib/kubernetes/secrets/*key*.pem"
 # Set ownership of etcd stuff specifically
-ssh "${NODE_DNS_NAME}.local" sudo chown etcd: "/var/lib/kubernetes/secrets/etcd*.pem"
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo chown etcd: "/var/lib/kubernetes/secrets/etcd*.pem"

certificates/worker-node-certs.sh

@@ -12,7 +12,7 @@ step certificate create kubelet-kubeconfig-client-certificate kubelet-kubeconfig
 # kubelet TLS
 step certificate create kubelet kubelet-tls-cert-file.pem kubelet-tls-private-key-file.pem --ca ca.pem --ca-key ca-key.pem \
   --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json --not-after 8760h --bundle \
-  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.local" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1
+  --san "${NODE_DNS_NAME}" --san "${NODE_DNS_NAME}.systems.richtman.au" --san "${NODE_DNS_NAME}.internal" --san localhost --san 127.0.0.1 --san ::1
 # # For client authentication to the proxy services
 # step certificate create kube-apiserver-proxy-client kube-apiserver-proxy-client.pem kube-apiserver-proxy-client-key.pem \
 #   --ca ca.pem --ca-key ca-key.pem --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json \
@@ -22,14 +22,14 @@ step certificate create kubelet kubelet-tls-cert-file.pem kubelet-tls-private-ke
 #   --ca ca.pem --ca-key ca-key.pem --insecure --no-password --template granular-dn-leaf.tpl --set-file dn-defaults.json \
 #   --not-after 8760h --set organization=system:node-proxier
 
-# rsync proxy-*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
+# rsync proxy-*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
 
-rsync kubelet*.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
-rsync ca.pem "${NODE_DNS_NAME}.local:/home/nixos/secrets"
+rsync kubelet*.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
+rsync ca.pem "${NODE_DNS_NAME}.systems.richtman.au:/home/nixos/secrets"
 
 # Kubelet needs to run as root so the specific files that it accesses should be owned by it.
-ssh "${NODE_DNS_NAME}.local" sudo rm -fr /var/lib/kubelet/secrets/
-ssh "${NODE_DNS_NAME}.local" sudo mv --force "~/secrets" /var/lib/kubelet/
-ssh "${NODE_DNS_NAME}.local" sudo chown root: "/var/lib/kubelet/secrets/*.pem"
-ssh "${NODE_DNS_NAME}.local" sudo chmod 444 "/var/lib/kubelet/secrets/*.pem"
-ssh "${NODE_DNS_NAME}.local" sudo chmod 400 "/var/lib/kubelet/secrets/*key*.pem"
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo rm -fr /var/lib/kubelet/secrets/
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo mv --force "~/secrets" /var/lib/kubelet/
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo chown root: "/var/lib/kubelet/secrets/*.pem"
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo chmod 444 "/var/lib/kubelet/secrets/*.pem"
+ssh "${NODE_DNS_NAME}.systems.richtman.au" sudo chmod 400 "/var/lib/kubelet/secrets/*key*.pem"

cilium.yaml

@@ -3,7 +3,7 @@ kubeProxyReplacement: true
 # Enables healthz endpoint
 kubeProxyReplacementHealthzBindAddr: "[::]:10256"
 # Required to bypass the non-working default APIserver service without kube-proxy
-k8sServiceHost: fat-controller.local
+k8sServiceHost: fat-controller.systems.richtman.au
 k8sServicePort: 6443
 # Set our networking stack
 ipv4:

label.sh

@@ -1,18 +1,18 @@
 #!/bin/env bash
 
-kubectl label no/fat-controller.local node-role.kubernetes.io/master=master
-kubectl label no/fat-controller.local kubernetes.richtman.au/ephemeral=false
+kubectl label no/fat-controller.systems.richtman.au node-role.kubernetes.io/master=master
+kubectl label no/fat-controller.systems.richtman.au kubernetes.richtman.au/ephemeral=false
 
-kubectl label no/mum.local node-role.kubernetes.io/worker=worker
-kubectl label no/mum.local kubernetes.richtman.au/ephemeral=false
+kubectl label no/mum.systems.richtman.au node-role.kubernetes.io/worker=worker
+kubectl label no/mum.systems.richtman.au kubernetes.richtman.au/ephemeral=false
 
-kubectl label no/patient-zero.local node-role.kubernetes.io/worker=worker
-kubectl label no/patient-zero.local kubernetes.richtman.au/ephemeral=true
-kubectl label no/dr-singh.local node-role.kubernetes.io/worker=worker
-kubectl label no/dr-singh.local kubernetes.richtman.au/ephemeral=true
-kubectl label no/smol-bat.local node-role.kubernetes.io/worker=worker
-kubectl label no/smol-bat.local kubernetes.richtman.au/ephemeral=true
-kubectl label no/tweedledee.local node-role.kubernetes.io/worker=worker
-kubectl label no/tweedledee.local kubernetes.richtman.au/ephemeral=true
-kubectl label no/tweedledum.local node-role.kubernetes.io/worker=worker
-kubectl label no/tweedledum.local kubernetes.richtman.au/ephemeral=true
+kubectl label no/patient-zero.systems.richtman.au node-role.kubernetes.io/worker=worker
+kubectl label no/patient-zero.systems.richtman.au kubernetes.richtman.au/ephemeral=true
+kubectl label no/dr-singh.systems.richtman.au node-role.kubernetes.io/worker=worker
+kubectl label no/dr-singh.systems.richtman.au kubernetes.richtman.au/ephemeral=true
+kubectl label no/smol-bat.systems.richtman.au node-role.kubernetes.io/worker=worker
+kubectl label no/smol-bat.systems.richtman.au kubernetes.richtman.au/ephemeral=true
+kubectl label no/tweedledee.systems.richtman.au node-role.kubernetes.io/worker=worker
+kubectl label no/tweedledee.systems.richtman.au kubernetes.richtman.au/ephemeral=true
+kubectl label no/tweedledum.systems.richtman.au node-role.kubernetes.io/worker=worker
+kubectl label no/tweedledum.systems.richtman.au kubernetes.richtman.au/ephemeral=true

modules/home/personal-machine/default.nix

@@ -25,6 +25,9 @@ in
         "*.local" = {
           user = "nixos";
         };
+        "*.systems.richtman.au" = {
+          user = "nixos";
+        };
         github = {
           hostname = "github.com";
           user = "git";

modules/nixos/control-node/monitoring.nix

@@ -14,7 +14,7 @@
           "localhost:${builtins.toString port}"
         ];
         labels = {
-          instance = "fat-controller.local";
+          instance = "fat-controller.systems.richtman.au";
         };
       }
     ];
@@ -26,7 +26,7 @@
       source_labels = ["__address__"];
       regex = ".*localhost.*";
       target_label = "instance";
-      replacement = "fat-controller.local";
+      replacement = "fat-controller.systems.richtman.au";
     }
     # Remove port numbers
     {
@@ -136,18 +136,19 @@ in {
                 "localhost:9100"
               ];
               labels = {
-                instance = "fat-controller.local";
+                instance = "fat-controller.systems.richtman.au";
               };
             }
             {
               targets = [
                 "opnsense.internal:9100"
                 "proxmox.internal:9100"
-                "patient-zero.local:9100"
-                "dr-singh.local:9100"
-                "smol-bat.local:9100"
-                "tweedledee.local:9100"
-                "tweedledum.local:9100"
+                "mum.systems.richtman.au:9100"
+                "patient-zero.systems.richtman.au:9100"
+                "dr-singh.systems.richtman.au:9100"
+                "smol-bat.systems.richtman.au:9100"
+                "tweedledee.systems.richtman.au:9100"
+                "tweedledum.systems.richtman.au:9100"
               ];
             }
           ];

modules/nixos/k8s/apiserver.nix

@@ -61,8 +61,8 @@
     "${cfg.secretsPath}/service-account-key.pem"
     # TODO: Revisit
     "--service-cluster-ip-range"
-    "2001:db8:1234:5678:8:3::/112"
-    # "2403:580a:e4b1::/108"
+    # "2001:db8:1234:5678:8:3::/112"
+    "2403:580a:e4b1::/108"
     # Can't mix public and private
     # "10.100.100.0/24,2403:580a:e4b1:fffd::/64"
     "--tls-cert-file"

modules/nixos/k8s/controller.nix

@@ -23,7 +23,7 @@
         name = "default";
         cluster = {
           certificate-authority = "${topConfig.secretsPath}/ca.pem";
-          server = "https://fat-controller.local:6443";
+          server = "https://fat-controller.systems.richtman.au:6443";
         };
       }
     ];
@@ -56,14 +56,14 @@
     if (builtins.substring 0 2 x) == "--"
     then "${x}="
     else "${x} ") [
-    "--allocate-node-cidrs"
-    "true"
-    "--service-cluster-ip-range"
-    "2001:db8:1234:5678:8:3::/112"
+    # "--allocate-node-cidrs"
+    # "true"
+    # "--service-cluster-ip-range"
+    # "2001:db8:1234:5678:8:3::/112"
     "--node-cidr-mask-size"
     "120"
-    "--cluster-cidr"
-    "2001:db8:1234:5678:8:2::/104"
+    # "--cluster-cidr"
+    # "2001:db8:1234:5678:8:2::/104"
     "--authorization-kubeconfig"
     controllerKubeconfigFile
     # "--authentication-kubeconfig"