eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail #209

Merged
eblume merged 7 commits from feature/k3s-ringtail-runner into main 2026-02-18 21:15:31 -08:00
Conversation 0 Commits 7 Files changed 16 +64
2 changed files with 64 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit 382dcd1e71 - Show all commits

Add k3s-ringtail kubectl config task and services-check entries

Prev Next 
New mise task ensure-k3s-ringtail-kubectl-config fetches certs from
ringtail and writes a kubeconfig to ~/.kube/k3s-ringtail/config.yml.
services-check now verifies k3s, k3s API reachability, and the
forgejo-runner systemd service on ringtail.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-18 20:58:31 -08:00
commit 382dcd1e71

61
mise-tasks/ensure-k3s-ringtail-kubectl-config Executable file
View file

@ -0,0 +1,61 @@
#!/usr/bin/env bash
#MISE description="Ensure kubectl config for k3s-ringtail is set up on this workstation"
set -euo pipefail
CONFIG_DIR="$HOME/.kube/k3s-ringtail"
CONFIG_FILE="$CONFIG_DIR/config.yml"
echo "Ensuring k3s-ringtail kubectl config..."
# Create directory if needed
mkdir -p "$CONFIG_DIR"
# Fetch kubeconfig from ringtail and extract the CA cert
echo "Fetching kubeconfig from ringtail..."
RAW_CONFIG=$(ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml')
# Extract and decode the CA certificate
echo "$RAW_CONFIG" | grep certificate-authority-data | awk '{print $2}' | base64 -d > "$CONFIG_DIR/ca.crt"
# Extract and decode the client certificate
echo "$RAW_CONFIG" | grep client-certificate-data | awk '{print $2}' | base64 -d > "$CONFIG_DIR/client.crt"
# Extract and decode the client key
echo "$RAW_CONFIG" | grep client-key-data | awk '{print $2}' | base64 -d > "$CONFIG_DIR/client.key"
chmod 600 "$CONFIG_DIR/client.key"
# Write kubeconfig with file-based certs and tailscale hostname
cat > "$CONFIG_FILE" << EOF
apiVersion: v1
kind: Config
clusters:
- cluster:
certificate-authority: $CONFIG_DIR/ca.crt
server: https://ringtail.tail8d86e.ts.net:6443
name: k3s-ringtail
contexts:
- context:
cluster: k3s-ringtail
user: k3s-ringtail
name: k3s-ringtail
current-context: k3s-ringtail
users:
- name: k3s-ringtail
user:
client-certificate: $CONFIG_DIR/client.crt
client-key: $CONFIG_DIR/client.key
EOF
echo "Config written to $CONFIG_FILE"
# Warn if KUBECONFIG doesn't include this file
if [[ -z "${KUBECONFIG:-}" ]] || [[ ":$KUBECONFIG:" != *":$CONFIG_FILE:"* ]]; then
echo ""
echo "WARNING: KUBECONFIG does not include $CONFIG_FILE"
echo "Add this to your shell config:"
echo " export KUBECONFIG=\"\$KUBECONFIG:$CONFIG_FILE\""
fi
echo ""
echo "Test with: kubectl --context=k3s-ringtail get nodes"

3
mise-tasks/services-check
View file

@ -87,6 +87,9 @@ echo ""
echo "Ringtail (NixOS):" echo "Ringtail (NixOS):"
check_service "ssh" "ssh -o ConnectTimeout=5 ringtail true" check_service "ssh" "ssh -o ConnectTimeout=5 ringtail true"
check_service "tailscale" "ssh ringtail 'tailscale status --self --json' | jq -e '.Self.Online' > /dev/null" check_service "tailscale" "ssh ringtail 'tailscale status --self --json' | jq -e '.Self.Online' > /dev/null"
check_service "k3s" "ssh ringtail 'k3s kubectl get nodes --no-headers | grep -q Ready'"
check_service "k3s-apiserver (remote)" "kubectl --context=k3s-ringtail get --raw /healthz"
check_service "forgejo-runner" "ssh ringtail 'systemctl is-active gitea-runner-nix_container_builder.service'"
echo "" echo ""
echo "Public services (via Fly.io):" echo "Public services (via Fly.io):"