implement k8s

flake.nix

@@ -1,6 +1,18 @@
 {
   description = "Black Start essential infrastructure for cloud operations";
 
+  nixConfig = {
+    substituters = [
+      "https://nix-cache.dubyatp.xyz/duby"
+      "https://cache.nixos.org/"
+    ];
+
+    trusted-public-keys = [
+      "duby:IUVsFbQu499JOaHmUpi/mwhZEVQK7soFn7H6lD2/2T4="
+      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+    ];
+  };
+
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
 
@@ -27,6 +39,7 @@
           ./security/security.nix
           ./disko/uefi-nosecure.nix
           ./users/users.nix
+          ./kubernetes/kubernetes.nix
           {
             config.boot = {
               loader = {
@@ -72,5 +85,7 @@
         };
       };
     };
+
+    packages.x86_64-linux.attic = nixpkgs.legacyPackages.x86_64-linux.attic-client;
   };
 }

kubernetes/kubernetes.nix

@@ -0,0 +1,30 @@
+{ config, pkgs, ... }:
+let
+  kubeMasterIP = "10.105.6.198";
+  kubeMasterHostname = "api.kube";
+  kubeMasterAPIServerPort = 6443;
+in
+{
+  networking.extraHosts = "${kubeMasterIP} ${kubeMasterHostname}";
+
+  environment.systemPackages = with pkgs; [
+    kompose
+    kubectl
+    kubernetes
+  ];
+
+  services.kubernetes = {
+    roles = ["master" "node"];
+    masterAddress = kubeMasterHostname;
+    apiserverAddress = "https://${kubeMasterHostname}:${toString kubeMasterAPIServerPort}";
+    easyCerts = true;
+    apiserver = {
+      securePort = kubeMasterAPIServerPort;
+      advertiseAddress = kubeMasterIP;
+    };
+
+    addons.dns.enable = true;
+
+    kubelet.extraOpts = "--fail-swap-on=false";
+  };
+}