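# RBAC permissions used by the nix-csi ServiceAccount. A ClusterRole is
# cluster-scoped, so the `namespace` under metadata is ignored by the API
# server; only the binding's subject carries a meaningful namespace.
# NOTE(review): the secrets rule grants get/list/create/patch on Secrets in
# every namespace, and the ClusterRoleBinding in the next document attaches it
# to a ServiceAccount that both the nix-csi-node DaemonSet and the nix-cache
# StatefulSet run as. If the driver only needs Secrets in its own namespace
# (KUBE_NAMESPACE is the only namespace hint in the DaemonSet), a namespaced
# Role/RoleBinding or a `resourceNames` restriction would shrink that scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nix-csi
  namespace: nix-csi
rules:
  # Read-only node and pod metadata.
  - apiGroups:
      - ""
    resources:
      - nodes
      - pods
    verbs:
      - get
      - list
      - watch
  # Read and write access to Secrets, cluster-wide (see note above).
  - apiGroups:
      - ""
    resources:
      - secrets
    verbs:
      - get
      - list
      - create
      - patch
  # Read-only access to ConfigMaps, cluster-wide.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list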
---
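# Attaches the cluster-wide nix-csi ClusterRole to the nix-csi ServiceAccount.
# `metadata.namespace` is ignored for this cluster-scoped kind; the namespace
# that matters is the one on the subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nix-csi
  namespace: nix-csi
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nix-csi
subjects:
  # Both the nix-csi-node DaemonSet and the nix-cache StatefulSet in this file
  # set `serviceAccountName: nix-csi`, so both pods hold these permissions.
  - kind: ServiceAccount
    name: nix-csi
    namespace: nix-csi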
---
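# SSH public key material in authorized_keys format.
# NOTE(review): nothing in this file mounts this ConfigMap; presumably a process
# in the cache or node pod reads it through the API (the ClusterRole grants
# configmaps get/list) — confirm against the image. The key's trailing comment
# field reads `[email protected]`, which looks like redaction by the page this
# was copied from rather than the deployed value. Any holder of the matching
# private key can reach the cache's sshd via the nix-cache-lb LoadBalancer
# Service defined later in this file.
apiVersion: v1
data:
  authorized_keys: |
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAHZ3pA0vIXiKQuwfM1ks8TipeOxfDT9fgo4xMi9iiWr [email protected]
kind: ConfigMap
metadata:
  name: authorized-keys
  namespace: nix-csi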
---
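# nix.conf for the nix-cache StatefulSet (mounted there as the nix-config
# volume). Security-relevant settings:
#   - `trusted-users = root nix`: trusted users may override daemon settings,
#     including substituters and signature checks, so `nix` is effectively a
#     daemon administrator on this pod.
#   - `allowed-users = *`: every local account may connect to the daemon.
#   - `max-jobs = 0`: no local builds on the cache; presumably it only serves
#     and forwards store paths (the node config later in the file uses `auto`).
apiVersion: v1
data:
  nix.conf: |
    # Use nix daemon for builds
    store = daemon
    # Users who can do supernixxy things
    trusted-users = root nix
    # Allow everyone to Nix!
    allowed-users = *
    # Auto allocare uids so we don't have to create lots of users in containers
    auto-allocate-uids = true
    # This supposedly helps with the sticky cache issue
    fallback = true
    # Enable common features
    experimental-features = nix-command flakes auto-allocate-uids fetch-closure pipe-operator
    # let builders sub
    builders-use-substitutes = true
    # Fuck purity
    warn-dirty = false
    # Features?
    system-features = nixos-test benchmark big-parallel uid-range
    max-jobs = 0
kind: ConfigMap
metadata:
  name: nix-cache-config
  namespace: nix-csi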
---
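# Configuration for the nix-csi-node DaemonSet (volume nix-config, mounted at
# /etc/nix-mount in the driver container and /etc/nix in initcopy).
#   - nix-path.nix evaluates to a file holding a NIX_PATH built from the
#     channels listed in `paths`.
#   - nix.conf is the per-node daemon configuration.
# NOTE(review): every fetchTree call below tracks a branch via `ref` with no
# `rev` or `narHash`, so the inputs are not pinned and change whenever the
# branch moves.
# NOTE(review): `extra-substituters = ssh-ng://nix@nix-cache?trusted=1&...`
# marks the in-cluster cache as a trusted store, so paths fetched from it are
# accepted without signature verification. Anyone who can push paths into the
# cache (its sshd is exposed through nix-cache-lb) can therefore supply
# unsigned store paths to every node; keep that ingress tightly controlled or
# drop `trusted=1` and rely on signed paths.
apiVersion: v1
data:
  nix-path.nix: |
    let
      paths = {
        nixpkgs = builtins.fetchTree {
          type = "github";
          owner = "nixos";
          repo = "nixpkgs";
          ref = "nixos-25.05";
        };
        nixos-unstable = builtins.fetchTree {
          type = "github";
          owner = "nixos";
          repo = "nixpkgs";
          ref = "nixos-unstable";
        };
        home-manager = builtins.fetchTree {
          type = "github";
          owner = "nix-community";
          repo = "home-manager";
          ref = "release-25.05";
        };
        home-manager-unstable = builtins.fetchTree {
          type = "github";
          owner = "nix-community";
          repo = "home-manager";
          ref = "master";
        };
        dinix = builtins.fetchTree {
          type = "github";
          owner = "lillecarl";
          repo = "dinix";
          ref = "main";
        };
        flake-compatish = builtins.fetchTree {
          type = "github";
          owner = "lillecarl";
          repo = "flake-compatish";
          ref = "main";
        };
      };
      pkgs = import paths.nixpkgs { };
      inherit (pkgs) lib;
    in
    lib.pipe paths [
      (lib.mapAttrsToList (name: value: "${name}=${value}"))
      (lib.concatStringsSep ":")
      (pkgs.writeText "NIX_PATH")
    ]
  # The `|2` indentation indicator came from the original serializer; it only
  # changes the value if the first content line carried leading whitespace,
  # which this copy no longer shows — confirm against the generating source.
  nix.conf: |2
    # Use nix daemon for builds
    store = daemon
    # Users who can do supernixxy things
    trusted-users = root nix
    # Allow everyone to Nix!
    allowed-users = *
    # Auto allocare uids so we don't have to create lots of users in containers
    auto-allocate-uids = true
    # This supposedly helps with the sticky cache issue
    fallback = true
    # Enable common features
    experimental-features = nix-command flakes auto-allocate-uids fetch-closure pipe-operator
    # let builders sub
    builders-use-substitutes = true
    # Fuck purity
    warn-dirty = false
    # Features?
    system-features = nixos-test benchmark big-parallel uid-range
    # substituters
    extra-substituters = ssh-ng://nix@nix-cache?trusted=1&priority=20
    max-jobs = auto
kind: ConfigMap
metadata:
  name: nix-csi-config
  namespace: nix-csi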
---
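# Per-node CSI plugin. The nix-csi-node container runs privileged with
# bidirectional mount propagation on /var/lib/kubelet and /nix so the mounts it
# creates are visible to the kubelet — the usual privilege level for a CSI node
# plugin, and the reason the RBAC behind its ServiceAccount should be minimal.
# NOTE(review): all images are referenced by mutable tag (`scratch:1.0.1`,
# `csi-node-driver-registrar:v2.15.0`, `livenessprobe:v2.17.0`, and the
# `nix-csi:<hash>` tag); pinning with `@sha256:` digests would make the rollout
# reproducible and tamper-evident.
# NOTE(review): `configHash` is identical to the one on the nix-cache
# StatefulSet although the two pods mount different ConfigMaps (nix-csi-config
# vs nix-cache-config). If the annotation is meant to trigger a rollout on
# config change, check that it is derived from the ConfigMap this pod mounts.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: nix-csi-node
  namespace: nix-csi
spec:
  selector:
    matchLabels:
      app: nix-csi-node
  template:
    metadata:
      annotations:
        configHash: bdb8e57bc4ea71ac0ea981d31736a2b7
        kubectl.kubernetes.io/default-container: nix-csi-node
      labels:
        app: nix-csi-node
    spec:
      containers:
        # Registers the driver socket with the kubelet plugin registry.
        - args:
            - --v=5
            - --csi-address=/csi/csi.sock
            - --kubelet-registration-path=/var/lib/kubelet/plugins/nix.csi.store/csi.sock
          env:
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.15.0
          name: csi-node-driver-registrar
          volumeMounts:
            - mountPath: /csi
              name: csi-socket
            - mountPath: /var/lib/kubelet
              name: kubelet
            - mountPath: /registration
              name: registration
        # Liveness sidecar for the CSI socket. No container in this pod declares
        # a `livenessProbe` that points at it, so as written it is not consulted.
        - args:
            - --csi-address=/csi/csi.sock
          image: registry.k8s.io/sig-storage/livenessprobe:v2.17.0
          name: livenessprobe
          volumeMounts:
            - mountPath: /csi
              name: csi-socket
            - mountPath: /registration
              name: registration
        # The driver itself, supervised by dinit and running as root.
        - command:
            - dinit
            - csi
          env:
            - name: CSI_ENDPOINT
              value: unix:///csi/csi.sock
            - name: HOME
              value: /nix/var/nix-csi/root
            - name: KUBE_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: KUBE_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: KUBE_POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: USER
              value: root
          image: quay.io/nix-csi/scratch:1.0.1
          name: nix-csi-node
          securityContext:
            privileged: true
          volumeMounts:
            - mountPath: /csi
              name: csi-socket
            # Bidirectional so volume mounts made here propagate to the host.
            - mountPath: /var/lib/kubelet
              mountPropagation: Bidirectional
              name: kubelet
            - mountPath: /etc/nix-mount
              name: nix-config
            # Host-backed Nix store shared with the host and with initcopy.
            - mountPath: /nix
              mountPropagation: Bidirectional
              name: nix-store
              subPath: nix
            - mountPath: /registration
              name: registration
            - mountPath: /etc/ssh-mount
              name: ssh
      initContainers:
        # Seeds the host store directory before the driver starts.
        - command:
            - initcopy
          image: quay.io/nix-csi/nix-csi:jgyd310l9ndf5vqszqbzvlpbf6gwqasi
          name: initcopy
          volumeMounts:
            - mountPath: /etc/nix
              name: nix-config
            - mountPath: /nix-volume
              name: nix-store
      serviceAccountName: nix-csi
      # Pairs with the headless nix-builders Service so the cache can find
      # builder pods (BUILDERS_SERVICE_NAME on the StatefulSet).
      subdomain: nix-builders
      volumes:
        - hostPath:
            path: /var/lib/kubelet/plugins/nix.csi.store/
            type: DirectoryOrCreate
          name: csi-socket
        - hostPath:
            path: /var/lib/kubelet
            type: Directory
          name: kubelet
        - configMap:
            name: nix-csi-config
          name: nix-config
        - hostPath:
            path: /var/lib/nix-csi
            type: DirectoryOrCreate
          name: nix-store
        # No `type`, so the kubelet performs no existence/kind check on the path.
        - hostPath:
            path: /var/lib/kubelet/plugins_registry
          name: registration
        # 384 decimal is 0600: owner read/write only. Unlike the StatefulSet's
        # copy, this Secret is required, so the pod will not start without it.
        - name: ssh
          secret:
            defaultMode: 384
            secretName: ssh
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate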
---
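# Headless Service over the nix-csi-node pods; used by the cache for builder
# discovery (BUILDERS_SERVICE_NAME=nix-builders on the StatefulSet) and as the
# DaemonSet pods' `subdomain`. Cluster-internal only.
apiVersion: v1
kind: Service
metadata:
  name: nix-builders
  namespace: nix-csi
spec:
  clusterIP: None
  ports:
    - name: ssh
      port: 22
  selector:
    app: nix-csi-node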
---
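# Cluster-internal SSH endpoint of the cache. This is the `nix-cache` host in
# the nodes' `extra-substituters = ssh-ng://nix@nix-cache?trusted=1...` URI.
apiVersion: v1
kind: Service
metadata:
  name: nix-cache
  namespace: nix-csi
spec:
  ports:
    - name: ssh
      port: 22
      targetPort: 22
  selector:
    app: nix-cache
  type: ClusterIP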
---
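# External SSH endpoint of the cache (2222 -> 22).
# NOTE(review): because the nodes treat the cache as a trusted substituter,
# this is the most sensitive ingress in the file: whoever authenticates here
# can feed unsigned store paths to every node. If only known networks need it,
# add `loadBalancerSourceRanges` with those CIDRs; if nothing outside the
# cluster needs it, the ClusterIP Service above already suffices.
apiVersion: v1
kind: Service
metadata:
  name: nix-cache-lb
  namespace: nix-csi
spec:
  ports:
    - name: ssh
      port: 2222
      targetPort: 22
  selector:
    app: nix-cache
  type: LoadBalancer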
---
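# ServiceAccount shared by the nix-csi-node DaemonSet and the nix-cache
# StatefulSet; it receives the nix-csi ClusterRole via the ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nix-csi
  namespace: nix-csi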
---
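# Single-replica cache / remote store. /nix lives on the nix-store PVC
# (subPath nix) so it survives restarts; nodes reach it over ssh-ng.
# NOTE(review): this pod runs as the same nix-csi ServiceAccount as the
# DaemonSet and is reachable from outside the cluster through nix-cache-lb, so
# a compromise here also yields the cluster-wide Secret permissions of that
# account. A dedicated ServiceAccount with no RBAC, or
# `automountServiceAccountToken: false` on the pod spec, would decouple them.
# NOTE(review): `containerPort: 80` is declared but no Service in this file
# targets it.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: nix-cache
  namespace: nix-csi
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nix-cache
  serviceName: nix-cache
  template:
    metadata:
      annotations:
        # Same value as on the DaemonSet despite a different ConfigMap; see the
        # review note there. exprHash presumably tracks the Nix expression the
        # image was built from — confirm.
        configHash: bdb8e57bc4ea71ac0ea981d31736a2b7
        exprHash: 985611598c891cebb13a37f3209a4c8c
      labels:
        app: nix-cache
    spec:
      containers:
        # Cache process supervised by dinit; logs go to /var/log/dinit.log.
        - command:
            - dinit
            - --log-file
            - /var/log/dinit.log
            - --quiet
            - cache
          env:
            - name: BUILDERS_SERVICE_NAME
              value: nix-builders
            - name: HOME
              value: /nix/var/nix-csi/root
            - name: KUBE_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: quay.io/nix-csi/scratch:1.0.1
          name: cache
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - mountPath: /etc/nix-mount
              name: nix-config
            - mountPath: /nix
              name: nix-store
              subPath: nix
            - mountPath: /etc/ssh-mount
              name: ssh
      initContainers:
        # Seeds the PVC-backed store before the cache starts.
        - command:
            - initcopy
          image: quay.io/nix-csi/nix-csi:jgyd310l9ndf5vqszqbzvlpbf6gwqasi
          name: initcopy
          volumeMounts:
            - mountPath: /etc/nix
              name: nix-config
            - mountPath: /nix-volume
              name: nix-store
      serviceAccountName: nix-csi
      volumes:
        - configMap:
            name: nix-cache-config
          name: nix-config
        # 384 decimal is 0600. Optional here (unlike the DaemonSet), so the pod
        # starts without the Secret and whatever expects /etc/ssh-mount must
        # cope with it being empty.
        - name: ssh
          secret:
            defaultMode: 384
            optional: true
            secretName: ssh
  volumeClaimTemplates:
    - metadata:
        name: nix-store
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: 10Gi
        storageClassName: local-path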
---
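# Registers the nix.csi.store driver with the cluster.
#   - attachRequired: false — no attach/detach step, so no controller-side
#     attacher is needed.
#   - podInfoOnMount: false — the driver does not receive pod name/namespace/
#     UID/ServiceAccount in NodePublishVolume, so it cannot make per-pod
#     authorization decisions from that data.
#   - volumeLifecycleModes: Ephemeral only — inline volumes in pod specs; no
#     Persistent mode for PVC-backed volumes.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
  name: nix.csi.store
spec:
  attachRequired: false
  fsGroupPolicy: File
  podInfoOnMount: false
  requiresRepublish: false
  storageCapacity: false
  volumeLifecycleModes:
    - Ephemeral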
---
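# Namespace holding every namespaced object above.
# NOTE(review): it appears after the objects that reference it. With a plain
# top-down `kubectl apply -f` on a fresh cluster those objects would fail on
# the first pass; move this document to the top, or apply with a tool that
# orders kinds.
apiVersion: v1
kind: Namespace
metadata:
  name: nix-csi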
---
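# StorageClass for dynamic provisioning through nix.csi.store.
# NOTE(review): the CSIDriver above lists only the Ephemeral lifecycle mode
# and this file deploys no controller/provisioner sidecar, so PVCs using this
# class presumably cannot be provisioned as written — confirm whether the class
# is still needed or whether a Persistent mode and controller are intended.
allowVolumeExpansion: false
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: nix-csi
provisioner: nix.csi.store
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer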