feat(profiles): turn on audit log for k3s (#94)

tillycode · Aug 21, 2024 · 098abbd · 098abbd
1 parent 6742d47
commit 098abbd
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 7 deletions.
diff --git a/nixos/profiles/services/cluster/k3s-server.nix b/nixos/profiles/services/cluster/k3s-server.nix
@@ -1,9 +1,37 @@
+{ lib, pkgs, ... }:
+let
+  audit-yaml = pkgs.writeText "audit.yaml" ''
+    apiVersion: audit.k8s.io/v1
+    kind: Policy
+    rules:
+    - level: Metadata
+  '';
+in
 {
-  services.k3s = {
-    role = "server";
-    extraFlags = [
-      "--node-label"
-      "svccontroller.k3s.cattle.io/enablelb=true"
-    ];
-  };
+  config = lib.mkMerge [
+    {
+      services.k3s = {
+        role = "server";
+        extraFlags = [
+          "--node-label"
+          "svccontroller.k3s.cattle.io/enablelb=true"
+        ];
+      };
+
+    }
+    # audit log
+    {
+      services.k3s.extraFlags = [
+        "--kube-apiserver-arg=audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"
+        "--kube-apiserver-arg=audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml"
+      ];
+      systemd.tmpfiles.rules = [
+        "d /var/lib/rancher/k3s/server/logs 0700 root root -"
+        "L+ /var/lib/rancher/k3s/server/audit.yaml 0600 root root - ${audit-yaml}"
+      ];
+      systemd.services.k3s = {
+        after = [ "systemd-tmpfiles-setup.service" ];
+      };
+    }
+  ];
 }
diff --git a/nixos/profiles/users/_sunHome.nix b/nixos/profiles/users/_sunHome.nix
@@ -61,6 +61,7 @@
 
   home.packages = with pkgs; [
     k3s
+    k9s
     kubernetes-helm
     zed-editor
   ];