host

func ConfigureNFTables ¶

func ConfigureNFTables(log *slog.Logger) phases.Task

ConfigureNFTables returns a task that installs a oneshot systemd unit which flushes all nftables rules to a clean state before kubelet starts. This ensures stale rules (e.g. left behind by Docker) do not interfere with Kubernetes networking.

func ConfigureOS ¶

func ConfigureOS(log *slog.Logger) phases.Task

ConfigureOS returns a task that writes host-level OS configuration (e.g. sysctl tunables) that must be in place before any nspawn machine starts so that kubelet inside the container sees the correct kernel parameter values.

func DisableDocker ¶

func DisableDocker(log *slog.Logger) phases.Task

DisableDocker returns a task that disables the Docker service and configures the Docker daemon with "iptables": false. This prevents Docker from manipulating iptables rules, which would conflict with Kubernetes networking.

func DisableSwap ¶

func DisableSwap(log *slog.Logger) phases.Task

DisableSwap returns a task that disables swap on the host. Kubernetes requires swap to be off so the kubelet memory management and pod QoS guarantees work correctly. The task runs swapoff -a and comments out any swap entries in /etc/fstab so swap stays disabled across reboots.

func HardenAPT ¶

func HardenAPT(log *slog.Logger) phases.Task

HardenAPT returns a task that writes drop-ins which prevent unattended-upgrades and needrestart from restarting systemd-machined (and thereby killing the running nspawn container). Idempotent.

func InstallPackages ¶

func InstallPackages(log *slog.Logger) phases.Task

InstallPackages returns a task that installs the required OS packages on the host.

TODO: support package managers beyond apt (e.g. dnf, zypper) for non-Debian distros.