This updates k3s.
This one's done by hand rather than via the update bot since the
upstream repo ended up in a state where `go mod download` didn't work,
and we had `proxyVendor` set (which causes a `go mod download`).
Deleting `proxyVendor` works now though, and I didn't actually fully
understand why it was needed before, so I've removed that, which
unblocks the update.
The actual update was done via `./update.sh` after removing
`proxyVendor` and the `k3sServerVendorSha256` variables.
This PR also reworks the packaging of k3s significantly.
Notably, it makes the following changes:
1. buildGoModule instead of buildGoPackage + mkDerivation (for the final one)
2. Merges the final two derivations (k3s user binary + wrapper script stuff) into one
3. Reduces the amount of patching & usage of upstream packaging scripts
And of course updates to 1.23
I'm not really sure yet if this is significantly better than the
previous packaging model, but it at least seems a little nicer I guess?
buildGoModule is nice, even if we have to hack around it quite a bit to
get a 'go generate' in there.
Notably, this includes support for unified cgroups in k3s, which is
especially convenient given NixOS has moved to them.
Fixes (at least partly) #111835
Fixes #101734
Prior to this change, the k3s binary included a tarball containing
binaries like 'kubectl', but didn't keep a runtime reference to those
runtime dependencies in plaintext (since they were gzipped inside the
single combined k3s binary).
In order for Nix's automatic runtime dependency detection to work, we
need to have a reference to them somewhere in $out.
propagatedBuildInputs seems to do the right thing for us here.
Running `nix-store -q --tree /nix/store/path/to/k3s` produces a
different output after this change which includes the `libseccomp`
reference I expect.
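
To illustrate the reference-detection problem described in the commit message above (an added example, not code from nixpkgs or k3s): Nix finds runtime dependencies by searching the output for the hash part of store paths, so a path that exists only inside gzip-compressed data is missed and drops out of the closure. The store path, the file contents and the plaintext `nix-support/propagated-build-inputs` file are constructed for this sketch.

```python
import gzip
import re

# Alphabet Nix uses for the 32-character hash part of a store path.
NIX_BASE32 = "0123456789abcdfghijklmnpqrsvwxyz"
STORE_PATH_RE = re.compile(r"^/nix/store/([%s]{32})-" % NIX_BASE32)


def hash_part(store_path):
    """Return the 32-character hash of a store path as bytes."""
    match = STORE_PATH_RE.match(store_path)
    if match is None:
        raise ValueError("not a store path: %r" % store_path)
    return match.group(1).encode("ascii")


def scan_references(output_files, candidates):
    """Return the candidate paths whose hash occurs literally in any output file.

    output_files maps a path relative to $out to that file's raw bytes.
    """
    return {
        path for path in candidates
        if any(hash_part(path) in data for data in output_files.values())
    }


def missing_runtime_deps(output_files, needed):
    """Paths needed at runtime that a byte scan of the output would not find."""
    return set(needed) - scan_references(output_files, needed)


# Constructed sample data: a fake store path and a fake combined binary.
LIBSECCOMP = "/nix/store/" + NIX_BASE32 + "-libseccomp"
bundled = (b"RUNPATH=" + LIBSECCOMP.encode("ascii") + b"/lib\x00") * 8

# Before: the path is present only inside the gzipped, embedded payload.
BEFORE = {"bin/k3s": b"\x7fELF" + gzip.compress(bundled)}

# After: the same path is also written in plaintext somewhere under $out.
AFTER = dict(BEFORE)
AFTER["nix-support/propagated-build-inputs"] = LIBSECCOMP.encode("ascii") + b"\n"

if __name__ == "__main__":
    print("missing before:", missing_runtime_deps(BEFORE, [LIBSECCOMP]))
    print("missing after: ", missing_runtime_deps(AFTER, [LIBSECCOMP]))
```
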
Otherwise we get warnings like 'level=warning msg="failed to start
br_netfilter module"' in k3s's logs.
Adding modprobe to k3s's PATH fixes the warning at least. I'm not
certain if it fixes any real issue or not.
The upstream project already builds and releases for aarch64. This makes
the couple small tweaks that I found necessary for k3s to cross-compile
for aarch64.
I also ran it through nixpkgs-fmt.
This packages k3s as a single self-contained binary (as upstream k3s
does), but without having to download any impure already-built binaries.
The upstream packaging scripts are used. Due to k3s's rather complicated
packaging arrangement, this ends up being a rather long derivation.