diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix
index 2925745c9e0945..e80abcbf127088 100644
--- a/nixos/modules/services/cluster/k3s/default.nix
+++ b/nixos/modules/services/cluster/k3s/default.nix
@@ -434,6 +434,20 @@ in
 for further information.
 '';
 };
+
+ extraKubeProxyConfig = lib.mkOption {
+ type = with lib.types; attrsOf anything;
+ default = { };
+ example = {
+ mode = "nftables";
+ };
+ description = ''
+ Extra configuration to add to the kube-proxy's configuration file. The subset of the kube-proxy's
+ configuration that can be configured via a file is defined by the
+ [KubeProxyConfiguration](https://kubernetes.io/docs/reference/config-api/kube-proxy-config.v1alpha1/)
+ struct.
+ '';
+ };
 };
 
 # implementation
@@ -486,6 +500,14 @@ in
 }
 // kubeletParams
 );
+
+ kubeProxyConfig = (pkgs.formats.yaml {}).generate "k3s-kubeProxy-config" (
+ {
+ apiVersion = "kubeproxy.config.k8s.io/v1alpha1";
+ kind = "KubeProxyConfiguration";
+ }
+ // cfg.extraKubeProxyConfig
+ );
 in
 {
 description = "k3s service";
@@ -498,7 +520,9 @@ in
 "network-online.target"
 ];
 wantedBy = [ "multi-user.target" ];
- path = lib.optional config.boot.zfs.enabled config.boot.zfs.package;
+ path =
+ (lib.optional config.boot.zfs.enabled config.boot.zfs.package) ++
+ (lib.optional (cfg.extraKubeProxyConfig.mode == "nftables") pkgs.nftables);
 serviceConfig = {
 # See: https://github.com/rancher/k3s/blob/dddbd16305284ae4bd14c0aade892412310d7edc/install.sh#L197
 Type = if cfg.role == "agent" then "exec" else "notify";
@@ -521,6 +545,7 @@ in
 ++ (lib.optional (cfg.tokenFile != null) "--token-file ${cfg.tokenFile}")
 ++ (lib.optional (cfg.configPath != null) "--config ${cfg.configPath}")
 ++ (lib.optional (kubeletParams != { }) "--kubelet-arg=config=${kubeletConfig}")
+ ++ (lib.optional (cfg.extraKubeProxyConfig != { }) "--kube-proxy-arg=config=${kubeProxyConfig}")
 ++ (lib.flatten cfg.extraFlags)
 );
 };
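Review bot: The description of `extraKubeProxyConfig` omits two facts the implementation relies on: the attrset is rendered with `pkgs.formats.yaml` into the world-readable Nix store, and `apiVersion`/`kind` are prefilled by the module. A user reading only this option text could reasonably put a credential-bearing value into it or try to set the header fields themselves. I would append to the description: `The file is generated into the Nix store, so it must not contain secrets; apiVersion and kind are set automatically.` Since the later hunk adds `pkgs.nftables` to the service PATH only when `mode = "nftables"`, a sentence stating that side effect would also help, as users of another backend must supply their own tooling.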
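Review bot: `// cfg.extraKubeProxyConfig` puts the user's attrset on the right of the merge, so a stray `apiVersion` or `kind` in `extraKubeProxyConfig` silently replaces the header the module is supposed to fix, and kube-proxy would then reject the file at runtime rather than at evaluation time. Reversing the merge keeps the schema header authoritative: `cfg.extraKubeProxyConfig // { apiVersion = "kubeproxy.config.k8s.io/v1alpha1"; kind = "KubeProxyConfiguration"; }`. If overriding the header is meant to be allowed, say so in the option description instead. The enclosing `let` block starts outside this hunk.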
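Review bot: `cfg.extraKubeProxyConfig.mode == "nftables"` throws `attribute 'mode' missing` whenever `mode` is unset, which includes the option's own default `{ }`, so every existing k3s configuration that does not use the new option would stop evaluating once `path` is forced. Nix attribute selection is strict here and `lib.optional` evaluates its condition unconditionally. Use a defaulted lookup: `(lib.optional ((cfg.extraKubeProxyConfig.mode or null) == "nftables") pkgs.nftables);`. The existing `(kubeletParams != { })` guard on the next hunk is the shape to mirror; presumably `extraKubeProxyConfig != { }` was intended as the gate here too.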