machine_setup/nix/kubernetes/roles/firewall/default.nix

{
  config,
  lib,
  ...
}:

{
  imports = [ ];

  options.me = {
    firewall.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install firewall.";
    };
  };

  config = lib.mkIf config.me.firewall.enable {
    # kernel modules and settings required by Kubernetes
    boot.kernelModules = [
      "overlay"
      "br_netfilter"
    ];
    boot.kernel.sysctl = {
      "net.bridge.bridge-nf-call-iptables" = 1;
      "net.bridge.bridge-nf-call-ip6tables" = 1;
      "net.ipv4.ip_forward" = 1;
    };

    networking.nftables.enable = true;
    # We want to filter forwarded traffic.
    # Also needed for `networking.firewall.extraForwardRules` to do anything.
    networking.firewall.filterForward = true;
  };
}
Add kube-proxy. 2025-12-16 21:07:39 -05:00			`{`
			`config,`
			`lib,`
			`...`
			`}:`

			`{`
			`imports = [ ];`

			`options.me = {`
			`firewall.enable = lib.mkOption {`
			`type = lib.types.bool;`
			`default = false;`
			`example = true;`
			`description = "Whether we want to install firewall.";`
			`};`
			`};`

			`config = lib.mkIf config.me.firewall.enable {`
			`# kernel modules and settings required by Kubernetes`
			`boot.kernelModules = [`
			`"overlay"`
			`"br_netfilter"`
			`];`
			`boot.kernel.sysctl = {`
			`"net.bridge.bridge-nf-call-iptables" = 1;`
			`"net.bridge.bridge-nf-call-ip6tables" = 1;`
			`"net.ipv4.ip_forward" = 1;`
			`};`

			`networking.nftables.enable = true;`
			`# We want to filter forwarded traffic.`
			# Also needed for `networking.firewall.extraForwardRules` to do anything.
			`networking.firewall.filterForward = true;`
			`};`
			`}`