From f9123510dbe9a2168d8140697ae7e931498dfd6e Mon Sep 17 00:00:00 2001
From: Alexandru Scvortov
Date: Sat, 2 Dec 2023 09:42:51 +0000
Subject: kubernetes: don't always open flannel fw ports
---
 nixos/modules/services/cluster/kubernetes/flannel.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
(limited to 'nixos')
diff --git a/nixos/modules/services/cluster/kubernetes/flannel.nix b/nixos/modules/services/cluster/kubernetes/flannel.nix
index 11c5adc6a8859..dca8996df0831 100644
--- a/nixos/modules/services/cluster/kubernetes/flannel.nix
+++ b/nixos/modules/services/cluster/kubernetes/flannel.nix
@@ -13,6 +13,13 @@ in
 ###### interface
 options.services.kubernetes.flannel = {
 enable = mkEnableOption (lib.mdDoc "flannel networking");
+
+ openFirewallPorts = mkOption {
+ description = lib.mdDoc ''
+ Whether to open the Flannel UDP ports in the firewall on all interfaces.'';
+ type = types.bool;
+ default = true;
+ };
 };
 ###### implementation
@@ -38,7 +45,7 @@ in
 };
 networking = {
- firewall.allowedUDPPorts = [
+ firewall.allowedUDPPorts = mkIf cfg.openFirewallPorts [
 8285 # flannel udp
 8472 # flannel vxlan
 ];
-- 
cgit 1.4.1
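Review bot: The description of the new `openFirewallPorts` option does not say which ports it controls or why an operator would turn it off, and the default of `true` keeps them open on every interface. VXLAN has no authentication of its own, so UDP 8472 reachable from outside the cluster network lets any host that can reach the node hand encapsulated packets to the overlay. I would extend the description to something like `Whether to open the Flannel UDP ports (8285 udp backend, 8472 vxlan) in the firewall on all interfaces. Set to false and use networking.firewall.interfaces.<name>.allowedUDPPorts to limit them to the cluster-facing interface.` As a style point, most NixOS modules call this kind of switch `openFirewall`. The options block is fully inside the hunk, but the enclosing module starts before it.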
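Review bot: In the second hunk both ports are still opened as a pair under `mkIf cfg.openFirewallPorts`, although the inline comments tie 8285 to the udp backend and 8472 to vxlan, so a node presumably needs only one of them. If the configured backend is visible to this module (it is not shown in the hunk), opening only the matching port would narrow what is exposed; failing that, a comment such as `# opens the ports of both backends; only the one for the backend in use is required` would record the over-allowance. The `networking` block continues past the end of the hunk.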