From 4ad1613d4503b192a4d734bd789667b56f70b9b0 Mon Sep 17 00:00:00 2001
From: David Crompton
Date: Fri, 18 Apr 2025 03:27:55 +0000
Subject: [PATCH] Pericyte: enable basic k3s

---
 machines/pericyte/configuration.nix | 1 +
 machines/pericyte/k3s.nix | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+)
 create mode 100644 machines/pericyte/k3s.nix

diff --git a/machines/pericyte/configuration.nix b/machines/pericyte/configuration.nix
index 721d6f6..c89a940 100644
--- a/machines/pericyte/configuration.nix
+++ b/machines/pericyte/configuration.nix
@@ -5,6 +5,7 @@
 "${inputs.nixpkgs}/nixos/modules/profiles/minimal.nix"
 ./microvm-configuration.nix
+ ./k3s.nix
 ];
 nix.settings.experimental-features = [ "nix-command" "flakes" ];
diff --git a/machines/pericyte/k3s.nix b/machines/pericyte/k3s.nix
new file mode 100644
index 0000000..e8e8508
--- /dev/null
+++ b/machines/pericyte/k3s.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+ networking.firewall = {
+ allowedTCPPorts = [
+ 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+ # 2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
+ # 2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
+ ];
+ allowedUDPPorts = [
+ # 8472 # k3s, flannel: required if using multi-node for inter-node networking
+ ];
+ };
+ services.k3s = {
+ enable = true;
+ role = "server";
+ extraFlags = toString [
+ # "--debug" # Optionally add additional args to k3s
+ ];
+ };
+}
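Review bot: The `allowedTCPPorts = [ 6443 ... ]` entry in the new k3s.nix opens the Kubernetes API server on every interface of the host, while the accompanying comment only justifies access from pods; if the API is meant to be reachable only from local pods or from one network, NixOS can scope the rule with `networking.firewall.interfaces.<name>.allowedTCPPorts = [ 6443 ];` instead of the global list. I would also state that intent in the comment, e.g. `# 6443: API server; exposed on all interfaces — restrict per interface if only pods/LAN need it`. Separately, the module signature `{ pkgs, ... }:` binds `pkgs` but the body never uses it, so `{ ... }:` would be the cleaner form. The configuration.nix hunk just adds the import and needs no change.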