From 0c37ff997f97ad84997c18ee998609418c1c11ee Mon Sep 17 00:00:00 2001
From: Lilian Schall
Date: Wed, 31 Dec 2025 16:33:31 +0100
Subject: [PATCH 1/6] feat: added a base config for k3s
---
 modules/networking/default.nix | 5 ++-
 modules/services/default.nix | 1 +
 modules/services/k3s.nix | 56 ++++++++++++++++++++++++++++++++++
 3 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 modules/services/k3s.nix
diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index 7b85d37..de9102e 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -76,7 +76,10 @@ with lib;
 25 993 995
 ] ++ optionals (config.fndx.services.netauth.enable) [
 749 464 88 389 636
- ] ++ cfg.extraAllowedPorts;
+ ] ++ optionals (config.fndx.services.k3s.enable) [
+ 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
+ 8472 # k3s, flannel: required if using multi-node for inter-node networking
+ ] ++ cfg.extraAllowedPorts;
 in {
 enable = true;
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 6813375..af5729e 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -4,6 +4,7 @@
 ./ddclient.nix
 ./docker.nix
 ./jupyterhub.nix
+ ./k3s.nix
 ./keycloak.nix
 ./mailserver.nix
 ./netauth.nix
diff --git a/modules/services/k3s.nix b/modules/services/k3s.nix
new file mode 100644
index 0000000..e56110f
--- /dev/null
+++ b/modules/services/k3s.nix
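Review bot: The new `8472` entry is appended to the same list as the TCP service ports, but flannel's VXLAN backend carries its node-to-node traffic over UDP; if this list is `allowedTCPPorts` (its name is above the hunk, so I can't confirm from here), the UDP port stays closed and TCP 8472 is opened for nothing. Both ports are also opened on every interface towards any source: 6443 is the API server and VXLAN itself has no authentication, so scoping them to the cluster nodes via `networking.firewall.interfaces.<iface>.allowedUDPPorts` / `allowedTCPPorts` or an `extraCommands` rule limited to the node subnet would be the safer default. The `let` binding this list belongs to starts and ends outside the hunk.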
@@ -0,0 +1,56 @@
+{config, lib, pkgs, ...}:
+let
+ cfg = config.fndx.services.k3s;
+in
+with lib;
+{
+ options = {
+ fndx.services.k3s = {
+ enable = mkEnableOption "k3s for ctOS";
+ token = mkOption {
+ example = ["super private token"];
+ type = types.str;
+ description = mdDoc ''
+ The token used for authentication.
+ You can generate this token with the following command:
+ ```sh
+ pwgen -s -n 16 | head -n1
+ ```
+ '';
+ };
+ headNode = mkEnableOption "head node of the cluster";
+ headAddress = mkOption {
+ example = ["http://head-node:6443"];
+ default = "";
+ type = types.str;
+ description = mdDoc ''
+ Set the address towards the head-node of the cluster.
+ Warning: Set this attribute only for nodes that are not the head-node.
+ '';
+ };
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = (cfg.headNode != (cfg.headAddress == "") );
+ message = "The headNode and headAddress attributes have been set together.";
+ }
+ ];
+
+ services.k3s = {
+ enable = true;
+ role = "server";
+ token = cfg.token;
+ clusterInit = cfg.headNode;
+ serverAddr = mkIf (!cfg.headNode) cfg.headAddress;
+ extraFlags = [
+ "--write-kubeconfig-mode \"0644\""
+ "--disable servicelb"
+ "--disable traefik"
+ "--disable localstorage"
+ ];
+ };
+ };
+}
From 301f314862860fdf75357211e9dfc8b876edd939 Mon Sep 17 00:00:00 2001
From: Lilian Schall
Date: Wed, 31 Dec 2025 21:37:22 +0100
Subject: [PATCH 2/6] fix: fixed assertion
---
 modules/services/k3s.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/services/k3s.nix b/modules/services/k3s.nix
index e56110f..93462df 100644
--- a/modules/services/k3s.nix
+++ b/modules/services/k3s.nix
@@ -34,7 +34,7 @@ with lib;
 config = mkIf cfg.enable {
 assertions = [
 {
- assertion = (cfg.headNode != (cfg.headAddress == "") );
+ assertion = (cfg.headNode == (cfg.headAddress == "") );
 message = "The headNode and headAddress attributes have been set together.";
 }
 ];
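Review bot: `token = mkOption { type = types.str; ... }` puts the cluster join secret into the evaluated configuration and therefore into the world-readable Nix store on every node (the upstream `services.k3s.token` option documents the same problem); a `tokenFile` option of `types.path` wired to `services.k3s.tokenFile = cfg.tokenFile;` keeps the secret out of the store. `"--write-kubeconfig-mode \"0644\""` makes `/etc/rancher/k3s/k3s.yaml`, which holds cluster-admin credentials, readable by every local user, so either keep the default mode and hand non-root users a separately chowned copy, or add a comment stating why world-readable is acceptable on these hosts. `--disable localstorage` probably disables nothing, since the k3s packaged component is named `local-storage` in its documentation — worth confirming against the k3s version you deploy. Both `example` values are lists although the options are `types.str`, and the `headAddress` example uses `http://` even though the k3s API on 6443 is TLS-only, so `example = "https://head-node:6443";` is the safer copy-paste.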
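Review bot: With `==` the assertion now also fires when `headNode` is false and `headAddress` is empty, but the message still only describes the "both set" case, so a joining node that simply forgot `headAddress` gets a misleading error; `message = "Set exactly one of headNode or headAddress: the head node must leave headAddress empty, every other node must set it.";` covers both branches. The enclosing `config` attribute set continues past the end of the hunk.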
From 24c11c3f86ee9daa2b5304825f6ef139c916a3bc Mon Sep 17 00:00:00 2001
From: Lilian Schall
Date: Wed, 31 Dec 2025 21:52:42 +0100
Subject: [PATCH 3/6] fix: open the correct ports
---
 modules/networking/default.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/modules/networking/default.nix b/modules/networking/default.nix
index de9102e..287f2ca 100644
--- a/modules/networking/default.nix
+++ b/modules/networking/default.nix
@@ -77,6 +77,8 @@ with lib;
 ] ++ optionals (config.fndx.services.netauth.enable) [
 749 464 88 389 636
 ] ++ optionals (config.fndx.services.k3s.enable) [
+ 2379
+ 2380
 6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
 8472 # k3s, flannel: required if using multi-node for inter-node networking
 ] ++ cfg.extraAllowedPorts;
From cedb9da134e874586810bd489f8ec2eff47f6a05 Mon Sep 17 00:00:00 2001
From: Lilian Schall
Date: Wed, 31 Dec 2025 22:28:19 +0100
Subject: [PATCH 4/6] feat: added longhorn support
---
 modules/services/k3s.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/modules/services/k3s.nix b/modules/services/k3s.nix
index 93462df..8a33221 100644
--- a/modules/services/k3s.nix
+++ b/modules/services/k3s.nix
@@ -52,5 +52,17 @@ with lib;
 "--disable localstorage"
 ];
 };
+
+ # for longhorn
+ systemd.tmpfiles.rules = [
+ "L+ /usr/local/bin - - - - /run/current-system/sw/bin"
+ ];
+ virtualisation.docker.logDriver = "json-file";
+
+ environment.systemPackages = [ pkgs.nfs-utils ];
+ services.openiscsi = {
+ enable = true;
+ name = "${config.networking.hostName}-initiatorhost";
+ };
 };
 }
From c49819f41d21bbb08645fddd1eef383d8f3baca8 Mon Sep 17 00:00:00 2001
From: Lilian Schall
Date: Fri, 2 Jan 2026 15:30:51 +0100
Subject: [PATCH 5/6] feat: enabled again traefik
---
 modules/services/k3s.nix | 1 -
 1 file changed, 1 deletion(-)
diff --git a/modules/services/k3s.nix b/modules/services/k3s.nix
index 8a33221..2548eeb 100644
--- a/modules/services/k3s.nix
+++ b/modules/services/k3s.nix
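Review bot: `2379` and `2380` are the embedded etcd client and peer ports, yet unlike the neighbouring entries they carry no comment and are opened towards every source; k3s's embedded etcd does require client certificates as far as I know, but exposing the datastore beyond the server nodes is still avoidable surface. Suggest `2379 # k3s, embedded etcd: client port, only needed between server nodes` and `2380 # k3s, embedded etcd: peer port, only needed between server nodes`, and restricting both to the node interface or subnet rather than the global allow-list.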
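Review bot: The tmpfiles rule `L+ /usr/local/bin - - - - /run/current-system/sw/bin` uses the `+` modifier, which removes whatever already exists at `/usr/local/bin` before creating the symlink, so any binaries an operator installed there are deleted at activation without warning; `L /usr/local/bin - - - - /run/current-system/sw/bin` (create only if absent) plus a comment naming the tools longhorn expects to find there is the safer form. `virtualisation.docker.logDriver` only has an effect when Docker is enabled on the node, and k3s by default runs on its own containerd, so this line is presumably a no-op here — confirm or drop it. The `# for longhorn` comment would be more useful if it said why each piece is needed, e.g. `# longhorn needs an iSCSI initiator and an NFS client on every node to attach volumes`.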
@@ -48,7 +48,6 @@ with lib;
 extraFlags = [
 "--write-kubeconfig-mode \"0644\""
 "--disable servicelb"
- "--disable traefik"
 "--disable localstorage"
 ];
 };
From bc668ac605d87dc731de0b91d94c40f089028328 Mon Sep 17 00:00:00 2001
From: Lilian Schall
Date: Tue, 13 Jan 2026 16:59:07 +0100
Subject: [PATCH 6/6] feat: updated home-manager in installer
---
 installer/installation.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/installer/installation.nix b/installer/installation.nix
index a5b66a7..2e1aa29 100644
--- a/installer/installation.nix
+++ b/installer/installation.nix
@@ -28,7 +28,7 @@ with lib;
 echo "Test passed!";
 echo "Adding home-manager channel...";
- nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz home-manager;
+ nix-channel --add https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz home-manager;
 nix-channel --update;
 echo "Creating partitions...";