treewide: Format all Nix files

Format all Nix files using the officially approved formatter, making the CI check introduced in the previous commit succeed: nix-build ci -A fmt.check This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153) of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166). This commit will lead to merge conflicts for a number of PRs, up to an estimated ~1100 (~33%) among the PRs with activity in the past 2 months, but that should be lower than what it would be without the previous [partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537). Merge conflicts caused by this commit can now automatically be resolved while rebasing using the [auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase). If you run into any problems regarding any of this, please reach out to the [formatting team](https://nixos.org/community/teams/formatting/) by pinging @NixOS/nix-formatting.
2025-04-01 20:10:43 +02:00
parent 2140bf39e4
commit 374e6bcc40
1523 changed files with 986047 additions and 513621 deletions
--- a/nixos/modules/services/cluster/kubernetes/addons/dns.nix
+++ b/nixos/modules/services/cluster/kubernetes/addons/dns.nix
@@ -1,4 +1,10 @@
-{ config, options, pkgs, lib, ... }:
+{
+  config,
+  options,
+  pkgs,
+  lib,
+  ...
+}:
 let
  version = "1.10.1";
  cfg = config.services.kubernetes.addons.dns;
@@ -7,7 +13,8 @@ let
    health = 10054;
    metrics = 10055;
  };
-in {
+in
+{
  options.services.kubernetes.addons.dns = {
    enable = lib.mkEnableOption "kubernetes dns addon";

@@ -15,11 +22,11 @@ in {
      description = "Dns addon clusterIP";

      # this default is also what kubernetes users
-      default = (
-        lib.concatStringsSep "." (
-          lib.take 3 (lib.splitString "." config.services.kubernetes.apiserver.serviceClusterIpRange
+      default =
+        (lib.concatStringsSep "." (
+          lib.take 3 (lib.splitString "." config.services.kubernetes.apiserver.serviceClusterIpRange)
        ))
-      ) + ".254";
+        + ".254";
      defaultText = lib.literalMD ''
        The `x.y.z.254` IP of
        `config.${options.services.kubernetes.apiserver.serviceClusterIpRange}`.
@@ -48,7 +55,10 @@ in {
        See: <https://github.com/kubernetes/kubernetes/blob/master/cluster/addons/addon-manager/README.md>.
      '';
      default = "Reconcile";
-      type = lib.types.enum [ "Reconcile" "EnsureExists" ];
+      type = lib.types.enum [
+        "Reconcile"
+        "EnsureExists"
+      ];
    };

    coredns = lib.mkOption {
@@ -106,8 +116,9 @@ in {
  };

  config = lib.mkIf cfg.enable {
-    services.kubernetes.kubelet.seedDockerImages =
-      lib.singleton (pkgs.dockerTools.pullImage cfg.coredns);
+    services.kubernetes.kubelet.seedDockerImages = lib.singleton (
+      pkgs.dockerTools.pullImage cfg.coredns
+    );

    services.kubernetes.addonManager.bootstrapAddons = {
      coredns-cr = {
@@ -125,8 +136,16 @@ in {
        rules = [
          {
            apiGroups = [ "" ];
-            resources = [ "endpoints" "services" "pods" "namespaces" ];
-            verbs = [ "list" "watch" ];
+            resources = [
+              "endpoints"
+              "services"
+              "pods"
+              "namespaces"
+            ];
+            verbs = [
+              "list"
+              "watch"
+            ];
          }
          {
            apiGroups = [ "" ];
@@ -136,7 +155,10 @@ in {
          {
            apiGroups = [ "discovery.k8s.io" ];
            resources = [ "endpointslices" ];
-            verbs = [ "list" "watch" ];
+            verbs = [
+              "list"
+              "watch"
+            ];
          }
        ];
      };
@@ -219,10 +241,14 @@ in {
        spec = {
          replicas = cfg.replicas;
          selector = {
-            matchLabels = { k8s-app = "kube-dns"; };
+            matchLabels = {
+              k8s-app = "kube-dns";
+            };
          };
          strategy = {
-            rollingUpdate = { maxUnavailable = 1; };
+            rollingUpdate = {
+              maxUnavailable = 1;
+            };
            type = "RollingUpdate";
          };
          template = {
@@ -234,7 +260,10 @@ in {
            spec = {
              containers = [
                {
-                  args = [ "-conf" "/etc/coredns/Corefile" ];
+                  args = [
+                    "-conf"
+                    "/etc/coredns/Corefile"
+                  ];
                  image = with cfg.coredns; "${imageName}:${finalImageTag}";
                  imagePullPolicy = "Never";
                  livenessProbe = {
@@ -358,7 +387,9 @@ in {
              protocol = "TCP";
            }
          ];
-          selector = { k8s-app = "kube-dns"; };
+          selector = {
+            k8s-app = "kube-dns";
+          };
        };
      };
    };
--- a/nixos/modules/services/cluster/kubernetes/apiserver.nix
+++ b/nixos/modules/services/cluster/kubernetes/apiserver.nix
@@ -1,4 +1,10 @@
-  { config, lib, options, pkgs, ... }:
+{
+  config,
+  lib,
+  options,
+  pkgs,
+  ...
+}:
 let
  top = config.services.kubernetes;
  otop = options.services.kubernetes;
@@ -6,22 +12,40 @@ let

  isRBACEnabled = lib.elem "RBAC" cfg.authorizationMode;

-  apiserverServiceIP = (lib.concatStringsSep "." (
-    lib.take 3 (lib.splitString "." cfg.serviceClusterIpRange
-  )) + ".1");
+  apiserverServiceIP = (
+    lib.concatStringsSep "." (lib.take 3 (lib.splitString "." cfg.serviceClusterIpRange)) + ".1"
+  );
 in
 {

  imports = [
-    (lib.mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "admissionControl" ] [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ])
-    (lib.mkRenamedOptionModule [ "services" "kubernetes" "apiserver" "address" ] ["services" "kubernetes" "apiserver" "bindAddress"])
+    (lib.mkRenamedOptionModule
+      [ "services" "kubernetes" "apiserver" "admissionControl" ]
+      [ "services" "kubernetes" "apiserver" "enableAdmissionPlugins" ]
+    )
+    (lib.mkRenamedOptionModule
+      [ "services" "kubernetes" "apiserver" "address" ]
+      [ "services" "kubernetes" "apiserver" "bindAddress" ]
+    )
    (lib.mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecureBindAddress" ] "")
    (lib.mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "insecurePort" ] "")
    (lib.mkRemovedOptionModule [ "services" "kubernetes" "apiserver" "publicAddress" ] "")
-    (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "servers" ] [ "services" "kubernetes" "apiserver" "etcd" "servers" ])
-    (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "keyFile" ] [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ])
-    (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "certFile" ] [ "services" "kubernetes" "apiserver" "etcd" "certFile" ])
-    (lib.mkRenamedOptionModule [ "services" "kubernetes" "etcd" "caFile" ] [ "services" "kubernetes" "apiserver" "etcd" "caFile" ])
+    (lib.mkRenamedOptionModule
+      [ "services" "kubernetes" "etcd" "servers" ]
+      [ "services" "kubernetes" "apiserver" "etcd" "servers" ]
+    )
+    (lib.mkRenamedOptionModule
+      [ "services" "kubernetes" "etcd" "keyFile" ]
+      [ "services" "kubernetes" "apiserver" "etcd" "keyFile" ]
+    )
+    (lib.mkRenamedOptionModule
+      [ "services" "kubernetes" "etcd" "certFile" ]
+      [ "services" "kubernetes" "apiserver" "etcd" "certFile" ]
+    )
+    (lib.mkRenamedOptionModule
+      [ "services" "kubernetes" "etcd" "caFile" ]
+      [ "services" "kubernetes" "apiserver" "etcd" "caFile" ]
+    )
  ];

  ###### interface
@@ -48,8 +72,18 @@ in
        Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node). See
        <https://kubernetes.io/docs/reference/access-authn-authz/authorization/>
      '';
-      default = ["RBAC" "Node"]; # Enabling RBAC by default, although kubernetes default is AllowAllow
-      type = listOf (enum ["AlwaysAllow" "AlwaysDeny" "ABAC" "Webhook" "RBAC" "Node"]);
+      default = [
+        "RBAC"
+        "Node"
+      ]; # Enabling RBAC by default, although kubernetes default is AllowAllow
+      type = listOf (enum [
+        "AlwaysAllow"
+        "AlwaysDeny"
+        "ABAC"
+        "Webhook"
+        "RBAC"
+        "Node"
+      ]);
    };

    authorizationPolicy = lib.mkOption {
@@ -57,7 +91,7 @@ in
        Kubernetes apiserver authorization policy file. See
        <https://kubernetes.io/docs/reference/access-authn-authz/authorization/>
      '';
-      default = [];
+      default = [ ];
      type = listOf attrs;
    };

@@ -92,7 +126,7 @@ in
        Kubernetes admission control plugins to disable. See
        <https://kubernetes.io/docs/admin/admission-controllers/>
      '';
-      default = [];
+      default = [ ];
      type = listOf str;
    };

@@ -104,14 +138,24 @@ in
        <https://kubernetes.io/docs/admin/admission-controllers/>
      '';
      default = [
-        "NamespaceLifecycle" "LimitRanger" "ServiceAccount"
-        "ResourceQuota" "DefaultStorageClass" "DefaultTolerationSeconds"
+        "NamespaceLifecycle"
+        "LimitRanger"
+        "ServiceAccount"
+        "ResourceQuota"
+        "DefaultStorageClass"
+        "DefaultTolerationSeconds"
        "NodeRestriction"
      ];
      example = [
-        "NamespaceLifecycle" "NamespaceExists" "LimitRanger"
-        "SecurityContextDeny" "ServiceAccount" "ResourceQuota"
-        "PodSecurityPolicy" "NodeRestriction" "DefaultStorageClass"
+        "NamespaceLifecycle"
+        "NamespaceExists"
+        "LimitRanger"
+        "SecurityContextDeny"
+        "ServiceAccount"
+        "ResourceQuota"
+        "PodSecurityPolicy"
+        "NodeRestriction"
+        "DefaultStorageClass"
      ];
      type = listOf str;
    };
@@ -119,7 +163,7 @@ in
    etcd = {
      servers = lib.mkOption {
        description = "List of etcd servers.";
-        default = ["http://127.0.0.1:2379"];
+        default = [ "http://127.0.0.1:2379" ];
        type = types.listOf types.str;
      };

@@ -151,7 +195,7 @@ in

    extraSANs = lib.mkOption {
      description = "Extra x509 Subject Alternative Names to be added to the kubernetes apiserver tls cert.";
-      default = [];
+      default = [ ];
      type = listOf str;
    };

@@ -214,7 +258,10 @@ in
        Kubernetes apiserver storage backend.
      '';
      default = "etcd3";
-      type = enum ["etcd2" "etcd3"];
+      type = enum [
+        "etcd2"
+        "etcd3"
+      ];
    };

    securePort = lib.mkOption {
@@ -309,135 +356,143 @@ in

  };

-
  ###### implementation
  config = lib.mkMerge [

    (lib.mkIf cfg.enable {
-        systemd.services.kube-apiserver = {
-          description = "Kubernetes APIServer Service";
-          wantedBy = [ "kubernetes.target" ];
-          after = [ "network.target" ];
-          serviceConfig = {
-            Slice = "kubernetes.slice";
-            ExecStart = ''
-              ${top.package}/bin/kube-apiserver \
-              --allow-privileged=${lib.boolToString cfg.allowPrivileged} \
-              --authorization-mode=${lib.concatStringsSep "," cfg.authorizationMode} \
-                ${lib.optionalString (lib.elem "ABAC" cfg.authorizationMode)
-                  "--authorization-policy-file=${
-                    pkgs.writeText "kube-auth-policy.jsonl"
-                    (lib.concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.authorizationPolicy)
-                  }"
-                } \
-                ${lib.optionalString (lib.elem "Webhook" cfg.authorizationMode)
-                  "--authorization-webhook-config-file=${cfg.webhookConfig}"
-                } \
-              --bind-address=${cfg.bindAddress} \
-              ${lib.optionalString (cfg.advertiseAddress != null)
-                "--advertise-address=${cfg.advertiseAddress}"} \
-              ${lib.optionalString (cfg.clientCaFile != null)
-                "--client-ca-file=${cfg.clientCaFile}"} \
-              --disable-admission-plugins=${lib.concatStringsSep "," cfg.disableAdmissionPlugins} \
-              --enable-admission-plugins=${lib.concatStringsSep "," cfg.enableAdmissionPlugins} \
-              --etcd-servers=${lib.concatStringsSep "," cfg.etcd.servers} \
-              ${lib.optionalString (cfg.etcd.caFile != null)
-                "--etcd-cafile=${cfg.etcd.caFile}"} \
-              ${lib.optionalString (cfg.etcd.certFile != null)
-                "--etcd-certfile=${cfg.etcd.certFile}"} \
-              ${lib.optionalString (cfg.etcd.keyFile != null)
-                "--etcd-keyfile=${cfg.etcd.keyFile}"} \
-              ${lib.optionalString (cfg.featureGates != {})
-                "--feature-gates=${(lib.concatStringsSep "," (builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates)))}"} \
-              ${lib.optionalString (cfg.basicAuthFile != null)
-                "--basic-auth-file=${cfg.basicAuthFile}"} \
-              ${lib.optionalString (cfg.kubeletClientCaFile != null)
-                "--kubelet-certificate-authority=${cfg.kubeletClientCaFile}"} \
-              ${lib.optionalString (cfg.kubeletClientCertFile != null)
-                "--kubelet-client-certificate=${cfg.kubeletClientCertFile}"} \
-              ${lib.optionalString (cfg.kubeletClientKeyFile != null)
-                "--kubelet-client-key=${cfg.kubeletClientKeyFile}"} \
-              ${lib.optionalString (cfg.preferredAddressTypes != null)
-                "--kubelet-preferred-address-types=${cfg.preferredAddressTypes}"} \
-              ${lib.optionalString (cfg.proxyClientCertFile != null)
-                "--proxy-client-cert-file=${cfg.proxyClientCertFile}"} \
-              ${lib.optionalString (cfg.proxyClientKeyFile != null)
-                "--proxy-client-key-file=${cfg.proxyClientKeyFile}"} \
-              ${lib.optionalString (cfg.runtimeConfig != "")
-                "--runtime-config=${cfg.runtimeConfig}"} \
-              --secure-port=${toString cfg.securePort} \
-              --api-audiences=${toString cfg.apiAudiences} \
-              --service-account-issuer=${toString cfg.serviceAccountIssuer} \
-              --service-account-signing-key-file=${cfg.serviceAccountSigningKeyFile} \
-              --service-account-key-file=${cfg.serviceAccountKeyFile} \
-              --service-cluster-ip-range=${cfg.serviceClusterIpRange} \
-              --storage-backend=${cfg.storageBackend} \
-              ${lib.optionalString (cfg.tlsCertFile != null)
-                "--tls-cert-file=${cfg.tlsCertFile}"} \
-              ${lib.optionalString (cfg.tlsKeyFile != null)
-                "--tls-private-key-file=${cfg.tlsKeyFile}"} \
-              ${lib.optionalString (cfg.tokenAuthFile != null)
-                "--token-auth-file=${cfg.tokenAuthFile}"} \
-              ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
-              ${cfg.extraOpts}
-            '';
-            WorkingDirectory = top.dataDir;
-            User = "kubernetes";
-            Group = "kubernetes";
-            AmbientCapabilities = "cap_net_bind_service";
-            Restart = "on-failure";
-            RestartSec = 5;
-          };
-
-          unitConfig = {
-            StartLimitIntervalSec = 0;
-          };
+      systemd.services.kube-apiserver = {
+        description = "Kubernetes APIServer Service";
+        wantedBy = [ "kubernetes.target" ];
+        after = [ "network.target" ];
+        serviceConfig = {
+          Slice = "kubernetes.slice";
+          ExecStart = ''
+            ${top.package}/bin/kube-apiserver \
+            --allow-privileged=${lib.boolToString cfg.allowPrivileged} \
+            --authorization-mode=${lib.concatStringsSep "," cfg.authorizationMode} \
+              ${lib.optionalString (lib.elem "ABAC" cfg.authorizationMode) "--authorization-policy-file=${pkgs.writeText "kube-auth-policy.jsonl" (lib.concatMapStringsSep "\n" (l: builtins.toJSON l) cfg.authorizationPolicy)}"} \
+              ${lib.optionalString (lib.elem "Webhook" cfg.authorizationMode) "--authorization-webhook-config-file=${cfg.webhookConfig}"} \
+            --bind-address=${cfg.bindAddress} \
+            ${lib.optionalString (cfg.advertiseAddress != null) "--advertise-address=${cfg.advertiseAddress}"} \
+            ${lib.optionalString (cfg.clientCaFile != null) "--client-ca-file=${cfg.clientCaFile}"} \
+            --disable-admission-plugins=${lib.concatStringsSep "," cfg.disableAdmissionPlugins} \
+            --enable-admission-plugins=${lib.concatStringsSep "," cfg.enableAdmissionPlugins} \
+            --etcd-servers=${lib.concatStringsSep "," cfg.etcd.servers} \
+            ${lib.optionalString (cfg.etcd.caFile != null) "--etcd-cafile=${cfg.etcd.caFile}"} \
+            ${lib.optionalString (cfg.etcd.certFile != null) "--etcd-certfile=${cfg.etcd.certFile}"} \
+            ${lib.optionalString (cfg.etcd.keyFile != null) "--etcd-keyfile=${cfg.etcd.keyFile}"} \
+            ${
+              lib.optionalString (cfg.featureGates != { })
+                "--feature-gates=${
+                  (lib.concatStringsSep "," (
+                    builtins.attrValues (lib.mapAttrs (n: v: "${n}=${lib.trivial.boolToString v}") cfg.featureGates)
+                  ))
+                }"
+            } \
+            ${lib.optionalString (cfg.basicAuthFile != null) "--basic-auth-file=${cfg.basicAuthFile}"} \
+            ${
+              lib.optionalString (
+                cfg.kubeletClientCaFile != null
+              ) "--kubelet-certificate-authority=${cfg.kubeletClientCaFile}"
+            } \
+            ${
+              lib.optionalString (
+                cfg.kubeletClientCertFile != null
+              ) "--kubelet-client-certificate=${cfg.kubeletClientCertFile}"
+            } \
+            ${
+              lib.optionalString (
+                cfg.kubeletClientKeyFile != null
+              ) "--kubelet-client-key=${cfg.kubeletClientKeyFile}"
+            } \
+            ${
+              lib.optionalString (
+                cfg.preferredAddressTypes != null
+              ) "--kubelet-preferred-address-types=${cfg.preferredAddressTypes}"
+            } \
+            ${
+              lib.optionalString (
+                cfg.proxyClientCertFile != null
+              ) "--proxy-client-cert-file=${cfg.proxyClientCertFile}"
+            } \
+            ${
+              lib.optionalString (
+                cfg.proxyClientKeyFile != null
+              ) "--proxy-client-key-file=${cfg.proxyClientKeyFile}"
+            } \
+            ${lib.optionalString (cfg.runtimeConfig != "") "--runtime-config=${cfg.runtimeConfig}"} \
+            --secure-port=${toString cfg.securePort} \
+            --api-audiences=${toString cfg.apiAudiences} \
+            --service-account-issuer=${toString cfg.serviceAccountIssuer} \
+            --service-account-signing-key-file=${cfg.serviceAccountSigningKeyFile} \
+            --service-account-key-file=${cfg.serviceAccountKeyFile} \
+            --service-cluster-ip-range=${cfg.serviceClusterIpRange} \
+            --storage-backend=${cfg.storageBackend} \
+            ${lib.optionalString (cfg.tlsCertFile != null) "--tls-cert-file=${cfg.tlsCertFile}"} \
+            ${lib.optionalString (cfg.tlsKeyFile != null) "--tls-private-key-file=${cfg.tlsKeyFile}"} \
+            ${lib.optionalString (cfg.tokenAuthFile != null) "--token-auth-file=${cfg.tokenAuthFile}"} \
+            ${lib.optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \
+            ${cfg.extraOpts}
+          '';
+          WorkingDirectory = top.dataDir;
+          User = "kubernetes";
+          Group = "kubernetes";
+          AmbientCapabilities = "cap_net_bind_service";
+          Restart = "on-failure";
+          RestartSec = 5;
        };

-        services.etcd = {
-          clientCertAuth = lib.mkDefault true;
-          peerClientCertAuth = lib.mkDefault true;
-          listenClientUrls = lib.mkDefault ["https://0.0.0.0:2379"];
-          listenPeerUrls = lib.mkDefault ["https://0.0.0.0:2380"];
-          advertiseClientUrls = lib.mkDefault ["https://${top.masterAddress}:2379"];
-          initialCluster = lib.mkDefault ["${top.masterAddress}=https://${top.masterAddress}:2380"];
-          name = lib.mkDefault top.masterAddress;
-          initialAdvertisePeerUrls = lib.mkDefault ["https://${top.masterAddress}:2380"];
+        unitConfig = {
+          StartLimitIntervalSec = 0;
        };
+      };

-        services.kubernetes.addonManager.bootstrapAddons = lib.mkIf isRBACEnabled {
+      services.etcd = {
+        clientCertAuth = lib.mkDefault true;
+        peerClientCertAuth = lib.mkDefault true;
+        listenClientUrls = lib.mkDefault [ "https://0.0.0.0:2379" ];
+        listenPeerUrls = lib.mkDefault [ "https://0.0.0.0:2380" ];
+        advertiseClientUrls = lib.mkDefault [ "https://${top.masterAddress}:2379" ];
+        initialCluster = lib.mkDefault [ "${top.masterAddress}=https://${top.masterAddress}:2380" ];
+        name = lib.mkDefault top.masterAddress;
+        initialAdvertisePeerUrls = lib.mkDefault [ "https://${top.masterAddress}:2380" ];
+      };

-          apiserver-kubelet-api-admin-crb = {
-            apiVersion = "rbac.authorization.k8s.io/v1";
-            kind = "ClusterRoleBinding";
-            metadata = {
-              name = "system:kube-apiserver:kubelet-api-admin";
-            };
-            roleRef = {
-              apiGroup = "rbac.authorization.k8s.io";
-              kind = "ClusterRole";
-              name = "system:kubelet-api-admin";
-            };
-            subjects = [{
+      services.kubernetes.addonManager.bootstrapAddons = lib.mkIf isRBACEnabled {
+
+        apiserver-kubelet-api-admin-crb = {
+          apiVersion = "rbac.authorization.k8s.io/v1";
+          kind = "ClusterRoleBinding";
+          metadata = {
+            name = "system:kube-apiserver:kubelet-api-admin";
+          };
+          roleRef = {
+            apiGroup = "rbac.authorization.k8s.io";
+            kind = "ClusterRole";
+            name = "system:kubelet-api-admin";
+          };
+          subjects = [
+            {
              kind = "User";
              name = "system:kube-apiserver";
-            }];
-          };
-
+            }
+          ];
        };

+      };
+
      services.kubernetes.pki.certs = with top.lib; {
        apiServer = mkCert {
          name = "kube-apiserver";
          CN = "kubernetes";
          hosts = [
-                    "kubernetes.default.svc"
-                    "kubernetes.default.svc.${top.addons.dns.clusterDomain}"
-                    cfg.advertiseAddress
-                    top.masterAddress
-                    apiserverServiceIP
-                    "127.0.0.1"
-                  ] ++ cfg.extraSANs;
+            "kubernetes.default.svc"
+            "kubernetes.default.svc.${top.addons.dns.clusterDomain}"
+            cfg.advertiseAddress
+            top.masterAddress
+            apiserverServiceIP
+            "127.0.0.1"
+          ] ++ cfg.extraSANs;
          action = "systemctl restart kube-apiserver.service";
        };
        apiserverProxyClient = mkCert {
@@ -467,11 +522,11 @@ in
          name = "etcd";
          CN = top.masterAddress;
          hosts = [
-                    "etcd.local"
-                    "etcd.${top.addons.dns.clusterDomain}"
-                    top.masterAddress
-                    cfg.advertiseAddress
-                  ];
+            "etcd.local"
+            "etcd.${top.addons.dns.clusterDomain}"
+            top.masterAddress
+            cfg.advertiseAddress
+          ];
          privateKeyOwner = "etcd";
          action = "systemctl restart etcd.service";
        };
--- a/nixos/modules/services/cluster/kubernetes/proxy.nix
+++ b/nixos/modules/services/cluster/kubernetes/proxy.nix
@@ -1,4 +1,10 @@
-{ config, lib, options, pkgs, ... }:
+{
+  config,
+  lib,
+  options,
+  pkgs,
+  ...
+}:

 with lib;

@@ -9,7 +15,10 @@ let
 in
 {
  imports = [
-    (mkRenamedOptionModule [ "services" "kubernetes" "proxy" "address" ] ["services" "kubernetes" "proxy" "bindAddress"])
+    (mkRenamedOptionModule
+      [ "services" "kubernetes" "proxy" "address" ]
+      [ "services" "kubernetes" "proxy" "bindAddress" ]
+    )
  ];

  ###### interface
@@ -62,16 +71,24 @@ in
      description = "Kubernetes Proxy Service";
      wantedBy = [ "kubernetes.target" ];
      after = [ "kube-apiserver.service" ];
-      path = with pkgs; [ iptables conntrack-tools ];
+      path = with pkgs; [
+        iptables
+        conntrack-tools
+      ];
      serviceConfig = {
        Slice = "kubernetes.slice";
        ExecStart = ''
          ${top.package}/bin/kube-proxy \
          --bind-address=${cfg.bindAddress} \
-          ${optionalString (top.clusterCidr!=null)
-            "--cluster-cidr=${top.clusterCidr}"} \
-          ${optionalString (cfg.featureGates != {})
-            "--feature-gates=${concatStringsSep "," (builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates))}"} \
+          ${optionalString (top.clusterCidr != null) "--cluster-cidr=${top.clusterCidr}"} \
+          ${
+            optionalString (cfg.featureGates != { })
+              "--feature-gates=${
+                concatStringsSep "," (
+                  builtins.attrValues (mapAttrs (n: v: "${n}=${trivial.boolToString v}") cfg.featureGates)
+                )
+              }"
+          } \
          --hostname-override=${cfg.hostname} \
          --kubeconfig=${top.lib.mkKubeConfig "kube-proxy" cfg.kubeconfig} \
          ${optionalString (cfg.verbosity != null) "--v=${toString cfg.verbosity}"} \