From 3ee32f0ea903ae0fc88f0173b733d7e02534c97c Mon Sep 17 00:00:00 2001
From: Alexandru Scvortov <code@scvalex.net>
Date: Mon, 28 Jun 2021 20:33:17 +0100
Subject: [PATCH 1/2] kubernetes: fix conntrack-tools package name, missing
 dir, and tests

(cherry picked from commit ab1567e8121dfcdb4f7a395b39a3a345f41c7474)
---
 nixos/modules/services/cluster/kubernetes/pki.nix   | 1 +
 nixos/modules/services/cluster/kubernetes/proxy.nix | 2 +-
 nixos/tests/kubernetes/base.nix                     | 9 ++++++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/cluster/kubernetes/pki.nix b/nixos/modules/services/cluster/kubernetes/pki.nix
index 8de6a3ba0d8..d9311d3e3a0 100644
--- a/nixos/modules/services/cluster/kubernetes/pki.nix
+++ b/nixos/modules/services/cluster/kubernetes/pki.nix
@@ -189,6 +189,7 @@ in
         # manually paste it in place. Just symlink.
         # otherwise, create the target file, ready for users to insert the token
 
+        mkdir -p $(dirname ${certmgrAPITokenPath})
         if [ -f "${cfsslAPITokenPath}" ]; then
           ln -fs "${cfsslAPITokenPath}" "${certmgrAPITokenPath}"
         else
diff --git a/nixos/modules/services/cluster/kubernetes/proxy.nix b/nixos/modules/services/cluster/kubernetes/proxy.nix
index 7aa449f9aa2..42729f54643 100644
--- a/nixos/modules/services/cluster/kubernetes/proxy.nix
+++ b/nixos/modules/services/cluster/kubernetes/proxy.nix
@@ -59,7 +59,7 @@ in
       description = "Kubernetes Proxy Service";
       wantedBy = [ "kubernetes.target" ];
       after = [ "kube-apiserver.service" ];
-      path = with pkgs; [ iptables conntrack_tools ];
+      path = with pkgs; [ iptables conntrack-tools ];
       serviceConfig = {
         Slice = "kubernetes.slice";
         ExecStart = ''${top.package}/bin/kube-proxy \
diff --git a/nixos/tests/kubernetes/base.nix b/nixos/tests/kubernetes/base.nix
index 8cfac10b6dc..1f23ca55fb2 100644
--- a/nixos/tests/kubernetes/base.nix
+++ b/nixos/tests/kubernetes/base.nix
@@ -40,7 +40,7 @@ let
                   allowedTCPPorts = [
                     10250 # kubelet
                   ];
-                  trustedInterfaces = ["docker0"];
+                  trustedInterfaces = ["mynet"];
 
                   extraCommands = concatMapStrings  (node: ''
                     iptables -A INPUT -s ${node.config.networking.primaryIPAddress} -j ACCEPT
@@ -61,6 +61,13 @@ let
                   advertiseAddress = master.ip;
                 };
                 masterAddress = "${masterName}.${config.networking.domain}";
+                # workaround for:
+                #   https://github.com/kubernetes/kubernetes/issues/102676
+                #   (workaround from) https://github.com/kubernetes/kubernetes/issues/95488
+                kubelet.extraOpts = ''\
+                  --cgroups-per-qos=false \
+                  --enforce-node-allocatable="" \
+                '';
               };
             }
             (optionalAttrs (any (role: role == "master") machine.roles) {

From 5ea98b810c0c28e86403ca28319fd355c0339f18 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sat, 3 Jul 2021 10:41:13 +0000
Subject: [PATCH 2/2] mercurial: fix patch links again

The conclusion is that Phabricator does not, in fact, generate stable
patch links. In any case, these have landed, so we can just use the
patches from Mercurial's hgweb instance instead, which should be more
stable.

(cherry picked from commit 67444f8a393846b1431cfeb936e83a9f24725e2d)
---
 .../applications/version-management/mercurial/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
index 3caf499d31a..492f8e46ebe 100644
--- a/pkgs/applications/version-management/mercurial/default.nix
+++ b/pkgs/applications/version-management/mercurial/default.nix
@@ -20,13 +20,13 @@ in python3Packages.buildPythonApplication rec {
   patches = [
     # https://phab.mercurial-scm.org/D10638, needed for below patch to apply
     (fetchpatch {
-      url = "https://phab.mercurial-scm.org/file/data/oymk4awh2dd7q6cwjbzu/PHID-FILE-bfcr7qrp5spg42wspxpd/D10638.diff";
-      sha256 = "0mfi324is02l7cnd3j0gbmg5rpyyqn3afg3f73flnfwmz5njqa5f";
+      url = "https://www.mercurial-scm.org/repo/hg/raw-rev/c365850b611490a5fdb235eb1cea310a542c2f84";
+      sha256 = "1gn3xvahbjdhbglffqpmj559w1bkqqsk70wqcanwv7nh972aqy9g";
     })
     # https://phab.mercurial-scm.org/D10639, fixes https://bz.mercurial-scm.org/show_bug.cgi?id=6514
     (fetchpatch {
-      url = "https://phab.mercurial-scm.org/file/data/re4uqdhtknjiacx2ogwu/PHID-FILE-4m26id65dno5gzix2ngh/D10639.diff";
-      sha256 = "0h5ilrd2x1789fr6sf4k1mcvxdh0xdyr94yawdacw87v3x12c8cb";
+      url = "https://www.mercurial-scm.org/repo/hg/raw-rev/c8f62920f07a40af3403ba9aefa1dac8a97d53ea";
+      sha256 = "1kw0xjg2c4jby0ncarjvpa5qafsyl1wzbk6jxls4hnxlxdl53nmn";
     })
   ];