Configure private Docker registry.

k8s.nix

@@ -3,7 +3,6 @@ let
   pkgs = import <nixpkgs> {};
 
   etcdServers = [ "etcd0" "etcd1" "etcd2" ];
-  # etcdServers = [ "k8s0-0" "k8s0-1" "k8s0-2" ];
   etcdEndpoints = builtins.map (x: "https://${x}:2379") etcdServers;
   etcdCluster =  builtins.map (x: "${x}=https://${x}:2380") etcdServers;
 
@@ -32,6 +31,7 @@ let
   };
 
   kubeConfig = {
+    systemd.services.kubelet.path = [ pkgs.socat ];
     services.flannel = {
       enable = true;
       network = "10.10.0.0/16";
@@ -83,6 +83,7 @@ let
         extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE'';
       };
     };
+    virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8";
   };
 
   kubeMaster = {
@@ -156,6 +157,10 @@ in
       services.dockerRegistry = {
         enable = true;
         listenAddress = "0.0.0.0";
+        extraConfig = {
+          REGISTRY_HTTP_TLS_CERTIFICATE = "${apiserver_cert}";
+          REGISTRY_HTTP_TLS_KEY = "${apiserver_key}";
+        };
       };
     };