Remove docker0 masquerading rule, and fix hostname-override.

The masq rule interfered with svc.spec.externalTrafficPolicy=Local.
The default hostname-override has a bug for kube-proxy in nix.

modules/k8s.nix

@@ -33,11 +33,12 @@ let
 
     cluster-scripts =
       let
+        first = builtins.head cfg.k8s.ingressNodes;
+        rest =  builtins.tail cfg.k8s.ingressNodes;
         ingressNodes = builtins.foldl' (a: x:
-          a + ",${x}") "${cfg.k8s.master.name}"
+          a + ",${x}") first rest;
-          cfg.k8s.extraIngressNodes;
         ingressReplicaCount =
-           builtins.toString (1 + builtins.length cfg.k8s.extraIngressNodes);
+           builtins.toString (builtins.length cfg.k8s.ingressNodes);
         show-kubernetes-charts-config = ''
             #!/usr/bin/env bash
             cat << EOF
@@ -280,6 +281,8 @@ let
       masterAddress = "${cfg.k8s.master.name}.${cfg.domain}";
       clusterCidr = cfg.k8s.cidr;
       # kubelet.clusterDomain = "${cfg.clusterName}.local";
+      kubelet.hostname = "${cfg.hostName}.${cfg.domain}";
+      proxy.hostname = "${cfg.hostName}.${cfg.domain}";
     };
 
     networking = {
@@ -287,7 +290,6 @@ let
         enable = true;
         allowedTCPPorts = [ 4194 10250 ];
         allowedUDPPorts = [ 53 ];
-        extraCommands = ''iptables -m comment --comment "pod external access" -t nat -A POSTROUTING ! -d 10.10.0.0/16 -m addrtype ! --dst-type LOCAL -j MASQUERADE'';
       };
     };
     virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8";
@@ -322,9 +324,9 @@ in {
       default = "10.0.0.0/16";
     };
 
-    extraIngressNodes = mkOption {
+    ingressNodes = mkOption {
       type = types.listOf types.str;
-      default = [];
+      default = null;
     };
 
     master = {