diff --git a/common/k3s-cluster.nix b/common/k3s-cluster.nix
index f39c4e5..7dc2dbe 100644
--- a/common/k3s-cluster.nix
+++ b/common/k3s-cluster.nix
@@ -13,18 +13,7 @@ in {
 options = with types; {
- services.k3s-cluster.secretNamespace = mkOption {
- type = nullOr str;
- description = ''
- namespace used with deterministic-passwords to isolate the
- secrets for this cluster. this should be the same for all
- members of the cluster, agent or server, and different for all
- other clusters.
- '';
- default = null;
- };
 services.k3s-cluster.enabled = mkEnableOption "k3s cluster";
-
 services.k3s-cluster.leader = mkOption {
 default = null;
 type = nullOr str;
@@ -59,10 +48,24 @@ options = with types; {
 type = str;
 description = "server or agent, passed on to k3s";
 };
+ system.build.k3s-cluster-inject-token = mkOption {
+ type = lines;
+ description = ''
+ commands to run to inject the token and restart the k3s node
+ '';
+ default = ''
+ DIDIP=no
+ if [ x"$AGENT_TOKEN" != x ];then echo "$AGENT_TOKEN" > ${shq services.k3s-cluster.agentTokenFile}; DIDIP=yes; fi
+ if [ x"$SERVER_TOKEN" != x ];then echo "$SERVER_TOKEN" > ${shq services.k3s-cluster.serverTokenFile}; DIDIP=yes; fi
+ [ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)
+ '';
+ };
 };
-config = { services.k3s = mkIf cfg.enabled (
+config = {
+
+services.k3s = mkIf cfg.enabled (
 if (cfg.role == "server") then {
 extraFlags = mkForce "--cluster-init ${serverArg} ${agentTokenFileArg} ${serverTokenFileArg}";
 enable = mkForce true;
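Review bot: The restart guard in the new `system.build.k3s-cluster-inject-token` default, `[ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)`, tests a non-empty literal string rather than the variable, so it is always true and k3s is restarted even when neither token was supplied; it should read `[ "$DIDIP" = yes ] && systemctl restart k3s`. The two `echo "$AGENT_TOKEN" > …` / `echo "$SERVER_TOKEN" > …` redirections create the token files with whatever umask the caller happens to have, so a `umask 077` as the first line of the script (or writing through `install -m 0600`) would keep the cluster-join tokens from ending up world-readable. The default string also references `shq` and `services.k3s-cluster.agentTokenFile` / `serverTokenFile` from inside the `options` declaration, none of which is bound in this hunk; unless the `let` block above defines them, evaluating the option will fail with an undefined variable rather than producing a script, which is worth checking because `default` is only evaluated when something reads the option.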
@@ -75,45 +78,28 @@ config = { services.k3s = mkIf cfg.enabled (
 } );
-systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
- sockets = {
- tokenCAHash = {
- listenStreams = [ "0.0.0.0:65479" ];
- wantedBy = [ "multi-user.target" ];
- socketConfig.Accept = "yes";
- };
- };
- services = {
- "tokenCAHash@" = {
- script = ''
- cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
- '';
- startLimitIntervalSec = 0;
- serviceConfig.Type = "oneshot";
- serviceConfig.StandardInput = "socket";
- };
- };
-};
+# systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
+# sockets = {
+# tokenCAHash = {
+# listenStreams = [ "0.0.0.0:65479" ];
+# wantedBy = [ "multi-user.target" ];
+# socketConfig.Accept = "yes";
+# };
+# };
+# services = {
+# "tokenCAHash@" = {
+# script = ''
+# cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
+# '';
+# startLimitIntervalSec = 0;
+# serviceConfig.Type = "oneshot";
+# serviceConfig.StandardInput = "socket";
+# };
+# };
+# };
 networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];
 networking.firewall.allowedUDPPorts = mkIf cfg.enabled [ 53 ];
-environment.deterministic-passwords.secrets = mkIf (cfg.enabled) {
- "k3s-agent-token" = {
- namespace = cfg.secretNamespace;
- destination = agentTokenFilename;
- before = ["k3s.service"];
- writer = ''
- echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
- '';
- };
- "k3s-server-token" = mkIf (cfg.role == "server") {
- namespace = cfg.secretNamespace;
- destination = serverTokenFilename;
- before = ["k3s.service"];
- writer = ''
- echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
- '';
- };
-};};
+}; }
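Review bot: `networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];` still opens 65479, but the `tokenCAHash` socket that listened on that port is now commented out, so the port is left open with nothing behind it; change it to `networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 ];` or tie it to the same condition as the service if it is ever re-enabled. The twenty commented-out `systemd` lines are dead code that git history already preserves, and leaving them in invites someone to uncomment a service that handed out the first field of the agent-token file to any host that could reach 0.0.0.0:65479 without authentication; deleting the block outright is the safer choice. If it is intentionally kept as a reference, a one-line comment saying why, and that 65479 must only be opened together with it, would make that intent explicit.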