wip k3s-cluster changes
This commit is contained in:
parent
258b9ef494
commit
bbae989b34
|
@ -13,18 +13,7 @@ in
|
||||||
{
|
{
|
||||||
|
|
||||||
options = with types; {
|
options = with types; {
|
||||||
services.k3s-cluster.secretNamespace = mkOption {
|
|
||||||
type = nullOr str;
|
|
||||||
description = ''
|
|
||||||
namespace used with deterministic-passwords to isolate the
|
|
||||||
secrets for this cluster. this should be the same for all
|
|
||||||
members of the cluster, agent or server, and different for all
|
|
||||||
other clusters.
|
|
||||||
'';
|
|
||||||
default = null;
|
|
||||||
};
|
|
||||||
services.k3s-cluster.enabled = mkEnableOption "k3s cluster";
|
services.k3s-cluster.enabled = mkEnableOption "k3s cluster";
|
||||||
|
|
||||||
services.k3s-cluster.leader = mkOption {
|
services.k3s-cluster.leader = mkOption {
|
||||||
default = null;
|
default = null;
|
||||||
type = nullOr str;
|
type = nullOr str;
|
||||||
|
@ -59,10 +48,24 @@ options = with types; {
|
||||||
type = str;
|
type = str;
|
||||||
description = "server or agent, passed on to k3s";
|
description = "server or agent, passed on to k3s";
|
||||||
};
|
};
|
||||||
|
system.build.k3s-cluster-inject-token = mkOption {
|
||||||
|
type = lines;
|
||||||
|
description = ''
|
||||||
|
commands to run to inject the token and restart the k3s node
|
||||||
|
'';
|
||||||
|
default = ''
|
||||||
|
DIDIP=no
|
||||||
|
if [ x"$AGENT_TOKEN" != x ];then echo "$AGENT_TOKEN" > ${shq services.k3s-cluster.agentTokenFile}; DIDIP=yes; fi
|
||||||
|
if [ x"$SERVER_TOKEN" != x ];then echo "$SERVER_TOKEN" > ${shq services.k3s-cluster.serverTokenFile}; DIDIP=yes; fi
|
||||||
|
[ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
config = { services.k3s = mkIf cfg.enabled (
|
config = {
|
||||||
|
|
||||||
|
services.k3s = mkIf cfg.enabled (
|
||||||
if (cfg.role == "server") then {
|
if (cfg.role == "server") then {
|
||||||
extraFlags = mkForce "--cluster-init ${serverArg} ${agentTokenFileArg} ${serverTokenFileArg}";
|
extraFlags = mkForce "--cluster-init ${serverArg} ${agentTokenFileArg} ${serverTokenFileArg}";
|
||||||
enable = mkForce true;
|
enable = mkForce true;
|
||||||
|
@ -75,45 +78,28 @@ config = { services.k3s = mkIf cfg.enabled (
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
||||||
systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
|
# systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
|
||||||
sockets = {
|
# sockets = {
|
||||||
tokenCAHash = {
|
# tokenCAHash = {
|
||||||
listenStreams = [ "0.0.0.0:65479" ];
|
# listenStreams = [ "0.0.0.0:65479" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
# wantedBy = [ "multi-user.target" ];
|
||||||
socketConfig.Accept = "yes";
|
# socketConfig.Accept = "yes";
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
services = {
|
# services = {
|
||||||
"tokenCAHash@" = {
|
# "tokenCAHash@" = {
|
||||||
script = ''
|
# script = ''
|
||||||
cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
|
# cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
|
||||||
'';
|
# '';
|
||||||
startLimitIntervalSec = 0;
|
# startLimitIntervalSec = 0;
|
||||||
serviceConfig.Type = "oneshot";
|
# serviceConfig.Type = "oneshot";
|
||||||
serviceConfig.StandardInput = "socket";
|
# serviceConfig.StandardInput = "socket";
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
};
|
# };
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];
|
networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];
|
||||||
networking.firewall.allowedUDPPorts = mkIf cfg.enabled [ 53 ];
|
networking.firewall.allowedUDPPorts = mkIf cfg.enabled [ 53 ];
|
||||||
|
|
||||||
environment.deterministic-passwords.secrets = mkIf (cfg.enabled) {
|
|
||||||
"k3s-agent-token" = {
|
|
||||||
namespace = cfg.secretNamespace;
|
|
||||||
destination = agentTokenFilename;
|
|
||||||
before = ["k3s.service"];
|
|
||||||
writer = ''
|
|
||||||
echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
"k3s-server-token" = mkIf (cfg.role == "server") {
|
|
||||||
namespace = cfg.secretNamespace;
|
|
||||||
destination = serverTokenFilename;
|
|
||||||
before = ["k3s.service"];
|
|
||||||
writer = ''
|
|
||||||
echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};};
|
|
||||||
}
|
}
|
||||||
|
|
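Review bot: The `[ DIDIP=yes ]` test in the new `system.build.k3s-cluster-inject-token` default (second hunk) is always true — `[` sees one non-empty word, so k3s is stopped and restarted even when neither token was supplied; it should read `[ "$DIDIP" = yes ] && (systemctl stop k3s ; systemctl start k3s)`. The two `echo "$AGENT_TOKEN" > …` / `echo "$SERVER_TOKEN" > …` lines write cluster-join secrets with whatever umask the caller happens to have; prefixing the script with `umask 077` (or writing via `install -m 0600`) keeps the token files unreadable to other users. `${shq services.k3s-cluster.agentTokenFile}` interpolates `services.…` rather than `cfg.…`; unless `services` is bound in the enclosing scope (not visible in these hunks) the option default will fail to evaluate. In the third hunk the tokenCAHash socket unit is commented out, yet `networking.firewall.allowedTCPPorts` still opens 65479 and the removed secrets' writer still connected to it — drop 65479 from the list until a listener exists again, so the firewall only exposes ports something actually serves.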