wip k3s-cluster changes

2022-10-19 16:54:38 -05:00 · 2022-10-19 16:54:38 -05:00 · bbae989b34
commit bbae989b34
parent 258b9ef494
1 changed files with 35 additions and 49 deletions
--- a/common/k3s-cluster.nix
+++ b/common/k3s-cluster.nix
@ -13,18 +13,7 @@ in
 {
 options = with types; {
    services.k3s-cluster.secretNamespace = mkOption {
            type = nullOr str;
            description = ''
        	namespace used with deterministic-passwords to isolate the
        	secrets for this cluster.  this should be the same for all
        	members of the cluster, agent or server, and different for all
        	other clusters.
            '';
 	    default = null;
        };
    services.k3s-cluster.enabled = mkEnableOption "k3s cluster";
    services.k3s-cluster.leader = mkOption {
            default = null;
            type = nullOr str;
@ -59,10 +48,24 @@ options = with types; {
            type = str;
            description = "server or agent, passed on to k3s";
        };
    system.build.k3s-cluster-inject-token = mkOption {
            type = lines;
 	    description = ''
 	        commands to run to inject the token and restart the k3s node
 	    '';
 	    default = ''
 	        DIDIP=no
 	        if [ x"$AGENT_TOKEN" != x ];then echo "$AGENT_TOKEN" > ${shq services.k3s-cluster.agentTokenFile}; DIDIP=yes; fi
 	        if [ x"$SERVER_TOKEN" != x ];then echo "$SERVER_TOKEN" > ${shq services.k3s-cluster.serverTokenFile}; DIDIP=yes; fi
 	        [ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)
 	    '';
        };
 };
-config = { services.k3s = mkIf cfg.enabled (
+config = {
 services.k3s = mkIf cfg.enabled (
    if (cfg.role == "server") then {
        extraFlags = mkForce "--cluster-init ${serverArg} ${agentTokenFileArg} ${serverTokenFileArg}";
        enable = mkForce true;
@ -75,45 +78,28 @@ config = { services.k3s = mkIf cfg.enabled (
    }
 );
-systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
+# systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
-  sockets = {
+#   sockets = {
-    tokenCAHash = {
+#     tokenCAHash = {
-      listenStreams = [ "0.0.0.0:65479" ];
+#       listenStreams = [ "0.0.0.0:65479" ];
-      wantedBy = [ "multi-user.target" ];
+#       wantedBy = [ "multi-user.target" ];
-      socketConfig.Accept = "yes";
+#       socketConfig.Accept = "yes";
-    };
+#     };
-  };
+#   };
-  services = {
+#   services = {
-    "tokenCAHash@" = {
+#     "tokenCAHash@" = {
-      script = ''
+#       script = ''
-        cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
+#         cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
-      '';
+#       '';
-      startLimitIntervalSec = 0;
+#       startLimitIntervalSec = 0;
-      serviceConfig.Type = "oneshot";
+#       serviceConfig.Type = "oneshot";
-      serviceConfig.StandardInput = "socket";
+#       serviceConfig.StandardInput = "socket";
-    };
+#     };
-  };
+#   };
-};
+# };
 networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];
 networking.firewall.allowedUDPPorts = mkIf cfg.enabled [ 53 ];
-environment.deterministic-passwords.secrets = mkIf (cfg.enabled) {
+};
    "k3s-agent-token" = {
        namespace = cfg.secretNamespace;
        destination = agentTokenFilename;
        before = ["k3s.service"];
 	writer = ''
 	  echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
 	'';
    };
    "k3s-server-token" = mkIf (cfg.role == "server") {
        namespace = cfg.secretNamespace;
        destination = serverTokenFilename;
        before = ["k3s.service"];
 	writer = ''
 	  echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
 	'';
    };
 };};
 }