wip k3s-cluster changes

This commit is contained in:
James Andariese 2022-10-19 16:54:38 -05:00
parent 258b9ef494
commit bbae989b34


@ -13,18 +13,7 @@ in
{
options = with types; {
services.k3s-cluster.secretNamespace = mkOption {
type = nullOr str;
description = ''
namespace used with deterministic-passwords to isolate the
secrets for this cluster. this should be the same for all
members of the cluster, agent or server, and different for all
other clusters.
'';
default = null;
};
services.k3s-cluster.enabled = mkEnableOption "k3s cluster";
services.k3s-cluster.leader = mkOption {
default = null;
type = nullOr str;
@ -59,10 +48,24 @@ options = with types; {
type = str;
description = "server or agent, passed on to k3s";
};
system.build.k3s-cluster-inject-token = mkOption {
type = lines;
description = ''
commands to run to inject the token and restart the k3s node
'';
default = ''
DIDIP=no
if [ x"$AGENT_TOKEN" != x ];then echo "$AGENT_TOKEN" > ${shq services.k3s-cluster.agentTokenFile}; DIDIP=yes; fi
if [ x"$SERVER_TOKEN" != x ];then echo "$SERVER_TOKEN" > ${shq services.k3s-cluster.serverTokenFile}; DIDIP=yes; fi
[ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)
'';
};
};
config = { services.k3s = mkIf cfg.enabled (
config = {
services.k3s = mkIf cfg.enabled (
if (cfg.role == "server") then {
extraFlags = mkForce "--cluster-init ${serverArg} ${agentTokenFileArg} ${serverTokenFileArg}";
enable = mkForce true;
@ -75,45 +78,28 @@ config = { services.k3s = mkIf cfg.enabled (
}
);
systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
sockets = {
tokenCAHash = {
listenStreams = [ "0.0.0.0:65479" ];
wantedBy = [ "multi-user.target" ];
socketConfig.Accept = "yes";
};
};
services = {
"tokenCAHash@" = {
script = ''
cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
'';
startLimitIntervalSec = 0;
serviceConfig.Type = "oneshot";
serviceConfig.StandardInput = "socket";
};
};
};
# systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
# sockets = {
# tokenCAHash = {
# listenStreams = [ "0.0.0.0:65479" ];
# wantedBy = [ "multi-user.target" ];
# socketConfig.Accept = "yes";
# };
# };
# services = {
# "tokenCAHash@" = {
# script = ''
# cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
# '';
# startLimitIntervalSec = 0;
# serviceConfig.Type = "oneshot";
# serviceConfig.StandardInput = "socket";
# };
# };
# };
networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];
networking.firewall.allowedUDPPorts = mkIf cfg.enabled [ 53 ];
environment.deterministic-passwords.secrets = mkIf (cfg.enabled) {
"k3s-agent-token" = {
namespace = cfg.secretNamespace;
destination = agentTokenFilename;
before = ["k3s.service"];
writer = ''
echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
'';
};
"k3s-server-token" = mkIf (cfg.role == "server") {
namespace = cfg.secretNamespace;
destination = serverTokenFilename;
before = ["k3s.service"];
writer = ''
echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
'';
};
};};
}
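Review bot: `[ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)` in the k3s-cluster-inject-token default tests a single non-empty literal, so it is always true and k3s is stopped and started even when neither token variable was set; the line should read `[ "$DIDIP" = yes ] && (systemctl stop k3s ; systemctl start k3s)`. The two `echo "$AGENT_TOKEN" > …` / `echo "$SERVER_TOKEN" > …` lines above it create the token files with whatever umask the caller has, so a `umask 077` ahead of them (or writing via `install -m 0600`) would keep the node tokens from being readable by other local users — worth confirming against how agentTokenFile and serverTokenFile are otherwise created. Whichever side of the last hunk is current, the tokenCAHash socket serves the CA-hash prefix of the agent token unauthenticated on 0.0.0.0:65479, and both deterministic-passwords writers fetch it from the leader with a plain `nc` and embed it as the trust anchor of the join token, which makes the join trust-on-first-use over an unauthenticated channel; a comment such as `# CA hash is fetched unauthenticated from the leader: trust-on-first-use, only safe on a trusted network` would record that assumption, and the allowedTCPPorts entry for 65479 could be narrowed to cluster peers rather than all sources. The enclosing module starts above the first hunk.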