wip k3s-cluster changes
This commit is contained in:
parent
258b9ef494
commit
bbae989b34
|
|
@ -13,18 +13,7 @@ in
|
|||
{
|
||||
|
||||
options = with types; {
|
||||
services.k3s-cluster.secretNamespace = mkOption {
|
||||
type = nullOr str;
|
||||
description = ''
|
||||
namespace used with deterministic-passwords to isolate the
|
||||
secrets for this cluster. this should be the same for all
|
||||
members of the cluster, agent or server, and different for all
|
||||
other clusters.
|
||||
'';
|
||||
default = null;
|
||||
};
|
||||
services.k3s-cluster.enabled = mkEnableOption "k3s cluster";
|
||||
|
||||
services.k3s-cluster.leader = mkOption {
|
||||
default = null;
|
||||
type = nullOr str;
|
||||
|
|
@ -59,10 +48,24 @@ options = with types; {
|
|||
type = str;
|
||||
description = "server or agent, passed on to k3s";
|
||||
};
|
||||
system.build.k3s-cluster-inject-token = mkOption {
|
||||
type = lines;
|
||||
description = ''
|
||||
commands to run to inject the token and restart the k3s node
|
||||
'';
|
||||
default = ''
|
||||
DIDIP=no
|
||||
if [ x"$AGENT_TOKEN" != x ];then echo "$AGENT_TOKEN" > ${shq services.k3s-cluster.agentTokenFile}; DIDIP=yes; fi
|
||||
if [ x"$SERVER_TOKEN" != x ];then echo "$SERVER_TOKEN" > ${shq services.k3s-cluster.serverTokenFile}; DIDIP=yes; fi
|
||||
[ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
config = { services.k3s = mkIf cfg.enabled (
|
||||
config = {
|
||||
|
||||
services.k3s = mkIf cfg.enabled (
|
||||
if (cfg.role == "server") then {
|
||||
extraFlags = mkForce "--cluster-init ${serverArg} ${agentTokenFileArg} ${serverTokenFileArg}";
|
||||
enable = mkForce true;
|
||||
|
|
@ -75,45 +78,28 @@ config = { services.k3s = mkIf cfg.enabled (
|
|||
}
|
||||
);
|
||||
|
||||
systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
|
||||
sockets = {
|
||||
tokenCAHash = {
|
||||
listenStreams = [ "0.0.0.0:65479" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
socketConfig.Accept = "yes";
|
||||
};
|
||||
};
|
||||
services = {
|
||||
"tokenCAHash@" = {
|
||||
script = ''
|
||||
cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
|
||||
'';
|
||||
startLimitIntervalSec = 0;
|
||||
serviceConfig.Type = "oneshot";
|
||||
serviceConfig.StandardInput = "socket";
|
||||
};
|
||||
};
|
||||
};
|
||||
# systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
|
||||
# sockets = {
|
||||
# tokenCAHash = {
|
||||
# listenStreams = [ "0.0.0.0:65479" ];
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# socketConfig.Accept = "yes";
|
||||
# };
|
||||
# };
|
||||
# services = {
|
||||
# "tokenCAHash@" = {
|
||||
# script = ''
|
||||
# cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
|
||||
# '';
|
||||
# startLimitIntervalSec = 0;
|
||||
# serviceConfig.Type = "oneshot";
|
||||
# serviceConfig.StandardInput = "socket";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];
|
||||
networking.firewall.allowedUDPPorts = mkIf cfg.enabled [ 53 ];
|
||||
|
||||
environment.deterministic-passwords.secrets = mkIf (cfg.enabled) {
|
||||
"k3s-agent-token" = {
|
||||
namespace = cfg.secretNamespace;
|
||||
destination = agentTokenFilename;
|
||||
before = ["k3s.service"];
|
||||
writer = ''
|
||||
echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
|
||||
'';
|
||||
};
|
||||
"k3s-server-token" = mkIf (cfg.role == "server") {
|
||||
namespace = cfg.secretNamespace;
|
||||
destination = serverTokenFilename;
|
||||
before = ["k3s.service"];
|
||||
writer = ''
|
||||
echo "$(nc ${if cfg.leader == null then "localhost" else cfg.leader} 65479 < /dev/null)::server:$secret" > "$destination"
|
||||
'';
|
||||
};
|
||||
};};
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user