CASCADE/common/k3s-cluster.nix

{pkgs, config, ...}:

with pkgs.lib;

let
  cfg = config.services.k3s-cluster;
  agentTokenFilename = cfg.agentTokenFile;
  agentTokenFileArg = ''--agent-token-file ${escapeShellArg agentTokenFilename}'';
  serverTokenFilename = "/etc/k3s-server-token.txt";
  serverTokenFileArg = "--token-file ${escapeShellArg serverTokenFilename}";
  serverArg = if (cfg.leader != null) then "--server https://${escapeShellArg cfg.leader}:6443" else "";
in
{

options = with types; {
    services.k3s-cluster.enabled = mkEnableOption "k3s cluster";
    services.k3s-cluster.leader = mkOption {
            default = null;
            type = nullOr str;
            description = ''
        	hostname or IP of cluster leader
                
        	This should be set to null (the default) for a cluster leader.
                
        	For a member server, this should be set to an address which may
        	be used to reach the cluster leader from this host.
                
        	After completion of cluster formation, this may be set to any
        	member server.  This is a viable path forward when the original
        	leader dies.

		This string will be wrapped in https://...:6443
            '';
        };

    services.k3s-cluster.agentTokenFile = mkOption {
            default = "/etc/k3s-agent-token.txt";
            type = str;
            description = "agent token file path for agents and servers";
        };
    services.k3s-cluster.serverTokenFile = mkOption {
            default = "/etc/k3s-server-token.txt";
            type = str;
            description = "server token file path for servers";
        };
    services.k3s-cluster.role = mkOption {
            default = "server";
            type = str;
            description = "server or agent, passed on to k3s";
        };
    system.build.k3s-cluster-inject-token = mkOption {
            type = lines;
	    description = ''
	        commands to run to inject the token and restart the k3s node
	    '';
	    default = ''
	        DIDIP=no
	        if [ x"$AGENT_TOKEN" != x ];then echo "$AGENT_TOKEN" > ${shq services.k3s-cluster.agentTokenFile}; DIDIP=yes; fi
	        if [ x"$SERVER_TOKEN" != x ];then echo "$SERVER_TOKEN" > ${shq services.k3s-cluster.serverTokenFile}; DIDIP=yes; fi
	        [ DIDIP=yes ] && (systemctl stop k3s ; systemctl start k3s)
	    '';
        };
};


config = {

services.k3s = mkIf cfg.enabled (
    if (cfg.role == "server") then {
        extraFlags = mkForce "--cluster-init ${serverArg} ${agentTokenFileArg} ${serverTokenFileArg}";
        enable = mkForce true;
        role = mkForce "server";
    } else {
        extraFlags = mkForce "${agentTokenFileArg}";
        role = "agent";
        serverAddr = "https://${cfg.leader}:6443";
        enable = mkForce true;
    }
);

# systemd = mkIf (cfg.enabled && cfg.leader == null && cfg.role == "server") {
#   sockets = {
#     tokenCAHash = {
#       listenStreams = [ "0.0.0.0:65479" ];
#       wantedBy = [ "multi-user.target" ];
#       socketConfig.Accept = "yes";
#     };
#   };
#   services = {
#     "tokenCAHash@" = {
#       script = ''
#         cat /var/lib/rancher/k3s/server/agent-token|cut -d: -f 1
#       '';
#       startLimitIntervalSec = 0;
#       serviceConfig.Type = "oneshot";
#       serviceConfig.StandardInput = "socket";
#     };
#   };
# };

networking.firewall.allowedTCPPorts = mkIf cfg.enabled [ 6443 53 65479 ];
networking.firewall.allowedUDPPorts = mkIf cfg.enabled [ 53 ];

};
}