authorJörg Thalheim <joerg@thalheim.io>2021-04-09 11:50:03 +0200
committergithub-actions[bot] <github-actions[bot]@users.noreply.github.com>2021-07-15 12:40:46 +0000
commiteacc0f7750ffd847584eca60f3f099b0da17850d (patch)
tree1be0b4ffe8bbe151732198f30d8c82fc2b9599b0
parentnixos/k3s: add to environment.systemPackages for adminstration (diff)
downloadnixpkgs-origin/backport-125205-to-release-21.05.tar.gz
To avoid having secrets in the nix store. (cherry picked from commit 11a38f62f0bfcb655e339498897b0d25ac37fa97)
-rw-r--r--nixos/modules/services/cluster/k3s/default.nix23
1 files changed, 19 insertions, 4 deletions
diff --git a/nixos/modules/services/cluster/k3s/default.nix b/nixos/modules/services/cluster/k3s/default.nix
index b5506057db86..99e47e867b36 100644
--- a/nixos/modules/services/cluster/k3s/default.nix
+++ b/nixos/modules/services/cluster/k3s/default.nix
@@ -35,10 +35,20 @@ in
token = mkOption {
type = types.str;
- description = "The k3s token to use when connecting to the server. This option only makes sense for an agent.";
+ description = ''
+ The k3s token to use when connecting to the server. This option only makes sense for an agent.
+ WARNING: This option will expose store your token unencrypted world-readable in the nix store.
+ If this is undesired use the tokenFile option instead.
+ '';
default = "";
};
+ tokenFile = mkOption {
+ type = types.nullOr types.path;
+ description = "File path containing k3s token to use when connecting to the server. This option only makes sense for an agent.";
+ default = null;
+ };
+
docker = mkOption {
type = types.bool;
default = false;
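Review bot: The new warning sentence in the `token` description has a stray word and a missing conjunction: `WARNING: This option will expose store your token unencrypted world-readable in the nix store.` Suggest `WARNING: This option will store your token unencrypted and world-readable in the nix store.` The `tokenFile` description would also benefit from stating that the file is read when the service starts rather than at build time, and that it must be readable by the user the k3s unit runs as (presumably root, but the unit definition is not in this hunk, so confirm).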
@@ -68,8 +78,8 @@ in
message = "serverAddr should be set if role is 'agent'";
}
{
- assertion = cfg.role == "agent" -> cfg.token != "";
- message = "token should be set if role is 'agent'";
+ assertion = cfg.role == "agent" -> cfg.token != "" || cfg.tokenFile != null;
+ message = "token or tokenFile should be set if role is 'agent'";
}
];
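Review bot: The relaxed assertion accepts configurations where both `token` and `tokenFile` are set, and nothing flags that case; the ExecStart change later in this diff picks `--token-file` whenever `tokenFile` is non-null, so a `token` left set alongside it still ends up in the nix store while being silently ignored. A second assertion would make the intent explicit, e.g. `assertion = !(cfg.token != "" && cfg.tokenFile != null);` with `message = "token and tokenFile are mutually exclusive";`. A `warnings` entry would be the softer alternative if breaking such configurations is undesirable. The `assertions` list starts outside this hunk.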
@@ -104,7 +114,12 @@ in
"${cfg.package}/bin/k3s ${cfg.role}"
] ++ (optional cfg.docker "--docker")
++ (optional cfg.disableAgent "--disable-agent")
- ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr} --token ${cfg.token}")
+ ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr} ${
+ if cfg.tokenFile != null then
+ "--token-file ${cfg.tokenFile}"
+ else
+ "--token ${cfg.token}"
+ }")
++ [ cfg.extraFlags ]
);
};
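Review bot: `"--token-file ${cfg.tokenFile}"` interpolates a `types.path` value directly into a string; when the option is given a Nix path literal (e.g. `tokenFile = /run/secrets/k3s-token;`), string interpolation copies that file into the nix store, which is the exposure this commit is meant to avoid, and evaluation fails if the file does not exist at build time. Using `"--token-file ${toString cfg.tokenFile}"` yields only the path string, so the file is read at runtime by k3s and never enters the store. The option also accepts string values (see the `types.nullOr types.path` declaration in the first hunk), and those already behave as intended, so this only hardens the path-literal case. The ExecStart list this hunk edits begins outside the hunk.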