init k3s config

not finished but a pointer in the right direction

configurations/nixos/kube-main-tofu/default.nix

@@ -0,0 +1,28 @@
+{
+  flake,
+  config,
+  ...
+}:
+
+let
+  inherit (flake) inputs;
+  inherit (inputs) self;
+in
+{
+  imports = [
+    self.nixosModules.default
+  ];
+  deploy = {
+    enable = false;
+  };
+  kub = {
+    enable = true;
+    role = "server";
+  };
+  networking = {
+    hostName = "kube-main-tofu";
+  };
+  environment.systemPackages = [
+  ];
+  system.stateVersion = "25.05";
+}

modules/nixos/common/k3s.nix

@@ -0,0 +1,45 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (lib)
+    types
+    mkIf
+    mkOption
+    mkEnableOption
+    ;
+  cfg = config.kub;
+in
+{
+  options.kub = {
+    enable = mkEnableOption "enable k3s";
+    role = mkOption {
+      type = types.enum [
+        "server"
+        "agent"
+      ];
+      default = "agent";
+    };
+    leaderAddress = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+    };
+    tokenFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.path;
+      description = "File path containing k3s token to use when connecting to the server.";
+      default = config.sops.secrets.k3s-token.path or null;
+    };
+  };
+  config = mkIf cfg.enable {
+    sops.secrets.k3s-token = { };
+    services = {
+      k3s = {
+        enable = true;
+        clusterInit = mkIf (cfg.role == "server") true;
+      };
+    };
+  };
+}

secrets.yaml

@@ -3,6 +3,7 @@ forgejo-runners-token: ENC[AES256_GCM,data:y6m9JciySpqJ8QOtHGoUG5McPXyZSODqRHCLV
 forgejo-nix-key: ENC[AES256_GCM,data:LKC8t2KSrILh0nc5xlSgQ9OuhQcc3m84fE9UJeVi1lXsv0mn+MddQw083WaDxMdlZKjbH0QclDfIkJCbHpJ/wEWVXzkVGErCJmdWeH1YEgElj5FuaFrDmbKNn8rhV7t3FYn04ni8iypLV/wPBqvVI/Yt,iv:r/SHHXjA2raRIKs/fZxJodVgMunp+RmL1SjVZOGli+E=,tag:MmBhUHCZRgSW2uhBd4o72A==,type:str]
 graylog: ENC[AES256_GCM,data:KmQ4yisUXCrexpK9v7irhSsF1pAm0pMZ/mh91iEuf7jR14u6d2prPF7Uv6Z48Otx7WyPJ+ec+hIRmuLTNHbGxTDIOQnXui32No5H/Hnj06pMqW2Jsir/Bfr8eCRZxJKMTKhl4f0KVSKGKAbbV1saJPHtcybqfX65i8NQCeDFB+m/ViyLslMJKrYga8laoxTBYa4Kdi/0LiEuvi6uGQ8JwhDWzK/6EQkc/z0VNXdSYcz0kd8z26iuDhe/B3sesk8wgKDNkfjmTH2jgN8I+o700l9s/2Ob9QbIoA==,iv:P4AMWPnYNUUuy1CRip6yKbjRRkcLdCLWW9oiuxskhbY=,tag:L+TJmmSbImk2MnDeun2zNQ==,type:str]
 linode-caddy-key: ENC[AES256_GCM,data:509GFunslzwOpHyzniMVPoa1xRgEqYV+lTxziPuqovQMvzksXSeBMy2eHm9UzNulgotwtjuQdwt3L8myMWQddg==,iv:vP+iSLsTfeq3pBzqSE0uz1YL7iT8xrn/tdY49SqYfX0=,tag:ld15wy+D7rj9topFEfswyg==,type:str]
+k3s-token: ENC[AES256_GCM,data:jvXZqiCnPxgYitDVApfLfz+7BDY0Dy7y5+WEIDZrMMkjlmzGRttNDnSQP71yNlw=,iv:77g6kcGmpPXVGQy5GbswrDVBKVYOYM8ggZEr6ELMkvY=,tag:+3mmYY5Sh69Gfzo+Ahu5bQ==,type:str]
 sops:
     age:
         - recipient: age1ja6zky2xlptgmu04ghp30z9gcyw240p4p8jpqeznt9msmmrwjdjshl6rx3
@@ -50,7 +51,7 @@ sops:
             NGV1T1NlaE43dTF4M1VlVWtIbEIvYUkKZ0JmNRKvbrF6qziZI1WUIuAkz4Xad0xP
             l39Dg3IRC8+UtwjKbhCGZSJbBDsO1srpk4LOYiYD4R1hsvn/OagNUw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-29T01:23:00Z"
+    lastmodified: "2025-07-07T21:18:10Z"
-    mac: ENC[AES256_GCM,data:XqyWXYlcZoDnHMTIISa2hUQgbtwUopZeEzTizoTM6Nnu7Yfh8hKgVSG2LVhXasjNw6/u/SPevr/pq/pBzVyQwvud/ILmvg8aLm7/mMxcrblKXCdr69lpqQ1bJ1ZDtTU6DMjXcRaEgzU+7vlLD9BiyRmk/Ncy5MWiQ1EkosM5/EI=,iv:qbUc4I4J4xpPZ/tS4kxXdquLnZ6Pp15A6Z19pgn8YS4=,tag:H6K/Sqh4rCn9SmVtbRqVJQ==,type:str]
+    mac: ENC[AES256_GCM,data:T6h96IyW1tB0BYgeIj2HEG9hJcoeEQgvCSPMdJJ3w++/bk7RT2368iO5A5CfvjOw8mphojIh0iMbvLylQBHJCR63kVWEASbGQBWi1FLnB8K9rXtTKgXmIiIPJsoorm9JpjFcIhjEzuaT7XjYgXhbkI1BYMyqcoTi1oBWv4uvucM=,iv:y8RR0Kdr4qm+V2Ez1rfgfDh3qhZXcgqmloQzPYfvD9s=,tag:P+vZNjIX4d7DM4CKRfrEpA==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.10.2