k3s: add tokenFile option

To avoid having secrets in the nix store.

nixos/modules/services/cluster/k3s/default.nix

@@ -35,10 +35,20 @@ in
 
     token = mkOption {
       type = types.str;
-      description = "The k3s token to use when connecting to the server. This option only makes sense for an agent.";
+      description = ''
+        The k3s token to use when connecting to the server. This option only makes sense for an agent.
+        WARNING: This option will expose store your token unencrypted world-readable in the nix store.
+        If this is undesired use the tokenFile option instead.
+      '';
       default = "";
     };
 
+    tokenFile = mkOption {
+      type = types.nullOr types.path;
+      description = "File path containing k3s token to use when connecting to the server. This option only makes sense for an agent.";
+      default = null;
+    };
+
     docker = mkOption {
       type = types.bool;
       default = false;
@@ -68,8 +78,8 @@ in
         message = "serverAddr should be set if role is 'agent'";
       }
       {
-        assertion = cfg.role == "agent" -> cfg.token != "";
-        message = "token should be set if role is 'agent'";
+        assertion = cfg.role == "agent" -> cfg.token != "" || cfg.tokenFile != null;
+        message = "token or tokenFile should be set if role is 'agent'";
       }
     ];
 
@@ -104,7 +114,12 @@ in
             "${cfg.package}/bin/k3s ${cfg.role}"
           ] ++ (optional cfg.docker "--docker")
           ++ (optional cfg.disableAgent "--disable-agent")
-          ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr} --token ${cfg.token}")
+          ++ (optional (cfg.role == "agent") "--server ${cfg.serverAddr} ${
+            if cfg.tokenFile != null then
+              "--token-file ${cfg.tokenFile}"
+            else
+              "--token ${cfg.token}"
+          }")
           ++ [ cfg.extraFlags ]
         );
       };