Security exposure related to the token (#356)

* Security exposure related to the token

The installation playbook saves the token into the systemd unit
configuration file /etc/systemd/system/k3s.service. The problem is that
according to K3s' documentation "the server token should be guarded
carefully" (https://docs.k3s.io/cli/token), yet the configuration file
is readable by anybody. A better solution is to save the token into its
corresponding environment file /etc/systemd/system/k3s.service.env which
is readable by the super user only. This is what the standard K3s'
installation script (https://get.k3s.io) does.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

* Restore the server URL into systemd configuration file

There aren't any security implications in keeping it there.

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

---------

Signed-off-by: Marko Vukovic <8951449+anon-software@users.noreply.github.com>

roles/k3s_server/tasks/main.yml

@@ -86,6 +86,13 @@
         line: "{{ item }}"
       with_items: "{{ extra_service_envs }}"
 
+    # Add the token to the environment.
+    - name: Add token as an environment variable
+      no_log: true # avoid logging the server token
+      ansible.builtin.lineinfile:
+        path: "{{ systemd_dir }}/k3s.service.env"
+        line: "K3S_TOKEN={{ token }}"
+
     - name: Restart K3s service
       when:
         - ansible_facts.services['k3s.service'] is defined
@@ -174,6 +181,14 @@
     - (groups[server_group] | length) > 1
     - inventory_hostname != groups[server_group][0]
   block:
+    - name: Add the token for joining the cluster to the environment
+      no_log: true # avoid logging the server token
+      ansible.builtin.lineinfile:
+        path: "{{ systemd_dir }}/k3s.service.env"
+        line: "{{ item }}"
+      with_items:
+        - "K3S_TOKEN={{ token }}"
+
     - name: Copy K3s service file [HA]
       when: not use_external_database
       ansible.builtin.template: