k3s-io · dereknola · Feb 27, 2026 · Feb 27, 2026
diff --git a/roles/k3s_upgrade/tasks/main.yml b/roles/k3s_upgrade/tasks/main.yml
@@ -36,6 +36,7 @@
         name: "{{ (server_group in group_names) | ternary('k3s', 'k3s-agent') }}"
 
     # We only save the token if the user did not provide one, leading to an auto-generated token on first install.
+    # If you want the actual token value, you need to use the k3s_upgrade_old_token.stdout
     - name: Save the existing K3s token if needed
       when:
         - token is not defined
@@ -44,6 +45,80 @@
       register: k3s_upgrade_old_token
       changed_when: false
 
+    - name: Construct Server config
+      when: server_group in group_names
+      block:
+        # Start with an empty config
+        - name: Set empty server config
+          ansible.builtin.set_fact:
+            k3s_server_config: {}
+
+        # If token is provided, add it to the config
+        - name: Add token to server config
+          when: token is defined
+          ansible.builtin.set_fact:
+            k3s_server_config: "{{ k3s_server_config | combine({'token': token}) }}"
+
+        # If token is not defined, use the old token
+        - name: Add old token to server config
+          when: token is not defined
+          ansible.builtin.set_fact:
+            k3s_server_config: "{{ k3s_server_config | combine({'token': k3s_upgrade_old_token.stdout}) }}"
+
+        - name: Determine if tls-san is already in config or args
+          # noqa var-naming[no-role-prefix]
+          ansible.builtin.set_fact:
+            _api_endpoint_in_config: >-
+              {% if server_config_yaml is defined and api_endpoint is defined and server_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
+              true
+              {% else %}
+              false
+              {% endif %}
+            _api_endpoint_in_args: >-
+              {% if api_endpoint is defined and extra_server_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
+              true
+              {% else %}
+              false
+              {% endif %}
+
+        - name: Add TLS SAN to config if needed
+          when:
+            - api_endpoint is defined
+            - api_endpoint != ansible_hostname
+            - not (_api_endpoint_in_config | trim | bool)
+            - not (_api_endpoint_in_args | trim | bool)
+          ansible.builtin.set_fact:
+            k3s_server_config: "{{ k3s_server_config | combine({'tls-san': api_endpoint}) }}"
+
+        - name: Add cluster-init to server config for first server in HA-IC setup
+          when:
+            - (groups[server_group] | length) > 1
+            - inventory_hostname == groups[server_group][0] or ansible_host == groups[server_group][0]
+            - not use_external_database
+          ansible.builtin.set_fact:
+            k3s_server_config: "{{ k3s_server_config | combine({'cluster-init': true}) }}"
+
+        # If not the first server in an HA-IC setup, setup the server: URL for joining the cluster
+        # server: https://{{ api_endpoint }}:{{ api_port }}
+        - name: Add server URL to server config for joining servers in HA-IC setup
+          when: (groups[server_group] | length) > 1 and inventory_hostname != groups[server_group][0] and not use_external_database
+          ansible.builtin.set_fact:
+            k3s_server_config: "{{ k3s_server_config | combine({'server': 'https://' + api_endpoint + ':' + api_port | string}) }}"
+
+        # If the user has provided additional server config, merge it with the generated config
+        - name: Merge user server config with generated server config
+          when: server_config_yaml is defined
+          ansible.builtin.set_fact:
+            k3s_server_config: "{{ k3s_server_config | combine(server_config_yaml | from_yaml) }}"
+
+        - name: Convert server config to YAML and write to file
+          when: not ansible_check_mode
+          ansible.builtin.copy:
+            content: "{{ k3s_server_config | to_nice_yaml }}"
+            dest: "/etc/rancher/k3s/config.yaml"
+            mode: "0644"
+          register: k3s_server_config_result
+
     - name: Install new K3s Version [server]
       # For some reason, ansible-lint thinks using enviroment with command is an error
       # even though its valid https://ansible.readthedocs.io/projects/lint/rules/inline-env-var/#correct-code
@@ -64,8 +139,11 @@
 
     - name: Get the token from the first server
       # noqa var-naming[no-role-prefix]
+      when:
+        - agent_group in group_names
+        - token is not defined
       ansible.builtin.set_fact:
-        k3s_server_upgrade_old_token: "{{ hostvars[groups[server_group][0]].k3s_upgrade_old_token }}"
+        k3s_upgrade_old_server_token: "{{ hostvars[groups[server_group][0]].k3s_upgrade_old_token }}"
 
     - name: Install new K3s Version [agent]
       # For some reason, ansible-lint thinks using enviroment with command is an error
@@ -85,88 +163,22 @@
           INSTALL_K3S_SYSTEMD_DIR: "{{ systemd_dir }}"
           INSTALL_K3S_VERSION: "{{ k3s_version }}"
           INSTALL_K3S_EXEC: "agent --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}"
-          K3S_TOKEN: "{{ token if token is defined else k3s_server_upgrade_old_token.stdout }}"
+          K3S_TOKEN: "{{ token if token is defined else k3s_upgrade_old_server_token.stdout }}"
         # We overrides the extra_install_envs with required keys from _base_envs on purpose
         _install_envs: "{{ extra_install_envs | default({}) | combine(_base_envs) }}"
       changed_when: true
 
-    - name: Regenerate K3s service file [server]
-      when: server_group in group_names
-      block:
-        - name: Determine if tls-san is already in config or args
-          # noqa var-naming[no-role-prefix]
-          ansible.builtin.set_fact:
-            _api_endpoint_in_args: >-
-              {% if api_endpoint is defined and extra_server_args | default('') | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
-              true
-              {% else %}
-              false
-              {% endif %}
-
-        - name: Add TLS SAN to arguments if needed
-          when:
-            - api_endpoint is defined
-            - api_endpoint != ansible_hostname
-            - not (_api_endpoint_in_args | trim | bool)
-          # noqa var-naming[no-role-prefix]
-          ansible.builtin.set_fact:
-            opt_tls_san: "--tls-san={{ api_endpoint }}"
-
-        - name: Copy K3s service file [Single/External DB]
-          when: groups[server_group] | length == 1 or use_external_database | default(false)
-          ansible.builtin.template:
-            src: "k3s.service.j2"
-            dest: "{{ systemd_dir }}/k3s.service"
-            owner: root
-            group: root
-            mode: "0644"
-          vars:
-            cluster_init: false
-            join: false
-
-        - name: Copy K3s service file [HA - first server]
-          when:
-            - groups[server_group] | length > 1
-            - not use_external_database | default(false)
-            - inventory_hostname == groups[server_group][0] or ansible_host == groups[server_group][0]
-          ansible.builtin.template:
-            src: "k3s.service.j2"
-            dest: "{{ systemd_dir }}/k3s.service"
-            owner: root
-            group: root
-            mode: "0644"
-          vars:
-            cluster_init: true
-            join: false
-
-        - name: Copy K3s service file [HA - joining server]
-          when:
-            - groups[server_group] | length > 1
-            - not use_external_database | default(false)
-            - inventory_hostname != groups[server_group][0] and ansible_host != groups[server_group][0]
-          ansible.builtin.template:
-            src: "k3s.service.j2"
-            dest: "{{ systemd_dir }}/k3s.service"
-            owner: root
-            group: root
-            mode: "0644"
-          vars:
-            cluster_init: false
-            join: true
-
-    - name: Add token to the environment [server]
-      when: server_group in group_names
-      no_log: true # avoid logging the server token
-      ansible.builtin.lineinfile:
-        path: "{{ systemd_dir }}/k3s.service.env"
-        regexp: '^K3S_TOKEN='
-        line: "K3S_TOKEN={{ token is defined | ternary(token, k3s_upgrade_old_token.stdout) }}"
+    - name: Reload systemd daemon
+      when:
+        - not ansible_check_mode
+        - ansible_facts['service_mgr'] == 'systemd'
+      ansible.builtin.systemd:
+        daemon_reload: true
 
     - name: Restart K3s service [server]
       when: server_group in group_names
-      ansible.builtin.systemd:
+      ansible.builtin.service:
         state: restarted
-        daemon_reload: true
         name: k3s
 
     - name: Restart K3s service [agent]

diff --git a/roles/k3s_upgrade/templates/k3s.service.j2 b/roles/k3s_upgrade/templates/k3s.service.j2