RKE2 on NixOS, stuck on activating

When I enabled the rke2 service, I got these errors from journalctl:

Starting Rancher Kubernetes Engine v2...
Dec 12 08:38:23 nixos-t14 k6ywf1612ky1b3mvyxy2d0v5q0i617df-check-nm-cloud-setup.sh[199435]: + /run/current-system/systemd/bin/systemctl is-enabled --quiet nm-cloud-setup.service
Dec 12 08:38:24 nixos-t14 rke2[199441]: time="2024-12-12T08:38:24+07:00" level=warning msg="not running in CIS mode"
Dec 12 08:38:24 nixos-t14 rke2[199441]: time="2024-12-12T08:38:24+07:00" level=info msg="Applying Pod Security Admission Configuration"
Dec 12 08:38:24 nixos-t14 rke2[199441]: time="2024-12-12T08:38:24+07:00" level=info msg="Starting rke2 v1.30.5+rke2r1 (0c83bc)"
Dec 12 08:38:24 nixos-t14 rke2[199441]: time="2024-12-12T08:38:24+07:00" level=fatal msg="starting kubernetes: preparing server: RKE2_TOKEN is required to join a cluster"
Dec 12 08:38:24 nixos-t14 systemd[1]: rke2-server.service: Main process exited, code=exited, status=1/FAILURE
Dec 12 08:38:24 nixos-t14 systemd[1]: rke2-server.service: Failed with result 'exit-code'.
Dec 12 08:38:24 nixos-t14 systemd[1]: Failed to start Rancher Kubernetes Engine v2.

Here’s my rke2 Nix file:

{ config, pkgs, ... }:

{
  services.rke2 = {
    enable = true;
    serverAddr = "https://127.0.0.1:6443"; #point this to server/master node
    cni = "cilium"; #only for server/master node
    role = "server";
    #tokenFile = ""; #only for agent/worker node
    #selinux = "true"; #for security hardening
    nodeName = "rke2-master";
    nodeIP = "127.0.0.1";
    configPath = "/etc/rancher/rke2/config.yaml";
  };
}

Here’s the output from systemctl:

● rke2-server.service - Rancher Kubernetes Engine v2
     Loaded: loaded (/etc/systemd/system/rke2-server.service; enabled; preset: ignored)
     Active: activating (start) since Thu 2024-12-12 08:54:36 WIB; 11min ago
 Invocation: 743d32806647467c8f41d852326404a3
       Docs: https://github.com/rancher/rke2#readme
    Process: 2639 ExecStartPre=/nix/store/k6ywf1612ky1b3mvyxy2d0v5q0i617df-check-nm-cloud-setup.sh (code=exited, status=0/SUCCESS)
    Process: 2642 ExecStartPre=/nix/store/pyyrf6xvx85ph9wqnqlhwi9nf1gimbh5-kmod-31/bin/modprobe br_netfilter (code=exited, status=0/SUCCESS)
    Process: 2644 ExecStartPre=/nix/store/pyyrf6xvx85ph9wqnqlhwi9nf1gimbh5-kmod-31/bin/modprobe overlay (code=exited, status=0/SUCCESS)
   Main PID: 2646 (.rke2-wrapped)
         IP: 276.6K in, 343.5K out
         IO: 125M read, 162.4M written
      Tasks: 68
     Memory: 467.5M (peak: 541.5M)
        CPU: 19min 30.574s
     CGroup: /system.slice/rke2-server.service
             ├─2646 "/nix/store/r0jaxx397msczqn9zysdgfsq3bb396a2-rke2-1.30.5+rke2r1/bin/rke2 server"
             ├─2722 containerd -c /var/lib/rancher/rke2/agent/etc/containerd/config.toml -a /run/k3s/containerd/containerd.sock --state /run/k3s/containerd --root /var/lib/rancher/rke2/agen>
             ├─2740 kubelet --volume-plugin-dir=/var/lib/kubelet/volumeplugins --file-check-frequency=5s --sync-frequency=30s --address=0.0.0.0 --anonymous-auth=false --authentication-token>
             └─2788 /var/lib/rancher/rke2/data/v1.30.5-rke2r1-03c8840a76df/bin/containerd-shim-runc-v2 -namespace k8s.io -id ca932f7e68c120f3f745c99a51a6c870730616bf1957ae8bbc99eff4823a66c4>

Dec 12 09:05:15 nixos-t14 rke2[2646]: time="2024-12-12T09:05:15+07:00" level=info msg="Waiting for etcd server to become available"
Dec 12 09:05:15 nixos-t14 rke2[2646]: time="2024-12-12T09:05:15+07:00" level=info msg="Waiting for API server to become available"
Dec 12 09:05:18 nixos-t14 rke2[2646]: {"level":"warn","ts":"2024-12-12T09:05:18.348699+0700","logger":"etcd-client","caller":"v3@v3.5.14/retry_interceptor.go:62","msg":"retrying of unary in>
Dec 12 09:05:18 nixos-t14 rke2[2646]: time="2024-12-12T09:05:18+07:00" level=error msg="Failed to check local etcd status for learner management: context deadline exceeded"
Dec 12 09:05:33 nixos-t14 rke2[2646]: {"level":"warn","ts":"2024-12-12T09:05:33.348968+0700","logger":"etcd-client","caller":"v3@v3.5.14/retry_interceptor.go:62","msg":"retrying of unary in>
Dec 12 09:05:33 nixos-t14 rke2[2646]: time="2024-12-12T09:05:33+07:00" level=error msg="Failed to check local etcd status for learner management: context deadline exceeded"
Dec 12 09:05:44 nixos-t14 rke2[2646]: {"level":"warn","ts":"2024-12-12T09:05:44.987651+0700","logger":"etcd-client","caller":"v3@v3.5.14/retry_interceptor.go:62","msg":"retrying of unary in>
Dec 12 09:05:44 nixos-t14 rke2[2646]: time="2024-12-12T09:05:44+07:00" level=info msg="Failed to test data store connection: context deadline exceeded"
Dec 12 09:05:45 nixos-t14 rke2[2646]: time="2024-12-12T09:05:45+07:00" level=info msg="Waiting for etcd server to become available"
Dec 12 09:05:45 nixos-t14 rke2[2646]: time="2024-12-12T09:05:45+07:00" level=info msg="Waiting for API server to become available"

NixOS behavior when installing rke2 is quite different compared to other distros (such as MicroOS), which can successfully enable the rke2 services after running the one-liner installer from the official rke2 docs.

What did I do wrong?

Forgot to add, I’m on NixOS 24.11, if that makes any difference.