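# NixOS module: optionally run a k3s server on this host, either initialising a
# new cluster or joining the cluster served by `lab.k3s.serverAddr`.
#
# Notes for reviewers:
#  * The host firewall (and nftables) is forced off while k3s is enabled, so
#    every k3s listener is reachable from whatever network the host sits on
#    unless it is filtered upstream. Presumably this is to let k3s program its
#    own packet rules — confirm that is the intent before relying on it.
#  * The join token is read from an agenix-managed file at runtime and is
#    referenced by path only; the decrypted token never enters the Nix store
#    (only the encrypted .age file does).
#  * The bootstrap manifest rendered from ./bootstrap.nix *is* a Nix store
#    path and therefore world-readable on the host — keep secrets out of it.
{ pkgs, lib, config, kubenix, ... }:

let
  cfg = config.lab.k3s;

  # `null` means "no existing server to join": this host initialises the cluster.
  initCluster = cfg.serverAddr == null;

  # Rendered Kubernetes manifests (JSON) that k3s applies on first start.
  # Evaluated for x86_64-linux regardless of the host platform; the output is
  # plain JSON, so this only matters if kubenix is unavailable for that system.
  k3sBootstrapFile =
    (kubenix.evalModules.x86_64-linux {
      module = import ./bootstrap.nix;
    }).config.kubernetes.result;
in
{
  options.lab.k3s = {
    enable = lib.mkOption {
      default = false;
      type = lib.types.bool;
      description = ''
        Whether to run k3s on this server.
      '';
    };

    serverAddr = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.str;
      description = ''
        Address of the server whose cluster this server should join.
        Leaving this empty will make the server initialize the cluster.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    environment.systemPackages = [ pkgs.k3s ];

    # See header note: no host-level packet filtering while k3s is active.
    networking = {
      nftables.enable = lib.mkForce false;
      firewall.enable = lib.mkForce false;
    };

    services.k3s = {
      enable = true;
      role = "server";
      # Cluster join token, decrypted by agenix at activation; path only.
      tokenFile = config.age.secrets.k3s-server-token.path;
      # `--tls-san` needs `networking.fqdn` to evaluate, which requires both
      # `networking.hostName` and `networking.domain` to be set — otherwise
      # the build fails. `--disable servicelb` turns off the bundled service
      # load balancer.
      extraFlags = "--tls-san ${config.networking.fqdn} --disable servicelb";
      clusterInit = initCluster;
      # Only pass a server address when there is one to join.
      serverAddr = lib.mkIf (!initCluster) cfg.serverAddr;
    };

    # Only the initialising server seeds the auto-deploy manifest directory;
    # k3s applies whatever it finds there on startup.
    system = lib.mkIf initCluster {
      activationScripts.k3s-bootstrap.text = ''
        mkdir -p /var/lib/rancher/k3s/server/manifests
        ln -sf ${k3sBootstrapFile} /var/lib/rancher/k3s/server/manifests/k3s-bootstrap.json
      '';
    };

    age.secrets.k3s-server-token.file = ../../secrets/k3s-server-token.age;
  };
}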