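{ config, lib, pkgs, ... }:
let
  # Name of the first controller machine of this instance. `roles` is not a
  # module argument here; it is expected from the enclosing clan service
  # definition (NOTE(review): confirm that scope, evaluation fails otherwise).
  # `head` is not a free name in Nix — it must come from `lib` (or builtins).
  controller = lib.head (lib.attrNames (roles.controller.machines or { }));
in
{
  config = {
    networking.firewall = {
      allowedTCPPorts = [
        # k3s API server. An agent-role node dials out to the controller on
        # 6443 rather than serving it; this and the two etcd ports below are
        # inbound server-side ports and are candidates for removal on nodes
        # that only run the agent role (least privilege). Kept as originally
        # configured.
        6443
        # k3s, etcd clients: only needed on servers in a "High Availability
        # Embedded etcd" configuration.
        2379
        # k3s, etcd peers: only needed on servers in a "High Availability
        # Embedded etcd" configuration.
        2380
      ];
      allowedUDPPorts = [
        # k3s, flannel VXLAN: required for inter-node pod networking in a
        # multi-node cluster.
        8472
      ];
    };

    services.k3s = {
      enable = true;
      role = "agent";
      # Do not use the `token` string option: its value is written into the
      # world-readable Nix store. Hand k3s a path to the secret file that the
      # controller's clan vars generator provisions instead.
      # NOTE(review): verify the generator and file names against the
      # controller's `clan.core.vars.generators` definition; only a secret
      # file's `.path` is safe to reference here, never its `.value`.
      tokenFile = config.clan.core.vars.generators.k3s-token.files.token.path;
      # API server of the first controller; 6443 is the k3s default port.
      serverAddr = "https://${controller}:6443";
    };
  };
}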