# NixOS module: brings up a k3s server node and declares the clan "vars"
# generators that produce the cluster join token and two placeholder IPs.
{ config, lib, pkgs, ... }: {
  config = {
    clan.core.vars.generators = {
      # Placeholder loopback addresses. Neither file is deployed to the machine
      # nor treated as secret (deploy = false, secret = false), and nothing in
      # this module reads them — presumably consumed elsewhere; verify.
      k3s-ip = {
        share = true;
        files.ip_v6 = { deploy = false; secret = false; };
        files.ip_v4 = { deploy = false; secret = false; };
        script = ''
          echo "::1" > "$out/ip_v6"
          echo "127.0.0.1" > "$out/ip_v4"
        '';
      };
      # Cluster join token: one 50-character random string from pwgen, marked
      # secret. NOTE(review): deploy = false means the generated secret is not
      # placed on the machine as a file; it is only reached through the
      # attribute reference in services.k3s below.
      k3s-token = {
        share = true;
        files.token = { deploy = false; secret = true; };
        runtimeInputs = with pkgs; [ pwgen ];
        script = ''
          pwgen 50 1 > "$out/token"
        '';
      };
    };
    networking.firewall = {
      allowedTCPPorts = [
        6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
        2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
        2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
      ];
      allowedUDPPorts = [
        8472 # k3s, flannel: required if using multi-node for inter-node networking
      ];
    };
    services = {
      k3s = {
        enable = true;
        role = "server";
        # NOTE(review): `services.k3s.token` is a plain string option, so the
        # token value is evaluated into the system closure and ends up in the
        # world-readable Nix store (the k3s unit embeds it on its command line);
        # `services.k3s.tokenFile` pointing at a deployed secret file keeps it
        # out of the store. Also confirm this attribute path: clan vars files are
        # normally addressed as `generators.k3s-token.files.token`, and `.value`
        # is typically only offered for non-secret files — check against the
        # clan vars documentation.
        token = config.clan.core.vars.generators.k3s-token.token.value;
        # First server of the cluster: initialises the embedded etcd datastore
        # (the 2379/2380 firewall rules above exist for that topology).
        clusterInit = true;
      };
    };
  };
}