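# k3s agent role: joins this machine to the cluster run by the machine that
# holds the `controller` role, using the controller's exported IP address and
# join token from the clan vars directory.
{ config, lib, pkgs, roles, ... }:
let
  inherit (builtins) head pathExists;

  # Name of the machine carrying the `controller` role, or null when no
  # machine has it. (A bare `head` on the empty list would abort evaluation
  # with an opaque "list index out of bounds" error.)
  controllerMachines = lib.attrNames (roles.controller.machines or { });
  controller = if controllerMachines == [ ] then null else head controllerMachines;

  # Directory holding the controller's generated k3s vars.
  # `toString` keeps this a string even when controller is null; it is only
  # dereferenced below after the null check.
  varsDir = "${config.clan.core.settings.directory}/vars/per-machine/${toString controller}/k3s";

  # Read one var file from the controller, or null when it does not exist.
  # `lib.fileContents` strips the trailing newline that `readFile` would
  # keep, which would otherwise end up inside the serverAddr URL and the
  # token passed to k3s.
  readVar = name:
    let
      path = "${varsDir}/${name}";
    in
    if controller != null && pathExists path then lib.fileContents path else null;

  # The controller's IP address and the cluster join token.
  ipAddress = readVar "ip_v4";
  token = readVar "token";
in
{
  config = {
    # Fail evaluation with a readable message instead of a null-interpolation
    # error deep inside the k3s service definition.
    assertions = [
      {
        assertion = controller != null;
        message = "k3s agent: no machine has the `controller` role assigned.";
      }
      {
        assertion = controller == null || ipAddress != null;
        message = "k3s agent: controller var file ${varsDir}/ip_v4 not found.";
      }
      {
        assertion = controller == null || token != null;
        message = "k3s agent: controller var file ${varsDir}/token not found.";
      }
    ];

    networking.firewall = {
      allowedTCPPorts = [
        6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
        2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
        2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
      ];
      allowedUDPPorts = [
        8472 # k3s, flannel: required if using multi-node for inter-node networking
      ];
    };

    services = {
      k3s = {
        enable = true;
        role = "agent";
        # NOTE(review): reading the token at evaluation time bakes it into the
        # system closure, i.e. it becomes world-readable in /nix/store on every
        # host that evaluates or receives this configuration. NixOS provides
        # `services.k3s.tokenFile` to read the token from a file at runtime
        # instead; prefer that if the token is meant to stay secret.
        token = token;
        serverAddr = "https://${ipAddress}:6443";
      };
    };
  };
}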