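{ lib, pkgs, ... }:
let
  inherit (builtins) readFile;

  # Firewall rules needed by every k3s node (server and agent). Defined once
  # here so the two roles cannot drift apart; the ports are k3s's defaults.
  # NOTE(review): the server role's `port` option is not wired into these
  # rules (nor into k3s itself) yet - changing it only changes the option value.
  k3sFirewall = {
    allowedTCPPorts = [
      6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
      2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
      2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
    ];
    allowedUDPPorts = [
      8472 # k3s, flannel: required if using multi-node for inter-node networking
    ];
  };
in
{
  _class = "clan.service";

  manifest = {
    name = "amarth-services/k3s";
    description = "K3s service in order to set up a cluster";
    categories = [ "System" "Network" "Containers" "Virtualisation" ];
    readme = readFile ./README.md;
  };

  #==============================================================================================================
  # Server configuration
  #==============================================================================================================
  roles.server = {
    interface = { lib, ... }:
      let
        inherit (lib) mkOption types;
      in
      {
        options = {
          port = mkOption {
            type = types.port;
            default = 6443;
            # `types.port` is an integer type, so the example is an integer as
            # well (it used to be the string "6443", which does not match).
            example = 6443;
            description = ''
              Temporary option till I figure out something useful
            '';
          };
        };
      };

    perInstance = { instanceName, settings, machine, roles, ... }: {
      nixosModule = { config, pkgs, ... }: {
        # Per-machine vars for this node. `share = false` means every machine
        # in the server role gets its own, unrelated token; any agent (or extra
        # server) that should join this node must obtain *this* node's token.
        clan.core.vars.generators.k3s = {
          share = false;
          files = {
            # Loopback placeholders: the script below writes fixed values,
            # not the machine's real addresses.
            ip_v6 = { deploy = false; secret = false; };
            ip_v4 = { deploy = false; secret = false; };
            # Cluster join token; deployed to the machine as a secret file and
            # consumed through `services.k3s.tokenFile` below.
            token = { deploy = true; secret = true; };
          };
          runtimeInputs = with pkgs; [ pwgen ];
          script = ''
            echo "::1" > "$out/ip_v6"
            echo "127.0.0.1" > "$out/ip_v4"
            pwgen 50 1 > "$out/token"
          '';
        };

        networking.firewall = k3sFirewall;

        services.k3s = {
          enable = true;
          role = "server";
          tokenFile = config.clan.core.vars.generators.k3s.files.token.path;
          # NOTE(review): every machine in the server role evaluates to
          # clusterInit = true, so with more than one server each one would
          # bootstrap its own separate cluster instead of joining the first.
          # Only the first server should init; the others need `serverAddr`
          # pointing at it. Left as-is here because that needs the role layout.
          clusterInit = true;

          autoDeployCharts = {
            harbor = {
              name = "harbor";
              repo = "https://helm.goharbor.io";
              version = "1.14.0";
              hash = "sha256-fMP7q1MIbvzPGS9My91vbQ1d3OJMjwc+o8YE/BXZaYU=";
              values = {
                # Name of a pre-existing Kubernetes Secret that holds the admin
                # password. Nothing in this module creates it, so the chart
                # will not come up until it exists in the cluster.
                existingSecretAdminPassword = "harbor-admin";
                expose = {
                  tls = {
                    enabled = true;
                    certSource = "secret";
                    # Also expected to pre-exist in the cluster.
                    secret.secretName = "my-tls-secret";
                  };
                  ingress = {
                    # Placeholder hostname; replace with the real ingress host.
                    hosts.core = "example.com";
                    className = "nginx";
                  };
                };
              };
            };
            crossplane = {
              name = "crossplane";
              repo = "https://charts.crossplane.io/stable";
              version = "2.0.2";
              hash = "sha256-5gk/dvOJAy5O++QkrnS0oVZaanDgNmF0107qKyri3Js=";
              targetNamespace = "crossplane-system";
              createNamespace = true;
              values = {
                replicas = 1;
                deploymentStrategy = "RollingUpdate";
              };
            };
          };
        };
      };

      # exports.port = settings.port;
      # exports.address = "https://\${config.networking.fqdn}:${toString port}";
    };
  };

  #==============================================================================================================
  # Agent configuration
  #==============================================================================================================
  roles.agent = {
    interface = { lib, ... }: { options = { }; };

    perInstance = { instanceName, settings, machine, roles, ... }: {
      nixosModule = { config, ... }:
        let
          inherit (builtins) head pathExists readFile;

          # Name of the first machine in the server role (attrNames is sorted,
          # so "first" means alphabetically first). The `or` fallback only
          # covers a *missing* `machines` attribute; an empty set would still
          # make `head` fail at evaluation time.
          server = head (lib.attrNames (roles.server.machines or { not_found = { }; }));

          # Read the server's ip address from the clan vars directory at
          # evaluation time. ip_v4 is a non-secret var, so embedding it in the
          # configuration is acceptable. Currently computed but not used.
          ipAddressPath = "${config.clan.core.settings.directory}/vars/per-machine/${server}/k3s/ip_v4/value";
          ipAddress = if pathExists ipAddressPath then readFile ipAddressPath else null;

          # Read the server's token
          # Do NOT resolve the token the same way as ip_v4: it is a secret, and
          # readFile would copy its plaintext into the world-readable Nix store.
          # tokenPath = "${config.clan.core.settings.directory}/vars/per-machine/${server}/k3s/token";
          # token = if pathExists tokenPath then readFile tokenPath else null;
        in
        {
          networking.firewall = k3sFirewall;

          services = {
            k3s = {
              enable = true;
              role = "agent";
              # Placeholder: the agent cannot join until this points at a file
              # containing the server's token. The server's generator uses
              # `share = false`, so the agent has no var of its own to use here.
              tokenFile = "/var/lib/k3s/__TODO_FIGURE_OUT_TOKEN__"; #config.clan.core.vars.generators.k3s.files.token.path;
              # Assumes networking.domain is set on this machine; a null domain
              # makes the string interpolation fail at evaluation time.
              serverAddr = "https://${server}.${config.networking.domain}:6443";
            };
          };
        };
    };
  };
}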