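# NixOS module for a k3s worker (agent) node: joins the cluster at
# 172.16.17.1, installs the Multus CNI shim, writes the kubelet and registry
# configuration, and declares the host firewall rules.
{config, numbers, pkgs, lib, ...}:
with lib;
{
  services.k3s = {
    enable = true;
    role = "agent";

    # The join token is read from a file at service start instead of being
    # written into this module (and therefore into the Nix store).
    # NOTE(review): confirm /etc/k3s.token is root-owned, mode 0600, and
    # provisioned out of band. Generating it through environment.etc would put
    # the secret in the world-readable store.
    tokenFile = "/etc/k3s.token";
    serverAddr = "https://172.16.17.1:6443";

    # Each fragment keeps its leading space so the concatenation yields the
    # same flag string as before.
    extraFlags =
      # Point the kubelet at the KubeletConfiguration file defined below.
      " --kubelet-arg=config=/etc/rancher/k3s/kubelet.config"
      # NOTE(review): this lets pods request every net.* sysctl on this node.
      # If only a few are needed, list them explicitly, and make sure pod
      # admission policy limits which workloads may set
      # securityContext.sysctls.
      + " --kubelet-arg=allowed-unsafe-sysctls=net.*"
      # NOTE(review): presumably lets non-root containers open devices handed
      # to the pod; confirm this is required by a workload on this node.
      + " --nonroot-devices";
  };

  # Runs as root on every activation: make the Multus shim from the Nix store
  # visible in the k3s CNI binary directory. The two commands are on separate
  # lines so the shell runs mkdir and ln as distinct steps.
  system.activationScripts.k3s-nixos-install-multus = ''
    mkdir -p /var/lib/rancher/k3s/data/cni
    ln -sf ${pkgs.multus-cni}/bin/multus-shim /var/lib/rancher/k3s/data/cni/multus-shim
  '';

  environment.etc = {
    # One YAML key per line; a single-line rendering is not a valid
    # KubeletConfiguration document.
    "rancher/k3s/kubelet.config".text = ''
      apiVersion: kubelet.config.k8s.io/v1beta1
      kind: KubeletConfiguration
      maxPods: 250
    '';

    # Wildcard mirror entry with no endpoints listed.
    # NOTE(review): the nesting ("*" under mirrors) is reconstructed; verify
    # against the deployed file. If this enables a peer-to-peer or embedded
    # registry mirror, confirm that every node allowed to serve images is
    # trusted and prefer digest-pinned image references.
    "rancher/k3s/registries.yaml".text = ''
      mirrors:
        "*":
    '';
  };

  # NOTE(review): the two *PortRanges entries below open ports 1-65535 for
  # both TCP and UDP, so the host firewall filters nothing and the explicit
  # port lists are redundant. They are kept to preserve current behaviour. If
  # filtering is intended, drop the ranges (or narrow them to what the
  # workloads need) and restrict cluster-internal ports to the cluster
  # interface or CIDR.
  #
  # NOTE(review): several listed UDP ports (5432, 6443, 2379, 2380, 10250) are
  # conventionally TCP-only services, and 2379/2380/6443 are control-plane
  # ports that an agent node normally does not listen on; confirm they are
  # needed.
  networking.firewall.allowedUDPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250
  ];
  networking.firewall.allowedUDPPortRanges = [
    { from = 1; to = 65535; }
  ];
  networking.firewall.allowedTCPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250
  ];
  networking.firewall.allowedTCPPortRanges = [
    { from = 1; to = 65535; }
  ];
}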