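# NixOS module: runs k3s on this host in the "agent" role, writes the kubelet
# and registry-mirror configuration under /etc/rancher/k3s, and opens the
# firewall ports listed at the bottom.
{ config, numbers, pkgs, lib, ... }:

with lib;

{
  services.k3s = {
    enable = true;
    role = "agent";

    # The join token is read from this file at runtime instead of being
    # written inline. Keep it root-readable only and provision it outside the
    # Nix store, which is world-readable.
    tokenFile = "/etc/k3s.token";
    serverAddr = "https://172.16.17.1:6443";

    extraFlags = concatStringsSep " " [
      # NOTE(review): --flannel-backend, --disable, --tls-san and
      # --embedded-registry look like k3s *server* options; confirm that the
      # agent role accepts them, or move them to the server's configuration.
      "--flannel-backend=wireguard-native"
      "--disable=traefik"
      "--disable=servicelb"
      "--disable=local-storage"
      "--tls-san=k8s.cascade.strudelline.net"

      # Must match the environment.etc."rancher/k3s/kubelet.config" entry
      # below, otherwise the kubelet is pointed at a file that does not exist.
      "--kubelet-arg=config=/etc/rancher/k3s/kubelet.config"

      # Lets pods request any net.* sysctl through securityContext.sysctls.
      # Narrow the pattern to the sysctls actually needed, or restrict which
      # workloads may set them with an admission policy.
      "--kubelet-arg=allowed-unsafe-sysctls=net.*"

      "--embedded-registry"
      "--nonroot-devices"
    ];
  };

  environment.etc = {
    # Kubelet configuration referenced by --kubelet-arg=config above.
    "rancher/k3s/kubelet.config".text = ''
      apiVersion: kubelet.config.k8s.io/v1beta1
      kind: KubeletConfiguration
      maxPods: 250
    '';

    # Wildcard mirror entry: every upstream registry is eligible for
    # mirroring. Together with --embedded-registry this presumably means
    # images can be served by other cluster nodes, so every node has to be
    # trusted as an image source -- confirm this matches the cluster's trust
    # model.
    "rancher/k3s/registries.yaml".text = ''
      mirrors:
        "*":
    '';
  };

  # These options open the ports on every interface. The lists include what
  # are conventionally the Kubernetes API (6443), kubelet (10250), etcd
  # (2379/2380) and PostgreSQL (5432) ports; if they only need to be reachable
  # from cluster peers, scope them with
  # networking.firewall.interfaces.<name>.allowed*Ports instead.
  #
  # NOTE(review): the UDP list mirrors the TCP list although most of these
  # services are TCP-only -- confirm which UDP ports are really required.
  # 8472 is the flannel VXLAN port; the wireguard-native backend selected
  # above normally uses UDP 51820, which neither this list nor the range
  # below covers -- verify against the running cluster.
  networking.firewall.allowedUDPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 8472 10250
  ];

  # 5000-32767 is much wider than the default Kubernetes NodePort range
  # (30000-32767); anything a pod or host process binds in this range is
  # reachable from outside the host.
  networking.firewall.allowedUDPPortRanges = [
    { from = 5000; to = 32767; }
  ];

  networking.firewall.allowedTCPPorts = [
    53 80 443 5432 5001 9898 9999 6443 4222 6222 8222 2379 2380 10250
  ];

  networking.firewall.allowedTCPPortRanges = [
    { from = 5000; to = 32767; }
  ];
}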