{ pkgs, ... }:

{
  boot.kernelParams = [
    "cgroup_memory=1"
    "cgroup_enable=memory"
    "cgroup_enable=cpuset"
  ];

  services.k3s = {
    enable = true;
    role = "server";
    clusterInit = true;
    extraFlags = ''
      --disable=traefik
      --flannel-backend=host-gw
    '';
  };

  networking.firewall = {
    allowedTCPPorts = [ 6443 ];
    allowedTCPPortRanges = [
      {
        from = 10250;
        to = 10250;
      }
      {
        from = 30000;
        to = 32767;
      }
    ];
    trustedInterfaces = [ "cni0" ];
  };

  environment.systemPackages = with pkgs; [
    kubectl
    kubernetes-helm
  ];
}