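# NixOS module for a single k3s server host: installs k3s, runs OpenSSH with
# password and root logins disabled, starts a Cloudflare Tunnel connector under
# a dedicated system account, and assigns a static IPv4 address with the
# firewall enabled and an explicit port allow-list.
{ config, pkgs, ... }:
{
  environment.systemPackages = with pkgs; [ k3s ];

  # Login sessions point Kubernetes clients at the per-user kubeconfig.
  environment.sessionVariables = {
    KUBECONFIG = "$HOME/.kube/config";
  };

  services.k3s = {
    enable = true;
    role = "server";
  };

  services.openssh = {
    enable = true;
    settings = {
      # Must be the boolean `false`: a bare `no` is an undefined Nix identifier
      # and makes the whole configuration fail to evaluate.
      PasswordAuthentication = false;
      PermitRootLogin = "no";
      # NOTE(review): keyboard-interactive authentication is configured
      # separately (KbdInteractiveAuthentication); confirm it is off too if
      # the intent is key-only logins.
    };
  };

  systemd.services.cloudflared-connector = {
    description = "Cloudflare Tunnel Connector";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # SECURITY: a token written here is copied into the generated unit file
      # in the world-readable Nix store and is visible in the process argument
      # list. Keep only a placeholder in this file; for a real deployment,
      # supply the token through the TUNNEL_TOKEN environment variable, loaded
      # with EnvironmentFile from a root-only file outside the store, and
      # rotate any token that has already been committed or built.
      ExecStart = "${pkgs.cloudflared}/bin/cloudflared tunnel --no-autoupdate run --token XXXXXXXXXXXXXXXXXXXXXXXXXXXX";
      Restart = "always";
      # Run the connector as the unprivileged account declared below, not root.
      User = "cloudflared";
      Group = "cloudflared";
    };
  };

  # Dedicated system account and group for the tunnel connector.
  users.users.cloudflared = {
    group = "cloudflared";
    isSystemUser = true;
  };
  users.groups.cloudflared = { };

  networking = {
    # Static addressing: DHCP is switched off and the address is set below.
    useDHCP = false;
    dhcpcd.enable = false;
    defaultGateway = "192.168.1.254";
    nameservers = [
      "1.1.1.1"
      "8.8.8.8"
    ];

    firewall = {
      enable = true;
      # 6443 = Kubernetes API server, 10250 = kubelet API, 22 = SSH.
      # These are opened on every interface. 10250 is only needed by other
      # cluster nodes; keep it and 6443 reachable from trusted networks only.
      allowedTCPPorts = [
        6443
        10250
        22
      ];
      # 8472/udp = flannel VXLAN overlay traffic between cluster nodes; it
      # should never be reachable from outside the cluster network.
      allowedUDPPorts = [ 8472 ];
    };

    interfaces.enp0s25.ipv4.addresses = [
      {
        address = "192.168.1.89";
        prefixLength = 24;
      }
    ];
  };
}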