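{ config, lib, pkgs, inputs, ... }:
with lib;
let
  cfg = config.nyxs-nix.services.k3s;
in
{
  # k3s node module. Every enabled host runs as a k3s server: the node with
  # `initServer = true` bootstraps the embedded-etcd cluster, all others join
  # the server given by `serverAddr`.
  options.nyxs-nix.services.k3s = with types; {
    # mkEnableOption already prefixes "Whether to enable", so only the
    # service name goes here (the old text described a different service).
    enable = mkEnableOption "the k3s cluster node";

    initServer = mkOption {
      type = bool;
      default = false;
      description = "Whether this node bootstraps the cluster (cluster-init) instead of joining an existing server.";
    };

    # Previously a hard-coded literal; kept as the default so existing hosts
    # behave the same while other clusters can override it.
    serverAddr = mkOption {
      type = str;
      default = "https://10.5.0.103:6443";
      description = "URL of an existing k3s server that joining nodes connect to; ignored when initServer is true.";
    };
  };

  config = mkIf cfg.enable {
    # NOTE(review): these ports are opened on every interface; if a node has a
    # non-cluster-facing NIC, consider scoping them with
    # networking.firewall.interfaces.<name> instead.
    networking.firewall.allowedTCPPorts = [
      6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
      2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
      2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration
    ];
    networking.firewall.allowedUDPPorts = [
      8472 # k3s, flannel: required if using multi-node for inter-node networking
    ];

    # The cluster token is decrypted by sops at activation time; only the
    # runtime path is referenced from Nix, so the secret itself never enters
    # the world-readable Nix store.
    sops.secrets.k3s_token = {
      format = "json";
      key = "token";
      sopsFile = "${inputs.secrets}/k3s.json";
    };

    services.k3s = {
      enable = true;
      # `services.k3s.token` is the token *value*; the original assigned the
      # secret's file path to it, so the literal path string became the
      # cluster token and the sops-managed secret was never read. `tokenFile`
      # makes k3s load the token from that file.
      tokenFile = config.sops.secrets.k3s_token.path;
      clusterInit = mkIf cfg.initServer true;
      serverAddr = mkIf (!cfg.initServer) cfg.serverAddr;
      # manifests = import ./manifests.nix { inherit lib cfg; };
    };
  };
}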