{pkgs, ...}: let
  kMasterIp = "10.13.0.1";
  kMasterHostname = "silver";
  kMasterApiServerPort = 6443;
in {
  networking.extraHosts = "${kMasterIp} ${kMasterHostname}";

  systemd.services.etcd.preStart = ''${pkgs.writeShellScript "etcd-wait" ''
      while [ ! -f /var/lib/kubernetes/secrets/etcd.pem ]; do sleep 1; done
    ''}'';

  services.kubernetes = {
    roles = ["master" "node"];
    masterAddress = kMasterHostname;
    apiserverAddress = "https://${kMasterHostname}:${toString kMasterApiServerPort}";

    apiserver = {
      securePort = kMasterApiServerPort;
      advertiseAddress = kMasterIp;
    };

    easyCerts = true;

    # use coredns
    addons.dns.enable = true;

    # needed if you use swap
    kubelet.extraOpts = "--fail-swap-on=false";
  };
}