{
  config,
  lib,
  ...
}: {
  sops.secrets."k3s-token" = {
    sopsFile = ../../../../secrets/k3s-token.txt;
    format = "binary";
  };

  services.k3s = {
    enable = true;
    role = "server";
    clusterInit = true;
    tokenFile = config.sops.secrets."k3s-token".path;

    extraFlags = lib.concatStringsSep " " [
      "--disable=traefik"
      "--disable=servicelb"
      "--disable=local-storage"
      "--disable=helm-controller"
      "--tls-san=silver.int.min.rip"
    ];
  };
}