{
  modulesPath,
  lib,
  pkgs,
  ...
}: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
  ];
  boot.loader.grub = {
    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
    # devices = [ ];
    efiSupport = true;
    efiInstallAsRemovable = true;
  };
  services.openssh.enable = true;

  networking.firewall.allowedTCPPorts = [
    6443 # k3s: required so that pods can reach the API server (running on port 6443 by default)
    2379 # k3s, etcd clients: required if using a "High Availability Embedded etcd" configuration
    2380 # k3s, etcd peers: required if using a "High Availability Embedded etcd" configuration

    80
    443
  ];
  networking.firewall.allowedUDPPorts = [
    8472 # k3s, flannel: required if using multi-node for inter-node networking
  ];

  services.k3s = {
    enable = true;
    role = "server";
    token = "e73bb24efa7c545165e7edaf357bc8cfe0fc3e579ff41f6cdc4ea6b81f34ebd9c9ec13f27fb6d4aa5824dec3ac5c57dbf36460c5255fc434c2d33507e38578cb";
    clusterInit = true;
  };

  services.k3s.extraFlags = [
    "-tls-san=134.199.176.87"
    "--egress-selector-mode=disabled"

    "--disable=traefik"
    "--bind-address=0.0.0.0"
    "--advertise-address=134.199.176.87"
  ];

  # do not use DHCP, as DigitalOcean provisions IPs using cloud-init
  networking.useDHCP = lib.mkForce false;

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      datasource_list = ["ConfigDrive"];
      datasource.ConfigDrive = {};
    };
  };

  environment.systemPackages = map lib.lowPrio [
    pkgs.curl
    pkgs.gitMinimal
  ];

  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFuw7D+qDzzxBKsfKEmMd7odc98m3ZEnqWYFtuKwvC9k zoey@earth"
  ];

  system.stateVersion = "24.05";
}