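{ config, lib, pkgs, self, ... }:
let
  cfg = config.me.etcd;

  # Only addresses whose value is `true` take part in the URL lists.  The
  # option type (attrsOf bool, see the example with `lib.mkForce false`)
  # lets a user disable an address, but `builtins.attrNames` on its own
  # ignores the boolean and would still listen on / advertise it.
  enabledIps = lib.attrNames (lib.filterAttrs (_: enabled: enabled) cfg.internal_ip);

  # One https URL per enabled internal address on the given port.
  urlsOn = port: map (ip: "https://${ip}:${toString port}") enabledIps;

  peerPort = 2380;   # etcd peer (member-to-member) traffic
  clientPort = 2379; # etcd client (API server) traffic

  peerUrls = urlsOn peerPort;
  clientUrls = urlsOn clientPort;
in
{
  imports = [ ];

  options.me = {
    etcd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install etcd.";
    };

    etcd.cluster_name = lib.mkOption {
      type = lib.types.str;
      # No default on purpose.  The previous `default = false` did not
      # satisfy `types.str`, so every evaluation that fell back on it failed
      # with a type error.  The value becomes etcd's initial-cluster-token
      # and has to be chosen per cluster, so a missing definition is the
      # clearer failure.
      example = "lorem";
      description = "The unique name for the cluster.";
    };

    etcd.internal_ip = lib.mkOption {
      default = { };
      example = lib.literalExpression ''
        {
          "172.16.0.10" = true;
          "192.168.1.10" = lib.mkForce false;
        }
      '';
      # A plain list of addresses is accepted and coerced to `{ ip = true; }`.
      type = lib.types.coercedTo (lib.types.listOf lib.types.str)
        (ips: lib.listToAttrs (map (ip: lib.nameValuePair ip true) ips))
        (lib.types.attrsOf lib.types.bool);
      description = ''
        Internal IP addresses this node listens on and advertises for etcd.
        Entries set to `false` are ignored.
      '';
    };

    etcd.initial_cluster = lib.mkOption {
      default = [ ];
      example = [
        "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
        "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
        "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
      ];
      type = lib.types.listOf lib.types.str;
      description = "List of controller nodes to form the initial etcd cluster.";
    };
  };

  config = lib.mkIf cfg.enable {
    services.etcd = {
      enable = true;

      # NOTE(review): this opens the peer and client ports on every
      # interface, not only the ones in `internal_ip` — confirm that is
      # intended for this host's network position.
      openFirewall = true;

      # etcd requires this member name to appear as `<name>=<peer-url>` in
      # `initial_cluster`; the hostName must therefore match the entries
      # given there.
      name = config.networking.hostName;

      # The same certificate is used for the client and the peer endpoint.
      certFile = "/.disk/keys/kubernetes.pem";
      keyFile = "/.disk/keys/kubernetes-key.pem";
      peerCertFile = "/.disk/keys/kubernetes.pem";
      peerKeyFile = "/.disk/keys/kubernetes-key.pem";
      trustedCaFile = "/.disk/keys/ca.pem";
      peerTrustedCaFile = "/.disk/keys/ca.pem";

      # Peers must present a certificate signed by `peerTrustedCaFile`.
      peerClientCertAuth = true;
      # NOTE(review): `clientCertAuth` is left at its default, so the client
      # endpoints on `internal_ip` accept any TLS client that reaches port
      # 2379 without presenting a certificate.  Unless etcd authentication
      # is enforced another way, enable it and issue client certificates to
      # the consumers (e.g. the API server) — confirm with the rest of the
      # cluster configuration before changing.

      initialAdvertisePeerUrls = peerUrls;
      listenPeerUrls = peerUrls;

      # Clients are additionally served on loopback, but loopback is never
      # advertised to other members.
      listenClientUrls = [ "https://127.0.0.1:${toString clientPort}" ] ++ clientUrls;
      advertiseClientUrls = clientUrls;

      initialClusterToken = cfg.cluster_name;
      initialCluster = cfg.initial_cluster;
      # Bootstrap value for a brand-new cluster; etcd ignores the initial-*
      # flags once a data directory exists, so this is not re-applied to an
      # established member.
      initialClusterState = "new";
    };

    # Keep the etcd data directory across reboots when the host uses the
    # persistence mechanism controlled by `me.mountPersistence`.
    environment.persistence."/persist" = lib.mkIf config.me.mountPersistence {
      hideMounts = true;
      directories = [
        config.services.etcd.dataDir # "/var/lib/etcd"
      ];
    };
  };
}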