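{ config, lib, pkgs, self, ... }:
let
  cfg = config.me.etcd;

  # Addresses whose value is `true`.  The option is `attrsOf bool` precisely so
  # an entry can be switched off (e.g. `"192.168.1.10" = lib.mkForce false`, as
  # the option example shows); plain `attrNames` would still include such an
  # entry, so filter on the value before building URLs.
  activeIps = lib.attrNames (lib.filterAttrs (_: enabled: enabled) cfg.internal_ip);

  # Bracket IPv6 literals: a URL host that contains ':' must be written as
  # `https://[addr]:port`, otherwise the port separator is ambiguous.
  urlHost = ip: if lib.hasInfix ":" ip then "[${ip}]" else ip;

  # Build one https:// URL per active internal address for the given port.
  urlsOn = port: map (ip: "https://${urlHost ip}:${toString port}") activeIps;

  # All TLS material lives under the persisted key directory; the etcd user
  # must be able to read these files (not shown here -- handled elsewhere).
  keyDir = "/.persist/keys/etcd";
in
{
  imports = [ ];

  options.me = {
    etcd.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install etcd.";
    };

    # No default: a `str` option with a boolean default would only fail at type
    # check time, so make the omission explicit instead.  The value is passed
    # to etcd as --initial-cluster-token, which keeps members of different
    # clusters that share a bootstrap config from joining each other.
    etcd.cluster_name = lib.mkOption {
      type = lib.types.str;
      example = "lorem";
      description = "The unique name for the cluster (used as the etcd initial cluster token). Must be set when etcd is enabled.";
    };

    etcd.internal_ip = lib.mkOption {
      default = { };
      example = lib.literalExpression ''
        { "172.16.0.10" = true; "192.168.1.10" = lib.mkForce false; }
      '';
      # A plain list is coerced into an attrset of `addr = true`, so callers
      # may write either form; a `false` value disables that address.
      type = lib.types.coercedTo (lib.types.listOf lib.types.str) (
        enabled: lib.listToAttrs (map (addr: lib.nameValuePair addr true) enabled)
      ) (lib.types.attrsOf lib.types.bool);
      description = "Internal IP addresses etcd listens on and advertises for this node. Entries set to false are ignored.";
    };

    etcd.initial_cluster = lib.mkOption {
      default = [ ];
      example = [
        "controller0=https://10.215.1.221:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01dd
        "controller1=https://10.215.1.222:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01de
        "controller2=https://10.215.1.223:2380" # 2620:11f:7001:7:ffff:ffff:0ad7:01df
      ];
      type = lib.types.listOf lib.types.str;
      description = "List of `name=peerURL` entries forming the initial etcd cluster. This node's own entry must use its member name, which is its hostname.";
    };

    # Previously hard-coded to "new"; exposed so a replacement node can be
    # bootstrapped against a running cluster with "existing".
    etcd.initial_cluster_state = lib.mkOption {
      type = lib.types.enum [ "new" "existing" ];
      default = "new";
      example = "existing";
      description = "Value for etcd's --initial-cluster-state: \"new\" when bootstrapping, \"existing\" when joining a cluster that already runs.";
    };
  };

  config = lib.mkIf cfg.enable {
    assertions = [
      {
        # With no active address the listen/advertise lists below are empty and
        # etcd cannot form or join a cluster.
        assertion = activeIps != [ ];
        message = "me.etcd.internal_ip must contain at least one enabled address when me.etcd.enable is true.";
      }
    ];

    services.etcd = {
      enable = true;
      openFirewall = true;
      name = config.networking.hostName;

      # NOTE(review): one keypair serves both the client-facing and the peer
      # listener, and its file name suggests it is shared with the
      # kube-apiserver.  Its SANs must cover every address in internal_ip (and
      # 127.0.0.1 for the loopback client URL) -- confirm before deploying.
      certFile = "${keyDir}/kube-api-server.crt";
      keyFile = "${keyDir}/kube-api-server.key";
      peerCertFile = "${keyDir}/kube-api-server.crt";
      peerKeyFile = "${keyDir}/kube-api-server.key";
      trustedCaFile = "${keyDir}/ca.crt";
      peerTrustedCaFile = "${keyDir}/ca.crt";

      # Mutual TLS on both listeners: clients and peers must present a
      # certificate signed by ca.crt.  This is what makes exposing 2379/2380
      # on the internal addresses acceptable.
      peerClientCertAuth = true;
      clientCertAuth = true;

      initialAdvertisePeerUrls = urlsOn 2380;
      listenPeerUrls = urlsOn 2380;

      # Clients are also served on loopback for local tooling, but loopback is
      # deliberately not advertised to other members.
      listenClientUrls = [ "https://127.0.0.1:2379" ] ++ urlsOn 2379;
      advertiseClientUrls = urlsOn 2379;

      initialClusterToken = cfg.cluster_name;
      initialCluster = cfg.initial_cluster;
      initialClusterState = cfg.initial_cluster_state;
    };

    # Keep the etcd data directory across reboots on impermanent roots; it is
    # owner-only because it holds the raft log and key/value store.
    environment.persistence."/disk" = lib.mkIf (config.me.mountPersistence) {
      hideMounts = true;
      directories = [
        {
          directory = config.services.etcd.dataDir; # "/var/lib/etcd"
          user = "etcd";
          group = "etcd";
          mode = "0700";
        }
      ];
    };

    # Fixed ids so the persisted data directory keeps a stable owner across
    # rebuilds.
    users.users.etcd.uid = 10016;
    users.groups.etcd.gid = 10016;

    environment.systemPackages = with pkgs; [
      net-tools # for debugging
      tcpdump
      e2fsprogs # mkfs.ext4
      gptfdisk # cgdisk
    ];

    # NOTE(review): this disables the host firewall for the whole machine,
    # which makes `openFirewall = true` above moot and exposes every other
    # listening service, not just etcd.  Kept because the host profile may
    # depend on it, but it belongs in a host-level module, not in the etcd
    # role; at minimum consider `lib.mkDefault false` so a host can override.
    networking.firewall.enable = false;
  };
}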