{
  config,
  lib,
  pkgs,
  ...
}:

let
  # shellCommand = cmd: (lib.concatMapStringsSep " " lib.strings.escapeShellArg cmd);
  shellCommand = cmd: (builtins.concatStringsSep " " cmd);
in
{
  imports = [ ];

  options.me = {
    kube_controller_manager.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install kube_controller_manager.";
    };
  };

  config = lib.mkIf config.me.kube_controller_manager.enable {
    systemd.services.kube-controller-manager = {
      enable = true;
      description = "Kubernetes Controller Manager";
      documentation = [ "https://github.com/kubernetes/kubernetes" ];
      wantedBy = [ "kubernetes.target" ];
      # path = with pkgs; [
      #   zfs
      # ];
      unitConfig.DefaultDependencies = "no";
      serviceConfig = {
        Type = "notify";
        ExecStart = (
          shellCommand [
            # NEW:
            "${pkgs.kubernetes}/bin/kube-controller-manager"
            "--bind-address=0.0.0.0"
            # "--cluster-cidr=10.200.0.0/16"
            "--cluster-cidr=2620:11f:7001:7:ffff:ffff:0ac8:0000/16"
            "--cluster-name=kubernetes"
            "--cluster-signing-cert-file=/.persist/keys/kube/ca.crt"
            "--cluster-signing-key-file=/.persist/keys/kube/ca.key"
            "--kubeconfig=/.persist/keys/kube/kube-controller-manager.kubeconfig"
            "--root-ca-file=/.persist/keys/kube/ca.crt"
            "--service-account-private-key-file=/.persist/keys/kube/service-accounts.key"
            "--service-cluster-ip-range=2620:11f:7001:7:ffff:ffff:0ac5:0000/16"
            # "--service-cluster-ip-range=10.197.0.0/16"
            "--use-service-account-credentials=true"
            "--v=2"
          ]
        );
        Restart = "on-failure";
        RestartSec = 5;
      };
    };
  };
}