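{ config, lib, pkgs, ... }:
let
  cfg = config.me.kube-proxy;

  # Join an argv list into a single ExecStart line.
  # Every element passed below is a literal or a Nix store path, so plain
  # space-joining is sufficient. If an element could ever carry whitespace or
  # quotes (anything user-controlled), switch to `lib.escapeShellArgs` so
  # systemd's word splitting of ExecStart cannot be influenced.
  shellCommand = cmd: builtins.concatStringsSep " " cmd;

  settingsFormat = pkgs.formats.yaml { };

  # The rendered YAML lands in the world-readable Nix store. Keep credentials
  # out of `settings`: reference them by path (as clientConnection.kubeconfig
  # does) so the secret material itself stays on the persistent volume.
  config_file = settingsFormat.generate "kube-proxy-config.yaml" cfg.settings;

  # CLI flags are derived from `settings` so the config file and the command
  # line can never disagree. kube-proxy documents most flags as ignored when
  # --config is given; keeping both in sync makes that precedence irrelevant.
  cidrFlag = lib.optional (cfg.settings ? clusterCIDR)
    "--cluster-cidr=${cfg.settings.clusterCIDR}";
  nodePortFlag = lib.optional (cfg.settings ? nodePortAddresses)
    "--nodeport-addresses=${lib.concatStringsSep "," cfg.settings.nodePortAddresses}";
in
{
  imports = [ ];

  options.me = {
    kube-proxy.enable = lib.mkOption {
      type = lib.types.bool;
      default = false;
      example = true;
      description = "Whether we want to install kube-proxy.";
    };

    kube-proxy.settings = lib.mkOption {
      type = settingsFormat.type;
      default = {
        kind = "KubeProxyConfiguration";
        apiVersion = "kubeproxy.config.k8s.io/v1alpha1";
        clientConnection = {
          # Path only; the kubeconfig is expected to exist on the persistent
          # volume and is never copied into the store.
          kubeconfig = "/.persist/keys/kube/kube-proxy.kubeconfig";
        };
        mode = "iptables";
        # Pod network. Earlier values kept for reference:
        # clusterCIDR = "10.200.0.0/16";
        # clusterCIDR = "2620:11f:7001:7:ffff:ffff:0ac8:0000/16";
        clusterCIDR = "fd49:0595:2bba::/48";
        # Expose NodePort services on the node's primary address only, not on
        # every address of the host. This used to be passed solely as a CLI
        # flag, which kube-proxy may ignore when --config is in use; putting it
        # in the config file makes the restriction take effect either way.
        nodePortAddresses = [ "primary" ];
      };
      description = ''
        Contents of the generated kube-proxy-config.yaml (a
        KubeProxyConfiguration object). Do not put secrets here: the file is
        written to the Nix store, which is world-readable.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services.kube-proxy = {
      enable = true;
      description = "Kubernetes Kube Proxy";
      documentation = [ "https://github.com/kubernetes/kubernetes" ];
      wantedBy = [ "kubernetes.target" ];
      # kube-proxy shells out to iptables in "iptables" mode.
      path = with pkgs; [ iptables ];
      # NOTE(review): with DefaultDependencies=no and no After=/RequiresMountsFor=,
      # nothing orders this unit after the network or the /.persist mount; it
      # relies on Restart=on-failure below to retry until both are available.
      # Confirm that this is intended.
      unitConfig.DefaultDependencies = "no";
      serviceConfig = {
        ExecStart = shellCommand (
          [
            "${pkgs.kubernetes}/bin/kube-proxy"
            "--config=${config_file}"
          ]
          ++ nodePortFlag
          ++ cidrFlag
        );
        Restart = "on-failure";
        RestartSec = 5;
      };
    };

    # 10256/tcp is presumably kube-proxy's health-check endpoint (its default
    # healthz port), needed by external load balancers. This opens it on every
    # interface; if only one network must reach it, prefer
    # networking.firewall.interfaces.<name>.allowedTCPPorts.
    networking.firewall.allowedTCPPorts = [ 10256 ];
  };
}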