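# NixOS module shared by every node of a small k3s cluster.
#
# `meta.hostname` is supplied by the caller and selects the node's role:
# the host named "patrick" runs the k3s server (control plane) and every
# other host joins it as an agent.
{ config, lib, pkgs, meta, ... }:

let
  # True only on the control-plane node.
  isServer = meta.hostname == "patrick";
in
{
  nix.settings.experimental-features = [ "nix-command" "flakes" ];

  boot = {
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = [ "nfs" ];
  };

  networking = {
    hostName = meta.hostname;
    networkmanager.enable = true;
    # NOTE(review): with the host firewall off, every listener on this node
    # (sshd, the k3s API server on 6443, the kubelet, rpcbind, iSCSI) is
    # reachable from any network the machine is attached to. Prefer enabling
    # the firewall and opening only the ports the cluster needs via
    # networking.firewall.allowedTCPPorts / allowedUDPPorts.
    firewall.enable = false;
  };

  time.timeZone = "America/Toronto";

  environment.systemPackages = with pkgs; [
    curl
    neovim
    git
    nfs-utils
  ];

  users = {
    # Accounts are fully declarative; passwd/useradd changes do not persist.
    mutableUsers = false;
    users = {
      mthomson = {
        isNormalUser = true;
        extraGroups = [ "wheel" ]; # wheel grants sudo
        # NOTE(review): an inline hash is published with the repository and
        # copied into the world-readable Nix store, so it is exposed to
        # offline guessing. Consider users.users.<name>.hashedPasswordFile
        # pointing at a root-only file provisioned outside the store.
        hashedPassword = "$y$j9T$z0rPbGIYSfVhMV2O.K4Dv1$sWP1o.2VLv5hDakM65bNp4CxJn8MNxAjcoj3aGRrnZB";
        openssh.authorizedKeys.keys = [
          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqLd5MRSD5GdVmFOgKGRq8t/I8I9xjH2gRMmNHSqtSPYWFx8xT8uOfwyHx1um73tMg99jb4LCs+OpTaTdEyitFygxF/UdSYvAwzP+Lg4p7n6vLljmt0V1i5Zbct3oPM5CKXsUaRZkNyJxB5gJEXe/wKQ3+xj59HV3+m6uw9MO72sI5PKSFIKQFA2LTCYkA2NfO+/VtrLwopcZ+fvIutdUgmaltA3ESWCglocQ+EDXFsdO/h2KUFN6sereT+EBVPC0ePbxWpT9gHZlpeHyPPDnDuj1lUYQisTVKiaRnyFk6FyLYyxquqk+kHX0vSGD/+tBQ/+NoE/ckp2XvjrM48M3+LqtTcOi5RnTHZFuP9NgKxUQyCGOntocNVJ50puLWgr1joFUdHABo3Xjaik0np0FL5QsfYFbNxY6x94OWUxYFUu+/ZRLMWhA3qab6+FcYo4nYB+VszNYv0kE0Lo0jk9EjACoDc/omS0i5P38wvMekwkE2k54U8CkkE+zB3gXtCATE+kN9/ueOy5W4xHhvnoRmMpFza2xO3LPIVB8mVTUiBRfwgz2+psb/AHQwsmORS9BzfA8QdaM1kbbmZo1F1iw8+m1ZCatos2xkcWgMwKfiT2224hZ7DsM+DAZ4IYQzxT7OBYknh7lX3kQeeficqF3Dlg2QLuAlOdnDqb2xyCSDyQ=="
        ];
      };
    };
  };

  services = {
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        # Keyboard-interactive is a separate sshd mechanism that can still
        # prompt for the account password through PAM, so it is disabled as
        # well to make SSH logins key-only.
        KbdInteractiveAuthentication = false;
      };
    };

    k3s = {
      enable = true;
      role = if isServer then "server" else "agent";
      # Only the server node bootstraps the cluster datastore.
      clusterInit = isServer;
      # Agents join the server at a fixed LAN address; the server itself
      # has no upstream to join.
      serverAddr = if isServer then "" else "https://192.168.2.100:6443";
      # Written as strings, not Nix path literals: a path literal that is
      # interpolated into the unit's command line is copied into the
      # world-readable Nix store at build time (or rejected in pure flake
      # evaluation), which would leak the join token. A string is passed
      # through untouched and read from the node's disk at service start.
      tokenFile =
        if isServer
        then "/var/lib/rancher/k3s/server/token"
        else "/var/lib/rancher/k3s/server/agent-token";
      extraFlags =
        [
          # NOTE(review): the wildcard lets any pod request any namespaced
          # net.ipv4.* sysctl; list only the sysctls workloads actually use.
          "--kubelet-arg=allowed-unsafe-sysctls=net.ipv4.*"
        ]
        ++ (
          if isServer
          then [
            "--disable servicelb"
            "--disable traefik"
            "--disable local-storage"
            # NOTE(review): mode 0644 makes the cluster-admin kubeconfig
            # readable by every local account and process on the server.
            # Prefer 0600/0640 with a dedicated group, or copy the file
            # into the operator's home directory.
            "--write-kubeconfig-mode \"0644\""
          ]
          else [ ]
        );
    };

    openiscsi = {
      enable = true;
      name = "${meta.hostname}-initiatorhost";
    };

    rpcbind.enable = true;
  };

  # Fixes for longhorn path mapping: replaces /usr/local/bin with a symlink
  # to the system profile's bin directory (L+ removes anything already at
  # that path first).
  systemd.tmpfiles.rules = [
    "L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
  ];

  # Only takes effect where Docker is enabled; this file does not enable it.
  virtualisation.docker.logDriver = "json-file";

  system.stateVersion = "24.05";
}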