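# NixOS system module for a virtualised guest that runs an RKE2 server node.
#
# It imports the upstream qemu-guest profile, switches on a set of
# project-local `reichard.*` options (boot, OpenSSH, cloud-init, RKE2,
# open-iscsi, OpenGL), opens the RKE2 ports in the host firewall and
# generates the iSCSI initiator name at runtime, after cloud-init has run.
#
# The `reichard.*` options are defined elsewhere in the project; comments on
# them describe only what is set here, not what those modules do with it.
{ pkgs, namespace, lib, modulesPath, ... }:
let
  # Project helper taken from lib.<namespace>; presumably expands to
  # `{ enable = true; }` - confirm against the project library.
  inherit (lib.${namespace}) enabled;
in
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

  config = {
    reichard = {
      nix = enabled;

      system = {
        boot = {
          enable = true;
          xenGuest = true;
        };
      };

      services = {
        # NOTE(review): OpenSSH hardening (key-only auth, root login policy)
        # is decided in the project's openssh module, not visible here.
        openssh = enabled;
        cloud-init = enabled;
        rke2 = {
          enable = true;
          # Presumably skips the bundled ingress-nginx chart - confirm in the
          # project's rke2 module.
          disable = [ "rke2-ingress-nginx" ];
        };
        openiscsi = {
          enable = true;
          symlink = true;
        };
      };

      hardware = {
        opengl = {
          enable = true;
          enableIntel = true;
        };
      };
    };

    # Basic System
    system.stateVersion = "24.11";
    time.timeZone = "UTC";

    fileSystems."/" = {
      device = "/dev/disk/by-label/nixos";
      fsType = "ext4";
      autoResize = true;
    };

    # Network Configuration
    networking = {
      # Forced empty so NixOS does not pin a hostname; presumably cloud-init
      # assigns it at first boot. The iSCSI initiator name below is derived
      # from whatever hostname is in effect at that point.
      hostName = lib.mkForce "";
      useNetworkd = true;
      useDHCP = false;

      firewall = {
        enable = true;

        # NOTE(review): allowedTCPPorts/allowedUDPPorts apply to every
        # interface. The etcd, supervisor and kubelet ports are
        # cluster-internal; if any interface of this VM is reachable from
        # outside the cluster network, scope them per interface with
        # networking.firewall.interfaces.<name>.allowedTCPPorts (and the UDP
        # equivalent) or enforce the restriction in the hypervisor/cloud
        # network policy.
        allowedTCPPorts = [
          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
          6443 # Kubernetes API
          9345 # RKE2 supervisor API
          2379 # etcd Client Port
          2380 # etcd Peer Port
          2381 # etcd Metrics Port
          10250 # kubelet metrics
          9099 # Canal CNI health checks
        ];

        allowedUDPPorts = [
          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
          # VXLAN is neither authenticated nor encrypted: anything that can
          # reach this port can inject traffic into the pod network, so it
          # must only be reachable from other cluster nodes.
          8472 # Canal CNI with VXLAN
          # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
          # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
        ];

        # Allow Multicast
        #
        # The rule is added to the firewall's own `nixos-fw` chain instead of
        # INPUT. The NixOS iptables firewall flushes and rebuilds only its
        # nixos-fw* chains, so a rule appended directly to INPUT is left
        # behind when the firewall stops and is appended once more on every
        # firewall restart or reload.
        #
        # `iptables` covers IPv4 only. The match accepts multicast packets on
        # any protocol and port.
        # NOTE(review): if the consumer of this traffic is known, narrow the
        # rule to its group address, protocol and port.
        extraCommands = ''
          iptables -A nixos-fw -m pkttype --pkt-type multicast -j nixos-fw-accept
        '';
      };
    };

    systemd.services = {
      # RKE2 - Wait Cloud Init
      # `requires` + `after`: rke2-server is ordered behind cloud-final and
      # is not started if cloud-final fails.
      rke2-server = {
        after = [ "cloud-final.service" ];
        requires = [ "cloud-final.service" ];
      };

      # Runtime iSCSI Initiator Setup
      # One-shot unit that writes the initiator name under /run and
      # bind-mounts it over /etc/iscsi/initiatorname.iscsi before iscsid
      # starts, so each VM built from this configuration gets a name based
      # on its runtime hostname.
      #
      # NOTE(review): the name is only unique if cloud-init assigned a unique
      # hostname before this unit runs. An initiator name is an identifier,
      # not a credential, so target-side access control should not rely on
      # the IQN alone.
      # NOTE(review): RFC 3720 IQNs have the form iqn.yyyy-mm.<reversed
      # domain>; the string below has no month. Left unchanged because
      # existing targets may already have ACLs keyed on it.
      # NOTE(review): `mount --bind` needs the target path to exist and adds
      # another mount on top if the unit is restarted; confirm that the
      # openiscsi module (symlink = true) provides the target path.
      iscsi-initiator-setup = {
        description = "Setup iSCSI Initiator Name";
        requires = [ "cloud-final.service" ];
        before = [ "iscsid.service" ];
        after = [ "cloud-final.service" ];
        wantedBy = [ "multi-user.target" ];

        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
        };

        path = [ pkgs.hostname pkgs.util-linux ];
        script = ''
          mkdir -p /run/iscsi
          echo "InitiatorName=iqn.2025.org.nixos:$(hostname)" > /run/iscsi/initiatorname.iscsi
          mount --bind /run/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
        '';
      };
    };

    # System Packages
    environment = {
      systemPackages = with pkgs; [
        htop
        nfs-utils
        tmux
        vim
      ];

      # Don't Manage - Runtime Generation
      # Disables the build-time /etc entry so that the
      # iscsi-initiator-setup unit above owns this path.
      etc."iscsi/initiatorname.iscsi".enable = false;
    };
  };
}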