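# Module that, when `dnsmasq.enable` is set, declares three Kubernetes
# resources under `kubernetes.resources`: a ConfigMap holding dnsmasq.conf,
# a Deployment running dnsmasq with that file mounted, and a LoadBalancer
# Service publishing DNS on UDP/53 at `globals.dnsmasqIPv4`.
{ globals, config, lib, ... }:
{
  options.dnsmasq.enable = lib.mkEnableOption "dnsmasq";

  config = lib.mkIf config.dnsmasq.enable {
    kubernetes.resources = {
      # dnsmasq.conf. dnsmasq reads its configuration one directive per line,
      # so each directive sits on its own line of the indented string.
      # Comments are kept outside the string because everything inside it is
      # rendered into the ConfigMap verbatim.
      #
      #   address=/DOMAIN/IP   answer DOMAIN with a fixed address
      #   alias=OLD,NEW        rewrite OLD to NEW in answers from upstream
      #   host-record / local  serve hermes.dmz locally; never forward *.dmz
      #   no-hosts, no-resolv  ignore the container's /etc/hosts and
      #                        /etc/resolv.conf; upstreams come only from the
      #                        server= lines below
      #   server=/kun.is/IP    send kun.is queries to the bind9 instance
      #
      # NOTE(review): `log-queries` writes every queried name to the container
      # log. Useful for detection and troubleshooting, but it is client
      # browsing metadata; confirm who can read these logs and how long they
      # are retained.
      configMaps.dnsmasq-config.data.config = ''
        address=/kms.kun.is/${globals.kmsIPv4}
        address=/ssh.git.kun.is/${globals.gitIPv4}
        alias=${globals.routerPublicIPv4},${globals.traefikIPv4}
        expand-hosts
        host-record=hermes.dmz,${globals.dnsmasqIPv4}
        local=/dmz/
        log-queries
        no-hosts
        no-resolv
        port=53
        server=192.168.30.1
        server=/kun.is/${globals.bind9IPv4}
      '';

      deployments.dnsmasq.spec = {
        selector.matchLabels.app = "dnsmasq";

        template = {
          metadata.labels.app = "dnsmasq";

          spec = {
            # NOTE(review): no securityContext or resource limits are set on
            # this container here; whether a cluster-wide default or admission
            # policy supplies them is not visible from this file.
            containers.dnsmasq = {
              # NOTE(review): whether this image reference is pinned to a tag
              # or a digest is decided in `globals.images`; verify it there.
              image = globals.images.dnsmasq;

              ports.dns = {
                containerPort = 53;
                protocol = "UDP";
              };

              # Mounted through subPath so only the single file is overlaid.
              # A subPath mount does not pick up later ConfigMap changes; the
              # pod has to be restarted for a new config to take effect.
              volumeMounts = [
                {
                  name = "config";
                  mountPath = "/etc/dnsmasq.conf";
                  subPath = "config";
                }
              ];
            };

            volumes.config.configMap.name = "dnsmasq-config";
          };
        };
      };

      # NOTE(review): this resolver forwards to upstream servers and is
      # published on a LoadBalancer address; confirm that address is reachable
      # only from the networks meant to use it.
      # NOTE(review): only UDP/53 is exposed, so a client that receives a
      # truncated answer cannot retry over TCP; confirm this is intended.
      services.dnsmasq.spec = {
        loadBalancerIP = globals.dnsmasqIPv4;
        type = "LoadBalancer";
        selector.app = "dnsmasq";

        ports.dns = {
          port = 53;
          targetPort = "dns";
          protocol = "UDP";
        };
      };
    };
  };
}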