{
  lib,
  globals,
  config,
  ...
}: let
  cfg = config.traefik;

  # Extra HTTPS entrypoint: listens inside the pod on 8444 and is published on
  # the load balancer as 444. TLS is switched on, but `options`/`certResolver`
  # are empty and no domains are listed, so no ACME issuance is configured for
  # this entrypoint here. NOTE(review): presumably the cluster's default TLS
  # store/certificate covers it; confirm before relying on it for anything that
  # must not be served with a default or self-signed certificate.
  localSecurePort = {
    port = 8444;
    exposedPort = 444;
    expose.default = true;
    protocol = "TCP";
    tls = {
      enabled = true;
      options = "";
      certResolver = "";
      domains = [];
    };
  };

  # Values handed to the traefik Helm chart (serialised to YAML below).
  helmValues = {
    # ExternalName Services make Traefik proxy to whatever hostname the Service
    # names. Traefik ships with this off because anyone allowed to create a
    # Service + Ingress can then route through Traefik to arbitrary hosts,
    # internal ones included. It is enabled here for LAN backends such as
    # `esrom` below; keep RBAC on Service/Ingress creation tight accordingly.
    providers.kubernetesIngress.allowExternalNameServices = true;

    # Pin the LoadBalancer Service to the fixed address from the globals set.
    service.loadBalancerIP = globals.traefikIPv4;

    ports = {
      localsecure = localSecurePort;
      # Plain HTTP is redirected to the websecure entrypoint rather than served.
      web.redirectTo.port = "websecure";
    };
  };

  # Service objects created alongside the chart.
  extraServices = {
    # Alias for a host on the DMZ network so an Ingress can target it. The hop
    # from Traefik to esrom.dmz is plain HTTP on port 80: TLS terminates at
    # Traefik, so this relies on the DMZ path being a trusted network.
    esrom.spec = {
      type = "ExternalName";
      externalName = "esrom.dmz";
      ports.web = {
        port = 80;
        targetPort = 80;
      };
    };

    # Service selecting the chart's Traefik pods (no `type` set, so it takes
    # the Kubernetes default, ClusterIP) and forwarding to the container port
    # named "traefik" — presumably the chart's API/dashboard port. Nothing in
    # this file puts authentication in front of it; it is only reached through
    # the Tailscale ingress declared under `lab` below. NOTE(review): confirm
    # the tailnet is the intended trust boundary for the dashboard.
    traefik-dashboard.spec = {
      selector = {
        "app.kubernetes.io/name" = "traefik";
        "app.kubernetes.io/instance" = "traefik-kube-system";
      };
      ports.web = {
        port = 80;
        targetPort = "traefik";
      };
    };
  };
in {
  # `traefik.enable` switches the whole module on; the config below is only
  # applied when it is set.
  options.traefik.enable = lib.mkEnableOption "traefik";

  config = lib.mkIf cfg.enable {
    kubernetes.resources = {
      helmChartConfigs.traefik.spec.valuesContent = lib.generators.toYAML {} helmValues;
      services = extraServices;
    };

    lab = {
      # Public-facing ingress for esrom, routed via the ExternalName Service above.
      ingresses.esrom = {
        host = "esrom.kun.is";
        service = {
          name = "esrom";
          portName = "web";
        };
      };

      # The dashboard is published on the tailnet only, under the host name "traefik".
      tailscaleIngresses.traefik-dashboard = {
        host = "traefik";
        service.name = "traefik-dashboard";
      };
    };
  };
}