{
  config,
  lib,
  globals,
  ...
}: {
  options.cyberchef.enable = lib.mkEnableOption "cyberchef";

  config = lib.mkIf config.cyberchef.enable {
    kubernetes.resources = {
      deployments.cyberchef.spec = {
        replicas = 3;
        selector.matchLabels.app = "cyberchef";

        template = {
          metadata.labels.app = "cyberchef";

          spec.containers.cyberchef = {
            image = globals.images.cyberchef;
            imagePullPolicy = "Always";
            ports.web.containerPort = 8000;
          };
        };
      };

      services.cyberchef.spec = {
        selector.app = "cyberchef";

        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };

      ingresses.cyberchef.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd";
    };

    lab.ingresses.cyberchef = {
      host = "cyberchef.kun.is";

      service = {
        name = "cyberchef";
        portName = "web";
      };
    };
  };
}