{
  lib,
  config,
  ...
}: {
  options = with lib.types; {
    lab.tailscaleIngresses = lib.mkOption {
      type = attrsOf (submodule {
        options = {
          host = lib.mkOption {type = str;};

          service = {
            name = lib.mkOption {type = str;};

            portName = lib.mkOption {
              type = str;
              default = "web";
            };
          };
        };
      });

      default = {};
    };
  };

  config = let
    cfg = config.lab.tailscaleIngresses;

    mkTailscaleIngress = name: {
      host,
      service,
    }: {
      spec = {
        ingressClassName = "tailscale";

        rules = [
          {
            http.paths = [
              {
                path = "/";
                pathType = "Prefix";

                backend.service = {
                  name = service.name;
                  port.name = service.portName;
                };
              }
            ];
          }
        ];

        tls = [
          {
            hosts = [host];
          }
        ];
      };
    };
  in {
    kubernetes.resources.ingresses = builtins.mapAttrs mkTailscaleIngress cfg;
  };
}