{
  lib,
  config,
  ...
}: let
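  # Submodule schema for one entry of `lab.ingresses`. Every field is copied
  # into the generated Kubernetes Ingress by the `config` section of this file.
  # `name` (the attribute key) is accepted but not used inside this schema.
  ingressOpts = {name, ...}: {
    options = {
      # No default: each ingress has to state its hostname explicitly.
      host = lib.mkOption {
        type = lib.types.str;
        description = "Hostname used for the Ingress rule and listed in its TLS hosts.";
      };

      # Passed through unvalidated into the Traefik router.entrypoints
      # annotation. NOTE(review): "websecure" is presumably the TLS entrypoint;
      # entrypoint names are defined in Traefik's static configuration, which is
      # not part of this file. Confirm any override still terminates TLS.
      entrypoint = lib.mkOption {
        type = lib.types.str;
        default = "websecure";
        description = "Value of the traefik.ingress.kubernetes.io/router.entrypoints annotation.";
      };

      service = {
        name = lib.mkOption {
          type = lib.types.str;
          description = "Name of the Service the Ingress routes to.";
        };

        portName = lib.mkOption {
          type = lib.types.str;
          description = "Named port of that Service used as the backend port.";
        };
      };
    };
  };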
in {
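  options = {
    # Declarative list of exposed services. Each attribute is validated against
    # ingressOpts and turned into one entry of kubernetes.resources.ingresses.
    lab.ingresses = lib.mkOption {
      type = with lib.types; attrsOf (submodule ingressOpts);
      # Empty by default, so nothing is exposed unless an ingress is declared.
      default = {};
      description = "Ingresses to generate, keyed by name; the key is reused under kubernetes.resources.ingresses and as the prefix of the TLS secret name.";
    };
  };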

  config = {
    # Build one Ingress per entry of lab.ingresses, keeping the attribute key.
    kubernetes.resources.ingresses = builtins.mapAttrs (ingressName: ing: let
      # Backend the single rule below forwards to, addressed by named port.
      backendService = {
        name = ing.service.name;
        port.name = ing.service.portName;
      };
    in {
      metadata.annotations = {
        # Asks cert-manager to issue the certificate from the ClusterIssuer
        # called "letsencrypt" (defined outside this file).
        # NOTE(review): if that issuer is a public ACME CA, every host declared
        # here ends up in Certificate Transparency logs. Keep names you regard
        # as sensitive off this path.
        "cert-manager.io/cluster-issuer" = "letsencrypt";
        # Taken verbatim from the option, with no check that the named
        # entrypoint is a TLS one.
        "traefik.ingress.kubernetes.io/router.entrypoints" = ing.entrypoint;
      };

      spec = {
        ingressClassName = "traefik";

        # Single rule: the whole host ("/" with Prefix matching) goes to the
        # backend, so everything the service serves on that port is reachable
        # through this hostname. No middleware or auth annotation is attached
        # here.
        rules = [
          {
            host = ing.host;
            http.paths = [
              {
                path = "/";
                pathType = "Prefix";
                backend.service = backendService;
              }
            ];
          }
        ];

        # Certificate secret is named after the attribute key, one per ingress.
        tls = [
          {
            secretName = "${ingressName}-tls";
            hosts = [ing.host];
          }
        ];
      };
    })
    config.lab.ingresses;
  };
}