{
  globals,
  config,
  lib,
  ...
}: {
  options.inbucket.enable = lib.mkEnableOption "inbucket";

  config = lib.mkIf config.inbucket.enable {
    kubernetes.resources = {
      serviceAccounts.inbucket = {};

      deployments.inbucket.spec = {
        selector.matchLabels.app = "inbucket";

        template = {
          metadata.labels.app = "inbucket";

          spec = {
            serviceAccountName = "inbucket";

            containers.inbucket = {
              image = globals.images.inbucket;
              env = {
                INBUCKET_MAILBOXNAMING.value = "full";
                INBUCKET_SMTP_DEFAULTACCEPT.value = "false";
                INBUCKET_SMTP_ACCEPTDOMAINS.value = "kun.is";
                INBUCKET_SMTP_DEFAULTSTORE.value = "false";
                INBUCKET_SMTP_STOREDOMAINS.value = "kun.is";
                INBUCKET_STORAGE_RETENTIONPERIOD.value = "168h";
              };
              ports = {
                web.containerPort = 9000;
                smtp.containerPort = 2500;
              };
            };
          };
        };
      };

      services = {
        inbucket.spec = {
          loadBalancerIP = globals.inbucketIPv4;
          type = "LoadBalancer";
          selector.app = "inbucket";

          ports = {
            smtp = {
              port = 25;
              targetPort = "smtp";
            };

            web = {
              port = 80;
              targetPort = "web";
            };
          };
        };
      };
    };

    lab = {
      tailscaleIngresses.tailscale = {
        host = "inbucket";
        service.name = "inbucket";
      };

      ingresses.inbucket = {
        host = "inbucket.kun.is";
        entrypoint = "localsecure";

        service = {
          name = "inbucket";
          portName = "web";
        };
      };
    };
  };
}