{
  globals,
  config,
  lib,
  ...
}:
let
  # One name shared by the Secret, the Deployment and its labels, the Service
  # selector, the PVC prefix and the Tailscale ingress target, so none of them
  # can drift apart when renamed.
  app = "pihole";

  # Key under which the admin-UI password is stored in the Secret and read
  # back by the container's secretKeyRef.
  passwordKey = "webPassword";
in
{
  options.pihole.enable = lib.mkEnableOption app;

  config = lib.mkIf config.pihole.enable {
    kubernetes.resources = {
      # Only a SOPS reference is committed here; the password itself is never
      # written into this file.
      secrets.${app}.stringData.${passwordKey} = "ref+sops://secrets.yml#/pihole/password";

      deployments.${app}.spec = {
        selector.matchLabels.app = app;

        # maxSurge = 0 means the old pod is torn down before a new one starts;
        # presumably so the two PVCs below are never attached to two pods at
        # once — confirm against the PVC accessModes, which are not visible here.
        strategy.type = "RollingUpdate";
        strategy.rollingUpdate.maxSurge = 0;
        strategy.rollingUpdate.maxUnavailable = 1;

        template.metadata.labels.app = app;

        template.spec = {
          containers.${app} = {
            # Image reference is resolved from globals; whether it is a digest
            # or a mutable tag cannot be seen from this file — worth checking.
            image = globals.images.pihole;

            env = {
              TZ.value = "Europe/Amsterdam";

              # Upstream resolver Pi-hole forwards to. A bare IP, so upstream
              # lookups presumably leave as plain DNS toward the LAN gateway.
              PIHOLE_DNS_.value = "192.168.30.1";

              # Admin password is injected from the Secret, not as a literal.
              WEBPASSWORD.valueFrom.secretKeyRef.name = app;
              WEBPASSWORD.valueFrom.secretKeyRef.key = passwordKey;
            };

            ports.web.containerPort = 80;
            ports.dns.containerPort = 53;
            ports.dns.protocol = "UDP";

            volumeMounts = [
              { name = "data"; mountPath = "/etc/pihole"; }
              { name = "dnsmasq"; mountPath = "/etc/dnsmasq.d"; }
            ];
          };

          volumes = {
            data.persistentVolumeClaim.claimName = "${app}-data";
            dnsmasq.persistentVolumeClaim.claimName = "${app}-dnsmasq";
          };

          # Pod-level context only fixes group ownership of the mounted
          # volumes; no runAsNonRoot or capability restrictions are set here.
          # NOTE(review): the image likely needs privileges to bind port 53 —
          # confirm what it actually requires before tightening this.
          securityContext = {
            fsGroup = 1000;
            fsGroupChangePolicy = "OnRootMismatch";
          };
        };
      };

      # LAN-facing LoadBalancer on a fixed address from globals. It exposes
      # DNS (UDP/53) and the admin UI on TCP/80 — presumably plain HTTP, since
      # no TLS termination is configured in this file.
      services.${app}.spec = {
        type = "LoadBalancer";
        loadBalancerIP = globals.piholeIPv4;
        selector.app = app;

        ports.dns = { protocol = "UDP"; port = 53; targetPort = "dns"; };
        ports.web = { port = 80; targetPort = "web"; };
      };
    };

    lab = {
      longhorn.persistentVolumeClaim = {
        "${app}-data" = { volumeName = "${app}-data"; storage = "750Mi"; };
        "${app}-dnsmasq" = { volumeName = "${app}-dnsmasq"; storage = "16Mi"; };
      };

      # Second path to the admin UI over the tailnet. Whether this should
      # replace the LAN port-80 exposure above is a policy decision for the
      # owner; both are reachable as written.
      tailscaleIngresses."tailscale-${app}" = { host = app; service.name = app; };
    };
  };
}