{ nixpkgs, pkgs, nixng, globals, config, lib, ... }:
let
  dnsmasqStream = (import ./dnsmasq-image.nix {
    inherit nixpkgs nixng globals;
    inherit (nixng) nglib;
  }).config.system.build.ociImage.stream;

  dnsmasqImage = pkgs.stdenv.mkDerivation {
    name = "dnsmasq.tar";
    src = dnsmasqStream;
    dontUnpack = true;
    buildPhase = ''
      $src > $out
    '';
  };
in
{
  options.dnsmasq.enable = lib.mkEnableOption "dnsmasq";

  config = lib.mkIf config.dnsmasq.enable {
    kubernetes.resources = {
      deployments.dnsmasq.spec = {
        selector.matchLabels.app = "dnsmasq";

        template = {
          metadata.labels.app = "dnsmasq";

          spec.containers.dnsmasq = {
            image = "nix:0${dnsmasqImage}";
            imagePullPolicy = "Always";

            ports.dns = {
              containerPort = 53;
              protocol = "UDP";
            };
          };
        };
      };

      services.dnsmasq.spec = {
        loadBalancerIP = globals.dnsmasqIPv4;
        type = "LoadBalancer";
        selector.app = "dnsmasq";

        ports.dns = {
          port = 53;
          targetPort = "dns";
          protocol = "UDP";
        };
      };
    };
  };
}