{
  config,
  lib,
  nixhelm,
  system,
  globals,
  ...
}: {
  options.bootstrap-default.enable = lib.mkEnableOption "bootstrap-default";

  config = lib.mkIf config.bootstrap-default.enable {
    kubernetes = {
      helm.releases = {
        metallb = {
          chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
          includeCRDs = true;
        };

        longhorn = {
          chart = nixhelm.chartsDerivations.${system}.longhorn.longhorn;
          includeCRDs = true;

          values = {
            persistence.defaultClassReplicaCount = 2;
            service.ui.type = "LoadBalancer";

            defaultSettings = {
              defaultDataPath = "/mnt/longhorn";
              storageMinimalAvailablePercentage = 0;
              allowRecurringJobWhileVolumeDetached = true;
              backupTarget = "nfs://lewis.dmz:/mnt/longhorn/persistent/longhorn-backup";
            };
          };
        };
      };

      resources = {
        services.longhorn-frontend.spec.loadBalancerIP = globals.longhornIPv4;

        namespaces = {
          static-websites = {};
          freshrss = {};
          radicale = {};
          kms = {};
          atuin = {};
          nextcloud = {};
          hedgedoc = {};
          kitchenowl = {};
          forgejo = {};
          paperless = {};
          syncthing = {};
          immich = {};
          attic = {};
          inbucket = {};
          dns = {};
          media = {};
          minecraft = {};
          tailscale = {};
          ntfy = {};
          authentik = {};
          mealie = {};
        };

        nodes =
          builtins.mapAttrs
          (_name: labels: {
            metadata.labels = labels;
          })
          globals.nodeLabels;

        recurringJobs.backup-nfs.spec = {
          cron = "0 1 * * *"; # One o'clock at night
          task = "backup";
          retain = 2; # We don't need many, as we also make Borg backups.
          concurrency = 1;
        };

        backuptargets.backup.spec = {
          backupTargetURL = "nfs://lewis.dmz:/mnt/longhorn/persistent/longhorn-backup";
          pollInterval = "5m0s";
        };

        ipAddressPools.main.spec.addresses = ["192.168.30.128-192.168.30.200" "2a0d:6e00:1a77:30::2-2a0d:6e00:1a77:30:ffff:ffff:ffff:fffe"];
        l2Advertisements.main.metadata = {};

        # We don't need backups for music, just replication is enough.
        persistentVolumes.music.spec.csi.volumeAttributes.recurringJobSelector = lib.mkForce "";
      };
    };

    lab = {
      longhorn.persistentVolume = {
        freshrss.storage = "1Gi";
        radicale.storage = "200Mi";
        atuin-db.storage = "300Mi";
        nextcloud.storage = "50Gi";
        nextcloud-db.storage = "400Mi";
        hedgedoc-uploads.storage = "50Mi";
        hedgedoc-db.storage = "100Mi";
        kitchenowl.storage = "100Mi";
        forgejo.storage = "20Gi";
        paperless-data.storage = "10Gi";
        paperless-redisdata.storage = "20Mi";
        paperless-db.storage = "150Mi";
        syncthing.storage = "400Mi";
        pihole-data.storage = "750Mi";
        pihole-dnsmasq.storage = "16Mi";
        immich.storage = "50Gi";
        immich-db.storage = "5Gi";
        attic.storage = "15Gi";
        attic-db.storage = "150Mi";
        jellyfin.storage = "10Gi";
        transmission.storage = "25Mi";
        jellyseerr.storage = "75Mi";
        radarr.storage = "300Mi";
        prowlarr.storage = "150Mi";
        sonarr.storage = "250Mi";
        bazarr.storage = "25Mi";
        minecraft.storage = "1Gi";
        ntfy.storage = "300Mi";
        deluge.storage = "500Mi";
        keepassxc.storage = "100Mi";
        authentik-db.storage = "10Gi";
        authentik-redis.storage = "5Gi";
        mealie.storage = "3Gi";
        music.storage = "70Gi";
      };

      tailscaleIngresses.tailscale-longhorn = {
        host = "longhorn";

        service = {
          name = "longhorn-frontend";
          portName = "http";
        };
      };
    };
  };
}