{ lib, myLib, ... }: {
  kubernetes.resources.helmChartConfigs = {
    traefik = {
      metadata.namespace = "kube-system";

      # Override Traefik's service with a static load balancer IP.
      # Create endpoint for HTTPS on port 444.
      # Allow external name services for esrom.
      spec.valuesContent = lib.generators.toYAML { } {
        # service.annotations."metallb.universe.tf/loadBalancerIPs" = myLib.globals.traefikIPv4;
        providers.kubernetesIngress.allowExternalNameServices = true;
        service.loadBalancerIP = myLib.globals.traefikIPv4;

        ports = {
          localsecure = {
            port = 8444;
            expose = true;
            exposedPort = 444;
            protocol = "TCP";

            tls = {
              enabled = true;
              options = "";
              certResolver = "";
              domains = [ ];
            };
          };

          web.redirectTo = "websecure";
        };
      };
    };
  };
}