# Kubernetes resources for a HedgeDoc instance served at md.kun.is:
# ConfigMaps, a Secret, a Deployment, a Service, a statically provisioned
# Longhorn volume for uploads, and an ingress entry.
{ lib, ... }:
let
  # Shared identifiers, defined once so selectors, labels and references
  # cannot drift apart.
  app = "hedgedoc";
  domain = "md.kun.is";
  uploadsVolume = "hedgedoc-uploads";
  uploadsSize = "50Mi";
  uploadsAccessModes = [ "ReadWriteOnce" ];

  # Evaluates to { app = "hedgedoc"; }.
  appLabels = { inherit app; };

  # Env-var source that reads `key` from the "hedgedoc" Secret.
  fromSecret = key: {
    valueFrom.secretKeyRef = {
      name = app;
      inherit key;
    };
  };
in
{
  kubernetes.resources = {
    configMaps = {
      # Non-secret settings, injected into the container through envFrom.
      hedgedoc-env.data = {
        CMD_DOMAIN = domain;
        CMD_PORT = "3000";
        CMD_URL_ADDPORT = "false";
        # NOTE(review): anonymous use is enabled while e-mail registration
        # is off, so anyone who can reach the host can presumably create
        # content. Confirm this is intended for a publicly routed instance.
        CMD_ALLOW_ANONYMOUS = "true";
        CMD_ALLOW_EMAIL_REGISTER = "false";
        # Generated links use https; see the useSSL note below.
        CMD_PROTOCOL_USESSL = "true";
        # NOTE(review): Content-Security-Policy headers are switched off.
        # CSP is a defence-in-depth layer against script injection in
        # rendered notes; with anonymous access enabled, re-enabling it (or
        # recording why it must stay off) is worth a follow-up.
        CMD_CSP_ENABLE = "false";
      };

      # Rendered to JSON and mounted as /hedgedoc/config.json.
      # useSSL = false keeps HedgeDoc itself on plain HTTP, so TLS is
      # presumably terminated in front of the pod; confirm at the ingress.
      hedgedoc-config.data.config = lib.generators.toJSON { } {
        useSSL = false;
      };
    };

    # Secret values are ref+sops:// references, not literals, so no
    # plaintext credential is stored in this file.
    secrets.hedgedoc.stringData = {
      databaseURL = "ref+sops://secrets/sops.yaml#/hedgedoc/databaseURL";
      sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret";
    };

    deployments.hedgedoc = {
      metadata.labels = appLabels;

      spec = {
        selector.matchLabels = appLabels;

        template = {
          metadata.labels = appLabels;

          spec = {
            # NOTE(review): this container sets no securityContext
            # (runAsNonRoot, allowPrivilegeEscalation, capabilities,
            # readOnlyRootFilesystem) and no resource requests/limits.
            # Check what the image supports before tightening.
            containers.hedgedoc = {
              # NOTE(review): pinned by tag only. Tags are mutable; pinning
              # by digest (image@sha256:<digest>) would make the deployed
              # artifact immutable.
              image = "quay.io/hedgedoc/hedgedoc:1.9.9";
              envFrom = [
                { configMapRef.name = "hedgedoc-env"; }
              ];
              ports.web.containerPort = 3000;

              # Credentials come from the Secret, not the ConfigMap.
              env = {
                CMD_DB_URL = fromSecret "databaseURL";
                CMD_SESSION_SECRET = fromSecret "sessionSecret";
              };

              volumeMounts = [
                {
                  name = "uploads";
                  mountPath = "/hedgedoc/public/uploads";
                }
                {
                  # subPath mounts the single "config" key as a file.
                  name = "config";
                  mountPath = "/hedgedoc/config.json";
                  subPath = "config";
                }
              ];
            };

            volumes = {
              uploads.persistentVolumeClaim.claimName = uploadsVolume;
              config.configMap.name = "hedgedoc-config";
            };

            # Pod-level: volume group ownership is set to GID 65534, and
            # re-applied only when the volume root does not already match.
            securityContext = {
              fsGroup = 65534;
              fsGroupChangePolicy = "OnRootMismatch";
            };
          };
        };
      };
    };

    # Service port 80 forwards to the container port named "web".
    services.hedgedoc.spec = {
      selector = appLabels;
      ports.web = {
        port = 80;
        targetPort = "web";
      };
    };

    # Empty storageClassName: bind to the pre-created PersistentVolume
    # below instead of dynamic provisioning.
    persistentVolumeClaims.hedgedoc-uploads.spec = {
      accessModes = uploadsAccessModes;
      resources.requests.storage = uploadsSize;
      storageClassName = "";
    };

    persistentVolumes.hedgedoc-uploads.spec = {
      accessModes = uploadsAccessModes;
      capacity.storage = uploadsSize;
      # NOTE(review): the claim namespace is hard-coded to "default".
      claimRef = {
        name = uploadsVolume;
        namespace = "default";
      };
      csi = {
        driver = "driver.longhorn.io";
        fsType = "ext4";
        volumeAttributes = {
          dataLocality = "disabled";
          fromBackup = "";
          fsType = "ext4";
          numberOfReplicas = "2";
          # Passed as a YAML string; selects the "backup-nfs" recurring job.
          recurringJobSelector = lib.generators.toYAML { } [
            {
              name = "backup-nfs";
              isGroup = false;
            }
          ];
          staleReplicaTimeout = "30";
          unmapMarkSnapChainRemoved = "ignored";
        };
        volumeHandle = uploadsVolume;
      };
      # NOTE(review): "Delete" means releasing the claim removes the
      # backing volume; recovery of uploads then depends on the backup job
      # above. Confirm backups are tested, or consider "Retain".
      persistentVolumeReclaimPolicy = "Delete";
      volumeMode = "Filesystem";
    };
  };

  # Ingress for the public hostname, routed to the Service's "web" port.
  lab = {
    ingresses.hedgedoc = {
      host = domain;
      service = {
        name = app;
        portName = "web";
      };
    };
  };
}