# Module that turns every `lab.ingresses.<name>` entry into a Kubernetes
# Ingress (written to `kubernetes.resources.ingresses.<name>`) served by the
# "traefik" ingress class, with a cert-manager annotation and a TLS section.
{ lib, config, ... }:

let
  inherit (lib) mkOption types;

  # Option schema for a single ingress; instantiated once per attribute
  # declared under `lab.ingresses`.
  ingressModule = { ... }: {
    options = {
      # Hostname used both for the routing rule and for the TLS `hosts` list.
      # Plain string: no format or ownership validation happens in this module.
      host = mkOption { type = types.str; };

      # Traefik entrypoint the router is attached to.
      # NOTE(review): "websecure" is presumably this cluster's TLS entrypoint;
      # confirm against the Traefik static configuration. Overriding it with a
      # plaintext entrypoint would still render the `tls` section below, so
      # check overrides during review.
      entrypoint = mkOption {
        type = types.str;
        default = "websecure";
      };

      # Backend Service, addressed by Service name and *named* port.
      service.name = mkOption { type = types.str; };
      service.portName = mkOption { type = types.str; };
    };
  };

  # Render one Ingress resource from its attribute name and option values.
  mkIngress = name: ingress: {
    metadata.annotations = {
      # The ClusterIssuer name is fixed for every ingress generated here.
      # NOTE(review): a ClusterIssuer called "letsencrypt" must exist in the
      # cluster; nothing in this module checks that.
      "cert-manager.io/cluster-issuer" = "letsencrypt";
      "traefik.ingress.kubernetes.io/router.entrypoints" = ingress.entrypoint;
    };

    spec = {
      ingressClassName = "traefik";

      rules = [
        {
          inherit (ingress) host;
          # "/" with pathType Prefix sends every path on the host to the
          # backend, so the whole service surface is reachable via this route;
          # any access control has to live in the service or elsewhere.
          http.paths = [
            {
              path = "/";
              pathType = "Prefix";
              backend.service.name = ingress.service.name;
              backend.service.port.name = ingress.service.portName;
            }
          ];
        }
      ];

      # The certificate Secret is named after the ingress attribute name, not
      # after the host.
      tls = [
        {
          secretName = "${name}-tls";
          hosts = [ ingress.host ];
        }
      ];
    };
  };
in
{
  options.lab.ingresses = mkOption {
    type = types.attrsOf (types.submodule ingressModule);
    default = { };
  };

  config.kubernetes.resources.ingresses =
    builtins.mapAttrs mkIngress config.lab.ingresses;
}