{
  kubernetes.resources = {
    configMaps.freshrss.data = {
      TZ = "Europe/Amsterdam";
      CRON_MIN = "2,32";
      ADMIN_EMAIL = "pim@kunis.nl";
      PUBLISHED_PORT = "443";
    };

    secrets.freshrss.stringData.adminPassword = "ref+sops://secrets/sops.yaml#/freshrss/password";

    deployments.freshrss = {
      metadata.labels.app = "freshrss";

      spec = {
        selector.matchLabels.app = "freshrss";

        template = {
          metadata.labels.app = "freshrss";

          spec = {
            containers.freshrss = {
              # TODO: pin this to a release when a new one is released.
              image = "freshrss/freshrss:edge";
              envFrom = [{ configMapRef.name = "freshrss"; }];
              ports.web.containerPort = 80;

              env = {
                ADMIN_PASSWORD.valueFrom.secretKeyRef = {
                  name = "freshrss";
                  key = "adminPassword";
                };

                ADMIN_API_PASSWORD.valueFrom.secretKeyRef = {
                  name = "freshrss";
                  key = "adminPassword";
                };
              };

              volumeMounts = [{
                name = "data";
                mountPath = "/var/www/FreshRSS/data";
              }];
            };

            volumes.data.persistentVolumeClaim.claimName = "freshrss";

            securityContext = {
              fsGroup = 33;
              fsGroupChangePolicy = "OnRootMismatch";
            };
          };
        };
      };
    };

    services.freshrss.spec = {
      selector.app = "freshrss";

      ports.web = {
        port = 80;
        targetPort = "web";
      };
    };
  };

  lab = {
    longhornVolumes.freshrss.storage = "400Mi";

    ingresses.freshrss = {
      host = "rss.kun.is";
      entrypoint = "localsecure";

      service = {
        name = "freshrss";
        portName = "web";
      };
    };
  };
}