{ lib, nixhelm, system, ... }: {
  config = {
    kubernetes = {
      helm.releases.longhorn = {
        chart = nixhelm.chartsDerivations.${system}.longhorn.longhorn;
        includeCRDs = true;
        values = {
          defaultSettings = {
            defaultDataPath = "/mnt/longhorn";
            storageMinimalAvailablePercentage = 0;
            allowRecurringJobWhileVolumeDetached = true;
            backupTarget = "nfs://lewis.dmz:/mnt/data/nfs/longhorn-backup";
          };

          persistence = {
            defaultClassReplicaCount = 2;
          };
        };
      };

      resources = {
        ingresses.longhorn = {
          metadata.annotations = {
            "cert-manager.io/cluster-issuer" = "letsencrypt";
            "traefik.ingress.kubernetes.io/router.entrypoints" = "localsecure";
          };

          spec = {
            ingressClassName = "traefik";

            rules = [{
              host = "longhorn.kun.is";

              http.paths = [{
                path = "/";
                pathType = "Prefix";

                backend.service = {
                  name = "longhorn-frontend";
                  port.number = 80;
                };
              }];
            }];

            tls = [{
              secretName = "longhorn-tls";
              hosts = [ "longhorn.kun.is" ];
            }];
          };
        };

        recurringJobs.backup-nfs.spec = {
          cron = "0 1 * * *"; # One o'clock at night
          task = "backup";
          retain = 2; # We don't need many, as we also make Borg backups.
          concurrency = 1;
        };
      };
    };
  };
}