{
  kubernetes.resources = {
    secrets.server.stringData.jwtSecretKey = "ref+sops://secrets/kubernetes.yaml#/kitchenowl/jwtSecretKey";

    deployments.server.spec = {
      selector.matchLabels.app = "kitchenowl";

      strategy = {
        type = "RollingUpdate";

        rollingUpdate = {
          maxSurge = 0;
          maxUnavailable = 1;
        };
      };

      template = {
        metadata.labels.app = "kitchenowl";

        spec = {
          volumes.data.persistentVolumeClaim.claimName = "data";

          containers.kitchenowl = {
            image = "tombursch/kitchenowl:v0.5.1";
            ports.web.containerPort = 8080;
            imagePullPolicy = "IfNotPresent";

            env.JWT_SECRET_KEY.valueFrom.secretKeyRef = {
              name = "server";
              key = "jwtSecretKey";
            };

            volumeMounts = [{
              name = "data";
              mountPath = "/data";
            }];
          };

          securityContext = {
            fsGroup = 0;
            fsGroupChangePolicy = "OnRootMismatch";
          };
        };
      };
    };

    services.server.spec = {
      selector.app = "kitchenowl";

      ports.web = {
        port = 80;
        targetPort = "web";
      };
    };
  };

  lab = {
    ingresses.web = {
      host = "boodschappen.kun.is";

      service = {
        name = "server";
        portName = "web";
      };
    };

    longhorn.persistentVolumeClaim.data = {
      volumeName = "kitchenowl";
      storage = "100Mi";
    };
  };
}