{ self, flake-utils, kubenix, nixhelm, ... }: flake-utils.lib.eachDefaultSystem
  (system: {
    kubenix = kubenix.packages.${system}.default.override {
      specialArgs.flake = self;

      module = { kubenix, ... }: {
        imports = [
          kubenix.modules.k8s
          kubenix.modules.helm
          # ./freshrss.nix
        ];
        kubernetes.kubeconfig = "~/.kube/config";
        kubenix.project = "home";

        kubernetes = {
          # namespace = "kubenix";

          customTypes = {
            # HACK: These are dummy custom types.
            # This is needed, because the CRDs imported as a chart are not available as Nix modules.
            # There is no nix-based validation on resources defined using these types!
            # See: https://github.com/hall/kubenix/issues/34
            ipAddressPool = {
              attrName = "ipAddressPools";
              group = "metallb.io";
              version = "v1beta1";
              kind = "IPAddressPool";
            };

            l2Advertisement = {
              attrName = "l2Advertisements";
              group = "metallb.io";
              version = "v1beta1";
              kind = "L2Advertisement";
            };
          };

          resources = {
            # namespaces = {
            #   kubenix = { };

            #   metallb-system.metadata.labels = {
            #     "pod-security.kubernetes.io/enforce" = "privileged";
            #     "pod-security.kubernetes.io/audit" = "privileged";
            #     "pod-security.kubernetes.io/warn" = "privileged";
            #   };
            # };

            deployments.cyberchef.spec = {
              replicas = 3;
              selector.matchLabels.app = "cyberchef";

              template = {
                metadata.labels.app = "cyberchef";

                spec = {
                  containers.cyberchef = {
                    image = "mpepping/cyberchef";

                    ports = [{
                      containerPort = 8000;
                      protocol = "TCP";
                    }];
                  };
                };
              };
            };

            services.cyberchef.spec = {
              selector.app = "cyberchef";

              ports = [{
                protocol = "TCP";
                port = 80;
                targetPort = 8000;
              }];
            };

            ingresses.cyberchef.spec = {
              ingressClassName = "traefik";

              rules = [{
                host = "cyberchef.kun.is";

                http.paths = [{
                  path = "/";
                  pathType = "Prefix";

                  backend.service = {
                    name = "cyberchef";
                    port.number = 80;
                  };
                }];
              }];
            };

            ipAddressPools.main = {
              # metadata.namespace = "metallb-system";
              spec.addresses = [ "192.168.40.100-192.168.40.254" ];
            };

            # l2Advertisements.main.metadata.namespace = "metallb-system";
            l2Advertisements.main.metadata = { };
          };

          helm.releases.metallb = {
            chart = nixhelm.chartsDerivations.${system}.metallb.metallb;
            # namespace = "metallb-system";
            includeCRDs = true;
          };
        };
      };
    };
  })