{ myLib, ... }: {
  kubernetes.resources = {
    serviceAccounts.inbucket = { };

    deployments.inbucket.spec = {
      selector.matchLabels.app = "inbucket";

      template = {
        metadata.labels.app = "inbucket";

        spec = {
          serviceAccountName = "inbucket";

          containers = {
            inbucket = {
              image = "inbucket/inbucket:edge";

              env.INBUCKET_WEB_ADDR.value = "0.0.0.0:80";

              ports = {
                web.containerPort = 80;
                smtp.containerPort = 2500;
              };
            };
          };
        };
      };
    };

    services = {
      web.spec = {
        type = "LoadBalancer";
        loadBalancerIP = myLib.globals.inbucketWebIPv4;
        selector.app = "inbucket";

        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };

      email.spec = {
        type = "LoadBalancer";
        loadBalancerIP = myLib.globals.inbucketEmailIPv4;
        selector.app = "inbucket";

        ports = [{
          port = 25;
          targetPort = "smtp";
        }];
      };
    };
  };

  lab.tailscale = {
    enable = true;
    allowedServiceAccounts = [ "inbucket" ];
    deploymentsWithSidecarContainers.inbucket.hostName = "inbucket";
  };
}