# Argo Workflows exposure and admin identity:
#   * an Ingress that publishes the argo-workflows-server Service over TLS
#   * a ClusterRole / ServiceAccount / ClusterRoleBinding trio named
#     "argo-admin" with full access to the argoproj.io API group
let
  host = "workflows.kun.is";
  adminName = "argo-admin";
in
{
  kubernetes.resources = {
    ingresses.argo-workflows = {
      metadata = {
        annotations = {
          # Certificate is requested from the "letsencrypt" ClusterIssuer.
          "cert-manager.io/cluster-issuer" = "letsencrypt";
          # The router is attached only to the "localsecure" Traefik entrypoint.
          # NOTE(review): that entrypoint is defined outside this file; confirm
          # which listener/network it maps to, since it decides who can reach
          # the Argo server UI and API.
          "traefik.ingress.kubernetes.io/router.entrypoints" = "localsecure";
        };
      };

      spec = {
        ingressClassName = "traefik";

        rules = [
          {
            inherit host;
            http = {
              paths = [
                {
                  # Prefix "/" forwards every request path to the server.
                  path = "/";
                  pathType = "Prefix";
                  backend = {
                    service = {
                      name = "argo-workflows-server";
                      port = {
                        number = 2746;
                      };
                    };
                  };
                }
              ];
            };
          }
        ];

        tls = [
          {
            secretName = "argo-workflows-tls";
            hosts = [ host ];
          }
        ];
      };
    };

    # Wildcard verbs on wildcard resources: every operation on every
    # argoproj.io resource kind.
    # NOTE(review): because this is a ClusterRole bound through a
    # ClusterRoleBinding (below), the grant applies in all namespaces.
    # Creating workflows amounts to scheduling pods, so a token for this
    # identity should be handled as cluster-wide workload-execution
    # capability. If that scope is not required, enumerate the needed
    # verbs/resources and bind with a namespaced RoleBinding instead.
    clusterRoles.argo-admin = {
      rules = [
        {
          apiGroups = [ "argoproj.io" ];
          verbs = [ "*" ];
          resources = [ "*" ];
        }
      ];
    };

    # Declared without an explicit namespace.
    # NOTE(review): the binding subject below hard-codes namespace "default";
    # confirm this ServiceAccount is actually created there, otherwise the
    # binding refers to an account that does not exist.
    serviceAccounts.argo-admin = { };

    clusterRoleBindings.argo-admin = {
      subjects = [
        {
          kind = "ServiceAccount";
          name = adminName;
          namespace = "default";
        }
      ];

      roleRef = {
        kind = "ClusterRole";
        name = adminName;
        apiGroup = "rbac.authorization.k8s.io";
      };
    };
  };
}