{ pkgs, ... }: {
  kubernetes.resources =
    let
      atticdSettings = {
        database.url = "ref+sops://secrets/sops.yaml#atticd/databaseURL";

        storage = {
          type = "local";
          path = "/var/lib/atticd/storage";
        };

        listen = "[::]:8080";

        # Data chunking
        #
        # Warning: If you change any of the values here, it will be
        # difficult to reuse existing chunks for newly-uploaded NARs
        # since the cutpoints will be different. As a result, the
        # deduplication ratio will suffer for a while after the change.
        chunking = {
          # The minimum NAR size to trigger chunking
          #
          # If 0, chunking is disabled entirely for newly-uploaded NARs.
          # If 1, all NARs are chunked.
          nar-size-threshold = 64 * 1024; # 64 KiB

          # The preferred minimum size of a chunk, in bytes
          min-size = 16 * 1024; # 16 KiB

          # The preferred average size of a chunk, in bytes
          avg-size = 64 * 1024; # 64 KiB

          # The preferred maximum size of a chunk, in bytes
          max-size = 256 * 1024; # 256 KiB
        };
      };
      generatedConfig = (pkgs.formats.toml { }).generate "atticd.toml" atticdSettings;
    in
    {
      configMaps = {
        atticd-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#atticd/jwtToken";
        atticd-config.data.config = builtins.readFile generatedConfig;
      };

      deployments.atticd = {
        metadata.labels.app = "atticd";

        spec = {
          selector.matchLabels.app = "atticd";

          template = {
            metadata.labels.app = "atticd";

            spec = {
              containers.atticd = {
                image = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27";
                envFrom = [{ configMapRef.name = "atticd-env"; }];
                ports.web.containerPort = 8080;
                args = [ "-f" "/etc/atticd/config.toml" ];

                volumeMounts = [
                  {
                    name = "data";
                    mountPath = "/var/lib/atticd/storage";
                  }
                  {
                    name = "config";
                    mountPath = "/etc/atticd/config.toml";
                    subPath = "config";
                  }
                ];
              };

              volumes = {
                data.persistentVolumeClaim.claimName = "atticd";
                config.configMap.name = "atticd-config";
              };
            };
          };
        };
      };

      services.atticd.spec = {
        selector.app = "atticd";

        ports.web = {
          port = 80;
          targetPort = "web";
        };
      };
    };

  lab = {
    ingresses.atticd = {
      host = "attic.kun.is";
      entrypoint = "localsecure";

      service = {
        name = "atticd";
        portName = "web";
      };
    };
  };
}