# Kubenix module for a Snikket deployment in the "snikket" namespace:
# three Services, two Deployments (server + web portal) and one Ingress
# for chat.gmem.ca.
let
  appName = "snikket";
  portalName = appName + "-web-portal";
  namespace = "snikket";

  # Both images are referenced by mutable tags (":latest", ":stable") and the
  # containers below use imagePullPolicy = "Always", so what runs can change on
  # any pod restart without a change to this file. Pinning each image by digest
  # would make rollouts reproducible and auditable.
  snikketImage = "git.gmem.ca/arch/snikket-server:latest";
  snikketPortalImage = "snikket/snikket-web-portal:stable";

  # Routes we want to hit Prosody's backend
  # NOTE(review): "/admin_api" is published on the public host along with the
  # other routes; confirm the backend authenticates it.
  prosodyPaths = [
    "/admin_api"
    "/invites_api"
    "/invites_bootstrap"
    "/upload"
    "/http-bind"
    "/xmpp-websocket"
    "/.well-known/host-meta"
    "/.well-known/host-meta.json"
  ];
in
{ lib, config, kubenix, ... }: {
  kubernetes.resources = {
    services = {
      # Cluster-internal HTTP endpoint of the server pod; the Ingress and the
      # web portal (http://snikket:5280) both reach it through this Service.
      snikket = {
        metadata = { inherit namespace; };
        spec = {
          selector.app = appName;
          ports.http = {
            port = 5280;
            targetPort = 5280;
          };
        };
      };

      # Publishes port 5222 on every node. The port entry is named "http"
      # although the Service itself is called snikket-xmpp.
      # NOTE(review): nodePort 5222 is outside Kubernetes' default NodePort
      # range (30000-32767); the API server only accepts it if
      # --service-node-port-range has been widened. Confirm for this cluster,
      # and that node firewalls expose only the ports intended.
      snikket-xmpp = {
        metadata = { inherit namespace; };
        spec = {
          type = "NodePort";
          selector.app = appName;
          ports.http = {
            port = 5222;
            targetPort = 5222;
            nodePort = 5222;
          };
        };
      };

      snikket-web-portal = {
        metadata = { inherit namespace; };
        spec = {
          selector.app = portalName;
          ports.http = {
            port = 5765;
            targetPort = 5765;
          };
        };
      };
    };

    deployments = {
      snikket = {
        metadata = { inherit namespace; };
        spec = {
          selector.matchLabels.app = appName;
          template = {
            metadata.labels.app = appName;
            spec = {
              containers.snikket = {
                image = snikketImage;
                imagePullPolicy = "Always";
                env = {
                  # presumably turns off the bundled TURN server; verify
                  # against the image's documentation
                  SNIKKET_TWEAK_TURNSERVER.value = "0";
                  # "0.0.0.0" presumably binds the internal HTTP listener
                  # (5280) on all pod interfaces so the Service can reach it.
                  # Nothing in this file restricts which pods may connect; a
                  # NetworkPolicy limiting 5280 to the portal and the ingress
                  # controller would narrow that.
                  SNIKKET_TWEAK_INTERNAL_HTTP_INTERFACE.value = "0.0.0.0";
                };
                # Remaining settings come from the "snikket" ConfigMap, which
                # is not defined in this file.
                envFrom = [
                  { configMapRef.name = "snikket"; }
                ];
                # Certificate and private key from the "chat-gmem-ca" Secret,
                # mounted as individual files. subPath mounts are not refreshed
                # when the Secret changes, so a renewed certificate only takes
                # effect after the pod is restarted.
                volumeMounts = [
                  {
                    name = "certs";
                    mountPath = "/etc/prosody/certs/chat.gmem.ca.crt";
                    subPath = "tls.crt";
                  }
                  {
                    name = "certs";
                    mountPath = "/etc/prosody/certs/chat.gmem.ca.key";
                    subPath = "tls.key";
                  }
                ];
                ports.http.containerPort = 5280;
              };
              volumes.certs.secret.secretName = "chat-gmem-ca";
            };
          };
        };
      };

      snikket-web-portal = {
        metadata = { inherit namespace; };
        spec = {
          selector.matchLabels.app = portalName;
          template = {
            metadata.labels.app = portalName;
            spec = {
              containers.snikket = {
                image = snikketPortalImage;
                imagePullPolicy = "Always";
                env = {
                  SNIKKET_TWEAK_PORTAL_INTERNAL_HTTP_INTERFACE.value = "0.0.0.0";
                  # Plain HTTP to the server Service inside the cluster.
                  SNIKKET_WEB_PROSODY_ENDPOINT.value = "http://snikket:5280";
                };
                ports.http.containerPort = 5765;
              };
            };
          };
        };
      };
    };

    ingresses.snikket = {
      metadata = {
        name = appName;
        inherit namespace;
        annotations = {
          "cert-manager.io/cluster-issuer" = "le-issuer";
        };
      };
      spec = {
        # NOTE(review): this tls entry lists the host but no secretName.
        # cert-manager's Ingress annotation needs a secretName to issue a
        # certificate, so confirm which certificate the ingress controller
        # actually serves for chat.gmem.ca.
        tls = [
          { hosts = [ "chat.gmem.ca" ]; }
        ];
        rules = [
          {
            host = "chat.gmem.ca";
            http.paths =
              # Everything not listed in prosodyPaths goes to the web portal.
              [
                {
                  path = "/";
                  pathType = "Prefix";
                  backend.service = {
                    name = portalName;
                    port.name = "http";
                  };
                }
              ]
              ++ map (path: {
                inherit path;
                pathType = "Prefix";
                backend.service = {
                  name = appName;
                  port.name = "http";
                };
              }) prosodyPaths;
          }
        ];
      };
    };
  };
}