{
  elib,
  secret,
  vars,
  config',
  ...
}: let
  inherit
    (elib)
    nfsVolume
    nomadJob
    ;
in {
  terraform.required_providers = {
    nomad = {
      source = "hashicorp/nomad";
      configuration_aliases = ["nomad.do-1"];
    };
  };

  resource."nomad_volume"."ingress-letsencrypt" = nfsVolume {
    provider = "nomad.do-1";
    volume_name = "ingress-letsencrypt";
    access_mode = "single-node-writer";
    server = secret.network.ips.blowhole.ip or "";
    share = "/mnt/kyle/infrastructure/ingress-toothpick/letsencrypt";
    mount_flags = ["nolock" "hard"];
  };

  resource."nomad_job"."ingress" = nomadJob {
    jobspec = ./job.hcl;
    vars = {
      flake_ref = "${vars.flake_host}?rev=${vars.flake_rev}&ref=${vars.flake_ref}";
      flake_sha = vars.flake_sha;
      store_path = config'.flake.nixngConfigurations.ingressToothpick.config.system.build.toplevel;
      upstreams = "\${file(\"${./upstreams.conf}\")}";
    };
  };
}