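# Terranix module for the "main" cluster: enables the Istio and MetalLB
# control-plane pieces from uk3s-nix, imports the per-application modules, and
# lays down the mesh-wide security baseline (a deny-by-default
# AuthorizationPolicy in each listed namespace plus STRICT mutual TLS).
#
# Module arguments follow the terranix convention; `pkgs` and `elib` are
# accepted for interface compatibility but not used here.
{ inputs, pkgs, lib, elib, uterranix-lib, ... }:
let
  # `tf` marks a string as a raw Terraform expression rather than a literal,
  # so it is emitted unquoted into the generated configuration.
  inherit (uterranix-lib) tf;

  # Namespaces that receive the deny-by-default AuthorizationPolicy.
  # Any namespace NOT in this list falls back to Istio's default of allowing
  # all traffic. The imported ./jellyfin.nix and ./gitea.nix modules are not
  # obviously covered by a name here -- verify which namespaces they create
  # and keep this list in sync with them.
  denyByDefaultNamespaces = [
    "default"
    "kube-system"
    "kube-public"
    "kube-node-lease"
    "istio-system"
    "metallb-system"
    "website"
    "ingress"
  ];

  # Turn a Nix list of strings into a Terraform `toset([...])` expression,
  # the shape `for_each` expects.
  tfSet = list: tf "toset(${builtins.toJSON list})";
in
{
  imports = [
    inputs.uk3s-nix.terranixModules.uk3sHelmCharts
    inputs.uk3s-nix.terranixModules.uk3sIstio
    inputs.uk3s-nix.terranixModules.uk3sMetalLB
    ./website.nix
    ./jellyfin.nix
    ./gitea.nix
  ];

  uk3s.istio = {
    enable = true;
    istiod.enable = true;
    operator.enable = true;
    mode = "main";
  };

  uk3s.metallb = {
    enable = true;
    mode = "main";
  };

  # One AuthorizationPolicy named "deny-by-default" per listed namespace.
  # The empty spec is deliberate: an AuthorizationPolicy with no rules matches
  # nothing, and with the default ALLOW action that means every request to a
  # proxied workload in the namespace is denied unless another policy
  # explicitly allows it. Workloads without an Istio proxy are not affected.
  resource."kubernetes_manifest"."istio_authorization_policy_deny_by_default" = {
    for_each = tfSet denyByDefaultNamespaces;
    manifest = {
      apiVersion = "security.istio.io/v1";
      kind = "AuthorizationPolicy";
      metadata = {
        name = "deny-by-default";
        namespace = tf "each.key";  # one instance per element of the set above
      };
      spec = { };
    };
  };

  # Mesh-wide PeerAuthentication: placing the resource named "default" in the
  # Istio root namespace (istio-system) makes STRICT mTLS the default for all
  # proxied workload-to-workload traffic; plaintext connections to those
  # workloads are rejected.
  # NOTE(review): this manifest uses v1beta1 while the AuthorizationPolicy
  # above uses v1 -- confirm which versions the installed Istio serves before
  # unifying them.
  resource."kubernetes_manifest"."istio_peer_authentication" = {
    manifest = {
      apiVersion = "security.istio.io/v1beta1";
      kind = "PeerAuthentication";
      metadata = {
        name = "default";
        namespace = "istio-system";
      };
      spec = {
        mtls = {
          mode = "STRICT";
        };
      };
    };
  };
}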