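# Renders the upstream Cilium Helm chart into one Kubernetes manifest
# (namespace kube-system) from the values below.
#
# Arguments (all supplied by the caller / nixpkgs):
#   fetchFromGitHub  - fetches the pinned Cilium source tree
#   runCommandNoCC   - runs the `helm template` step as a derivation
#   kubernetes-helm  - provides the `helm` binary
#   formats          - serialises the values attrset (JSON is valid YAML)
#   lib              - for `getExe'`
#
# Returns: a derivation whose $out is the rendered "cilium.yaml".
{ fetchFromGitHub, runCommandNoCC, kubernetes-helm, formats, lib, }:

let
  inherit (lib) getExe';

  # Pinned chart source. The fixed-output hash ties the build to this exact
  # tree, so a change of the tag's content fails the fetch instead of
  # silently rendering a different chart.
  ciliumSrc = fetchFromGitHub {
    owner = "cilium";
    repo = "cilium";
    rev = "v1.15.0";
    hash = "sha256-xJFwBCnJemskm42/J4JNYrMO47REUYfc51bTJqckA7g=";
  } + "/install/kubernetes/cilium";

  # helmChart: chart directory to render.
  # values:    attrset written to the chart's values file.
  # name:      basename of the output (".yaml" is appended).
  # attrs:     extra derivation attributes passed through to runCommandNoCC.
  #
  # `helmChart` used to be accepted but ignored (the command always rendered
  # `ciliumSrc`); it is now the chart that is actually rendered, so the helper
  # is reusable for other charts. The sed step rewrites the host kernel-module
  # path to the NixOS location of the booted kernel's modules.
  extractHelmChart = helmChart: values: name: attrs:
    runCommandNoCC (name + ".yaml") attrs ''
      ${getExe' kubernetes-helm "helm"} template \
        --namespace kube-system \
        -f ${(formats.json { }).generate "values.yaml" values} \
        ${helmChart} \
        | sed 's~path: /lib/modules~path: /run/booted-system/kernel-modules~' > $out
    '';
in
extractHelmChart ciliumSrc {
  kubeProxyReplacement = true;
  operator.replicas = 1;
  containerRuntime.integration = "containerd";

  # needed to install cni
  # NOTE(review): this runs the agent as a privileged container, i.e. with
  # full host access; keep it deliberate and re-check whether a narrower
  # capability set suffices for the CNI install on newer chart versions.
  securityContext.privileged = true;
  cni.install = true;
  cni.binPath = "/run/cilium/cni";

  # helps the tests
  # NOTE(review): these are the strings "true" rather than booleans (unlike
  # the values above); the chart appears to accept them, but the mixed style
  # is worth normalising once the rendered output has been confirmed equal.
  hubble.relay.enabled = "true";
  hubble.ui.enabled = "true";

  # seems to pass the tests, this is needed, the nginx one doesn't cut it
  ingressController.enabled = true;
  ingressController.loadbalancerMode = "shared";

  # https://github.com/cilium/cilium/issues/28837
  localRedirectPolicy = "true";
  bpf.masquerade = "true";
  envoy.enabled = "true";

  ipam = {
    mode = "cluster-pool";
    operator = {
      clusterPoolIPv4PodCIDRList = [ "10.64.52.0/22" ];
      clusterPoolIPv4MaskSize = 22;
    };
  };
} "cilium" { }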