# unpackPhase
# patchPhase
# configurePhase
# buildPhase
# checkPhase
# installPhase
# fixupPhase
# installCheckPhase
# distPhase
{
  stdenv,
  openssl,
  fetchFromGitHub,
  kubernetes-helm,
  ...
}:
stdenv.mkDerivation (
  finalAttrs:
  let
    version = "1.18.5";
  in
  {
    name = "cilium-manifest";
    nativeBuildInputs = [
      openssl
      kubernetes-helm
    ];
    buildInputs = [ ];

    src = fetchFromGitHub {
      owner = "cilium";
      repo = "cilium";
      tag = "v${version}";
      hash = "sha256-348inOOQ/fgwTYnaSHrQ363xGYnx2UPts3D4ycDRsWE=";
    };

    buildPhase = ''
      helm template --dry-run=client cilium $src/install/kubernetes/cilium --version 1.18.5 --namespace kube-system \
           --set kubeProxyReplacement=true \
           --set ipam.mode=kubernetes \
           --set k8sServiceHost="2620:11f:7001:7:ffff:ffff:ad7:1dd" \
           --set k8sServicePort=6443 \
           --set ipv6.enabled=true \
           --set ipv4.enabled=true \
           --set enableIPv6Masquerade=false \
           --set enableIPv4BIGTCP=false \
           --set enableIPv6BIGTCP=false \
           --set routingMode=native \
           --set ipv4NativeRoutingCIDR=10.0.0.0/8 \
           --set ipv6NativeRoutingCIDR=2620:11f:7001:7:ffff::/96 \
           | tee $NIX_BUILD_TOP/cilium.yaml
    '';

    # --set hostFirewall.enabled=true
    # --set routingMode=native

    # --set 'ipam.operator.clusterPoolIPv4PodCIDRList=["10.0.0.0/8"]' \
    # --set 'ipam.operator.clusterPoolIPv6PodCIDRList=["fd00::/100"]' \

    # --set encryption.enabled=true \
    # --set encryption.type=wireguard
    # --set encryption.nodeEncryption=true

    installPhase = ''
      mkdir -p "$out"
      cp $NIX_BUILD_TOP/cilium.yaml $out/
    '';
  }
)