{ config, lib, ... }: {
  options.snowflake.services.containerised.envoy = {
    enable = lib.mkEnableOption "enable envoy";

    version = lib.mkOption {
      type = lib.types.str;
      description = "envoy version to use";
    };
    ports = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "ports to expose";
    };
    configSource = lib.mkOption {
      type = lib.types.path;
      description = "envoy config";
    };
  };

  config = lib.mkIf config.snowflake.services.containerised.envoy.enable {
    environment.etc."envoy/envoy.yaml".source =
      config.snowflake.services.containerised.envoy.configSource;
    virtualisation.oci-containers.containers.envoy = {
      autoStart = true;
      image =
        "docker.io/envoyproxy/envoy:${config.snowflake.services.containerised.envoy.version}";
      ports = config.snowflake.services.containerised.envoy.ports;
      volumes = [ "/etc/envoy/envoy.yaml:/etc/envoy/envoy.yaml:ro" ];
    };
  };
}