# Nix module declaring the Kubernetes resources for one Coder workspace:
# a pod plus two persistent volume claims ("home" and "nix-store").
# Every "\${...}" is an escaped Nix interpolation, so the literal ${...}
# reaches the generated configuration and is resolved there (the references
# are Terraform-style: data.*, var.*, resource.*), not by Nix.
{...}: {
  resource = {
    kubernetes_pod."workspace" = {
      # Pod count follows the workspace's start_count
      # (presumably 0 while the workspace is stopped; confirm against the Coder provider).
      count = "\${data.coder_workspace.me.start_count}";
      metadata = {
        name = "coder-\${lower(data.coder_workspace.me.owner)}-\${lower(data.coder_workspace.me.name)}";
        namespace = "\${var.namespace}";
        annotations."com.coder.user.email" = "\${data.coder_workspace.me.owner_email}";
        labels = {
          # NOTE(review): Kubernetes label values are capped at 63 characters; this
          # fixed prefix plus owner and workspace name may exceed that for long
          # names. Confirm the name limits enforced upstream.
          "app.kubernetes.io/instance" = "coder-workspace-\${lower(data.coder_workspace.me.owner)}-\${lower(data.coder_workspace.me.name)}";
          "app.kubernetes.io/name" = "coder-workspace";
          "app.kubernetes.io/part-of" = "coder";
          "com.coder.resource" = "true";
          "com.coder.user.id" = "\${data.coder_workspace.me.owner_id}";
          "com.coder.user.name" = "\${data.coder_workspace.me.owner}";
          "com.coder.workspace.id" = "\${data.coder_workspace.me.id}";
          "com.coder.workspace.name" = "\${data.coder_workspace.me.name}";
        };
      };
      spec = {
        # Soft preference (weight 1) to keep pods labelled
        # app.kubernetes.io/name=coder-workspace on different hostnames.
        # "preferred" is a scheduling hint only; it is not a tenant-isolation
        # boundary, so workspaces of different users can still share a node.
        affinity.pod_anti_affinity.preferred_during_scheduling_ignored_during_execution = {
          weight = 1;
          pod_affinity_term = {
            topology_key = "kubernetes.io/hostname";
            label_selector.match_expressions = {
              key = "app.kubernetes.io/name";
              operator = "In";
              values = ["coder-workspace"];
            };
          };
        };
        # NOTE(review): neither service_account_name nor
        # automount_service_account_token is set, so the provider and cluster
        # defaults apply. Confirm whether a service account token ends up mounted
        # in the workspace; if the workspace needs no Kubernetes API access,
        # setting automount_service_account_token = false removes that credential.
        container = [
          {
            name = "workspace";
            # The image tag comes from the image_tag parameter. Tags are mutable
            # references. NOTE(review): the parameter definition is not in this
            # file; confirm it restricts the value to known tags, and consider
            # pinning by digest if reproducible images matter.
            image = "registry.gitlab.com/technofab/coder-templates/coder-workspace:\${data.coder_parameter.image_tag.value}";
            # Starts the Coder agent by passing its init script to /bin/sh -c.
            command = ["/bin/sh" "-c" "\${resource.coder_agent.coder.init_script}"];
            env = [
              {
                # The agent token is set as a literal env value, so it is part of
                # the pod spec and readable by any principal allowed to read pods
                # in this namespace. Keep read access on the namespace narrow.
                name = "CODER_AGENT_TOKEN";
                value = "\${resource.coder_agent.coder.token}";
              }
            ];
            resources = {
              requests = {
                # TODO: allow configuring this via variables (template wide)
                cpu = "250m";
                memory = "512Mi";
              };
              # Limits are taken from the cpu and memory parameters.
              # NOTE(review): their allowed ranges are defined outside this file;
              # confirm they are bounded so one workspace cannot claim a whole node.
              limits = {
                cpu = "\${data.coder_parameter.cpu.value}";
                memory = "\${data.coder_parameter.memory.value}";
              };
            };
            # Container runs as UID 1000, matching the pod-level security context.
            # NOTE(review): run_as_non_root, allow_privilege_escalation,
            # capabilities and seccomp_profile are not set, so runtime defaults
            # apply. Check whether the workspace image relies on sudo or setuid
            # binaries before tightening these.
            security_context.run_as_user = "1000";
            # Both mounts are writable and backed by the claims declared below.
            volume_mount = [
              {
                mount_path = "/home";
                name = "home";
                read_only = false;
              }
              {
                mount_path = "/nix";
                name = "nix-store";
                read_only = false;
              }
            ];
          }
        ];
        # Pod-level defaults: UID 1000, and volumes group-owned by GID 1000
        # through fs_group so the workspace user can write to them.
        security_context = {
          fs_group = "1000";
          run_as_user = "1000";
        };
        # Volumes reference the claims by their generated names.
        volume = [
          {
            name = "home";
            persistent_volume_claim.claim_name = "\${resource.kubernetes_persistent_volume_claim.home.metadata.0.name}";
          }
          {
            name = "nix-store";
            persistent_volume_claim.claim_name = "\${resource.kubernetes_persistent_volume_claim.nix-store.metadata.0.name}";
          }
        ];
      };
    };
    # Claim backing /home. Unlike the pod it has no count, so it is not tied to
    # start_count, and whatever is written to /home outlives pod recreation.
    kubernetes_persistent_volume_claim."home" = {
      metadata = {
        name = "coder-home-\${lower(data.coder_workspace.me.owner)}-\${lower(data.coder_workspace.me.name)}";
        namespace = "\${var.namespace}";
        annotations."com.coder.user.email" = "\${data.coder_workspace.me.owner_email}";
        labels = {
          "app.kubernetes.io/instance" = "coder-pvc-home-\${lower(data.coder_workspace.me.owner)}-\${lower(data.coder_workspace.me.name)}";
          "app.kubernetes.io/name" = "coder-pvc";
          "app.kubernetes.io/part-of" = "coder";
          "com.coder.resource" = "true";
          "com.coder.user.id" = "\${data.coder_workspace.me.owner_id}";
          "com.coder.user.name" = "\${data.coder_workspace.me.owner}";
          "com.coder.workspace.id" = "\${data.coder_workspace.me.id}";
          "com.coder.workspace.name" = "\${data.coder_workspace.me.name}";
        };
      };
      spec = {
        access_modes = ["ReadWriteOnce"];
        # Size in GiB, taken from the home_disk_size parameter.
        resources.requests.storage = "\${data.coder_parameter.home_disk_size.value}Gi";
      };
      # Do not wait for the claim to bind
      # (presumably because binding may only happen once a pod uses it; confirm for the storage class).
      wait_until_bound = false;
    };
    # Claim backing /nix. Same shape as the "home" claim, sized by the
    # nix_store_disk_size parameter.
    kubernetes_persistent_volume_claim."nix-store" = {
      metadata = {
        name = "coder-nix-store-\${lower(data.coder_workspace.me.owner)}-\${lower(data.coder_workspace.me.name)}";
        namespace = "\${var.namespace}";
        annotations."com.coder.user.email" = "\${data.coder_workspace.me.owner_email}";
        labels = {
          "app.kubernetes.io/instance" = "coder-pvc-nix-store-\${lower(data.coder_workspace.me.owner)}-\${lower(data.coder_workspace.me.name)}";
          "app.kubernetes.io/name" = "coder-pvc";
          "app.kubernetes.io/part-of" = "coder";
          "com.coder.resource" = "true";
          "com.coder.user.id" = "\${data.coder_workspace.me.owner_id}";
          "com.coder.user.name" = "\${data.coder_workspace.me.owner}";
          "com.coder.workspace.id" = "\${data.coder_workspace.me.id}";
          "com.coder.workspace.name" = "\${data.coder_workspace.me.name}";
        };
      };
      spec = {
        access_modes = ["ReadWriteOnce"];
        resources.requests.storage = "\${data.coder_parameter.nix_store_disk_size.value}Gi";
      };
      wait_until_bound = false;
    };
  };
}