# Coder workspace template: a Nix expression that yields Terraform resources
# for one workspace pod and its two persistent volume claims (home directory
# and Nix store).
#
# Arguments:
#   ref   - source of the Terraform references used below (data sources,
#           variables, other resources); its implementation is not visible
#           in this file.
#   utils - helper set; only `lower` is used here.
{
  ref,
  utils,
  ...
}: let
  # Short handles for the reference paths that are repeated throughout.
  owner = ref.data.coder_workspace_owner.me;
  workspace = ref.data.coder_workspace.me;
  params = ref.data.coder_parameter;
  claims = ref.kubernetes_persistent_volume_claim;

  # "<owner>-<workspace>", both lower-cased; used as a suffix in every
  # resource name and in the instance labels.
  identifier = "${utils.lower owner.name}-${utils.lower workspace.name}";

  # Image shared by the copy-nix-store init container and the workspace
  # container. The repository path is fixed; only the tag comes from the
  # `image_tag` workspace parameter.
  # NOTE(review): the tag is interpolated as-is. Any restriction on its
  # allowed values has to live in the parameter definition, which is not
  # part of this file.
  workspaceImage = "registry.gitlab.com/technofab/coder-templates/nix-coder-image:${params.image_tag.value}";

  # Label set attached to every resource; only the instance and name
  # labels differ between the pod and the claims.
  coderLabels = instance: component: {
    "app.kubernetes.io/instance" = instance;
    "app.kubernetes.io/name" = component;
    "app.kubernetes.io/part-of" = "coder";
    "com.coder.resource" = "true";
    "com.coder.user.id" = owner.id;
    "com.coder.user.name" = owner.name;
    "com.coder.workspace.id" = workspace.id;
    "com.coder.workspace.name" = workspace.name;
  };

  # Single-element metadata list in the target namespace, annotated with
  # the owner's e-mail address.
  metadataFor = name: labels: [
    {
      inherit name labels;
      namespace = ref.var.namespace;
      annotations = {
        "com.coder.user.email" = owner.email;
      };
    }
  ];

  # Writable mount of the named volume at the given path.
  rwMount = name: mount_path: {
    inherit name mount_path;
    read_only = false;
  };

  # ReadWriteOnce claim named "coder-<slug>-<identifier>" requesting
  # <sizeGi>Gi; Terraform does not wait for it to be bound.
  mkClaim = slug: sizeGi: {
    metadata =
      metadataFor "coder-${slug}-${identifier}"
      (coderLabels "coder-pvc-${slug}-${identifier}" "coder-pvc");
    spec = [
      {
        access_modes = ["ReadWriteOnce"];
        resources = {
          requests = {
            storage = "${sizeGi}Gi";
          };
        };
      }
    ];
    wait_until_bound = false;
  };

  # UID/GID used for the workspace container and as the pod-level default.
  workspaceUser = {
    run_as_user = "1000";
    run_as_group = "1000";
  };
in {
  resource = {
    kubernetes_pod."workspace" = {
      # The pod exists only while the workspace is started.
      count = workspace.start_count;

      metadata =
        metadataFor "coder-${identifier}"
        (coderLabels "coder-workspace-${identifier}" "coder-workspace");

      # give the shutdown tasks enough time to run
      # (one minute more than the 1800 s termination grace period below)
      timeouts = {
        delete = "31m";
      };

      spec = [
        {
          termination_grace_period_seconds = 1800;

          # Soft preference for placing workspaces on different nodes.
          affinity = {
            pod_anti_affinity = {
              preferred_during_scheduling_ignored_during_execution = {
                weight = 1;
                pod_affinity_term = {
                  topology_key = "kubernetes.io/hostname";
                  label_selector = {
                    match_expressions = {
                      key = "app.kubernetes.io/name";
                      operator = "In";
                      values = ["coder-workspace"];
                    };
                  };
                };
              };
            };
          };

          init_container = [
            # Hands the three mount points to UID/GID 1000. The chown is not
            # recursive, so only the top-level directories are touched.
            # NOTE(review): this is the only container that runs as UID 0,
            # and it pulls the floating tag `alpine:3`. Pinning the image by
            # digest and limiting the container to the capability chown
            # needs would narrow what a changed upstream image could do here.
            {
              name = "chown";
              image = "alpine:3";
              command = ["chown" "1000:1000" "/mnt/nix" "/mnt/tmp" "/mnt/home"];
              security_context = {
                run_as_user = "0";
              };
              volume_mount = [
                (rwMount "home" "/mnt/home")
                (rwMount "nix-store" "/mnt/nix")
                (rwMount "tmp" "/mnt/tmp")
              ];
            }
            # Seeds the persistent Nix store from the image's /nix. `cp -n`
            # does not overwrite, so paths already present on the volume are
            # kept as they are even when a different image tag is selected.
            {
              name = "copy-nix-store";
              image = workspaceImage;
              command = ["cp" "-nR" "/nix/." "/pv_nix"];
              security_context = {
                run_as_user = "1000";
              };
              volume_mount = [
                (rwMount "nix-store" "/pv_nix")
              ];
            }
          ];

          container = [
            {
              name = "workspace";
              image = workspaceImage;
              command = ["/bin/sh" "-c" "${ref.coder_agent.coder.init_script}"];
              env = [
                # NOTE(review): the agent token is set as a literal env value,
                # so it is part of the Pod spec and readable by any principal
                # allowed to read Pods in this namespace. Check the namespace
                # RBAC accordingly.
                {
                  name = "CODER_AGENT_TOKEN";
                  value = ref.coder_agent.coder.token;
                }
                # The remaining values are workspace parameters passed through
                # unchanged; what consumes them is not visible in this file.
                {
                  name = "DOTFILES_REPO";
                  value = params.dotfiles_repo.value;
                }
                {
                  name = "TZ";
                  value = params.timezone.value;
                }
                {
                  name = "NIX_CONFIG";
                  value = params.nix_config.value;
                }
              ];
              # Requests come from template variables, limits from workspace
              # parameters.
              resources = {
                requests = {
                  cpu = ref.var.cpu_request;
                  memory = ref.var.memory_request;
                };
                limits = {
                  cpu = params.cpu.value;
                  memory = params.memory.value;
                };
              };
              # NOTE(review): only UID and GID are set. Nothing here sets
              # allow_privilege_escalation, drops capabilities or selects a
              # seccomp profile, so those fall back to cluster defaults.
              # Confirm that is intended for workspaces running user code.
              security_context = workspaceUser;
              volume_mount = [
                (rwMount "home" "/home")
                (rwMount "nix-store" "/nix")
                (rwMount "tmp" "/tmp")
              ];
            }
          ];

          # Pod-level default; the chown init container overrides it.
          security_context = workspaceUser;

          volume = [
            {
              name = "home";
              persistent_volume_claim = {
                claim_name = claims.home.metadata ".0.name";
              };
            }
            {
              name = "nix-store";
              persistent_volume_claim = {
                claim_name = claims.nix-store.metadata ".0.name";
              };
            }
            {
              name = "tmp";
              empty_dir = {
                # Memory-backed /tmp with no size cap.
                # NOTE(review): memory-backed emptyDir usage normally counts
                # against the pod's memory, so an uncapped /tmp can push the
                # workspace into its memory limit.
                medium = "Memory";
                # not used for now
                # (presumably the Terraform attribute is `size_limit`; verify
                # before enabling)
                # sizeLimit = "200Mi";
              };
            }
          ];
        }
      ];
    };

    kubernetes_persistent_volume_claim."home" =
      mkClaim "home" params.home_disk_size.value;

    kubernetes_persistent_volume_claim."nix-store" =
      mkClaim "nix-store" params.nix_store_disk_size.value;
  };
}