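# NixOS module: opinionated Traefik reverse proxy.
#
# Enabling `services.traefik-proxy` turns on the upstream `services.traefik`
# module, binds HTTP (80) and HTTPS (443) entry points, opens both ports in
# the firewall, publishes the Traefik dashboard/API on a fixed host name and
# configures a Let's Encrypt certificate resolver using the TLS-ALPN challenge.
{ inputs, config, lib, pkgs, ... }:
let
  cfg = config.services.traefik-proxy;
in
{
  imports = [ ];

  options.services.traefik-proxy = {
    enable = lib.mkOption {
      type = with lib.types; uniq bool;
      default = false;
      description = "Enable Pre-Configured Traefik Proxy";
    };
  };

  config = lib.mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    services.traefik = {
      enable = true;

      # Static (startup) configuration: entry points, API switch, ACME resolver.
      staticConfigOptions = {
        entryPoints.web.address = ":80";
        entryPoints.websecure.address = ":443";

        # Enables the internal `api@internal` service. `insecure` is left at
        # its default, so the API is reachable only through an explicit router.
        api = { };

        # Configure Letsencrypt
        certificatesResolvers.letsencrypt.acme = {
          email = "kb01@kb-one.de";
          tlsChallenge = { };
          # NOTE(review): acme.json holds the ACME account key and the private
          # keys of issued certificates. The directory must already exist, be
          # writable by the traefik service user and not be readable by other
          # users. Confirm how /var/secrets/traefik is provisioned.
          storage = "/var/secrets/traefik/acme.json";
        };
      };

      # Dynamic (routing) configuration. Routers and middlewares belong here:
      # Traefik does not read `http.*` keys from the static configuration, so
      # a dashboard router declared there never takes effect.
      dynamicConfigOptions = {
        http.routers.dashboard = {
          entryPoints = [ "websecure" ];
          tls.certResolver = "letsencrypt";
          rule = "Host(`game01.kb-one.de`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))";
          service = "api@internal";

          # SECURITY: until an auth middleware is attached, this router serves
          # the dashboard and API to anyone who can reach port 443 on this
          # host. That discloses every router, service and backend address.
          # TODO: Set Basicauth via SOPS
          # middlewares = [ "auth" ];
        };

        # Keep password hashes out of this file: the rendered configuration
        # lands in the world-readable Nix store. Point Traefik at a secret
        # file decrypted at activation time instead. If a credential hash was
        # ever committed to this file's history, rotate that password.
        # http.middlewares.auth.basicAuth.usersFile = "<path-to-decrypted-htpasswd-file>";
      };
    };
  };
}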