# NixOS module: a pre-configured Traefik reverse proxy that terminates TLS with
# certificates obtained from Let's Encrypt.
{ inputs, config, lib, pkgs, ... }:
let
  inherit (lib) mkIf mkOption types;

  # The proxy is activated either explicitly or implicitly by one of the two
  # other services below. Enabling either of them therefore also starts
  # Traefik and opens ports 80/443, even when services.traefik-proxy.enable
  # is left at its default of false.
  proxyWanted =
    config.services.traefik-proxy.enable
    || config.services.binary-cache.enable
    || config.suites.nas.media.enable;
in
{
  imports = [ ];

  options.services.traefik-proxy.enable = mkOption {
    type = types.uniq types.bool;
    default = false;
    description = "Enable Pre-Configured Traefik Proxy";
  };

  config = mkIf proxyWanted {
    # allowedTCPPorts applies to every interface of the host. Use
    # networking.firewall.interfaces.<name>.allowedTCPPorts instead if the
    # proxy should only be reachable on some of them.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    services.traefik = {
      enable = true;

      staticConfigOptions = {
        # Plain HTTP listener: its only job is to redirect clients to HTTPS.
        entryPoints.web = {
          address = ":80";
          # asDefault: routers that name no entry point are attached here too.
          asDefault = true;
          http.redirections.entrypoint.to = "websecure";
          http.redirections.entrypoint.scheme = "https";
        };

        # HTTPS listener; routers on it get certificates from the
        # "letsencrypt" resolver unless they configure TLS themselves.
        entryPoints.websecure = {
          address = ":443";
          asDefault = true;
          http.tls.certResolver = "letsencrypt";
        };

        # Configure Letsencrypt
        certificatesResolvers.letsencrypt.acme = {
          # ACME account contact address (hard-coded for every host that
          # imports this module).
          email = "kb01@kb-one.de";
          # TLS-ALPN-01 challenge: the CA must be able to reach this host on
          # port 443 for issuance and renewal to succeed.
          tlsChallenge = {};
          # acme.json holds the ACME account key and the private keys of all
          # issued certificates. Nothing in this module creates
          # /var/secrets/traefik; it has to exist, be writable by the Traefik
          # service user and be unreadable for everyone else.
          # NOTE(review): confirm the directory is provisioned elsewhere.
          storage = "/var/secrets/traefik/acme.json";
        };
      };
    };
  };
}