# NixOS module: Traefik reverse proxy in front of containers, with plain HTTP
# redirected to HTTPS and certificates obtained from Let's Encrypt via the
# HTTP-01 challenge on port 80.
{ config, ... }:

let
  # ACME account contact and the file Traefik persists account/cert state into.
  acmeEmail = "nolan@thewordnerd.info";
  acmeStorage = "${config.services.traefik.dataDir}/acme.json";
in
{
  services.traefik.enable = true;

  services.traefik.staticConfigOptions = {
    # Docker provider with stock settings. NOTE(review): with no options set,
    # every container the provider can see is routed automatically; if only
    # labelled containers are meant to be reachable, `exposedByDefault = false`
    # (plus per-container enable labels) narrows that — confirm intended scope.
    providers.docker = { };

    # Port 80 exists only to redirect clients to the TLS entry point and to
    # answer ACME HTTP-01 challenges.
    entryPoints.web = {
      address = ":80";
      asDefault = true;
      http.redirections.entrypoint = {
        to = "websecure";
        scheme = "https";
      };
    };

    # All real traffic terminates here with certificates from the resolver below.
    entryPoints.websecure = {
      address = ":443";
      asDefault = true;
      http.tls.certResolver = "letsencrypt";
    };

    # acme.json holds the ACME account key and issued private keys; it lives
    # under Traefik's dataDir and should stay readable by the traefik user only.
    certificatesResolvers.letsencrypt.acme = {
      email = acmeEmail;
      storage = acmeStorage;
      httpChallenge.entryPoint = "web";
    };
  };

  # Open exactly the two ports the entry points above bind.
  networking.firewall.allowedTCPPorts = [ 80 443 ];

  # Lets the traefik service reach the container engine for service discovery.
  # NOTE(review): group membership here presumably grants access to the podman
  # control socket, which is effectively host-root-equivalent; treat the traefik
  # process as a high-value target and keep its exposure minimal — confirm the
  # socket this grants access to and whether a rootless/read-only proxy socket
  # would suffice.
  users.users.traefik.extraGroups = [ "podman" ];
}