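{ config, ... }:
let
  traefikCfg = config.services.traefik;
  # Deployment-specific values (the dashboard hostname) kept out of the public tree.
  magentaData = import ../data.secret.nix;
in
{
  # 80/443 for proxied traffic, 8080 for the dedicated dashboard entrypoint below.
  networking.firewall.allowedTCPPorts = [ 80 443 8080 ];

  # htpasswd-style users file for the dashboard, decrypted at activation and
  # owned by the traefik user and the configured traefik group.
  age.secrets.traefik-dashboard-basicauth-users = {
    file = ../../../secrets/traefik-dashboard-basicauth-users.age;
    owner = "traefik";
    inherit (traefikCfg) group;
  };

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      entryPoints = {
        # Plain HTTP only redirects to the https entrypoint.
        http = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "https";
            scheme = "https";
          };
        };
        https.address = ":443";
        # Dedicated entrypoint for the dashboard. It is firewall-exposed above,
        # so the router serving it terminates TLS (see dynamicConfigOptions).
        dashboard.address = ":8080";
      };

      # Enabling the API also enables the dashboard (Traefik's default).
      api = { };
      log = { };
      accessLog = { };

      certificatesResolvers.le.acme = {
        storage = "${traefikCfg.dataDir}/acme.json";
        email = "dmitriy@pleshevski.ru";
        tlschallenge = true;
      };
    };

    dynamicConfigOptions = {
      http = {
        routers.to_traefik_dashboard = {
          rule = "Host(`${magentaData.addr}`)";
          entryPoints = [ "dashboard" ];
          middlewares = [ "traefik_dashboard_auth" ];
          service = "api@internal";
          # Terminate TLS on the dashboard router: basicAuth credentials travel as
          # a base64 Authorization header on every request, so without this they
          # would cross the firewall-exposed :8080 entrypoint in cleartext.
          # Uses the same ACME resolver defined in staticConfigOptions.
          tls.certResolver = "le";
        };
        middlewares = {
          traefik_dashboard_auth.basicAuth = {
            usersFile = config.age.secrets.traefik-dashboard-basicauth-users.path;
          };
        };
      };
    };
  };
}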