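# NixOS module: Traefik reverse proxy with ACME (HTTP-01) certificates, host
# firewall rules, and a fail2ban jail for Traefik.
{...}: {
  imports = [./fail2ban.nix];

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      # SECURITY(review): `api.insecure = true` makes Traefik serve its API and
      # dashboard without authentication on a dedicated entry point (port 8080).
      # It is kept because the router below proxies to that listener, but the
      # listener must not be reachable from outside the host (see the firewall
      # block). Preferred follow-up: set `api.dashboard = true` instead, point
      # the router at the built-in `api@internal` service, and attach an
      # authentication or IP allow-list middleware.
      api = {insecure = true;};

      entryPoints = {
        # Port 80 has to stay reachable: the ACME HTTP challenge below uses it.
        http = {address = ":80";};
        https = {address = ":443";};
      };

      certificatesResolvers = {
        default = {
          acme = {
            email = "evie@xenia.me.uk";
            storage = "/var/lib/traefik/acme.json";
            httpChallenge = {entryPoint = "http";};
          };
        };
      };
    };

    dynamicConfigOptions.http = {
      # SECURITY(review): this router publishes the dashboard on a public host
      # name and has no `middlewares`, so nothing in this file authenticates
      # requests to it. Add an auth middleware before relying on it.
      routers.traefik = {
        rule = "Host(`traefik.xenia.me.uk`)";
        service = "traefik-webinterface";
        tls = {certResolver = "default";};
      };

      # Loopback only: the dashboard listener is reached through Traefik itself.
      services.traefik-webinterface.loadBalancer.servers = [
        {url = "http://localhost:8080";}
      ];
    };
  };

  networking.firewall = {
    enable = true;
    # 8080 is intentionally not opened: it is the unauthenticated, plaintext
    # API/dashboard listener, and the router above only needs it on localhost.
    allowedTCPPorts = [80 443];
  };

  # fail2ban's jail option is `port` (singular); a `ports` key is not a
  # recognised jail option, so the intended port list would not be applied.
  # NOTE(review): the `traefik-auth` filter is not defined in this file
  # (presumably ./fail2ban.nix or fail2ban's stock filter). With
  # `backend = systemd` the jail reads the journal, and no `accessLog` is
  # enabled in staticConfigOptions above; confirm the jail matches real events.
  services.fail2ban.jails.traefik = ''
    enabled = true
    filter = traefik-auth
    port = http,https,8080
    backend = systemd
  '';
}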