{...}: {
  imports = [../fail2ban/traefik.nix];
  services.traefik = {
    enable = true;
    staticConfigOptions = {
      api = {dashboard = true;};
      entryPoints = {
        http = {
          address = ":80";
          http.redirections.entryPoint = {
            to = "https";
            scheme = "https";
          };
        };
        https = {address = ":443";};
        ssh = {address = ":2222";};
      };
      certificatesResolvers = {
        default = {
          acme = {
            email = "evie@xenia.me.uk";
            storage = "/var/lib/traefik/acme.json";
            httpChallenge = {entryPoint = "http";};
          };
        };
      };
    };
    dynamicConfigOptions.http = {
      routers.api = {
        rule = "Host(`traefik.xenia.me.uk`)";
        entryPoints = ["http" "https"];
        service = "api@internal";
        middlewares = ["auth"];
        tls = {certResolver = "default";};
      };
      middlewares.auth.basicAuth.users = ["xenia:$apr1$LB0wVd6I$BHVPIyh.F5Ewt9/7PqAtS."];
    };
  };
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [80 443 2222];
  };
  services.fail2ban.jails = {
    traefik-http = ''
      enabled = true
      filter = traefik-auth
      ports = http,https,2222
      backend = systemd
    '';
    traefik-ssh = ''
      enabled = true
      filter = sshd
      ports = 2222
      backend = systemd
    '';
  };
}