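# NixOS module: Traefik reverse proxy with ACME (HTTP-01) certificates,
# host firewall rules, and a fail2ban jail for Traefik.
{ ... }: {
  # Presumably supplies the base fail2ban setup and the `traefik-auth` filter
  # used by the jail at the bottom of this file -- verify against ./fail2ban.nix.
  imports = [ ./fail2ban.nix ];

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      # `insecure = true` serves the API and dashboard with no authentication
      # and no TLS on the entry point named `traefik`. Traefik creates that
      # entry point on every interface at :8080 unless it is declared, so it
      # is declared below and bound to loopback.
      api = { insecure = true; };

      entryPoints = {
        http = { address = ":80"; };
        https = { address = ":443"; };
        # Loopback only: the unauthenticated API is reachable solely through
        # the TLS router defined in dynamicConfigOptions.
        traefik = { address = "127.0.0.1:8080"; };
      };

      certificatesResolvers = {
        default = {
          acme = {
            email = "evie@xenia.me.uk";
            storage = "/var/lib/traefik/acme.json";
            # HTTP-01 validation needs port 80 reachable from the internet,
            # which is why 80 stays in allowedTCPPorts.
            httpChallenge = { entryPoint = "http"; };
          };
        };
      };
    };

    dynamicConfigOptions.http = {
      routers.traefik = {
        rule = "Host(`traefik.xenia.me.uk`)";
        # A router with `tls` set only matches TLS requests; naming the entry
        # point keeps it off the loopback `traefik` entry point as well.
        entryPoints = [ "https" ];
        service = "traefik-webinterface";
        tls = { certResolver = "default"; };
        # NOTE(review): nothing on this router authenticates the caller, so
        # the dashboard and API are readable by anyone who can reach this host
        # name. Attach a basicAuth or forwardAuth middleware, or an IP
        # allow-list middleware, before treating it as protected.
      };

      # 127.0.0.1 rather than localhost so the backend address always matches
      # the IPv4 loopback bind of the `traefik` entry point.
      services.traefik-webinterface.loadBalancer.servers =
        [{ url = "http://127.0.0.1:8080"; }];
    };
  };

  networking.firewall = {
    enable = true;
    # 8080 is deliberately not opened: it carries the unauthenticated,
    # plain-HTTP API and is only needed on loopback.
    allowedTCPPorts = [ 80 443 ];
  };

  # The jail key is `port`; `ports` is not a fail2ban jail option, so the
  # intended port list would not take effect.
  # NOTE(review): no accessLog is configured in staticConfigOptions and no
  # auth middleware is attached to the router, so confirm that Traefik
  # actually writes the lines the `traefik-auth` filter matches to the journal.
  services.fail2ban.jails.traefik = ''
    enabled = true
    filter = traefik-auth
    port = http,https
    backend = systemd
  '';
}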