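{ config, lib, ... }:
{
  # Opt-in switch for the Traefik reverse-proxy container.  The container is
  # only wired up when generic docker support (sysconfig.docker.enable) is on
  # as well; see the mkIf condition below.
  options.sysconfig.docker.traefik.enable = with lib; mkOption {
    type = with types; bool;
    default = false;
  };

  config = lib.mkIf (config.sysconfig.docker.traefik.enable && config.sysconfig.docker.enable) {
    # Public entrypoints; the host ports are remapped onto the container below.
    networking.firewall.allowedTCPPorts = [ 80 443 ];

    # Cloudflare credentials for the ACME DNS-01 challenge, provided by sops.
    # Both are rendered into a single env file that only the container
    # start-up reads, so the values stay out of the Nix store and the
    # command line.
    sops.secrets = {
      "traefik/cf_email" = { };
      "traefik/cf_api_key" = { };
    };

    # NOTE(review): CF_DNS_API_TOKEN is the variable for a scoped API *token*
    # (a Global API Key would go into CF_API_KEY).  The secret is named
    # "cf_api_key" - confirm which credential is stored so the least
    # privileged one (a token limited to the needed zone's DNS edit) is used.
    #
    # The ACME contact e-mail is rendered here too, next to CF_API_EMAIL,
    # because Docker passes `environment` values verbatim: a literal
    # "${CF_API_EMAIL}" set via `environment` is never expanded and would
    # reach Traefik as-is.
    sops.templates."traefik.env" = {
      content = ''
        CF_API_EMAIL=${config.sops.placeholder."traefik/cf_email"}
        CF_DNS_API_TOKEN=${config.sops.placeholder."traefik/cf_api_key"}
        TRAEFIK_CERTIFICATESRESOLVERS_CLOUDFLARE_ACME_EMAIL=${config.sops.placeholder."traefik/cf_email"}
      '';
    };

    # Ship every entry of ./config (e.g. traefik.yml, routing.yml) to
    # /etc/traefik/<name>; the container bind-mounts that directory below.
    # Dropping a file into ./config is enough to get it deployed.
    environment.etc = lib.mapAttrs' (name: _type: lib.nameValuePair "traefik/${name}" {
      source = ./config/${name};
      # NOTE(review): 0664 leaves the files group-writable on the host
      # (group root); 0644 is the usual mode for static config - confirm
      # that group write is intended.
      mode = "0664";
    }) (builtins.readDir ./config);

    virtualisation.oci-containers.containers.traefik = {
      image = "traefik:v3.6";

      # All secrets and the derived ACME e-mail come from the sops-rendered
      # env file (see sops.templates."traefik.env" above).
      environmentFiles = [ config.sops.templates."traefik.env".path ];

      volumes = [
        "/etc/traefik/:/etc/traefik/"
        # NOTE(review): the Docker socket gives the container full control of
        # the daemon, which is root-equivalent on the host.  Traefik only
        # needs to read container metadata; a read-only socket proxy in front
        # of the socket would limit the blast radius of a compromised proxy.
        "/run/docker.sock:/var/run/docker.sock"
      ];
      networks = [ "docker-main" ];
      # Host 80/443 -> container 81/444; presumably the entrypoints defined in
      # ./config listen on 81/444 - verify against traefik.yml.
      ports = [ "80:81" "443:444" ];

      # Dashboard (api@internal) is routed on the `localsecure` entrypoint.
      # NOTE(review): no auth middleware is attached to this router, so
      # whoever can reach `localsecure` gets the dashboard; confirm that
      # entrypoint is not reachable from untrusted networks.
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.dashboard.rule" = "Host(`traefik.esotericbytes.com`)";
        "traefik.http.routers.dashboard.entrypoints" = "localsecure";
        "traefik.http.routers.dashboard.service" = "api@internal";
        "traefik.http.routers.dashboard.tls.certResolver" = "cloudflare";
      };
      log-driver = "journald";
    };

    systemd.services."docker-traefik" = {
      # Restart policy: keep restarting, backing off from 100ms to 1m over
      # 9 steps.  Priority 90 wins over plain definitions (priority 100)
      # while still yielding to mkForce (50).
      serviceConfig = {
        Restart = lib.mkOverride 90 "always";
        RestartMaxDelaySec = lib.mkOverride 90 "1m";
        RestartSec = lib.mkOverride 90 "100ms";
        RestartSteps = lib.mkOverride 90 9;
      };
      # Hard dependency on the network setup unit (presumably the one that
      # creates the docker-main network used above).
      after = [ "docker-network-setup.service" ];
      requires = [ "docker-network-setup.service" ];
      # Lifecycle is tied to the root target defined below.
      partOf = [ "docker-compose-traefik-root.target" ];
      wantedBy = [ "docker-compose-traefik-root.target" ];
    };

    # Root target.  When started, this will automatically create all
    # resources and start the containers.  When stopped, this will tear down
    # all resources.
    systemd.targets."docker-compose-traefik-root" = {
      wantedBy = [ "multi-user.target" ];
    };
  };
}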