{config, ...}: let
  vars = import ../../../../vars.nix;
in {
  virtualisation.arion = {
    projects.infrastructure.settings = {
      imports = [./arion-compose.nix];
    };
  };

  sops.secrets."cloudflared/tunnel_token" = {
    owner = vars.user;
  };

  sops.secrets."traefik/acme_email" = {
    owner = vars.user;
  };
  sops.secrets."traefik/cloudflare_email" = {
    owner = vars.user;
  };
  sops.secrets."traefik/cloudflare_api_key" = {
    owner = vars.user;
  };

  sops.secrets."dyndns/cloudflare_api_key" = {
    owner = vars.user;
  };

  sops.secrets."diun/ntfy_access_token" = {
    owner = vars.user;
  };

  sops.templates."cloudflared.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/cloudflared.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
    '';
  };

  sops.templates."traefik.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/traefik.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
      CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
    '';
  };

  sops.templates."dyndns.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/dyndns.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      CLOUDFLARE_API_TOKEN="${config.sops.placeholder."dyndns/cloudflare_api_key"}"
    '';
  };

  sops.templates."traefik.yml" = {
    path = "/home/${vars.user}/.docker/infrastructure/traefik_config/traefik.yml";
    owner = vars.user;
    mode = "0775";
    content = ''
      api:
        dashboard: true
        debug: true
        insecure: true
      entryPoints:
        web:
          address: ":80"
          http:
            redirections:
              entrypoint:
                to: websecure
                scheme: https
        web-external:
          address: ":81"
          http:
            redirections:
              entrypoint:
                to: websecure-external
                scheme: https
        websecure:
          address: ":443"
        websecure-external:
          address: ":444"
          providers:
      providers:
        docker:
          watch: true
          exposedByDefault: false
          network: dmz
      certificatesResolvers:
        letsencrypt:
          acme:
            email: ${config.sops.placeholder."traefik/acme_email"}
            storage: acme.json
            dnsChallenge:
              provider: cloudflare
              resolvers:
                - "1.1.1.1:53"
                - "1.0.0.1:53"
    '';
  };
  sops.templates."diun.env" = {
    path = "/home/${vars.user}/.docker/infrastructure/diun.env";
    owner = vars.user;
    mode = "0775";
    content = ''
      DIUN_NOTIF_NTFY_TOKEN="${config.sops.placeholder."diun/ntfy_access_token"}"
    '';
  };
}