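{config, ...}: let
  vars = import ../../../../vars.nix;

  # All rendered files live in the user's docker project directory.
  infraDir = "/home/${vars.user}/.docker/infrastructure";

  # Decrypted secrets are handed to the service user only.
  secretOwner = {
    owner = vars.user;
  };

  # Builds a sops template rendered under infraDir.
  #
  # The rendered files carry decrypted secret material, so they are readable
  # and writable by the owner only. The previous mode "0775" left them
  # group-writable and world-readable, which defeats the point of encrypting
  # them in the repository.
  # NOTE(review): if a container reads one of these files as a non-root user,
  # the uid inside the container must match vars.user (or the mode widened
  # for that file only) — verify against arion-compose.nix.
  mkTemplate = relPath: content: {
    path = "${infraDir}/${relPath}";
    owner = vars.user;
    mode = "0600";
    inherit content;
  };
in {
  virtualisation.arion = {
    projects.infrastructure.settings = {
      imports = [./arion-compose.nix];
    };
  };

  # Raw secrets consumed by the templates below (names map to sops keys).
  sops.secrets = {
    "cloudflared/tunnel_token" = secretOwner;
    "traefik/acme_email" = secretOwner;
    "traefik/cloudflare_email" = secretOwner;
    "traefik/cloudflare_api_key" = secretOwner;
    "dyndns/cloudflare_api_key" = secretOwner;
  };

  # Tunnel credentials for the cloudflared container.
  sops.templates."cloudflared.env" = mkTemplate "cloudflared.env" ''
    TUNNEL_TOKEN="${config.sops.placeholder."cloudflared/tunnel_token"}"
  '';

  # Cloudflare credentials used by Traefik's ACME DNS challenge.
  sops.templates."traefik.env" = mkTemplate "traefik.env" ''
    CLOUDFLARE_EMAIL="${config.sops.placeholder."traefik/cloudflare_email"}"
    CLOUDFLARE_API_KEY="${config.sops.placeholder."traefik/cloudflare_api_key"}"
  '';

  # Token for the dynamic DNS updater; a separate key from Traefik's so the
  # two can be rotated or revoked independently.
  sops.templates."dyndns.env" = mkTemplate "dyndns.env" ''
    CLOUDFLARE_API_TOKEN="${config.sops.placeholder."dyndns/cloudflare_api_key"}"
  '';

  # Static Traefik configuration. Two points a reviewer should be aware of:
  #  - `[api] insecure = true` serves the dashboard/API without authentication
  #    on Traefik's API entrypoint; it must not be reachable from outside the
  #    dmz network (check the published ports in arion-compose.nix).
  #  - `[serversTransport] insecureSkipVerify = true` disables TLS certificate
  #    verification for every backend Traefik proxies to.
  sops.templates."traefik.toml" = mkTemplate "traefik_data/traefik.toml" ''
    [entryPoints]
      [entryPoints.web]
        address = ":80"
      [entryPoints.web-external]
        address = ":81"
      [entryPoints.websecure]
        address = ":443"
      [entryPoints.websecure-external]
        address = ":444"
    [api]
      dashboard = true
      insecure = true

    [certificatesResolvers.letsencrypt.acme]
      email = "${config.sops.placeholder."traefik/acme_email"}"
      storage = "/letsencrypt/acme.json"
      [certificatesResolvers.letsencrypt.acme.dnsChallenge]
        provider = "cloudflare"
        resolvers = ["1.1.1.1:53", "1.0.0.1:53"]

    [serversTransport]
      insecureSkipVerify = true

    [providers.docker]
      watch = true
      network = "dmz"
      exposedByDefault = false # overriden by traefik.enable=true
  '';
}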