services.traefik = {
  enable = true;

  staticConfigOptions = {
    entryPoints = {
      web = {
        address = ":80";
        http.redirections.entrypoint = {
          to = "websecure";
          scheme = "https";
        };
      };

      websecure = {
        address = ":443";
        http.tls.certResolver = "letsencrypt";
      };
    };

    log = {
      level = "INFO";
      filePath = "${config.services.traefik.dataDir}/traefik.log";
      format = "json";
    };

    certificatesResolvers.letsencrypt.acme = {
      email = "tulg@protonmail.ch";
      storage = "${config.services.traefik.dataDir}/acme.json";
      httpChallenge.entryPoint = "web";
    };

    api.dashboard = true;
  };

  dynamicConfigOptions = {
    http = {
      routers = {
        xray = {
          rule = "Host(`v2.kittykat.poggerer.xyz`)";
          entryPoints = [ "websecure" ];
          service = "xray";
          tls = {
            certResolver = "letsencrypt";
          };
        };
      };

      services = {
        xray = {
          loadBalancer = {
            servers = [
              { url = "http://127.0.0.1:2053"; }
            ];
          };
        };
      };
    };
  };
};