# NixOS module: host firewall, a loopback-only static file server, and a
# Traefik reverse proxy that terminates TLS for poggerer.xyz using
# Let's Encrypt certificates.
{config, ...}: {
  # ---- Host firewall -------------------------------------------------------
  networking.firewall.enable = true;

  # Ports reachable from outside. 80/443 are consumed by Traefik below; no
  # service in this module listens on 25565, 25567, 16261 or 16262.
  # NOTE(review): presumably those are served by units defined elsewhere.
  # Confirm each still has a listener and close the ones that do not.
  networking.firewall.allowedTCPPorts = [ 80 443 25565 25567 16261 16262 ];
  networking.firewall.allowedUDPPorts = [ 16261 16262 ];

  # Explicit drop for TCP 2053.
  # NOTE(review): NixOS documents extraInputRules as applying only to the
  # nftables-based firewall (networking.nftables.enable), which this module
  # does not set. Confirm it is enabled elsewhere, otherwise this rule is
  # presumably not applied. 2053 is also absent from allowedTCPPorts above,
  # so the rule looks redundant unless another module opens that port.
  networking.firewall.extraInputRules = '' tcp dport 2053 drop '';

  # ---- Web root ------------------------------------------------------------
  # Directory is root-owned, mode 0755: only root can write, everyone can
  # read. Everything placed under it is published through the router below.
  systemd.tmpfiles.rules = [ "d /var/www/kittykat 0755 root root -" ];

  services = {
    # ---- Backend: static file server ---------------------------------------
    # Bound to loopback, and 8080 is not in the firewall allow-list, so the
    # plain-HTTP backend is only meant to be reached through Traefik.
    static-web-server = {
      enable = true;
      listen = "127.0.0.1:8080";
      root = "/var/www/kittykat";
    };

    # ---- Front end: Traefik ------------------------------------------------
    traefik = {
      enable = true;

      staticConfigOptions = {
        # Port 80 only redirects to HTTPS, and also answers the ACME HTTP-01
        # challenge (see certificatesResolvers), so it must stay reachable
        # for certificate issuance and renewal.
        entryPoints.web = {
          address = ":80";
          http.redirections.entryPoint.to = "websecure";
          http.redirections.entryPoint.scheme = "https";
        };

        entryPoints.websecure = {
          address = ":443";
          http.tls.certResolver = "letsencrypt";
        };

        # Process log only, as JSON. Request-level access logging
        # (`accessLog`) is not enabled in this module, so per-request data is
        # not recorded by Traefik from what is shown here.
        log = {
          level = "INFO";
          filePath = "${config.services.traefik.dataDir}/traefik.log";
          format = "json";
        };

        # acme.json stores the ACME account key and the issued certificates'
        # private keys; access to the Traefik data directory should be
        # restricted and the file treated as secret material in backups.
        certificatesResolvers.letsencrypt.acme = {
          email = "tulg@protonmail.ch";
          storage = "${config.services.traefik.dataDir}/acme.json";
          httpChallenge.entryPoint = "web";
        };

        # No router to `api@internal` and no `api.insecure` appear in this
        # module, so the dashboard is not served by anything shown here.
        # NOTE(review): if a router for it is added elsewhere, it should sit
        # behind an authentication middleware; if it is unused, turn it off.
        api.dashboard = true;
      };

      dynamicConfigOptions.http = {
        # Only requests for this exact host on the HTTPS entry point are
        # forwarded. The certResolver here repeats the entry-point default.
        routers.plain-html = {
          rule = "Host(`poggerer.xyz`)";
          entryPoints = ["websecure"];
          service = "plain-html";
          tls.certResolver = "letsencrypt";
        };

        # Traefik-to-backend hop is plain HTTP over loopback.
        services.plain-html.loadBalancer.servers = [
          {url = "http://127.0.0.1:8080";}
        ];
      };
    };
  };
}