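# NixOS module: runs Traefik as the edge reverse proxy through Docker Compose.
#
# It writes a compose file to /etc/docker-compose/traefik/compose.yaml and wraps
# `docker compose` for that file in a systemd unit named "traefik".
#
# Security notes for whoever maintains this file:
#   * The container publishes 80/443 on the host and is attached to every
#     application frontend network, so it is the most exposed workload on the
#     machine and should be the most tightly constrained.
#   * CF_DNS_API_TOKEN and DOMAIN_NAME are substituted by Compose at start-up,
#     from the environment of the process running `docker compose` or from a
#     `.env` file in the compose project directory. Neither source is set in
#     this module (the unit below has no Environment/EnvironmentFile), so
#     confirm where they come from; Compose replaces an unset variable with an
#     empty string and only prints a warning.
#   * Keep the Cloudflare token out of Nix strings (environment.etc, let
#     bindings, ...): anything evaluated into a derivation lands in the
#     world-readable Nix store. Prefer a root-only file outside the store and a
#     token scoped to DNS edits on the single zone that needs certificates.
{ config, pkgs, ... }:
let
  container_name = "traefik";
  compose-dir = "docker-compose/traefik";
  config-dir = "/mnt/config-storage/docker-data/traefik";

  # Absolute path of the generated compose file and the command prefix shared
  # by every systemd Exec* line below.
  compose-file = "/etc/${compose-dir}/compose.yaml";
  compose = "${pkgs.docker}/bin/docker compose -f ${compose-file}";
in
{
  config = {
    environment.etc."${compose-dir}/compose.yaml".text = /* yaml */ ''
      services:
        traefik:
          # NOTE(review): a floating tag combined with the pull in ExecStartPre
          # means every service start may run a different, unreviewed image.
          # Pin a version tag or, better, an image digest and update it on purpose.
          image: docker.io/library/traefik:latest
          container_name: ${container_name}
          # Block privilege escalation through setuid/setgid binaries inside the container.
          security_opt:
            - no-new-privileges:true
          networks:
            nextcloud-aio:
              ipv4_address: 172.16.1.253
            passbolt_frontend:
              ipv4_address: 172.16.20.253
            pihole:
              ipv4_address: 172.16.3.253
            hass_frontend:
              ipv4_address: 172.16.40.253
            immich_frontend:
              ipv4_address: 172.16.50.253
          ports:
            - 80:80
            - 443:443
          volumes:
            # NOTE(review): ":ro" only protects the socket file itself. The Docker
            # API behind it stays fully usable, so code execution in this
            # internet-facing container is equivalent to root on the host.
            # Consider a filtering socket proxy on an internal network that
            # exposes only the read-only endpoints the Docker provider needs.
            - /run/docker.sock:/run/docker.sock:ro
            - ${config-dir}/config/conf/:/etc/traefik/conf/:ro
            - ${config-dir}/config/traefik.yaml:/etc/traefik/traefik.yaml:ro
            # Writable certificate storage; presumably holds ACME account and
            # private keys, so the host directory should be readable by root only.
            - ${config-dir}/certs/:/var/traefik/certs/:rw
          environment:
            # The token is visible to anyone allowed to run "docker inspect" on
            # this container; see the module header for how it is supplied.
            - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
          labels:
            - traefik.enable=true
            # NOTE(review): this router publishes whatever listens on port 8080 of
            # this container (presumably the Traefik API/dashboard; traefik.yaml is
            # not shown here) and no auth or IP allow-list middleware is attached
            # by these labels. Confirm access is restricted elsewhere before
            # relying on it.
            - traefik.http.services.traefik.loadbalancer.server.port=8080
            - traefik.http.services.traefik.loadbalancer.server.scheme=http
            - traefik.http.routers.traefik-https.entrypoints=websecure
            - traefik.http.routers.traefik-https.rule=Host(`reverse.$DOMAIN_NAME`)
            - traefik.http.routers.traefik-https.tls=true
            - traefik.http.routers.traefik-https.tls.certresolver=cloudflare
          restart: always

      # One bridge network per application frontend. Traefik takes .253 and the
      # bridge gateway .254 in each /24.
      networks:
        nextcloud-aio:
          name: nextcloud-aio
          driver: bridge
          ipam:
            config:
              - subnet: "172.16.1.0/24"
                gateway: "172.16.1.254"
        passbolt_frontend:
          name: passbolt_frontend
          driver: bridge
          ipam:
            config:
              - subnet: "172.16.20.0/24"
                gateway: "172.16.20.254"
        pihole:
          name: pihole
          driver: bridge
          ipam:
            config:
              - subnet: "172.16.3.0/24"
                gateway: "172.16.3.254"
        hass_frontend:
          name: hass_frontend
          driver: bridge
          ipam:
            config:
              - subnet: "172.16.40.0/24"
                gateway: "172.16.40.254"
        immich_frontend:
          name: immich_frontend
          driver: bridge
          ipam:
            config:
              - subnet: "172.16.50.0/24"
                gateway: "172.16.50.254"
    '';

    systemd.services.traefik = {
      description = "Docker container : ${container_name}";
      after = [
        "network.target"
        "docker.service"
        "docker.socket"
      ];
      requires = [
        "docker.service"
      ];
      wantedBy = [ "multi-user.target" ];
      path = [ pkgs.docker ];
      serviceConfig = {
        # `docker compose up` stays in the foreground, so systemd tracks it directly.
        Type = "exec";
        # Refresh the image before starting. The leading "-" tells systemd to
        # tolerate a failed pull, so a registry or DNS outage does not keep the
        # proxy down: the locally cached image is started instead.
        ExecStartPre = "-${compose} pull";
        # Bring the service up
        ExecStart = "${compose} up --remove-orphans";
        # Take it down gracefully
        ExecStop = "${compose} down";
        Restart = "on-failure";
      };
    };
  };
}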