{ config, lib, ... }: {
  options.snowflake.services.containerised.traefik = {
    enable = lib.mkEnableOption "enable traefik";

    version = lib.mkOption {
      type = lib.types.str;
      description = "traefik version to use";
    };
    ports = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "ports to expose";
    };
    configSource = lib.mkOption {
      type = lib.types.path;
      description = "traefik config";
    };
    environment = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      description = "traefik config";
    };
  };

  config = lib.mkIf config.snowflake.services.containerised.traefik.enable {
    environment.etc."traefik/traefik.yml".source =
      config.snowflake.services.containerised.traefik.configSource;
    virtualisation.oci-containers.containers.traefik = {
      autoStart = true;
      image =
        "docker.io/traefik:${config.snowflake.services.containerised.traefik.version}";
      ports = config.snowflake.services.containerised.traefik.ports;
      volumes = [
        "/etc/traefik/traefik.yml:/etc/traefik/traefik.yml:ro"
        "/etc/letsencrypt/:/etc/letsencrypt/"
      ];
      environment = config.snowflake.services.containerised.traefik.environment;
    };
  };
}