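# NixOS module for the Traefik ingress host: pulls in the base host config
# (./default.nix), opens HTTP/HTTPS plus HTTP/3 over QUIC on the firewall,
# and runs Traefik with Let's Encrypt certificates and the Kubernetes
# Ingress / CRD providers.
{
  imports = [ ./default.nix ];

  # TCP 80/443 for plain HTTP and TLS; UDP 443 is what HTTP/3 (QUIC) uses.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  networking.firewall.allowedUDPPorts = [ 443 ];

  # QUIC needs larger UDP socket buffers (2.5 MB, the value quic-go recommends).
  # These are sysctl knobs, not kernel command-line options: a bare
  # "net.core.rmem_max=..." in boot.kernelParams is not a recognised kernel
  # parameter and would not set the sysctl, so they belong in boot.kernel.sysctl.
  boot.kernel.sysctl = {
    "net.core.rmem_max" = 2500000;
    "net.core.wmem_max" = 2500000;
  };

  services.traefik = {
    enable = true;

    staticConfigOptions = {
      # HTTP/3 support is still behind the experimental flag in this config.
      experimental.http3 = true;

      entryPoints = {
        web = { address = ":80"; };
        websecure = {
          address = ":443";
          # Advertise HTTP/3 on the same port (hence UDP 443 above).
          http3 = {};
        };
      };

      providers = {
        kubernetesIngress = {
          allowEmptyServices = true;
          # NOTE(review): with ExternalName services allowed, anyone who can
          # create an Ingress can point Traefik at an arbitrary hostname;
          # keep this only if that is intended for this cluster.
          allowExternalNameServices = true;
        };
        kubernetesCRD = {
          # NOTE(review): cross-namespace references let an IngressRoute in
          # one namespace use services/middlewares from another; keep only
          # if that trust model is intended.
          allowCrossNamespace = true;
          allowEmptyServices = true;
          allowExternalNameServices = true;
        };
      };

      # The dashboard is enabled without api.insecure, so it is only reachable
      # through a router that targets api@internal; put an auth middleware in
      # front of that router.
      api.dashboard = true;

      # NOTE(review): /metrics is served on the public websecure entry point;
      # use a dedicated internal entry point if it should not be reachable
      # from the outside.
      metrics.prometheus.entryPoint = "websecure";

      certificatesResolvers.letsencrypt.acme = {
        # acme.json holds the ACME account key and certificate private keys;
        # it is written by traefik and must not be world-readable.
        storage = "/var/lib/traefik/acme/acme.json";
        caServer = "https://acme-v02.api.letsencrypt.org/directory";
        # TLS-ALPN-01 challenge, answered on :443 (no HTTP challenge router needed).
        tlsChallenge = {};
      };
    };

    dynamicConfigOptions = {
      http.middlewares = {
        # Attach to routers on the "web" entry point to 301 them to https.
        "redirect-https".redirectScheme = {
          scheme = "https";
          permanent = true;
        };
      };
    };
  };

  # Kubeconfig the Kubernetes providers use to reach the k3s API server.
  systemd.services.traefik.environment = {
    KUBECONFIG = "/var/lib/traefik/k3s-kubeconfig.yaml";
  };
}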