{
  config,
  lib,
  ...
}: let
  serviceName = "n8n";
  servicePort = config.m3ta.ports.get serviceName;
in {
  services.n8n = {
    enable = true;
    environment = {
      WEBHOOK_URL = "https://wf.l.az-gruppe.com";
      NODES_EXCLUDE = "[]";
      N8N_RESTRICT_FILE_ACCESS_TO = "/mnt/DMS-INBOX;/mnt/DMS-ALT-INBOX";
      N8N_RUNNERS_ENABLED = lib.mkForce "false";
    };
  };

  systemd.services.n8n.serviceConfig = {
    EnvironmentFile = ["${config.age.secrets.n8n-env.path}"];
  };
  # Traefik configuration specific to n8n
  services.traefik.dynamicConfigOptions.http = {
    services.${serviceName}.loadBalancer.servers = [
      {
        url = "http://localhost:${toString servicePort}/";
      }
    ];

    routers.${serviceName} = {
      rule = "Host(`wf.l.az-gruppe.com`)";
      tls = {
        certResolver = "ionos";
      };
      service = serviceName;
      entrypoints = "websecure";
    };
  };
}