{
  config,
  lib,
  pkgs,
  ...
}: let
  serviceName = "bpi";
  servicePort = config.m3ta.ports.get serviceName;
  appDir = "/var/lib/bpi/app";
in {
  users.users.bpi = {
    isSystemUser = true;
    group = "bpi";
    home = "/var/lib/bpi";
    createHome = true;
  };
  users.groups.bpi = {};

  systemd.services.bpi = {
    description = "AZ INTEC Basispreis Index";
    after = ["network-online.target"];
    wants = ["network-online.target"];
    wantedBy = ["multi-user.target"];

    path = with pkgs; [
      git
      nodejs
      openssh
    ];

    environment = {
      PORT = toString servicePort;
      HOME = "/var/lib/bpi";
      BPI_BACKUP_DIR = "/var/lib/bpi/backups";
      BPI_MAX_BACKUPS = "10";
    };

    preStart = ''
      set -euo pipefail

      if [ ! -d "${appDir}/.git" ]; then
        rm -rf "${appDir}"
        git clone --depth=1 https://git.az-gruppe.com/AZ-Intec-GmbH/BPI.git "${appDir}"
      else
        git -C "${appDir}" pull --ff-only
      fi

      if [ ! -f "${appDir}/server.js" ]; then
        echo "${appDir}/server.js fehlt. Bitte server.js in das BPI Repository committen."
        exit 1
      fi
    '';

    serviceConfig = {
      Type = "simple";
      User = "bpi";
      Group = "bpi";
      StateDirectory = "bpi";
      WorkingDirectory = "/var/lib/bpi";
      ExecStart = "${pkgs.nodejs}/bin/node ${appDir}/server.js";
      Restart = "on-failure";
      RestartSec = "10s";
    };
  };

  services.traefik.dynamicConfigOptions.http = {
    services.bpi.loadBalancer.servers = [
      {url = "http://localhost:${toString servicePort}/";}
    ];

    routers.bpi = {
      rule = "Host(`bpi.l.az-gruppe.com`)";
      tls = {
        certResolver = "ionos";
      };
      service = "bpi";
      entrypoints = "websecure";
    };
  };
}