{
  config,
  lib,
  ...
}: let
  serviceName = "litellm";
  portUtils = import ../../../../lib/port-utils.nix {inherit lib;};
  servicePort = portUtils.getPort serviceName "AZ-CLD-1";
in {
  virtualisation.oci-containers.containers.${serviceName} = {
    image = "ghcr.io/berriai/litellm:main-stable";
    ports = ["127.0.0.1:${toString servicePort}:4000"];
    environmentFiles = [config.age.secrets.litellm-env.path];
    environment = {
      ANONYMIZED_TELEMETRY = "False";
      DO_NOT_TRACK = "True";
      SCARF_NO_ANALYTICS = "True";
      STORE_MODEL_IN_DB = "True";
    };
    extraOptions = ["--add-host=postgres:10.89.0.1" "--ip=10.89.0.30" "--network=web"];
  };

  # Traefik configuration
  services.traefik.dynamicConfigOptions.http = {
    services.${serviceName}.loadBalancer.servers = [
      {
        url = "http://localhost:${toString servicePort}/";
      }
    ];

    routers.${serviceName} = {
      rule = "Host(`llm.az-gruppe.com`)";
      tls = {
        certResolver = "ionos";
      };
      service = serviceName;
      entrypoints = "websecure";
    };
  };
}