{
  config,
  lib,
  namespace,
  ...
}:
with lib;
let
  cfg = config.${namespace}.services.traefik;
in
{

  config = mkIf cfg.enable {
    sops = {
      secrets = {
        "jallen-nas/traefik/crowdsec/lapi-key" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };

        "jallen-nas/traefik/crowdsec/capi-machine-id" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };

        "jallen-nas/traefik/crowdsec/capi-password" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };
        "jallen-nas/traefik/cloudflare-dns-api-token" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };
        "jallen-nas/traefik/cloudflare-zone-api-token" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };
        "jallen-nas/traefik/cloudflare-api-key" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };
        "jallen-nas/traefik/cloudflare-email" = {
          sopsFile = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };
      };
      templates = {
        "traefik.env" = {
          content = ''
            CLOUDFLARE_DNS_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
            CLOUDFLARE_ZONE_API_TOKEN=${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
            CLOUDFLARE_API_KEY=${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
            CLOUDFLARE_EMAIL=${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
          '';
          owner = config.users.users.traefik.name;
          group = config.users.users.traefik.group;
          restartUnits = [ "traefik.service" ];
        };
      };
    };
  };
}