{
  config,
  lib,
  namespace,
  ...
}:
let
  name = "ntfy";
  cfg = config.${namespace}.services.${name};

  ntfyConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "ntfy";
    options = { };
    moduleConfig = {
      services = {
        ntfy-sh = {
          enable = true;
          # environmentFile = "/run/.env";
          settings = {
            base-url = "https://${cfg.reverseProxy.subdomain}.mjallen.dev";
            enable-login = true;
            listen-http = ":${toString cfg.port}";
            cache-file = "${cfg.configDir}/ntfy/cache.db";
            attachment-cache-dir = "${cfg.dataDir}/ntfy/attachments";
            behind-proxy = true;
            auth-default-access = "deny-all";
            auth-file = "${cfg.configDir}/ntfy/user.db";
            auth-users = [
              "mjallen:$2a$10$g4TqI8UiKKVaKTmrwnXIw.wtajiLBM6oc3UCfJ//lPZFilJnBirn.:admin"
            ];
          };
        };
      };

      systemd.services = {
        ntfy-sh = {
          serviceConfig = {
            WorkingDirectory = lib.mkForce cfg.dataDir;
            StateDirectory = lib.mkForce cfg.dataDir;
            StateDirectoryMode = lib.mkForce 700;
            DynamicUser = lib.mkForce false;
            ProtectSystem = lib.mkForce null;
          };
        };
      };

      users.users.ntfy-sh = {
        isSystemUser = true;
        group = "ntfy-sh";
        home = cfg.dataDir;
      };
      users.groups.ntfy-sh = { };
    };
  };
in
with lib;
{
  imports = [ ntfyConfig ];
}