{
  config,
  pkgs,
  lib,
  ...
}: {
  options.local = {
    hostname = lib.mkOption {
      type = lib.types.str;
      default = "nixos-default";
      description = "System hostname";
    };
    username = lib.mkOption {
      type = lib.types.str;
      default = "user";
      description = "Primary user username";
    };
    userDescription = lib.mkOption {
      type = lib.types.str;
      default = "NixOS User";
      description = "Primary user description";
    };
    address = lib.mkOption {
      type = lib.types.str;
      default = "10.1.1.100";
      description = "Static IP address";
    };
  };

  imports = [
    ./modules/desktop-manager/sway_greetd_homemanager.nix
    ./modules/local/hostname_username.nix
    ./modules/local/networking_local.nix
    ./modules/bootloader/seabios-assigned-iso-at-birth.nix
    ./modules/lix-default.nix
    # Optionally: ./modules/toolsets/remote_building.nix
  ];

  config = {
    local.hostname = "nixos-traefik";
    local.username = "traefikprg";
    local.userDescription = "NixOS PRG Traefik Service";
    local.address = "10.1.1.250";

    services.traefik = {
      enable = true;
      group = "acme";
      staticConfigOptions = {
        entryPoints = {
          web = {
            address = ":80";
            asDefault = true;
            http.redirections.entrypoint = {
              to = "websecure";
              scheme = "https";
            };
          };
          websecure = {
            address = ":443";
            asDefault = true;
            http.tls = {
              domains = [
                {
                  main = "prg-radio.org";
                  sans = ["*.prg-radio.org"];
                }
              ];
            };
          };
        };
        log = {
          level = "INFO";
          filePath = "${config.services.traefik.dataDir}/traefik.log";
          format = "json";
        };
        api.dashboard = true;
        api.insecure = true;
      };
      dynamicConfigOptions = {
        tls.certificates = [
          {
            certFile = "/var/lib/acme/prg-radio.org/cert.pem";
            keyFile = "/var/lib/acme/prg-radio.org/key.pem";
          }
        ];
        http.routers = {
          forgejo = {
            rule = "Host(`git.prg-radio.org`)";
            service = "forgejo";
            entryPoints = ["websecure"];
            tls = {};
          };
        };
        http.services = {
          forgejo.loadBalancer = {
            servers = [
              {url = "http://10.1.1.4:3000";}
            ];
          };
        };
      };
    };

    security.acme = {
      acceptTerms = true;
      defaults.email = "dtu.prg@gmail.com";
      certs."prg-radio.org" = {
        domain = "*.prg-radio.org";
        group = "acme";
        dnsProvider = "cloudflare";
        environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
        reloadServices = ["traefik.service"];
      };
    };

    systemd.services.traefik = {
      after = ["acme-finished-prg-radio.org.target"];
      wants = ["acme-finished-prg-radio.org.target"];
    };

    networking.firewall.allowedTCPPorts = [80 443];
    networking.firewall.allowedUDPPorts = [80 443];

    system.stateVersion = "25.11";
  };
}