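# NixOS module: authentik (server + worker) with its own redis and postgres as
# OCI containers, secrets rendered by sops-nix, TLS-terminating nginx in front.
#
# Review changes vs. the original:
#  * every published container port was "HOSTPORT:PORT", i.e. bound on all
#    host interfaces. They are now bound to the single address each consumer
#    actually dials (the LAN IP for redis/postgres, loopback for the HTTP port
#    nginx proxies), so nothing reachable from outside the host can talk to
#    an unauthenticated redis or bypass TLS by hitting authentik directly.
#  * the hard-coded "192.168.1.2" is a single binding so the publish address
#    and the address authentik connects to cannot drift apart.
{ config, ... }:
let
  inherit (config) sops;
  inherit (sops) templates placeholder;

  # Address the containers use to reach services published by this host.
  # authentik dials the host's LAN IP rather than loopback because containers
  # on the default bridge network cannot reach the host's 127.0.0.1.
  # NOTE(review): binding the published ports to this address requires it to
  # be assigned before the containers start (i.e. a static address) — the
  # original config already depended on the host owning this IP.
  host_ip = "192.168.1.2";
  redis_port = "6380";
  authentik_port = "8084";
  authentik_metrics_port = "9084";

  postgres = {
    user = "authentik";
    db = "authentik";
    port = "5437";
  };

  # Settings shared by the `server` and `worker` containers; each one
  # overrides `cmd` (and `ports`) below.
  authentik-config = {
    autoStart = true;
    image = "ghcr.io/goauthentik/server:2025.6.3";
    volumes = [ "/home/tristan/pods/authentik/media:/media" ];
    environment = {
      AUTHENTIK_POSTGRESQL__USER = postgres.user;
      AUTHENTIK_POSTGRESQL__HOST = host_ip;
      AUTHENTIK_POSTGRESQL__PORT = postgres.port;
      AUTHENTIK_REDIS__HOST = host_ip;
      AUTHENTIK_REDIS__PORT = redis_port;
      # NOTE(review): this value looks truncated — there is a display name but
      # no mailbox after it. Confirm the intended sender ("Name <mailbox>")
      # before relying on outgoing mail (password resets, invitations).
      AUTHENTIK_EMAIL__FROM = "Authentik ";
      AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME = "false";
    };
    # Secret-bearing variables come from a sops-rendered env file, so their
    # values are not written into the world-readable Nix store.
    environmentFiles = [ templates."authentik/environment".path ];
    dependsOn = [ "authentik-redis" "authentik-postgres" ];
  };
in
{
  # Keys that must exist in the sops file; defaults (root:root, 0400) apply.
  sops.secrets = {
    "authentik/postgres_password" = { };
    "authentik/secret_key" = { };
    "mail/host" = { };
    "mail/port" = { };
    "mail/username" = { };
    "mail/password" = { };
    "mail/ssl" = { };
  };

  # Env files rendered at activation with the real secret values substituted
  # for the placeholders.
  # NOTE(review): the values are double-quoted. podman's --env-file parser
  # strips the surrounding quotes, but docker's passes them through literally
  # (AUTHENTIK_EMAIL__PORT would then be the string `"587"` etc.); if the
  # oci-containers backend is ever switched to docker, drop the quotes here.
  sops.templates = {
    "authentik/environment" = {
      content = ''
        AUTHENTIK_POSTGRESQL__PASSWORD="${placeholder."authentik/postgres_password"}"
        AUTHENTIK_SECRET_KEY="${placeholder."authentik/secret_key"}"
        AUTHENTIK_EMAIL__HOST="${placeholder."mail/host"}"
        AUTHENTIK_EMAIL__PORT="${placeholder."mail/port"}"
        AUTHENTIK_EMAIL__USERNAME="${placeholder."mail/username"}"
        AUTHENTIK_EMAIL__PASSWORD="${placeholder."mail/password"}"
        AUTHENTIK_EMAIL__USE_SSL="${placeholder."mail/ssl"}"
      '';
    };
    # The same postgres password is handed to the database container, so the
    # two sides can never disagree.
    "authentik/postgres_env" = {
      content = ''
        POSTGRES_PASSWORD="${placeholder."authentik/postgres_password"}"
      '';
    };
  };

  virtualisation.oci-containers.containers = {
    authentik-redis = {
      autoStart = true;
      image = "redis:7.2-alpine";
      # Publish only on the LAN address authentik is configured to dial; the
      # original "6380:6379" listened on every host interface. The stock redis
      # image accepts unauthenticated connections, so anything that can reach
      # this socket gets full read/write access to authentik's cache and task
      # queue — consider `--requirepass` fed from a new sops secret together
      # with AUTHENTIK_REDIS__PASSWORD, and/or a host firewall rule limiting
      # the source to the container bridge.
      ports = [ "${host_ip}:${redis_port}:6379" ];
      volumes = [ "authentik-redis:/data" ];
    };

    authentik-server = authentik-config // {
      cmd = [ "server" ];
      ports = [
        # nginx below proxies via localhost, so no other interface needs the
        # plaintext HTTP port; publishing it wider would let clients bypass
        # TLS and the vhost entirely.
        "127.0.0.1:${authentik_port}:9000"
        # 9300 is presumably authentik's metrics listener; it is unauthenticated,
        # so keep it to the LAN address (or move to 127.0.0.1 if nothing on the
        # LAN scrapes it).
        "${host_ip}:${authentik_metrics_port}:9300"
      ];
    };

    authentik-worker = authentik-config // {
      cmd = [ "worker" ];
    };

    authentik-postgres = {
      autoStart = true;
      image = "docker.io/postgres:14-alpine";
      # Password-protected, but still published only on the address the
      # authentik containers dial rather than on all interfaces.
      ports = [ "${host_ip}:${postgres.port}:5432" ];
      volumes = [ "/home/tristan/pods/authentik/db:/var/lib/postgresql/data" ];
      environment = {
        POSTGRES_USER = postgres.user;
        POSTGRES_DB = postgres.db;
      };
      environmentFiles = [ templates."authentik/postgres_env".path ];
    };
  };

  services.nginx.virtualHosts."auth.tristans.cloud" = {
    forceSSL = true;
    enableACME = true;
    # A bare "~" makes nginx compile an empty regex, which matches every
    # request path: this is the catch-all location for the vhost.
    locations."~" = {
      proxyPass = "http://localhost:${authentik_port}";
      proxyWebsockets = true;
      # Forward Host and X-Forwarded-* so authentik sees the real origin and
      # client address instead of "localhost:8084" / 127.0.0.1 (matters for
      # generated absolute URLs and for per-client brute-force protection).
      # A no-op if services.nginx.recommendedProxySettings is already on.
      recommendedProxySettings = true;
    };
  };
}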