{ lib, stdenv, buildGoModule, fetchFromGitHub, python3Packages, makeWrapper, callPackage, ... }:

let authentik = callPackage ./authentik.nix { };
in
buildGoModule rec {
  pname = "authentik-server";
  version = "2023.8.3";

  src = fetchFromGitHub {
    owner = "goauthentik";
    repo = "authentik";
    rev = "version/${version}";
    hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
  };

  vendorHash = "sha256-F3JzzL6Gg9H4qdmp4MbQFupccATYIUIFL05is6xzoZY=";

  subPackages = [ "cmd/server" ];

  postPatch = ''
    substituteInPlace internal/gounicorn/gounicorn.go \
      --replace "./manage.py" "${authentik}/bin/manage.py"

    substituteInPlace internal/gounicorn/gounicorn.go \
      --replace "./lifecycle" "${authentik}/bin"
  '';

  postInstall = ''
    wrapProgram "$out/bin/server" --set PATH ${python3Packages.gunicorn}/bin
  '';

  nativeBuildInputs = [ makeWrapper ];
}