{ lib, stdenv, python3Packages, poetry, codespell, callPackage, ... }:

with python3Packages;

let
  server = callPackage ./authentik-server.nix { };
  web = callPackage ./authentik-web.nix { };
in
buildPythonPackage rec {
  pname = "authentik";
  version = "2023.8.3";

  format = "pyproject";
  src = pkgs.fetchFromGitHub {
    owner = "goauthentik";
    repo = pname;
    rev = "version/${version}";
    hash = "sha256-dpGvxhA5NWO8LKrGXzalV9EVn/nUIj6sMy2HdY5tjlM=";
  };

  patches = [ ./pyproject.diff ];

  postPatch = ''
    substituteInPlace pyproject.toml \
      --replace "psycopg2-binary" "psycopg2"

    substituteInPlace lifecycle/ak \
      --replace "python -m manage" "${placeholder "out"}/bin/manage.py"
    patchShebangs lifecycle/ak
  '';

  postInstall = ''
    cp -a ./lifecycle $out/${python.sitePackages}
    cp -a ./lifecycle/gunicorn.conf.py $out/bin/gunicorn.py
    chmod +x $out/bin/gunicorn.py
    cp -a ./manage.py $out/bin/manage.py
  '';

  passthru.proxy = callPackage ./authentik-outpost-proxy.nix { };

  propagatedBuildInputs = [
    poetry
    poetry-core

    psycopg2
    argon2-cffi
    celery
    channels
    channels-redis
    codespell
    colorama
    dacite
    deepmerge
    defusedxml
    django
    django-filter
    django-guardian
    django-model-utils
    django-otp
    django-prometheus
    django-redis
    djangorestframework
    djangorestframework-guardian
    docker
    drf-spectacular
    duo-client
    facebook-sdk
    flower
    geoip2
    gunicorn
    kubernetes
    ldap3
    lxml
    opencontainers
    packaging
    paramiko
    psycopg
    pycryptodome
    pydantic
    pydantic-scim
    pyjwt
    pyyaml
    requests-oauthlib
    sentry-sdk
    service-identity
    structlog
    swagger-spec-validator
    twilio
    twisted
    ua-parser
    urllib3
    uvicorn
    watchdog
    webauthn
    wsproto
    xmlsec
    zxcvbn
    jsonpatch
  ]
  ++ channels.optional-dependencies.daphne
  ++ uvicorn.optional-dependencies.standard;
}