# NixOS module: runs authentik (server, worker, LDAP and proxy outposts) plus a
# Redis instance as podman containers, fronts the server with nginx/ACME and
# provisions the PostgreSQL database and the secret files the containers read.
{ self, config, lib, pkgs, ... }:
with self.lib.nginx;
let
  version = "2023.8.3";

  # Address the internal service ports are published on. Everything except the
  # LDAP outpost is bound here rather than on all host interfaces.
  bindAddr = "10.10.0.1";

  secretsDir = "/etc/secrets/authentik";
  stateDir = "/var/lib/authentik";

  serverImage = "ghcr.io/goauthentik/server:${version}";
  ldapImage = "ghcr.io/goauthentik/ldap:${version}";
  proxyImage = "ghcr.io/goauthentik/proxy:${version}";

  # server and worker share one env file (DB/Redis credentials, secret key).
  coreEnv = [ "${secretsDir}/container.env" ];
in
{
  virtualisation.oci-containers = {
    backend = "podman";

    containers = {
      authentik-redis = {
        image = "docker.io/library/redis:alpine";
        # Snapshot to disk if >=1 key changed in 60s; keep the log quiet.
        # NOTE(review): no requirepass is passed here, so access control rests
        # on ${bindAddr} not being reachable from untrusted hosts — confirm.
        cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
        autoStart = true;
        volumes = [ "${stateDir}/redis:/data" ];
        ports = [ "${bindAddr}:6379:6379" ];
      };

      authentik-server = {
        image = serverImage;
        environmentFiles = coreEnv;
        cmd = [ "server" ];
        autoStart = true;
        ports = [
          # "10.10.0.1:9000:9000"
          "${bindAddr}:9443:9443"
        ];
      };

      authentik-worker = {
        image = serverImage;
        environmentFiles = coreEnv;
        cmd = [ "worker" ];
        autoStart = true;
        volumes = [
          "${stateDir}/media:/media"
          "${stateDir}/certs:/certs"
          "${stateDir}/templates:/templates"
        ];
      };

      authentik-ldap = {
        image = ldapImage;
        environmentFiles = [ "${secretsDir}/ldap.env" ];
        autoStart = true;
        # Cap container memory at 1000m (podman --memory).
        extraOptions = [ "-m=1000m" ];
        # NOTE(review): these have no host address, so they bind every host
        # interface, and 389 is the cleartext LDAP port — confirm that both are
        # intended and that the host firewall limits who can reach them.
        ports = [
          "389:3389"
          "636:6636"
        ];
      };

      authentik-proxy = {
        image = proxyImage;
        environmentFiles = [ "${secretsDir}/proxy.env" ];
        autoStart = true;
        ports = [ "${bindAddr}:9444:9443" ];
      };
    };
  };

  # Allow binding of root ports for the ldap container
  # systemd.services.podman-authentik-ldap = {
  #   serviceConfig = {
  #     AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
  #   };
  # };

  security.acme.certs."vapor.systems".extraDomainNames = [ "*.vapor.systems" ];

  services.nginx = {
    enable = true;
    virtualHosts."auth.vapor.systems" = {
      addSSL = true;
      useACMEHost = "vapor.systems";
      locations."/" = {
        # Upstream is the server container's TLS port. nginx does not verify
        # the upstream certificate unless proxy_ssl_verify is set, so this
        # relies on the hop being on the internal ${bindAddr} address.
        proxyPass = "https://${bindAddr}:9443/";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_pass_header Authorization;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
          proxy_set_header Upgrade $http_upgrade;
        '';
      };
    };
  };

  services.postgresql = {
    ensureDatabases = [ "authentik" ];
    ensureUsers = [
      {
        name = "authentik";
        ensurePermissions."DATABASE authentik" = "ALL PRIVILEGES";
      }
    ];
  };

  # Secret files are copied from the repo to the paths the env-file options
  # above reference; `source` values are Nix paths relative to this module.
  secrets = {
    authentik = {
      source = ../../secrets/authentik/container.env;
      dest = "${secretsDir}/container.env";
    };
    authentik-ldap = {
      source = ../../secrets/authentik/ldap.env;
      dest = "${secretsDir}/ldap.env";
    };
    authentik-proxy = {
      source = ../../secrets/authentik/proxy.env;
      dest = "${secretsDir}/proxy.env";
    };
  };
}