# NixOS module: runs authentik (server, worker, LDAP outpost, proxy outpost)
# as podman containers, fronts the web UI with nginx/ACME, and provisions the
# postgres database. Secrets are delivered as env files under /etc/secrets.
{ self, config, lib, pkgs, ... }:
with self.lib.nginx;
let
  # Single pinned release for every authentik image so the outposts cannot
  # drift from the server version.
  version = "2025.6.4";
  serverImage = "ghcr.io/goauthentik/server:${version}";
  ldapImage = "ghcr.io/goauthentik/ldap:${version}";
  proxyImage = "ghcr.io/goauthentik/proxy:${version}";

  # Env files live on the host; the `secrets` block below is what places them.
  containerEnv = "/etc/secrets/authentik/container.env";
  ldapEnv = "/etc/secrets/authentik/ldap.env";
  proxyEnv = "/etc/secrets/authentik/proxy.env";

  # Address the host-only services (redis, server UI, proxy outpost) bind to.
  bindAddr = "10.10.0.1";
in
{
  virtualisation.oci-containers.backend = "podman";

  virtualisation.oci-containers.containers = {
    # Redis is published on the internal address only; no auth is configured
    # in the command line, so it relies on that address not being reachable
    # from untrusted networks.
    authentik-redis = {
      image = "docker.io/library/redis:alpine";
      cmd = [ "--save" "60" "1" "--loglevel" "warning" ];
      autoStart = true;
      volumes = [ "/var/lib/authentik/redis:/data" ];
      ports = [ "${bindAddr}:6379:6379" ];
    };

    # Web/API process. Only the TLS port is published; plain HTTP (9000) is
    # left commented out so nginx is the single entry point.
    authentik-server = {
      image = serverImage;
      environmentFiles = [ containerEnv ];
      cmd = [ "server" ];
      autoStart = true;
      ports = [
        # "${bindAddr}:9000:9000"
        "${bindAddr}:9443:9443"
      ];
    };

    # Background worker; shares the server env file and owns the mutable
    # media/certs/templates directories.
    authentik-worker = {
      image = serverImage;
      environmentFiles = [ containerEnv ];
      cmd = [ "worker" ];
      autoStart = true;
      volumes = [
        "/var/lib/authentik/media:/media"
        "/var/lib/authentik/certs:/certs"
        "/var/lib/authentik/templates:/templates"
      ];
    };

    # LDAP outpost. NOTE(review): these two ports carry no host address, unlike
    # every other container here, so podman publishes them on all interfaces;
    # 389 is the unencrypted LDAP port. Confirm that is intended (the firewall
    # entry further down opens both to the outside as well).
    authentik-ldap = {
      image = ldapImage;
      environmentFiles = [ ldapEnv ];
      autoStart = true;
      extraOptions = [ "-m=1000m" ];
      ports = [ "389:3389" "636:6636" ];
    };

    # Proxy outpost, reachable on the internal address only.
    authentik-proxy = {
      image = proxyImage;
      environmentFiles = [ proxyEnv ];
      autoStart = true;
      ports = [ "${bindAddr}:9444:9443" ];
    };
  };

  # Kept for reference: the equivalent setup using the native authentik-nix
  # modules instead of containers. Disabled.
  #
  # services.authentik = {
  #   enable = true;
  #   createDatabase = false;
  #
  #   # The environmentFile needs to be on the target host!
  #   # Best use something like sops-nix or agenix to manage it
  #   environmentFile = "/etc/secrets/authentik/container.env";
  #   settings = {
  #     # email = {
  #     #   host = "smtp.example.com";
  #     #   port = 587;
  #     #   username = "authentik@example.com";
  #     #   use_tls = true;
  #     #   use_ssl = false;
  #     #   from = "authentik@example.com";
  #     # };
  #     disable_startup_analytics = true;
  #     avatars = "initials";
  #   };
  # };
  #
  # services.authentik-ldap = {
  #   enable = true;
  #   environmentFile = "/etc/secrets/authentik/ldap.env";
  # };
  #
  # services.authentik-proxy = {
  #   enable = true;
  #   environmentFile = "/etc/secrets/authentik/proxy.env";
  # };
  #

  # Opens LDAP/LDAPS to the outside. NOTE(review): in the collapsed original
  # this line sat directly after the commented-out block above; confirm it is
  # meant to be active.
  networking.firewall.allowedTCPPorts = [ 389 636 ];

  # Wildcard certificate shared by all vhosts on this host.
  security.acme.certs = {
    "vapor.systems" = {
      extraDomainNames = [ "*.vapor.systems" ];
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts = {
      "auth.vapor.systems" = {
        # addSSL serves HTTPS alongside plain HTTP (no redirect); forceSSL
        # would redirect HTTP to HTTPS instead.
        addSSL = true;
        useACMEHost = "vapor.systems";
        locations."/" = {
          # Upstream is the server container's TLS port on the internal address.
          proxyPass = "https://${bindAddr}:9443/";
          proxyWebsockets = true;
          # Forwarding headers authentik uses to build correct external URLs
          # and client IPs. Authorization is passed through for outpost/API calls.
          extraConfig = ''
            proxy_pass_header Authorization;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
          '';
        };
      };
    };
  };

  # Database is created on the host's postgres and owned by the authentik role;
  # connection details come from the env file.
  services.postgresql = {
    ensureDatabases = [ "authentik" ];
    ensureUsers = [
      {
        name = "authentik";
        ensureDBOwnership = true;
      }
    ];
  };

  # Places the env files on the host. NOTE(review): `source` is a Nix path
  # literal; if the `secrets` module ever interpolates it into a string or a
  # derivation, the file is copied into the world-readable Nix store. Confirm
  # the module copies it out-of-band.
  secrets = {
    authentik = {
      source = ../../secrets/authentik/container.env;
      dest = containerEnv;
    };
    authentik-ldap = {
      source = ../../secrets/authentik/ldap.env;
      dest = ldapEnv;
    };
    authentik-proxy = {
      source = ../../secrets/authentik/proxy.env;
      dest = proxyEnv;
    };
  };
}