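# Arion / docker-compose project for an Authentik SSO deployment:
# Postgres + Redis on an internal-only network, the Authentik server
# published through Traefik, and the Authentik worker.
{ pkgs, ... }:
let
  HOST_DOMAIN = "helcel.net";
  # NOTE(review): "norereply" looks like a misspelling of "noreply" — confirm
  # before changing it, since the SMTP username below is derived from it.
  MAIL_HOST_DOMAIN = "norereply.${HOST_DOMAIN}";
  MAIL_SERVER_DOMAIN = "mail.infomaniak.com";
  # Trailing slash plus "${DATA_PATH}/..." below yields a double slash in the
  # bind-mount paths; harmless, but worth normalising in one place.
  DATA_PATH = "/media/data/";

  # Server and worker must run the same Authentik version, so the image is
  # defined once. "latest" is unpinned: every pull may silently upgrade both
  # containers. Pin to a release tag (or an image digest) for reproducible,
  # reviewable upgrades.
  AUTHENTIK_IMAGE = "ghcr.io/goauthentik/server:latest";

  # Environment shared by server and worker. Both must see identical DB
  # credentials and the identical SECRET_KEY, otherwise tokens issued by one
  # container are rejected by the other.
  AUTHENTIK_COMMON_ENV = {
    "AUTHENTIK_REDIS__HOST" = "auth_redis";
    "AUTHENTIK_POSTGRESQL__HOST" = "auth_postgresql";
    "AUTHENTIK_POSTGRESQL__USER" = "authentik";
    "AUTHENTIK_POSTGRESQL__NAME" = "authentik";
    # FIXME: placeholder. This literal can never equal the value auth_postgresql
    # is started with (see POSTGRES_PASSWORD below), so the DB connection fails
    # as written. Both sides must be fed the same secret from outside this file.
    "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
    # FIXME: placeholder. SECRET_KEY signs sessions and cookies; a known or
    # guessable value lets anyone forge them. Must be a long random secret
    # injected out-of-band, never committed here.
    "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
  };

  # Volumes shared by server and worker: uploaded media and custom templates.
  AUTHENTIK_COMMON_VOLUMES = [
    "${DATA_PATH}/authentik/media:/media"
    "${DATA_PATH}/authentik/templates:/templates"
  ];
in {
  project.name = "Authentik";

  networks = {
    # No route to the outside world: Postgres and Redis are only reachable
    # from the other containers in this project.
    internal = {
      internal = true;
      external = false;
    };
    external = { external = true; };
  };

  services = {

    auth_postgresql.service = {
      image = "postgres:14-alpine";
      container_name = "auth_postgresql";
      restart = "unless-stopped";
      networks = [ "internal" ];
      # Persist the cluster: without a volume the whole database is lost
      # whenever the container is recreated.
      volumes = [ "${DATA_PATH}/authentik/postgresql:/var/lib/postgresql/data" ];
      environment = {
        # FIXME: this sets the password to the literal string
        # "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD" — nothing reads the
        # file, and no secret is mounted anywhere in this file. The postgres
        # image reads a path from POSTGRES_PASSWORD_FILE if file-based secrets
        # are intended. Whatever is chosen, it must match
        # AUTHENTIK_POSTGRESQL__PASSWORD in AUTHENTIK_COMMON_ENV.
        POSTGRES_PASSWORD = "/run/secrets/AUTHENTIK_POSTGRESQL__PASSWORD";
        POSTGRES_USER = "authentik";
        POSTGRES_DB = "authentik";
      };
      # Same opt-out as auth_redis: never let Traefik discover the database.
      labels = { "traefik.enable" = "false"; };
    };

    auth_redis.service = {
      image = "redis:alpine";
      container_name = "auth_redis";
      restart = "unless-stopped";
      networks = [ "internal" ];
      volumes = [ ];
      environment = { };
      labels = { "traefik.enable" = "false"; };
    };

    auth_server.service = {
      image = AUTHENTIK_IMAGE;
      container_name = "auth_server";
      restart = "unless-stopped";
      # "external" is needed so Traefik can reach the server; Redis and
      # Postgres stay on "internal" only.
      networks = [ "internal" "external" ];
      volumes = AUTHENTIK_COMMON_VOLUMES;
      environment = AUTHENTIK_COMMON_ENV // {
        "AUTHENTIK_EMAIL__HOST" = "${MAIL_SERVER_DOMAIN}";
        # 587 with STARTTLS (USE_TLS) rather than implicit TLS (USE_SSL).
        "AUTHENTIK_EMAIL__PORT" = "587";
        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${MAIL_HOST_DOMAIN}";
        # FIXME: placeholder credential; same caveat as AUTHENTIK_SECRET_KEY.
        "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
        "AUTHENTIK_EMAIL__USE_TLS" = "true";
        "AUTHENTIK_EMAIL__USE_SSL" = "false";
        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
        # NOTE(review): expands to sso@noreply.norereply.<HOST_DOMAIN>, one
        # label deeper than the USERNAME above — confirm this is intended.
        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${MAIL_HOST_DOMAIN}";
      };
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.sso.entrypoints" = "web-secure";
        "traefik.http.routers.sso.rule" = "Host(`sso.${HOST_DOMAIN}`)";
        "traefik.http.routers.sso.tls" = "true";
        "traefik.http.services.sso.loadbalancer.server.port" = "9000";
        # NOTE(review): compose normally prefixes network names with the
        # project name; confirm Traefik sees this network as "external" rather
        # than "authentik_external", or the router will have no backend.
        "traefik.docker.network" = "external";
      };
      command = "server";
      # Was `service.ports`, which nests a second `service` attribute inside
      # the service definition and is not a valid option; `ports` is what
      # actually publishes the port. Be aware this exposes Authentik's plain
      # HTTP port on every host interface, bypassing the TLS entrypoint that
      # Traefik provides above; if it is only for local debugging, bind it to
      # loopback ("127.0.0.1:9999:9000") or drop it.
      ports = [
        "9999:9000" # host:container
      ];
    };

    auth_worker.service = {
      image = AUTHENTIK_IMAGE;
      container_name = "auth_worker";
      restart = "unless-stopped";
      networks = [ "internal" ];
      volumes = AUTHENTIK_COMMON_VOLUMES ++ [
        # The Docker socket combined with `user = "root"` below gives this
        # container full control of the host's Docker daemon, i.e. root on the
        # host if the container is compromised. Keep it only if Authentik's
        # Docker outpost integration is actually used; otherwise remove both.
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environment = AUTHENTIK_COMMON_ENV;
      labels = { "traefik.enable" = "false"; };
      command = "worker";
      user = "root";
    };
  };
}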