{ config, containerCfg, pkgs, lib, ... }:
let serverCfg = config.syscfg.server;
in {
  systemd.tmfiles.rules = [
    "d ${serverCfg.dataPath}/authentik/media 0755 root root -"
    "d ${serverCfg.dataPath}/authentik/template 0755 root root -"
  ];
  containers = {

    auth_server = {
      image = "ghcr.io/goauthentik/server:latest";
      hostname = "auth_server";
      volumes = [
        "${serverCfg.dataPath}/authentik/media:/media"
        "${serverCfg.dataPath}/authentik/templates:/templates"
      ];
      environment = {
        "AUTHENTIK_POSTGRESQL__HOST" = "host.internal";
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
        "AUTHENTIK_POSTGRESQL__PASSWORD" = "AUTHENTIK_DB_PASSWORD";
        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
        "AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
        "AUTHENTIK_EMAIL__PORT" = "587";
        "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
        "AUTHENTIK_EMAIL__PASSWORD" = "AUTHENTIK_EMAIL_PASSWORD";
        "AUTHENTIK_EMAIL__USE_TLS" = "true";
        "AUTHENTIK_EMAIL__USE_SSL" = "false";
        "AUTHENTIK_EMAIL__TIMEOUT" = "10";
        "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
      };
      labels = {
        "traefik.enable" = "true";
        "traefik.http.routers.sso.entrypoints" = "web-secure";
        "traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
        "traefik.http.routers.sso.tls" = "true";
        "traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
      };
      cmd = [ "server" ];
      extraOptions = [
        "--add-host=host.internal:host-gateway"
        "--ip=${containerCfg.ip}"
      ];
      ports = [
        "9999:${toString containerCfg.port}"
      ];
    };

    auth_worker = {
      image = "ghcr.io/goauthentik/server:latest";
      hostname = "auth_worker";
      volumes = [
        "${serverCfg.dataPath}/authentik/media:/media"
        "${serverCfg.dataPath}/authentik/templates:/templates"
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
      environmentFiles = [
        config.sops.secrets."authentik_pass".path
      ];
      environment = {
        "AUTHENTIK_POSTGRESQL__HOST" = "host.internal";
        "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
        "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
        "AUTHENTIK_SECRET_KEY" = "AUTHENTIK_SECRET_KEY";
      };
      cmd = [ "worker" ];
    };
  };
}