# NixOS module: authentik identity provider behind nginx, with its secrets
# supplied by sops-nix. Host/domain values come from the shared `data` attrset.
{ config, data, ... }:
let
  # Base domain of this host; used to build the SMTP login name below.
  inherit (data.host) rootDomain;
  # Public hostname the auth service is served under.
  inherit (data.services.auth) domain;
  # SMTP relay: the mail server defined elsewhere in this configuration.
  mailDomain = data.services.mailserver.domain;
  # sops-nix options for the authentik secret: the encrypted dotenv file is
  # decrypted on the target host at activation time and never enters the
  # Nix store. NOTE(review): presumably holds AUTHENTIK_SECRET_KEY and the
  # SMTP password (AUTHENTIK_EMAIL__PASSWORD) — confirm against the dotenv.
  sops_opts = {
    sopsFile = ../secrets/authentik.env;
    format = "dotenv";
  };
in
{
  services.authentik = {
    enable = true;
    # The environmentFile needs to be on the target host!
    # Best use something like sops-nix or agenix to manage it
    # (here: the decrypted path of the sops secret declared at the bottom).
    environmentFile = config.sops.secrets.authentik.path;
    # Let the module provision the database locally instead of pointing at
    # an external one. NOTE(review): assumes a host-local PostgreSQL — verify.
    createDatabase = true;
    nginx = {
      enable = true;
      # Certificate for `host` is obtained via ACME (Let's Encrypt).
      enableACME = true;
      host = domain;
    };
    settings = {
      email = {
        host = mailDomain;
        # Submission port; `use_tls` presumably means STARTTLS on 587
        # (as opposed to implicit TLS on 465) — confirm with the authentik docs.
        port = 587;
        username = "auth@${rootDomain}";
        use_tls = true;
        # NOTE(review): the value ends in a trailing space and carries no
        # address part ("Name <address>"); it looks truncated — confirm the
        # intended sender address before relying on outbound mail.
        from = "Lgm's Auth System ";
      };
      # Opt out of the phone-home analytics sent on startup.
      disable_startup_analytics = true;
      # Generate avatars locally from initials only, so no per-user lookups
      # (e.g. gravatar, keyed on the e-mail hash) leave the host — presumably;
      # confirm the option's accepted values in the authentik docs.
      avatars = "initials";
    };
  };
  # Declares the secret consumed by `environmentFile` above.
  sops.secrets.authentik = sops_opts;
}