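{ config, lib, pkgs, ... }:
{
  # Dedicated system user/group for authentik.
  users.groups.authentik = { };
  users.users.authentik = {
    isSystemUser = true;
    # NOTE(review): membership in "docker" grants control of the docker
    # socket, which is effectively root on the host. Keep it only if the
    # authentik deployment really needs to drive docker directly.
    extraGroups = [ "docker" ];
    group = "authentik";
  };

  virtualisation.docker.enable = true;

  # Placeholder unit with no script of its own; it only exists so the
  # secrets generator below can be ordered in front of it.
  systemd.services.authentik-secrets-setup = { enable = true; };

  # NOTE(review): nothing in this module provisions
  # /var/lib/authentik-ldap-env; it must be placed on the host out-of-band
  # (e.g. via the same secrets tooling as the main environmentFile).
  services.authentik-ldap = {
    enable = true;
    environmentFile = "/var/lib/authentik-ldap-env";
  };

  services.authentik = {
    enable = true;
    # The environmentFile needs to be on the target host!
    # Best use something like sops-nix or agenix to manage it.
    # Here it is produced by authentik-secrets-generator (see below).
    environmentFile = "/var/lib/authentik_secret";
    settings = {
      email = {
        host = "mail.${config.networking.domain}";
        # Plain SMTP without TLS — presumably a trusted local relay;
        # confirm before pointing this at a remote mail host.
        port = 25;
        username = "authentik@${config.networking.domain}";
        use_tls = false;
        use_ssl = false;
        from = "authentik@${config.networking.domain}";
      };
      disable_startup_analytics = true;
      avatars = "initials";
    };
  };

  # Generates AUTHENTIK_SECRET_KEY once and writes it to the environmentFile
  # consumed by services.authentik.
  #
  # Fixes relative to the previous version:
  #  * the key is only generated when the file is missing/empty — the old
  #    script overwrote it on every run, rotating the secret (and thereby
  #    invalidating existing sessions) on each restart;
  #  * umask 077 keeps the file 0600 (the default service umask would have
  #    left it world-readable); systemd reads EnvironmentFile= as root, so
  #    the authentik units can still load it;
  #  * requiredBy only adds a Requires= dependency, not ordering, so `before`
  #    is needed to guarantee the file exists before the consumers start;
  #  * oneshot + RemainAfterExit so dependants treat the unit as "done".
  systemd.services.authentik-secrets-generator = {
    enable = true;
    requiredBy = [ "authentik-secrets-setup.service" "authentik-worker.service" ];
    before = [ "authentik-secrets-setup.service" "authentik-worker.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      umask 077
      if [ ! -s /var/lib/authentik_secret ]; then
        echo "AUTHENTIK_SECRET_KEY=$(${pkgs.openssl}/bin/openssl rand -hex 32)" > /var/lib/authentik_secret
      fi
    '';
  };

  # TLS-terminating reverse proxy in front of the authentik server.
  services.nginx = {
    enable = true;
    virtualHosts."auth.${config.networking.domain}" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://localhost:9000";
        proxyWebsockets = true;
        recommendedProxySettings = true;
        # recommendedProxySettings already emits these two headers; the
        # explicit copies are harmless duplicates kept for clarity.
        extraConfig = ''
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        '';
      };
    };
  };
}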