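# NixOS module: enables authentik, supplies its secret environment file via
# agenix, and configures outgoing mail.
{ config, ... }:
let
  inherit (config.serverConfig) vhosts;
  inherit (config.networking) domain;
in
{
  # `age.secrets` is a top-level option provided by the agenix module; nested
  # under `services.authentik` it would be read as an (unknown) authentik
  # option. Assumes the agenix module is imported elsewhere in this configuration.
  age.secrets.authentik_env = {
    file = ../secrets/authentik_env.age;
    # NOTE(review): confirm an `authentik` user and group exist on the target
    # host when secrets are installed; if the service is started by systemd
    # with EnvironmentFile=, the file is read by the service manager, so
    # root-only ownership may be sufficient and tighter.
    owner = "authentik";
    group = "authentik";
    mode = "0600";
  };

  services.authentik = {
    enable = true;

    # The environment file must exist on the target host and must never be
    # placed in the world-readable Nix store. Referencing the agenix secret's
    # runtime path keeps this option in sync with the secret declared above
    # instead of hard-coding a location that agenix does not populate.
    environmentFile = config.age.secrets.authentik_env.path;

    settings = {
      email = rec {
        host = vhosts.mail_host.host;
        port = 465;
        username = "admin@${domain}";
        # Port 465 is conventionally implicit TLS, which is `use_ssl`.
        # `use_tls` means STARTTLS; the two are mutually exclusive, so only
        # one may be true. NOTE(review): confirm against the mail server; for
        # a STARTTLS submission port, flip both flags instead.
        use_tls = false;
        use_ssl = true;
        from = username;
      };
      disable_startup_analytics = true;
      # Initials-only avatars: no lookups against an external avatar service.
      avatars = "initials";
    };
  };
}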