# Arion (docker-compose described in Nix) project for an authentik deployment:
# PostgreSQL and Redis as backing stores, the authentik `server` (web/API) and
# the authentik `worker`, attached to two named networks.
#
# Every `"$${VAR}"` below is a Nix string that still contains `$$`; the intent
# is for docker-compose to reduce `$$` to a single `$` so `${VAR}` reaches the
# container unexpanded. NOTE(review): that works for the CMD-SHELL health
# probes (the container's shell expands them), but `environment` values are
# not shell-expanded, so those entries presumably rely on the env_file to
# supply the real values — confirm which layer wins before relying on it.
{ pkgs, ... }:
let
  authentikImage = "ghcr.io/goauthentik/server:2024.2.2";

  # Host directory holding all persistent state and the env files that are
  # bind-mounted into the containers.
  dataRoot = "/ssd1/Authentik/data";

  # Probe schedule shared by the two backing stores; the probe command and
  # its timeout are service-specific.
  probeSchedule = {
    start_period = "20s";
    interval = "30s";
    retries = 5;
  };

  # Settings common to both authentik containers; each one overrides/extends.
  authentikBase = {
    image = authentikImage;
    restart = "unless-stopped";
    depends_on = [ "postgresql" "redis" ];
  };
in
{
  project.name = "authentik";

  services = {
    # Pinned major version; keep the pin current with supported releases.
    postgresql.service = {
      image = "docker.io/library/postgres:12-alpine";
      restart = "unless-stopped";
      volumes = [
        "${dataRoot}/postgres:/var/lib/postgresql/data"
        "${dataRoot}/postgres.env:/etc/postgres/postgres.env"
      ];
      healthcheck = probeSchedule // {
        test = [ "CMD-SHELL" "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ];
        timeout = "5s";
      };
      environment = {
        POSTGRES_PASSWORD = "$${POSTGRES_PASSWORD}";
        POSTGRES_USER = "$${POSTGRES_USER}";
        POSTGRES_DB = "$${POSTGRES_DB}";
      };
      # NOTE(review): env_file is read by compose on the HOST; the bind mount
      # above only places the file inside the container. The same host path
      # must exist for this to take effect — confirm.
      env_file = [ "/etc/postgres/postgres.env" ];
      networks = [ "backend" ];
    };

    # Unauthenticated Redis, reachable only on the internal backend network.
    redis.service = {
      image = "docker.io/library/redis:alpine";
      restart = "unless-stopped";
      command = "--save 60 1 --loglevel warning";
      volumes = [ "${dataRoot}/redis:/data" ];
      healthcheck = probeSchedule // {
        test = [ "CMD-SHELL" "redis-cli ping | grep PONG" ];
        timeout = "3s";
      };
      networks = [ "backend" ];
    };

    server.service = authentikBase // {
      command = "server";
      volumes = [ "${dataRoot}/authentik.env:/etc/authentik/authentik.env" ];
      # Published directly on all host interfaces, including plain HTTP on
      # 9000; the reverse-proxy (traefik) labels below are disabled, so
      # nothing in this file terminates TLS in front of 9000.
      ports = [ "9000:9000" "9443:9443" ];
      /* labels = [
        "traefik.enable=true"
        "traefik.http.routers.authentik.rule=Host(`auth.blunkall.us`)"
        "traefik.http.routers.authentik.entrypoints=websecure"
        "traefik.http.routers.authentik.tls=true"
        "traefik.http.routers.authentik.certResolver=cloudflare"
        "traefik.http.routers.authentik.service=authentik"
        "traefik.http.services.authentik.loadBalancer.server.port=9000"
      ]; */
      environment = {
        AUTHENTIK_REDIS__HOST = "redis";
        AUTHENTIK_POSTGRESQL__HOST = "postgresql";
        AUTHENTIK_POSTGRESQL__USER = "$${POSTGRES_USER}";
        AUTHENTIK_POSTGRESQL__NAME = "$${POSTGRES_DB}";
        AUTHENTIK_POSTGRESQL__PASSWORD = "$${POSTGRES_PASSWORD}";
        # Opts in to authentik's upstream error reporting (data leaves the host).
        AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
        AUTHENTIK_SECRET_KEY = "$${AUTHENTIK_SECRET_KEY}";
      };
      env_file = [ "/etc/authentik/authentik.env" ];
      networks = [ "backend" "frontend" ];
    };

    worker.service = authentikBase // {
      command = "worker";
      # The host's podman socket is exposed as docker.sock and the process
      # runs as root: this container effectively controls the host's container
      # runtime, so treat the worker as host-privileged. Note the env file is
      # mounted at /root here but at /etc/authentik in the server service.
      volumes = [
        "${dataRoot}/authentik.env:/root/authentik.env"
        "/var/run/podman/podman.sock:/var/run/docker.sock"
      ];
      user = "root";
      env_file = [ "/root/authentik.env" ];
      networks = [ "backend" ];
    };
  };

  # `frontend` is the only network the published server joins; the stores
  # and the worker stay on `backend`.
  networks = {
    backend = { name = "backend"; };
    frontend = { name = "frontend"; };
  };
}