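# Arion / docker-compose definition for a self-hosted authentik deployment:
# PostgreSQL + Redis on an internal network, and the authentik `server` and
# `worker` processes built from one pinned image.
{ pkgs, ... }:
let
  # One pinned tag shared by `server` and `worker`; the two processes must
  # always run the same authentik release.
  authentikImage = "ghcr.io/goauthentik/server:2024.2.2";

  # Host-side paths. `env_file` is read by docker-compose on the HOST when
  # the stack is brought up, so it must name the host copy of the file. The
  # original bind-mounted these files into the containers and then pointed
  # `env_file` at the in-container path; the mount only copied the secrets
  # (DB password, AUTHENTIK_SECRET_KEY) into the container filesystem and
  # did not feed compose, so it is dropped here.
  dataDir = "/ssd1/Authentik/data";
  postgresEnvFile = "${dataDir}/postgres.env";
  authentikEnvFile = "${dataDir}/authentik.env";

  # Settings every authentik process needs. Previously only `server` carried
  # them, leaving `worker` to fall back to its built-in defaults for the
  # database/redis hosts; both services now share this list.
  #
  # `$${` is the Nix escape for a literal `${` in the emitted YAML. Those
  # `${VAR}` references are substituted by docker-compose at compose time
  # from the invoking shell / the project's `.env` file, NOT from `env_file`
  # — keep POSTGRES_* and AUTHENTIK_SECRET_KEY available there (TODO confirm
  # against how the stack is launched).
  authentikEnvironment = [
    "AUTHENTIK_REDIS__HOST=redis"
    "AUTHENTIK_POSTGRESQL__HOST=postgresql"
    "AUTHENTIK_POSTGRESQL__USER=$${POSTGRES_USER}"
    "AUTHENTIK_POSTGRESQL__NAME=$${POSTGRES_DB}"
    "AUTHENTIK_POSTGRESQL__PASSWORD=$${POSTGRES_PASSWORD}"
    # Ships error reports (stack traces) to authentik's upstream reporting
    # endpoint; set to false if that is not acceptable for this deployment.
    "AUTHENTIK_ERROR_REPORTING__ENABLED=true"
    "AUTHENTIK_SECRET_KEY=$${AUTHENTIK_SECRET_KEY}"
  ];
in
{
  project.name = "authentik";

  # NOTE(review): current arion releases type `service.environment` as an
  # attrset and `service.env_file` as a list; the list/string forms used
  # below are kept from the original — confirm they evaluate with the arion
  # version in use.
  services = {
    postgresql.service = {
      image = "docker.io/library/postgres:12-alpine";
      restart = "unless-stopped";
      volumes = [ "${dataDir}/postgres:/var/lib/postgresql/data" ];
      healthcheck = {
        # The `${...}` here are expanded by compose when the file is rendered,
        # not by the shell inside the container.
        test = [ "CMD-SHELL" "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}" ];
        start_period = "20s";
        interval = "30s";
        retries = 5;
        timeout = "5s";
      };
      # `environment` wins over `env_file`; if POSTGRES_* are not set in the
      # compose invocation these become empty strings and the container will
      # refuse to start without a password.
      environment = [
        "POSTGRES_PASSWORD=$${POSTGRES_PASSWORD}"
        "POSTGRES_USER=$${POSTGRES_USER}"
        "POSTGRES_DB=$${POSTGRES_DB}"
      ];
      env_file = postgresEnvFile;
      # Reachable only from the internal network; nothing is published.
      networks = [ "backend" ];
    };

    redis.service = {
      # Floating tag: every pull may move to a different Redis major. Pin a
      # version for reproducible deployments.
      image = "docker.io/library/redis:alpine";
      restart = "unless-stopped";
      # Snapshot to disk at most every 60s if at least one key changed.
      command = "--save 60 1 --loglevel warning";
      volumes = [ "${dataDir}/redis:/data" ];
      healthcheck = {
        test = [ "CMD-SHELL" "redis-cli ping | grep PONG" ];
        start_period = "20s";
        interval = "30s";
        retries = 5;
        timeout = "3s";
      };
      networks = [ "backend" ];
    };

    server.service = {
      image = authentikImage;
      restart = "unless-stopped";
      command = "server";
      # Published on every host interface by default. If the Traefik
      # routing below is re-enabled, bind these to loopback instead
      # (e.g. "127.0.0.1:9000:9000") so the proxy is the only way in.
      ports = [ "9000:9000" "9443:9443" ];
      /* Traefik routing, currently disabled:
      labels = [
        "traefik.enable=true"
        "traefik.http.routers.authentik.rule=Host(`auth.blunkall.us`)"
        "traefik.http.routers.authentik.entrypoints=websecure"
        "traefik.http.routers.authentik.tls=true"
        "traefik.http.routers.authentik.certResolver=cloudflare"
        "traefik.http.routers.authentik.service=authentik"
        "traefik.http.services.authentik.loadBalancer.server.port=9000"
      ];
      */
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      depends_on = [ "postgresql" "redis" ];
      networks = [ "backend" "frontend" ];
    };

    worker.service = {
      image = authentikImage;
      restart = "unless-stopped";
      command = "worker";
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      depends_on = [ "postgresql" "redis" ];
      # The upstream compose file runs the worker as root only so it can use
      # a mounted Docker socket for outpost management. No socket is mounted
      # here, so the image's unprivileged default user is kept (the original
      # `user = "root"` was dropped). Re-add `user = "root"` together with
      # the socket mount if that integration is wanted.
      networks = [ "backend" ];
    };
  };

  networks = {
    # Internal-only network for the databases and worker.
    backend = { name = "backend"; };
    # Network shared with whatever fronts the server (e.g. a reverse proxy).
    frontend = { name = "frontend"; };
  };
}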