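# NixOS module: runs authentik inside a declarative NixOS container.
#
# Arguments:
#   config - the evaluated host configuration (option values, sops placeholders)
#   lib    - nixpkgs lib (mkOption, mkIf, types)
#   inputs - flake inputs; must provide `authentik-nix`
{ config, lib, inputs, ... }:
{
  # Opt-in switch; nothing below is applied unless this is set to true.
  options.sysconfig.opts.virtualization.authentik.enable = lib.options.mkOption {
    type = lib.types.bool;
    default = false;
  };

  config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable {
    # Environment file carrying authentik's secrets, rendered by sops-nix with
    # the placeholders replaced by the decrypted values at activation time.
    sops.templates."authentik.env" = {
      # One KEY=value assignment per line: environment files are parsed line
      # by line, so two assignments on one line would end up as a single value.
      content = ''
        AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/pass"}
        AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
      '';
      # NOTE(review): this renders the plaintext secrets onto persistent
      # storage, inside the directory that is bind-mounted read-write into the
      # container below. sops-nix renders templates under /run unless `path`
      # is overridden; confirm that persisting them here is intended.
      path = "/ssd1/Authentik/data/authentik.env";
      # Root-only read access. This is the sops-nix default, pinned here so the
      # permission on the secret file is visible in review.
      mode = "0400";
    };

    containers.authentik = {
      autoStart = true;

      # Separate network namespace with a veth pair:
      # host side 192.168.100.10, container side 192.168.100.12.
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.12";

      bindMounts = {
        # Host data directory (it also holds the rendered authentik.env) shown
        # inside the container as /root/data. Writable from the container.
        "/root/data" = {
          hostPath = "/ssd1/Authentik/data";
          isReadOnly = false;
        };
      };

      config = {
        imports = [ inputs.authentik-nix.nixosModules.default ];

        services.authentik = {
          enable = true;
          # Same file as sops.templates."authentik.env".path, seen through the
          # /root/data bind mount.
          environmentFile = "/root/data/authentik.env";
          settings = {
            # The disable flag is false, so startup analytics stay enabled.
            disable_startup_analytics = false;
            avatars = "initials";
          };
        };

        # The container's own firewall is off: every port listening inside the
        # container is reachable by anything that can route to 192.168.100.12.
        # NOTE(review): consider enabling it and allowing only the ports that
        # authentik is meant to serve.
        networking.firewall.enable = false;
      };
    };
  };
}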