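# NixOS module: runs authentik inside a declarative NixOS container on a
# private veth link, with its secrets rendered into an env file by sops-nix.
{ config, lib, inputs, ... }:
{
  options.sysconfig.virtualization.authentik.enable = lib.options.mkOption {
    type = lib.types.bool;
    default = false;
    description = "Run authentik in a NixOS container with sops-nix managed secrets.";
  };

  imports = [ inputs.authentik-nix.nixosModules.default ];

  config = lib.mkIf config.sysconfig.virtualization.authentik.enable {
    # Env file consumed by the authentik units inside the container. The
    # placeholders are substituted with the decrypted values at activation.
    sops.templates."authentik.env" = {
      # One KEY=value pair per line, as an environment file requires.
      content = ''
        AUTHENTIK_EMAIL__PASSWORD=${config.sops.placeholder."authentik/pass"}
        AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
      '';
      # NOTE(review): this path renders the decrypted secrets onto the data
      # disk, so they persist in plaintext outside sops-nix's own secrets
      # directory. Confirm that is intended; otherwise keep the template at
      # its default location and expose only that file to the container.
      path = "/ssd1/Authentik/data/authentik.env";
      # Root-only read access, pinned explicitly rather than relying on the
      # sops-nix default.
      mode = "0400";
    };

    containers.authentik = {
      autostart = true;

      # Dedicated veth pair: the host end is hostAddress, the container end
      # is localAddress.
      privateNetwork = true;
      hostAddress = "192.168.100.10";
      localAddress = "192.168.100.13";

      bindMounts = {
        "/root/data" = {
          hostPath = "/ssd1/Authentik/data";
          # The container only reads the env file from this directory; keep
          # the mount read-only so the guest cannot modify host data.
          isReadOnly = true;
        };
      };

      config = {
        # The container is evaluated as its own NixOS system, so imports on
        # the host module are not visible here; services.authentik needs the
        # authentik-nix module imported inside the container as well.
        imports = [ inputs.authentik-nix.nixosModules.default ];

        services.authentik = {
          enable = true;
          environmentFile = "/root/data/authentik.env";
          settings = {
            #disable_startup_analytics = true;
            avatars = "initials";
          };
        };

        # Keep the container firewall on and allow only authentik's default
        # HTTP (9000) and HTTPS (9443) listeners, instead of exposing every
        # port that happens to be bound inside the container. Add further
        # ports here (e.g. the metrics listener) only if something outside
        # the container has to reach them.
        networking.firewall = {
          enable = true;
          allowedTCPPorts = [ 9000 9443 ];
        };
      };
    };
  };
}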