{ config, lib, pkgs, ... }:
let
  # Per-service data (listen port, external URL) comes from this repo's own
  # lib extension; nothing here depends on its shape beyond `port` and `extUrl`.
  svc = lib.py.data.services.authentik;

  # Single place to bump authentik; the server and LDAP outpost images must
  # stay on the same version.
  authentikVersion = "2025.4";

  # Every container is attached to the dedicated `authentik` container
  # network so the services only talk to each other by container name.
  networkOpts = [ "--network=authentik" ];

  # Containers that need the age-managed env file (holds PG_PASS and friends).
  withSecrets = {
    environmentFiles = [ config.age.secrets.authentik-env.path ];
    extraOptions = networkOpts;
  };

  # Image and environment shared by the authentik server and worker.
  authentikCommon = withSecrets // {
    image = "ghcr.io/goauthentik/server:${authentikVersion}";
    environment = {
      # Redict is reached over the container network; it runs without a
      # password, so every container on `authentik` can talk to it.
      AUTHENTIK_REDIS__HOST = "authentik-redict";

      # Postgres Settings
      AUTHENTIK_POSTGRESQL__HOST = "authentik-db";
      AUTHENTIK_POSTGRESQL__PORT = "5432";
      AUTHENTIK_POSTGRESQL__USER = "authentik";
      AUTHENTIK_POSTGRESQL__NAME = "authentik";
      # NOTE(review): `\${` makes Nix emit the literal text `${PG_PASS}`;
      # nothing in this file expands it, so it relies on expansion happening
      # further down the chain. Confirm the real secret reaches both this
      # container and authentik-db — if neither side expands it, the literal
      # string silently becomes the database password. Setting the password
      # variables directly in the age env file avoids the question.
      AUTHENTIK_POSTGRESQL__PASSWORD = "\${PG_PASS}";

      # Disable error reporting (no telemetry leaves the host).
      AUTHENTIK_ERROR_REPORTING__ENABLED = "false";

      # Avatars are an attribute based on an uploaded file
      AUTHENTIK_AVATARS = "attributes.user.avatar";

      # Email Settings
      AUTHENTIK_EMAIL__HOST = "mail.pyrox.dev";
      AUTHENTIK_EMAIL__USERNAME = "auth@pyrox.dev";
      # NOTE(review): port 465 is conventionally implicit TLS, whereas
      # USE_TLS selects STARTTLS; check whether the mail server expects
      # USE_SSL on this port instead. Either way the SMTP password belongs
      # in the env file, not here.
      AUTHENTIK_EMAIL__PORT = "465";
      AUTHENTIK_EMAIL__USE_TLS = "true";
      # NOTE(review): the value ends in a bare trailing space and carries no
      # address — it looks truncated (angle-bracketed part lost?). Kept
      # verbatim; verify against the deployed config.
      AUTHENTIK_EMAIL__FROM = "PyroServ Auth ";
    };
  };

  # Bind mounts common to server and worker (uploads and mail templates).
  sharedVolumes = [
    "/var/lib/authentik/media:/media"
    "/var/lib/authentik/templates:/templates"
  ];

  containers = {
    authentik-db = withSecrets // {
      image = "postgres:17-alpine";
      volumes = [ "/var/lib/authentik/db:/var/lib/postgresql/data" ];
      environment = {
        # Same caveat as AUTHENTIK_POSTGRESQL__PASSWORD above: this is the
        # literal text `${PG_PASS}` unless something downstream expands it.
        POSTGRES_PASSWORD = "\${PG_PASS}";
        POSTGRES_USER = "authentik";
        POSTGRES_DB = "authentik";
      };
    };

    # Cache/broker only; deliberately does not get the secrets env file.
    authentik-redict = {
      image = "registry.redict.io/redict:alpine";
      extraOptions = networkOpts;
    };

    authentik-server = authentikCommon // {
      cmd = [ "server" ];
      ports = [
        # HTTP, on the port recorded in the service data.
        "${toString svc.port}:9000"
        # HTTPS.
        "6943:9443"
        # Metrics endpoint published on the host; keep it firewalled to the
        # scraper, it is not meant to be reachable from the outside.
        "9301:9300"
      ];
      volumes = sharedVolumes ++ [
        "/var/lib/authentik/custom.css:/web/dist/custom.css"
      ];
    };

    authentik-worker = authentikCommon // {
      cmd = [ "worker" ];
      # Worker holds the certificates it manages; the server does not mount them.
      volumes = sharedVolumes ++ [ "/var/lib/authentik/certs:/certs" ];
    };

    authentik-ldap = withSecrets // {
      image = "ghcr.io/goauthentik/ldap:${authentikVersion}";
      ports = [
        # 389 is plaintext LDAP on the host interface; only LDAPS (636) should
        # be reachable from untrusted networks, so firewall 389 accordingly.
        "389:3389"
        "636:6636"
      ];
      environment = {
        AUTHENTIK_HOST = "https://${svc.extUrl}";
        # Keep certificate validation for the outpost -> server connection.
        AUTHENTIK_INSECURE = "false";
      };
    };
  };
in
{
  virtualisation.oci-containers.containers = containers;

  # Env file decrypted by agenix at activation; the containers above read it
  # through `environmentFiles`.
  age.secrets.authentik-env = {
    file = ./secrets/authentik-env.age;
    owner = "thehedgehog";
    group = "misc";
  };
}