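{ config, lib, namespace, ... }:
with lib;
let
  name = "authentik";
  cfg = config.${namespace}.services.${name};

  # authentik server plus the RAC (remote access) outpost container.
  #
  # The outpost token is deliberately NOT written into this file: anything
  # placed under `environment` ends up in the world-readable Nix store and in
  # version control.  Put `AUTHENTIK_TOKEN=...` in the environment file
  # referenced by `cfg.environmentFile` instead.  The literal token that was
  # previously hard-coded here has already been committed; treat it as exposed
  # and rotate it in authentik.
  authentikConfig = lib.${namespace}.mkModule {
    inherit config name;
    description = "authentik Service";
    options = { };
    moduleConfig = {
      services = {
        authentik = {
          enable = true;
          # Server secrets (AUTHENTIK_SECRET_KEY, DB credentials, ...) are
          # read from this file at runtime rather than baked into the store.
          environmentFile = cfg.environmentFile;
          settings = {
            port = cfg.port;
          };
        };

        redis.servers.authentik = {
          enable = mkDefault true;
          port = mkDefault 6379;
        };

        # postgresql = {
        #   enable = mkDefault true;
        #   ensureDatabases = [ name ];
        #   ensureUsers = [
        #     {
        #       name = name;
        #       ensureDBOwnership = true;
        #     }
        #   ];
        # };
      };

      # Open the guacd port of the RAC outpost when requested.  guacd speaks the
      # Guacamole protocol over TCP only, so no UDP rule is needed.
      networking.firewall = mkIf cfg.openFirewall {
        allowedTCPPorts = [ 4822 ];
      };

      virtualisation.oci-containers.containers.authentik_rac = {
        autoStart = true;
        image = "ghcr.io/goauthentik/rac";
        # NOTE(review): this publishes 4822 on every host interface; with the
        # docker backend published ports are inserted ahead of the NixOS
        # firewall, so `openFirewall` may not be the only thing controlling
        # exposure — confirm which OCI backend is in use.
        ports = [ "4822:4822" ];
        volumes = [ "${cfg.configDir}/authentik-rac:/media" ];
        # The outpost's AUTHENTIK_TOKEN comes from the same environment file as
        # the server; skip the entry when no file is configured.
        environmentFiles = optional (cfg.environmentFile != null) cfg.environmentFile;
        environment = {
          AUTHENTIK_HOST = "https://${name}.mjallen.dev";
          AUTHENTIK_INSECURE = "false"; # Set to true for self-signed certs
          PUID = toString cfg.puid;
          PGID = toString cfg.pgid;
          TZ = cfg.timeZone;
        };
      };
    };
  };
in
{
  imports = [ authentikConfig ];
}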