# NixOS module wiring up two services for this host:
#   1. the native `services.authentik` server, and
#   2. the authentik RAC outpost, run as a podman OCI container.
#
# Both are declared through the project's `lib.${namespace}.mkModule` helper,
# which owns the option declarations (the `options = { }` sets are empty here);
# the values read from `cfg`/`racCfg` below (port, configDir, puid, ...) are
# therefore expected to be supplied by that helper — confirm in the lib.
#
# NOTE: AUTHENTIK_TOKEN for the RAC outpost is stored in sops.
# Add jallen-nas/authentik-rac/token to secrets/nas-secrets.yaml and ensure
# jallen-nas/sops.nix declares the "authentik-rac.env" template before deploying.
{ config, lib, namespace, ... }:
with lib;
let
  # Name of the primary service; also used to build the public hostname below.
  authentikName = "authentik";

  # Option values for the authentik server and for the RAC outpost.
  authentikCfg = config.${namespace}.services.${authentikName};
  racCfg = config.${namespace}.services."authentikRac";

  # --- authentik server -------------------------------------------------------
  authentikServer = lib.${namespace}.mkModule {
    inherit config;
    name = authentikName;
    description = "authentik Service";
    options = { };
    moduleConfig.services.authentik = {
      enable = true;
      # Secrets for the server come from a user-supplied env file, not from
      # this module.
      environmentFile = authentikCfg.environmentFile;
      settings.port = authentikCfg.port;
    };
  };

  # --- authentik RAC outpost (podman) ----------------------------------------
  # NOTE: the container name and serviceName intentionally share the
  # "authenticRac" spelling (the systemd unit is derived from the container
  # name); if one is renamed, rename the other in the same change.
  authentikRacOutpost = lib.${namespace}.mkModule {
    inherit config;
    name = "authentikRac";
    serviceName = "podman-authenticRac";
    description = "authentik_rac Service";
    options = { };
    moduleConfig.virtualisation.oci-containers.containers."authenticRac" = {
      autoStart = true;

      # NOTE(review): no tag or digest is given, so the runtime pulls whatever
      # `latest` resolves to at pull time. Pinning a tag or an `@sha256:`
      # digest makes upgrades deliberate and reviewable.
      image = "ghcr.io/goauthentik/rac";

      # NOTE(review): a bare `host:container` mapping publishes the port on
      # every interface. Prefix with `127.0.0.1:` if only local access is
      # intended — confirm against how this outpost is reached.
      ports = [ "${toString racCfg.port}:4822" ];

      # Persistent data lives under the authentik configDir; mounted read-write.
      volumes = [ "${authentikCfg.configDir}/authentik-rac:/media" ];

      # AUTHENTIK_TOKEN is injected via the sops template "authentik-rac.env"
      # defined in systems/x86_64-linux/jallen-nas/sops.nix, so the token never
      # appears in the Nix store or in this file.
      environmentFiles = [ config.sops.templates."authentik-rac.env".path ];

      environment = {
        # Public URL of the authentik server the outpost connects back to.
        AUTHENTIK_HOST = "https://${authentikName}.mjallen.dev";
        # Kept at "false" — the name suggests this keeps certificate
        # verification enabled; verify against the upstream outpost docs.
        AUTHENTIK_INSECURE = "false";
        PUID = toString authentikCfg.puid;
        PGID = toString authentikCfg.pgid;
        TZ = authentikCfg.timeZone;
      };
    };
  };
in
{
  imports = [
    authentikServer
    authentikRacOutpost
  ];
}