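# NixOS module wiring up authentik plus its RAC (remote access) outpost container.
# Enabled through the `config.${namespace}.services.authentik` options declared in
# ./options.nix (cfg.enable, cfg.port, cfg.environmentFile, cfg.openFirewall).
{ config, lib, namespace, ... }:
with lib;
let
  cfg = config.${namespace}.services.authentik;
in
{
  imports = [ ./options.nix ];

  config = mkIf cfg.enable {
    # authentik server itself; its own secrets come from cfg.environmentFile,
    # which keeps them out of the Nix store.
    services.authentik = {
      enable = true;
      environmentFile = cfg.environmentFile;
      settings = {
        port = cfg.port;
      };
    };

    # Open firewall for authentik if enabled.
    # NOTE(review): 4822 is the port the RAC container publishes below; confirm it
    # really has to be reachable from other hosts (and over UDP at all) before
    # keeping it exposed here.
    networking.firewall = mkIf cfg.openFirewall {
      allowedTCPPorts = [ cfg.port 4822 ];
      allowedUDPPorts = [ cfg.port 4822 ];
    };

    # Ensure PostgreSQL is configured for authentik
    services.postgresql = {
      enable = mkDefault true;
      ensureDatabases = [ "authentik" ];
      ensureUsers = [
        {
          name = "authentik";
          ensureDBOwnership = true;
        }
      ];
    };

    # Ensure Redis is configured for authentik
    services.redis.servers.authentik = {
      enable = mkDefault true;
      port = mkDefault 6379;
    };

    # RAC outpost container.
    # NOTE(review): the image carries no tag or digest, so every pull may yield a
    # different version; pin it once the desired release is known.
    virtualisation.oci-containers.containers.authentik_rac = {
      autoStart = true;
      image = "ghcr.io/goauthentik/rac";
      ports = [ "4822:4822" ];
      volumes = [ "/media/nas/main/nix-app-data/authentik-rac:/media" ];
      # The outpost token is a credential. Anything placed in `environment` is
      # written into the world-readable /nix/store, so it is read from a root-only
      # env file instead, which must contain a line of the form
      # `AUTHENTIK_TOKEN=<token>`. Any token that was previously committed in this
      # file should be treated as exposed and rotated in authentik.
      environmentFiles = [
        "/path/to/authentik-rac.env" # PLACEHOLDER: path of the root-only secrets file
      ];
      environment = {
        AUTHENTIK_HOST = "https://authentik.mjallen.dev";
        AUTHENTIK_INSECURE = "false"; # Set to true for self-signed certs
        PUID = toString config.users.users.nix-apps.uid;
        PGID = toString config.users.groups.jallen-nas.gid;
        TZ = "America/Chicago";
      };
    };
  };
}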