# Option schema for the authentik identity provider, declared under
# options.<namespace>.services.authentik.
#
# Only declarations live here; no `config` section is visible in this file,
# so how each option is consumed must be checked in the implementing module.
{ lib, namespace, ... }:
let
  # Explicit inherit instead of a blanket `with lib;` keeps it obvious which
  # names come from lib.
  inherit (lib) mkEnableOption mkOption types;
in
{
  options.${namespace}.services.authentik = {
    # Master switch for the service.
    enable = mkEnableOption "authentik identity provider";

    # TCP port for the web interface; types.port restricts it to 0-65535.
    port = mkOption {
      type = types.port;
      default = 9000;
      description = "Port for authentik web interface";
    };

    # NOTE(review): this defaults to true, so (assuming the implementation
    # honours it) enabling the service also exposes the identity provider's
    # port through the host firewall. Set it to false explicitly where
    # authentik sits behind a reverse proxy or should only be reachable
    # locally. Many NixOS modules default their openFirewall option to false.
    openFirewall = mkOption {
      type = types.bool;
      default = true;
      description = "Whether to open firewall for authentik";
    };

    # Optional file holding secrets; null means no file is supplied.
    # NOTE(review): pass an absolute path as a string pointing at a file
    # provisioned at runtime (root-owned, not world-readable). A Nix path
    # literal can end up copied into the world-readable /nix/store, which
    # would leak the secrets to every local user.
    environmentFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to environment file containing authentik secrets";
    };

    # Directory for authentik's data. Declared as a plain string, so nothing
    # here validates that it is an absolute path.
    # NOTE(review): ownership and permissions of this directory are not set
    # in this file - confirm the implementing module restricts access.
    dataDir = mkOption {
      type = types.str;
      default = "/var/lib/authentik";
      description = "Data directory for authentik";
    };
  };
}