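# NixOS module wiring the authentik identity provider (via authentik-nix) into
# this configuration: SMTP settings, the ACME certificate handed to the worker
# as systemd credentials, and an nginx reverse proxy in front of authentik's
# own TLS listener. `with lib;` is avoided in favour of an explicit inherit so
# every name taken from lib is visible here.
{ inputs, config, lib, ... }:
let
  inherit (lib) mkEnableOption mkOption mkIf types;
  cfg = config.modules.services.authentik;
  # Directory holding the ACME-issued certificate for the base domain; the
  # worker receives its contents through LoadCredential below.
  acmeDir = config.security.acme.certs.${cfg.domain}.directory;
in
{
  imports = [ inputs.authentik-nix.nixosModules.default ];

  options.modules.services.authentik = {
    enable = mkEnableOption "Authentik - Identity Provider";

    domain = mkOption {
      type = types.str;
      description = "Base domain; also selects the ACME certificate (security.acme.certs.<domain>) used for TLS.";
    };

    realHost = mkOption {
      type = types.str;
      default = "authentik.${cfg.domain}";
      description = "Virtual host name nginx serves authentik on.";
    };

    email = {
      host = mkOption {
        type = types.str;
        default = "smtp.${cfg.domain}";
        description = "SMTP server for outgoing mail; contacted on port 587 with STARTTLS.";
      };
      username = mkOption {
        type = types.str;
        default = "authentik@${cfg.domain}";
        description = "SMTP login username.";
      };
      from = mkOption {
        type = types.str;
        default = cfg.email.username;
        description = "From address for outgoing mail; defaults to the SMTP username.";
      };
    };

    secrets = {
      authentik-envs = mkOption {
        type = types.path;
        description = ''
          path to the environment file

          Pass an absolute path string (e.g. the path produced by a secrets
          manager such as sops-nix or agenix), not a literal path value: a path
          literal is copied into the world-readable Nix store and would expose
          the secrets the file holds.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    services.authentik = {
      enable = true;
      # Secrets (e.g. AUTHENTIK_SECRET_KEY, SMTP password) stay out of the store
      # and are injected at runtime.
      environmentFile = cfg.secrets.authentik-envs;
      settings = {
        email = {
          host = cfg.email.host;
          port = 587;
          username = cfg.email.username;
          # STARTTLS on 587; implicit TLS (use_ssl) is off on purpose.
          use_tls = true;
          use_ssl = false;
          from = cfg.email.from;
        };
        # authentik picks up certificates from the directory systemd populates
        # via LoadCredential (see the worker unit below).
        cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
      };
      nginx = {
        # Configured manually under services.nginx below, since authentik-nix
        # does not support the case where the certificate domain differs from
        # the nginx host. The module's own `host` option is therefore unused.
        enable = false;
        enableACME = false;
      };
    };

    modules.persistence.directories = [ "/var/lib/private/authentik" ];

    # Hand the base domain's ACME certificate and key to the worker as
    # credentials, which is where cert_discovery_dir above reads them from.
    systemd.services.authentik-worker.serviceConfig.LoadCredential = [
      "${cfg.domain}.pem:${acmeDir}/fullchain.pem"
      "${cfg.domain}.key:${acmeDir}/key.pem"
    ];

    services.nginx.virtualHosts.${cfg.realHost} = {
      # Serve the subdomain with the base domain's certificate instead of
      # requesting a separate one.
      useACMEHost = cfg.domain;
      forceSSL = true;
      locations."/" = {
        proxyWebsockets = true;
        # Loopback hop to authentik's HTTPS listener; nginx does not verify the
        # upstream certificate here (proxy_ssl_verify is off by default), which
        # is acceptable only because the upstream is on localhost.
        proxyPass = "https://localhost:9443";
      };
    };
  };
}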