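let
  # Pin the exact authentik release. Server and worker must run the same tag,
  # so it is bound once here and reused below.
  authentikImage = "ghcr.io/goauthentik/server:2024.4.2";

  # Settings shared by the server and the worker. Only hostnames live here;
  # secrets (presumably the signing key and database credentials) come from
  # the env file, which should stay readable only by the user running compose.
  authentikEnvironment = {
    AUTHENTIK_REDIS__HOST = "redis";
    AUTHENTIK_POSTGRESQL__HOST = "postgres";
    # Opts in to sending error reports to the authentik project. Set to
    # "false" if crash details must not leave this host.
    AUTHENTIK_ERROR_REPORTING__ENABLED = "true";
  };
  authentikEnvFile = [
    "/home/ghoscht/.docker/auth/authentik.env"
  ];

  # Both authentik containers wait for the backing stores to pass their
  # healthchecks rather than merely to start.
  authentikDependsOn = {
    redis = {condition = "service_healthy";};
    postgres = {condition = "service_healthy";};
  };

  # Uploaded media and custom templates are shared by server and worker.
  authentikVolumes = [
    "/storage/dataset/docker/auth/authentik_media:/media"
    "/storage/dataset/docker/auth/authentik_custom_templates:/templates"
  ];
in {
  project.name = "auth";

  # "dmz" is an externally managed network (presumably where the reverse proxy
  # lives — confirm); only the server joins it. "internal" is private to this
  # project and carries the database/cache traffic.
  networks.dmz = {
    name = "dmz";
    external = true;
  };
  networks.internal = {};

  services = {
    # Web/API process. Reachable through two traefik routers with the same
    # host rule but different entrypoints; which of "websecure" and
    # "websecure-external" faces the internet is defined in the proxy config,
    # not here.
    authentik.service = {
      image = authentikImage;
      container_name = "authentik";
      labels = {
        "traefik.enable" = "true";

        "traefik.http.services.authentik.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik.service" = "authentik";
        "traefik.http.routers.authentik.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik.entrypoints" = "websecure";
        "traefik.http.routers.authentik.tls" = "true";
        "traefik.http.routers.authentik.tls.certresolver" = "letsencrypt";

        "traefik.http.services.authentik-external.loadbalancer.server.port" = "9000";
        "traefik.http.routers.authentik-external.service" = "authentik-external";
        "traefik.http.routers.authentik-external.rule" = "Host(`auth.ghoscht.com`)";
        "traefik.http.routers.authentik-external.entrypoints" = "websecure-external";
        "traefik.http.routers.authentik-external.tls" = "true";
        "traefik.http.routers.authentik-external.tls.certresolver" = "letsencrypt";
      };
      command = "server";
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      restart = "always";
      depends_on = authentikDependsOn;
      volumes = authentikVolumes;
      networks = [
        "dmz"
        "internal"
      ];
    };

    # Background task runner. It is not exposed through traefik and only needs
    # the internal network.
    worker.service = {
      image = authentikImage;
      command = "worker";
      environment = authentikEnvironment;
      env_file = authentikEnvFile;
      depends_on = authentikDependsOn;
      # NOTE(review): the docker socket mount together with `user = "root"`
      # gives this container full control of the Docker daemon, i.e.
      # effectively root on the host. Presumably required for docker-managed
      # outposts — confirm, and drop both if outposts are not deployed that way.
      volumes = [
        "/var/run/docker.sock:/var/run/docker.sock"
      ] ++ authentikVolumes;
      restart = "always";
      user = "root";
      networks = [
        "internal"
      ];
    };

    # Cache / task queue. "--save 60 1" snapshots to /data every 60 s when at
    # least one key changed, so sessions survive a restart.
    redis.service = {
      image = "redis:7.2.4";
      command = "--save 60 1 --loglevel warning";
      healthcheck = {
        test = [
          "CMD-SHELL"
          "redis-cli ping | grep PONG"
        ];
        start_period = "20s";
        interval = "30s";
        retries = 5;
        timeout = "5s";
      };
      restart = "always";
      volumes = [
        "/storage/dataset/docker/auth/redis_data:/data"
      ];
      networks = [
        "internal"
      ];
    };

    # Primary database. Credentials come from postgres.env. The image is pinned
    # to the 12.x line, which reaches end of upstream support in November 2024;
    # plan the major upgrade before that.
    postgres.service = {
      image = "postgres:12.18";
      restart = "always";
      env_file = [
        "/home/ghoscht/.docker/auth/postgres.env"
      ];
      volumes = [
        "/storage/dataset/docker/auth/postgres_data:/var/lib/postgresql/data"
      ];
      healthcheck = {
        test = [
          "CMD-SHELL"
          # "$${...}" is a literal "$${...}" in Nix; compose unescapes it to
          # "${...}" so the shell inside the container expands the variables
          # from postgres.env rather than compose expanding them at parse time.
          "pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}"
        ];
        start_period = "20s";
        interval = "30s";
        retries = 5;
        timeout = "5s";
      };
      networks = [
        "internal"
      ];
    };
  };
}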