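# NixOS module wrapping the upstream `services.authentik` module.
#
# It declares `my.services.authentik.*` options (env file, SMTP settings,
# reverse-proxy naming) and, when enabled, configures:
#   * services.authentik (settings, environment file, nginx vhost)
#   * a firewall opening for TCP 9000
#   * optionally a Caddy virtual host that reverse-proxies to port 9000
{ lib, config, pkgs, ... }:
let
  cfg = config.my.services.authentik;
in
{
  options.my.services.authentik = {
    enable = lib.mkEnableOption "Enable Authentik module";

    # Declared as a plain string (not a Nix path literal), so the value is
    # passed through as text rather than copied into the world-readable store.
    # NOTE(review): this file presumably carries the Authentik secret key and
    # other credentials; keep it outside /nix/store with restrictive
    # permissions, and set it explicitly since the default is empty.
    envFile = lib.mkOption {
      default = "";
      type = lib.types.str;
      description = ''
        The path to the env file
      '';
    };

    # Passed verbatim as `services.authentik.settings.email`.
    # There is no password option here, which keeps the SMTP password out of
    # the evaluated configuration.
    # NOTE(review): presumably it is supplied through `envFile`; confirm.
    email = {
      host = lib.mkOption {
        type = lib.types.str;
        description = "SMTP server host for Authentik.";
        default = "smtp.example.com";
      };
      port = lib.mkOption {
        type = lib.types.int;
        description = "SMTP server port for Authentik.";
        default = 587;
      };
      username = lib.mkOption {
        type = lib.types.str;
        description = "SMTP username for Authentik.";
        default = "authentik@example.com";
      };
      use_tls = lib.mkOption {
        type = lib.types.bool;
        description = "Use TLS for SMTP connection.";
        default = true;
      };
      use_ssl = lib.mkOption {
        type = lib.types.bool;
        description = "Use SSL for SMTP connection.";
        default = false;
      };
      from = lib.mkOption {
        type = lib.types.str;
        description = "Email address to use in the From field.";
        default = "authentik@example.com";
      };
    };

    proxy = {
      enable = lib.mkEnableOption "Set the proxy entry for this service";
      domain = lib.mkOption {
        default = "example.com";
        type = lib.types.str;
        description = ''
          The domain where Caddy is reachable
        '';
      };
      subdomain = lib.mkOption {
        default = "auth";
        type = lib.types.str;
        description = ''
          The subdomain where the service is reachable
        '';
      };
      host = lib.mkOption {
        default = "localhost";
        type = lib.types.str;
        description = ''
          host name where the service is running
        '';
      };
    };
  };

  config = lib.mkMerge [
    (lib.mkIf cfg.enable {
      services.authentik = {
        enable = true;
        environmentFile = cfg.envFile;
        settings = {
          email = cfg.email;
          disable_startup_analytics = true;
          avatars = "initials";
        };
        # NOTE(review): this enables the upstream module's nginx vhost with
        # ACME off. If Caddy (below) runs on the same machine, both front
        # ends may compete for the same listening ports; confirm which one
        # is intended to terminate TLS.
        nginx = {
          enable = true;
          enableACME = false;
          host = "${cfg.proxy.subdomain}.${cfg.proxy.domain}";
        };
      };

      # Opens port 9000 on the host firewall. The Caddy block below talks
      # to this port over plain http://, so anything that can reach the port
      # reaches the identity provider without TLS.
      # It is only required when the reverse proxy lives on another machine;
      # with the default `proxy.host = "localhost"` the port can stay closed.
      # Kept unconditional here so existing split-host setups do not break.
      # Consider restricting it to the proxy's source address.
      networking.firewall.allowedTCPPorts = [ 9000 ];
    })

    (lib.mkIf cfg.proxy.enable {
      services.caddy = with cfg.proxy; {
        # Fix: the upstream target now honours `proxy.host` instead of a
        # hard-coded "localhost" (the option was declared but never used).
        # The default value keeps the previous behaviour.
        # The hop to a non-local host is unencrypted HTTP; keep it on a
        # trusted network segment.
        # `cloudflare_<domain>` is a Caddy snippet that must be defined
        # elsewhere in the Caddy configuration.
        virtualHosts."${subdomain}.${domain}".extraConfig = ''
          reverse_proxy http://${host}:9000
          import cloudflare_${domain}
        '';
      };
    })
  ];
}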