{ config, ... }:
let
  domain = "auth.${config.networking.domain}";
in
{
  age.secrets.authentik = {
    file = ../../../../secrets/nuc/authentik.age;
  };
  services.authentik = {
    enable = true;
    environmentFile = config.age.secrets.authentik.path;
    # nginx = {
    #   enable = true;
    #   enableACME = true;
    #   host = domain;
    # };
  };
  services.caddy.virtualHosts."${domain}".extraConfig = ''
    reverse_proxy localhost:9000
  '';
}