{ config, ... }:
let
  # Public hostname of the identity provider, derived from the host's domain.
  domain = "auth.${config.networking.domain}";

  # Directory in which Caddy stores the ACME (Let's Encrypt) certificate it
  # obtained for the vhost declared below.
  caddyCertDir =
    "/var/lib/caddy/certificates/acme-v02.api.letsencrypt.org-directory/${domain}";
in
{
  # Age-encrypted secrets; each is decrypted on the host and its decrypted
  # path (config.age.secrets.<name>.path) is used as an environment file.
  age.secrets = {
    authentik-core.file = ../../../../secrets/nuc/authentik/core.age;
    authentik-ldap.file = ../../../../secrets/nuc/authentik/ldap.age;
  };

  services = {
    authentik = {
      enable = true;
      environmentFile = config.age.secrets.authentik-core.path;
      # Authentik discovers TLS certificates in the systemd credentials
      # directory, which the LoadCredential entries below populate.
      settings.cert_discovery_dir = "env://CREDENTIALS_DIRECTORY";
    };

    authentik-ldap = {
      enable = true;
      environmentFile = config.age.secrets.authentik-ldap.path;
    };

    # TLS terminates in Caddy; the backend is reached over plain HTTP on the
    # loopback interface.
    caddy.virtualHosts."${domain}".extraConfig = ''
      reverse_proxy localhost:9000
    '';
  };

  # Hand Caddy's certificate and private key to the authentik worker as
  # systemd credentials named <domain>.pem / <domain>.key.
  # NOTE(review): LoadCredential copies the files when the unit starts, so a
  # renewed certificate is only visible to authentik after the worker is
  # restarted — confirm the renewal path restarts authentik-worker.
  systemd.services.authentik-worker.serviceConfig.LoadCredential = [
    "${domain}.pem:${caddyCertDir}/${domain}.crt"
    "${domain}.key:${caddyCertDir}/${domain}.key"
  ];

  # Open the firewall for proxy auth.
  # Port 9000 is the plain-HTTP listener that Caddy proxies above; listing it
  # here exposes that unencrypted endpoint on every interface, not only on
  # localhost, so remote clients should prefer the TLS vhost unless the
  # network segment is trusted.
  networking.firewall.allowedTCPPorts = [ 9000 ];
}