{ config, self, ... }:
let
  inherit (config.networking) fqdn;
in
{
  age.secrets.authentik.file = "${self}/agenix/authentik.age";

  services.authentik = {
    enable = true;
    environmentFile = config.age.secrets.authentik.path; # just trust, this specifies port 3001
    # nginx = {
    #   enable = true;
    #   enableACME = true;
    #   host = "auth.${fqdn}";
    # };
  };
}