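{ lib, pkgs, flakes, ... }:
with lib;
let
  # Base URL of the authentik outpost that nginx consults on every request.
  # NOTE(review): this is the public host name over plain HTTP, and that
  # vhost is forceSSL below, so the hairpin subrequest may be answered with
  # a redirect instead of an auth decision (auth_request treats anything but
  # 2xx/401/403 as an error). Confirm against the listener the authentik-nix
  # nginx integration proxies to and point this at it — TODO confirm.
  outpostUpstream = "http://auth.posixlycorrect.com";

  # Server-level directives for a virtual host protected by authentik: every
  # request is first sent as a subrequest to the outpost, a 401 is turned
  # into a redirect to the sign-in flow, and the identity headers returned
  # by the outpost are copied into request headers for the real upstream.
  # Because proxy_set_header overwrites whatever the client sent, the
  # upstream only ever sees X-authentik-* values produced by the outpost.
  authentikServerConfig = ''
    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;

    proxy_redirect http:// $scheme://;
    proxy_buffers 8 16k;
    proxy_buffer_size 32k;
  '';

  # The two locations every protected vhost has to carry: the outpost
  # endpoint that auth_request targets, and the named location that a 401
  # is rewritten to. nginx resolves both per server block, so defining them
  # only on the auth.* vhost (as before) leaves protected vhosts with a
  # missing @goauthentik_proxy_signin (500 instead of sign-in redirect) and
  # an auth subrequest that falls through to whatever location matches
  # /outpost.goauthentik.io/auth/nginx there — typically the application
  # itself, whose response would then decide the auth outcome.
  authentikLocations = {
    "/outpost.goauthentik.io" = {
      proxyPass = "${outpostUpstream}/outpost.goauthentik.io";
      extraConfig = ''
        # ensure the host of this vserver matches your external URL you've configured
        # in authentik
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        add_header Set-Cookie $auth_cookie;
        auth_request_set $auth_cookie $upstream_http_set_cookie;
        # required for POST requests to work
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
      '';
    };
    "@goauthentik_proxy_signin" = {
      extraConfig = ''
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
      '';
    };
  };
in
{
  imports = [ flakes.authentik-nix.nixosModules.default ];

  options = {
    # Extend every nginx virtual host with an `enableAuthentik` switch. The
    # option declaration merges with the one from the nginx module, so this
    # only adds the submodule option and the conditional config below.
    services.nginx.virtualHosts = mkOption {
      type = with lib.types; attrsOf (submodule ({ config, ... }: {
        options.enableAuthentik = mkOption {
          default = false;
          type = bool;
          description = ''
            Put this virtual host behind authentik's nginx forward-auth
            outpost: adds the auth_request server directives and the
            /outpost.goauthentik.io and @goauthentik_proxy_signin locations.
          '';
        };
        config = mkIf config.enableAuthentik {
          extraConfig = authentikServerConfig;
          # Locations merge with whatever the host defines itself.
          locations = authentikLocations;
        };
      }));
    };
  };

  config = {
    services = {
      # Public endpoint for the authentik server; the upstream proxy for it is
      # provided by the authentik-nix module via services.authentik.nginx.
      # The outpost locations are no longer attached here: authentik serves
      # /outpost.goauthentik.io itself on this host, and proxying that path
      # back to the same public name only created a loop.
      nginx.virtualHosts."auth.posixlycorrect.com" = {
        enableACME = true;
        forceSSL = true;
      };

      authentik = {
        enable = true;
        # Secrets (signing key, DB credentials, SMTP password) stay out of
        # the Nix store; this file is read at service start.
        environmentFile = "/var/trust/authentik/authentik-env";
        nginx = {
          enable = true;
          enableACME = true;
          host = "auth.posixlycorrect.com";
        };
        settings = {
          email = {
            host = "smtp.fastmail.com";
            port = 587;
            username = "fabianmontero@fastmail.com";
            # STARTTLS on the submission port; implicit TLS disabled.
            use_tls = true;
            use_ssl = false;
            from = "auth@posixlycorrect.com";
          };
          disable_startup_analytics = true;
          avatars = "initials";
        };
      };
    };
  };
}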