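# NixOS module: deploys authentik on one host and exposes it through a
# TLS-terminating nginx proxy on another (or the same) host.
#
# Outer arguments (deployment parameters):
#   authentikHost    - hostname of the machine that runs the authentik container
#   proxyHost        - hostname of the machine that serves `externalHostname` with TLS
#   externalHostname - public FQDN under which authentik is reached
#
# Inner arguments are the usual NixOS module arguments.
{ authentikHost, proxyHost, externalHostname, ... }:

{ config, lib, pkgs, ... }:

with lib;
let
  hostname = config.instance.hostname;

  # Role of the evaluating host. Both may be true when the proxy and the
  # authentik container live on the same machine.
  isAuthentik = hostname == authentikHost;
  isProxy = hostname == proxyHost;

  host = config.fudo.hosts."${hostname}";
  domainName = host.domain;
  zoneName = config.fudo.domains."${domainName}".zone;
in {
  config = {
    # Publish an `authentik` alias in the host's DNS zone so the public proxy
    # can resolve the internal virtual host name used below.
    fudo.zones."${zoneName}".aliases.authentik = authentikHost;

    services = {
      # Only the authentik host runs the container stack; `mkIf isAuthentik`
      # already gates the whole attrset, so `enable` is unconditionally true here.
      authentikContainer = mkIf isAuthentik {
        enable = true;
        # NOTE(review): these are floating tags, not digests. `redis:alpine` and
        # `postgres:12-alpine` can change underneath a rebuild; pin by digest if
        # reproducible, reviewable upgrades are wanted.
        images = {
          authentik = "ghcr.io/goauthentik/server:2023.6.1";
          postgres = "docker.io/library/postgres:12-alpine";
          redis = "docker.io/library/redis:alpine";
        };
      };

      nginx = mkIf (isProxy || isAuthentik) {
        enable = true;
        recommendedOptimisation = true;
        recommendedProxySettings = true;
        virtualHosts = {
          # Internal hop on the authentik host: plain HTTP, reached by the proxy
          # via `authentik.<domain>:80`. This module does not restrict who may
          # connect to it; limiting it to the proxy's address (firewall or
          # listen address) has to be done elsewhere.
          #
          # NOTE(review): with `recommendedProxySettings`, this nginx re-sets
          # `X-Forwarded-Proto` from its own `$scheme`, i.e. `http`, overwriting
          # the `https` the public proxy sent. If authentik derives redirect
          # URLs or cookie flags from that header, confirm it sees the external
          # scheme (e.g. forward the header through unchanged on this hop).
          "authentik.${domainName}" = mkIf isAuthentik {
            enableACME = false;
            forceSSL = false;
            locations."/" = {
              proxyPass = "http://localhost:${
                  toString config.services.authentikContainer.ports.http
                }";
              proxyWebsockets = true;
            };
          };

          # Public hop: ACME-issued certificate, HTTP forced to HTTPS, then
          # forwarded in cleartext to the internal virtual host above.
          "${externalHostname}" = mkIf isProxy {
            enableACME = true;
            forceSSL = true;
            locations."/" = {
              proxyPass = "http://authentik.${domainName}:80";
              proxyWebsockets = true;
            };
          };
        };
      };
    };
  };
}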