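{
  nixhelm,
  system,
  config,
  lib,
  ...
}: {
  # Kubenix-style module that deploys Authentik (identity provider) from the
  # nixhelm-packaged Helm chart, together with the chart's bundled PostgreSQL
  # and Redis. Gated on `authentik.enable`; nothing below is emitted when off.
  options.authentik.enable = lib.mkEnableOption "authentik";

  config = lib.mkIf config.authentik.enable {
    kubernetes = {
      helm.releases.authentik = {
        chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
        includeCRDs = true;
        namespace = "authentik";

        values = {
          authentik = {
            email = {
              host = "mail.smtp2go.com";
              port = 2525;
              # The SMTP credentials are injected through AUTHENTIK_EMAIL__USERNAME /
              # AUTHENTIK_EMAIL__PASSWORD (resources.env below). Without STARTTLS they
              # would cross the network in clear text; port 2525 on smtp2go accepts
              # STARTTLS, so require it.
              use_tls = true;
              # RFC 5322 name-addr form: a display name must be followed by an
              # angle-bracketed addr-spec. Without the brackets the whole string is
              # parsed as one bare address and the From header is malformed.
              from = "Authentik <authentik@kun.is>";
            };
          };

          postgresql = {
            enabled = true;
            # `ref+sops://…` is a reference that is resolved at apply time (presumably
            # by a vals-style resolver; the resolver itself is configured elsewhere),
            # so no plaintext password lives in this file.
            auth.password = "ref+sops://secrets.yml#/authentik/postgresql_password";
            primary = {
              # The chart-managed PVC is disabled; storage comes from a hostPath on the
              # node the StatefulSet is pinned to (nodeName below), which ties the
              # database to that single node's filesystem.
              persistence.enabled = false;
              # Secret with POSTGRES_PASSWORD, declared under resources below.
              extraEnvVarsSecret = "postgresql-env";
              extraVolumes = [
                {
                  # Named "data" with no matching extraVolumeMounts entry — presumably
                  # this shadows the chart's own `data` volume so the hostPath is mounted
                  # at the chart's default data path. TODO confirm against the chart
                  # version in use; Redis below mounts its volume explicitly instead.
                  name = "data";

                  hostPath = {
                    path = "/mnt/longhorn/persistent/volumes/authentik-db";
                    type = "Directory";
                  };
                }
              ];
            };
          };

          redis = {
            enabled = true;
            master = {
              # Same pattern as PostgreSQL: no PVC, hostPath on the pinned node.
              persistence.enabled = false;
              extraVolumes = [
                {
                  name = "authentik-redis";
                  hostPath = {
                    path = "/mnt/longhorn/persistent/volumes/authentik-redis";
                    type = "Directory";
                  };
                }
              ];
              extraVolumeMounts = [
                {
                  mountPath = "/data";
                  name = "authentik-redis";
                }
              ];
            };
          };
        };
      };

      resources = let
        # NOTE(review): these are plain `value` entries, so once the sops references
        # are resolved the secrets sit in clear text inside the Deployment objects
        # (visible to anyone who can read Deployments in the namespace, and in etcd),
        # rather than only in a Secret. The postgresql-env Secret below is the better
        # pattern: move these four into a Secret and point each entry at it with
        # `valueFrom.secretKeyRef`. Not changed here because the chart may already
        # emit some of these names with a `value`, and an env entry carrying both
        # `value` and `valueFrom` is rejected by the API server — check the rendered
        # manifest before switching.
        env = {
          AUTHENTIK_POSTGRESQL__PASSWORD.value = "ref+sops://secrets.yml#/authentik/postgresql_password";
          AUTHENTIK_SECRET_KEY.value = "ref+sops://secrets.yml#/authentik/secret_key";
          AUTHENTIK_EMAIL__USERNAME.value = "ref+sops://secrets.yml#/smtp2go/username";
          AUTHENTIK_EMAIL__PASSWORD.value = "ref+sops://secrets.yml#/smtp2go/password";
        };
      in {
        # Consumed by the chart's PostgreSQL pod via extraEnvVarsSecret above; must
        # hold the same password as postgresql.auth.password.
        secrets.postgresql-env.stringData = {
          POSTGRES_PASSWORD = "ref+sops://secrets.yml#/authentik/postgresql_password";
        };

        # Patch the chart-rendered Deployments: both the server and the worker need
        # the database password, the signing secret and the SMTP credentials.
        deployments = {
          authentik-server.spec.template.spec.containers.server.env = env;
          authentik-worker.spec.template.spec.containers.worker.env = env;
        };

        # Pin both stateful workloads to the node that holds the hostPath
        # directories above; scheduling them anywhere else would start with an
        # empty (or missing) data directory.
        statefulSets.authentik-postgresql.spec.template.spec.nodeName = "atlas";
        statefulSets.authentik-redis-master.spec.template.spec.nodeName = "atlas";
      };
    };

    lab = {
      # Public hostname for the Authentik server. TLS termination and any access
      # policy for this ingress are handled by the `lab.ingresses` module, not
      # visible here.
      ingresses.authentik = {
        host = "authentik.kun.is";

        service = {
          name = "authentik-server";
          portName = "http";
        };
      };

      # Tailnet-only hostname for the same service.
      tailscaleIngresses = {
        tailscale-authentik = {
          host = "authentik";
          service = {
            name = "authentik-server";
            portName = "http";
          };
        };
      };
    };
  };
}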