# Authentik identity-provider module for the lab cluster.
#
# Enabling `authentik.enable` deploys the upstream authentik Helm chart
# (taken from nixhelm's chart derivations for the current system) together
# with its bundled PostgreSQL and Redis, the Longhorn volumes they persist
# to, and two ingresses: a public one and a Tailscale-only one.
#
# No secret material is written into this file: every credential is a
# `ref+sops://` reference into secrets.yml, which the deployment tooling is
# presumably expected to resolve at apply time (vals-style URIs — confirm
# against whatever renders these Helm values).
{ nixhelm, system, config, lib, ... }:
let
  cfg = config.authentik;

  # Build a sops reference for a key path inside secrets.yml.
  sopsRef = path: "ref+sops://secrets.yml#/${path}";

  # The bundled PostgreSQL password is needed both by the chart's database
  # sub-chart and by authentik's own connection settings; keep a single
  # source so the two references cannot drift apart.
  postgresPassword = sopsRef "authentik/postgresql_password";

  # Backend both ingresses route to: the authentik server's HTTP port.
  serverBackend = {
    name = "authentik-server";
    portName = "http";
  };
in
{
  options.authentik.enable = lib.mkEnableOption "authentik";

  config = lib.mkIf cfg.enable {
    kubernetes.helm.releases.authentik = {
      chart = nixhelm.chartsDerivations.${system}.authentik.authentik;
      includeCRDs = true;
      namespace = "authentik";

      values = {
        authentik = {
          secret_key = sopsRef "authentik/secret_key";
          postgresql.password = postgresPassword;
        };

        postgresql = {
          enabled = true;
          auth.password = postgresPassword;
          # Data lives on the "db" claim declared under `lab` below.
          primary.persistence.existingClaim = "db";
        };

        redis = {
          enabled = true;
          # Data lives on the "redis" claim declared under `lab` below.
          master.persistence.existingClaim = "redis";
        };

        email = {
          host = "mail.smtp2go.com";
          # NOTE(review): 2525 is a plain submission port and nothing in this
          # block enables TLS for the SMTP session; confirm the chart's TLS
          # setting is on (or defaults on) so the SMTP credentials are not
          # sent in the clear.
          port = 2525;
          username = sopsRef "smtp2go/username";
          password = sopsRef "smtp2go/password";
          # NOTE(review): the sender looks truncated ("Authentik " with no
          # address part) — confirm the full From value.
          from = "Authentik ";
        };
      };
    };

    lab = {
      # Longhorn-backed volumes referenced by the existingClaim settings above.
      longhorn.persistentVolumeClaim = {
        db = { volumeName = "authentik-db"; storage = "10Gi"; };
        redis = { volumeName = "authentik-redis"; storage = "5Gi"; };
      };

      # Public ingress for the identity provider.
      ingresses.authentik = {
        host = "authentik.kun.is";
        service = serverBackend;
      };

      # Tailnet-only ingress to the same backend.
      tailscaleIngresses.tailscale-authentik = {
        host = "authentik";
        service = serverBackend;
      };
    };
  };
}