# Clan service module for Zitadel (identity / IAM).
#
# Declares two roles, `controller` and `peer`, each backed by its own NixOS
# module under ./roles, plus a `perMachine` module that turns on
# `services.zitadel` with the shared settings below.
{ lib, ... }:
{
  _class = "clan.service";

  manifest = {
    name = "amarth-services/zitadel";
    description = "Zitadel service module";
    categories = [ "System" "Identity" "IAM" ];
    readme = builtins.readFile ./README.md;
  };

  roles = {
    #==========================================================================
    # Controller configuration
    #==========================================================================
    controller = {
      # No role-level options are exposed.
      interface.options = { };

      # The per-instance arguments are forwarded unchanged to the role module.
      perInstance = args: {
        nixosModule = lib.modules.importApply ./roles/controller.nix args;
      };
    };

    #==========================================================================
    # Peer configuration
    #==========================================================================
    peer = {
      # No role-level options are exposed.
      interface.options = { };

      # The per-instance arguments are forwarded unchanged to the role module.
      perInstance = args: {
        nixosModule = lib.modules.importApply ./roles/peer.nix args;
      };
    };
  };

  # This module does not branch on role: nothing here distinguishes a
  # controller from a peer before enabling Zitadel.
  # NOTE(review): confirm peers are meant to run a Zitadel instance too.
  perMachine = { instances, machine, ... }: {
    nixosModule = { config, ... }: {
      # NOTE(review): no `masterKeyFile` is set in this file; presumably a role
      # module or secrets tooling provides it. Confirm it points at a runtime
      # secret rather than a path that ends up in the world-readable Nix store.
      config.services.zitadel = {
        enable = true;

        settings = {
          # Zitadel listens on 9092 but advertises itself as
          # https://auth.amarth.cloud:443, so a TLS-terminating proxy is
          # presumably in front of it.
          # NOTE(review): confirm 9092 is reachable only through that proxy.
          Port = 9092;
          ExternalDomain = "auth.amarth.cloud";
          ExternalPort = 443;
          ExternalSecure = true;

          # Metrics and traces both use the OpenTelemetry exporter type.
          Metrics = { Type = "otel"; };
          Tracing = { Type = "otel"; };

          # NOTE(review): confirm which endpoints receive telemetry and that
          # the reported data is acceptable for an identity provider.
          Telemetry = { Enabled = true; };

          # Passwords and secrets are both hashed with argon2id.
          # NOTE(review): only the algorithm is selected here; no cost
          # parameters are given. Verify the effective argon2id time, memory
          # and thread settings on a running instance.
          SystemDefaults.PasswordHasher.Hasher.Algorithm = "argon2id";
          SystemDefaults.SecretHasher.Hasher.Algorithm = "argon2id";
        };
      };
    };
  };
}