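# Clan service definition for Zitadel (identity provider).
#
# - roles.controller.perInstance: emits one Zitadel setup step per service
#   instance, creating the organisation and its first human (admin) user.
# - perMachine: enables the Zitadel service and sets its runtime settings.
#
# NOTE(review): services.zitadel.masterKeyFile is not set anywhere in this
# file; presumably it is provided by another module. Confirm.
{ ... }:
{
  _class = "clan.service";
  manifest.name = "zitadel";

  roles = {
    controller = {
      # NOTE(review): `settings.hostName` and `settings.displayName` are read
      # in perInstance below, but no options are declared here. Confirm they
      # are declared elsewhere or that `settings` is freeform.
      interface = {
        options = { };
      };

      perInstance =
        {
          instanceName,
          settings,
          machine,
          roles,
          ...
        }:
        {
          # `...` added: NixOS module functions are called with more arguments
          # than `config`, so a closed `{ config }:` pattern fails to evaluate.
          nixosModule =
            { config, ... }:
            {
              config = {
                # NOTE(review): Zitadel setup steps are normally keyed by step
                # name (e.g. FirstInstance). Keying by instanceName presumably
                # relies on the instance being named accordingly. Confirm.
                services.zitadel.steps.${instanceName} = {
                  InstanceName = settings.hostName;
                  Org = {
                    Name = settings.displayName;
                    Human = {
                      UserName = "chris";
                      FirstName = "Chris";
                      LastName = "Kruining";
                      Email = {
                        Address = "chris@kruining.eu";
                        Verified = true;
                      };
                      # SECURITY: plaintext initial admin password. Everything
                      # under `steps` is rendered into the Nix store, which is
                      # readable by every local user, and this literal is also
                      # committed to version control. Treat the value as
                      # exposed: rotate it on any deployed instance and supply
                      # the initial password from a secrets-managed file that
                      # is read at runtime instead (the nixpkgs Zitadel module
                      # has `extraStepsPaths` for this; verify against the
                      # nixpkgs version in use).
                      # The literal is left in place rather than dropped, so
                      # that removing it does not silently fall back to
                      # whatever initial password Zitadel ships as a default.
                      Password = "KaasIsAwesome1!";
                    };
                  };
                };
              };
            };
        };
    };

    peer = { };
  };

  # Fixed: this attribute was spelled `pweMachine`, which is not a clan.service
  # hook, so the Zitadel service below would never have been enabled.
  perMachine =
    { instances, machine, ... }:
    {
      nixosModule =
        { config, ... }:
        {
          config = {
            services.zitadel = {
              enable = true;
              settings = {
                # Zitadel listens on 9092 while advertising https on 443.
                # NOTE(review): presumably a reverse proxy terminates TLS in
                # front of this port. Confirm, and confirm that 9092 is not
                # reachable directly from outside the host.
                Port = 9092;
                ExternalDomain = "auth.amarth.cloud";
                ExternalPort = 443;
                ExternalSecure = true;

                Metrics.Type = "otel";
                Tracing.Type = "otel";
                Telemetry.Enabled = true;

                SystemDefaults = {
                  # NOTE(review): argon2id is selected but no cost parameters
                  # (time / memory / threads) are set in this file. Confirm
                  # what Zitadel uses when they are omitted.
                  PasswordHasher.Hasher.Algorithm = "argon2id";
                  SecretHasher.Hasher.Algorithm = "argon2id";
                };
              };
            };
          };
        };
    };
}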