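# Clan service module for Zitadel (identity provider).
#
# Roles:
#   controller — runs the Zitadel server and owns the generated master key / initial admin password.
#   peer       — currently contributes no NixOS configuration.
#
# Fix: `files.masterKey` was missing the `;` after `mode = "0400"`, which Nix rejects as a
# parse error (every attribute binding, including the last, needs a terminator).
# Generalisation: the first-instance admin account was hard-coded; it is now an option set
# whose defaults equal the previous literals, so existing deployments evaluate unchanged.
{ lib, pkgs, ... }:
let
  inherit (builtins) readFile;
  inherit (lib) mkOption types;
in
{
  _class = "clan.service";

  manifest = {
    name = "amarth-services/zitadel";
    description = "Zitadel service module";
    categories = [ "System" "Identity" "IAM" ];
    readme = readFile ./README.md;
  };

  #==============================================================================================================
  # Controller configuration
  #==============================================================================================================
  roles.controller = {
    interface = {
      options = {
        hostName = mkOption {
          type = types.str;
          example = "auth.example.com";
          description = ''
            The domain at which zitadel will be hosted
          '';
        };

        displayName = mkOption {
          type = types.str;
          example = "My awesome org";
          description = ''
            The Name of the zitadel organisation
          '';
        };

        # Human admin account created by the FirstInstance step. Defaults preserve the values
        # this module used to hard-code; set them per deployment rather than relying on them.
        admin = {
          userName = mkOption {
            type = types.str;
            default = "chris";
            description = "Login name of the initial admin user";
          };
          firstName = mkOption {
            type = types.str;
            default = "Chris";
            description = "First name of the initial admin user";
          };
          lastName = mkOption {
            type = types.str;
            default = "Kruining";
            description = "Last name of the initial admin user";
          };
          email = mkOption {
            type = types.str;
            default = "chris@kruining.eu";
            description = "E-mail address of the initial admin user (marked as verified)";
          };
        };
      };
    };

    perInstance =
      { instanceName, settings, machine, roles, ... }:
      {
        nixosModule =
          { config, pkgs, ... }:
          let
            zitadelVars = config.clan.core.vars.generators.zitadel;
          in
          {
            clan.core.vars.generators.zitadel = {
              share = false;

              # Master key: deployed as a root-owned-by-zitadel, read-only secret file.
              files.masterKey = {
                deploy = true;
                secret = true;
                owner = "zitadel";
                group = "zitadel";
                mode = "0400";
              };

              # Initial admin password. `secret = false` is what makes `.value` readable at
              # evaluation time below, but it also means the password is stored as a
              # non-secret var and ends up in the world-readable Nix store with the
              # rendered Zitadel config. Treat it as bootstrap-only and rotate it after the
              # first login.
              files.initialAdminPassword = {
                deploy = false;
                secret = false;
              };

              runtimeInputs = with pkgs; [ pwgen ];

              script = ''
                pwgen 50 1 > "$out/initialAdminPassword"

                # https://zitadel.com/docs/self-hosting/manage/configure#masterkey
                # The master key has to be 32 bytes
                head -c 32 /dev/urandom > "$out/masterKey"
              '';
            };

            services.zitadel = {
              enable = true;
              masterKeyFile = zitadelVars.files.masterKey.path;

              settings = {
                # Zitadel listens on 9092 locally; ExternalPort/ExternalSecure describe the
                # public HTTPS endpoint, so a TLS-terminating reverse proxy for
                # `settings.hostName` is expected — this module does not configure one.
                Port = 9092;
                ExternalDomain = settings.hostName;
                ExternalPort = 443;
                ExternalSecure = true;

                Metrics.Type = "otel";
                Tracing.Type = "otel";
                Telemetry.Enabled = true;

                SystemDefaults = {
                  PasswordHasher.Hasher.Algorithm = "argon2id";
                  SecretHasher.Hasher.Algorithm = "argon2id";
                };
              };

              steps.FirstInstance = {
                InstanceName = settings.hostName;
                Org = {
                  Name = settings.displayName;
                  Human = {
                    UserName = settings.admin.userName;
                    FirstName = settings.admin.firstName;
                    LastName = settings.admin.lastName;
                    Email = {
                      Address = settings.admin.email;
                      Verified = true;
                    };
                    # NOTE(review): pwgen output ends with a newline; confirm `.value` strips it,
                    # otherwise the configured password will not match the generated file.
                    Password = zitadelVars.files.initialAdminPassword.value;
                  };
                };
              };
            };
          };
      };
  };

  #==============================================================================================================
  # Peer configuration
  #==============================================================================================================
  roles.peer = {
    interface = {
      options = { };
    };

    perInstance =
      { instanceName, settings, machine, roles, ... }:
      {
        # Peers currently get no configuration from this service.
        nixosModule = { };
      };
  };
}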