{ instanceName, settings, machine, roles, config, pkgs, ... }: {
  config = {
    clan.core.vars.generators = {
      zitadel = {
        share = false;

        files.initial-admin-password = { secret = true; deploy = true; };

        runtimeInputs = with pkgs; [ pwgen ];

        script = ''
          pwgen 50 1 > "$out/token"
        '';
      };
    };

    services.zitadel.steps.${instanceName} = {
      InstanceName = settings.hostName;

      Org = {
        Name = settings.displayName;
        Human = {
          UserName = "chris";
          FirstName = "Chris";
          LastName = "Kruining";
          Email = {
            Address = "chris@kruining.eu";
            Verified = true;
          };
          Password = config.clan.core.vars.generators.zitadel.initial-admin-password.value;
        };
      };
    };
  };
}