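# clan service module: runs pocket-id (an OIDC provider with passkey login)
# behind nginx with ACME-issued TLS, using a clan-managed encryption key.
#
# Interface: one role ("default") with a single option, `domain`, which is
# the host label prepended to the machine's FQDN to form the public hostname.
{ lib, ... }:
{
  _class = "clan.service";
  manifest.name = "pocket-id";
  manifest.description = "A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.";
  manifest.categories = [ "System" ];

  roles.default = {
    interface.options = {
      domain = lib.mkOption {
        type = lib.types.str;
        default = "auth";
        description = "Host label prepended to this machine's FQDN to form the public hostname pocket-id is served on (e.g. the default yields auth.<fqdn>).";
      };
    };

    perInstance =
      { settings, ... }:
      {
        nixosModule =
          { config, pkgs, ... }:
          let
            # Public hostname: nginx vhost name and the base of APP_URL.
            domain = "${settings.domain}.${config.networking.fqdn}";
            cfg = config.services.pocket-id;
          in
          {
            # The encryption key is generated once by clan vars and deployed as a
            # secret file owned by the pocket-id service account.
            clan.core.vars.generators.pocket-id = {
              files.encryption-key = {
                owner = cfg.user;
                group = cfg.group;
                secret = true;
              };
              runtimeInputs = [ pkgs.pwgen ];
              # 32 random characters. NOTE(review): pwgen writes a trailing
              # newline; confirm pocket-id tolerates it in ENCRYPTION_KEY_FILE.
              script = ''
                pwgen -s 32 1 > $out/encryption-key
              '';
            };

            services.pocket-id = {
              enable = true;
              settings = {
                ENCRYPTION_KEY_FILE = config.clan.core.vars.generators.pocket-id.files.encryption-key.path;
                APP_ENV = "production";
                APP_URL = "https://${domain}";
                # pocket-id honours X-Forwarded-* headers from the nginx proxy.
                # NOTE(review): no bind address (HOST) is set here; if pocket-id
                # listens on a non-loopback interface, a client reaching it
                # directly could supply its own forwarded headers — confirm the
                # bind address and restrict it to loopback if needed.
                TRUST_PROXY = true;
                PORT = 1411;
                # Settings come only from this module, not from the web UI.
                UI_CONFIG_DISABLED = true;
              };
            };

            # TLS-terminating reverse proxy in front of pocket-id.
            services.nginx.virtualHosts."${domain}" = {
              forceSSL = true;
              enableACME = true;
              locations."/" = {
                proxyPass = "http://localhost:${toString cfg.settings.PORT}";
                # Without this nginx sends no X-Forwarded-* headers, so
                # TRUST_PROXY above would have nothing to trust and pocket-id
                # would see every client as 127.0.0.1 (affecting its logs and
                # any per-client limits). No-op if already enabled globally.
                recommendedProxySettings = true;
              };
            };
          };
      };
  };
}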