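# Clan service definition that deploys Pocket ID, an OIDC provider that
# authenticates users with passkeys, together with a generated encryption key.
{ ... }:
{
  _class = "clan.service";
  manifest.name = "pocket-id";
  manifest.description = "A simple and easy-to-use OIDC provider that allows users to authenticate with their passkeys to your services.";
  manifest.categories = [ "System" ];

  roles.default = {
    perInstance.nixosModule =
      {
        config,
        pkgs,
        lib,
        ...
      }:
      {
        # Generates the key that Pocket ID reads through ENCRYPTION_KEY_FILE.
        # NOTE(review): data under dataDir is presumably encrypted with this key;
        # regenerating the var, or restoring a backup without the matching key,
        # would likely leave that data unreadable. Confirm, and keep key and
        # backups together in the recovery procedure.
        clan.core.vars.generators.pocket-id = {
          files = {
            encryption-key = {
              # Ownership goes to the service account so the daemon can read the
              # deployed file without widening access to other users.
              # NOTE(review): the file mode is left at the clan default; confirm it
              # is not group- or world-readable.
              owner = config.services.pocket-id.user;
              group = config.services.pocket-id.group;
              # Marked as a secret var, so it is handled by the clan secret store
              # rather than being written out as a plain value.
              secret = true;
            };
          };
          runtimeInputs = [ pkgs.pwgen ];
          # pwgen -s emits one 32-character random alphanumeric string
          # (about 190 bits). "$out" is quoted so the redirect target is not
          # word-split if the output directory path contains whitespace.
          script = ''
            pwgen -s 32 1 > "$out"/encryption-key
          '';
        };

        # Registers the data directory as clan state. The encryption key is not
        # stored in this folder; it lives in clan vars.
        clan.core.state.pocket-id.folders = [ config.services.pocket-id.dataDir ];

        # NOTE(review): no public URL, TLS or reverse proxy is configured here.
        # Passkeys (WebAuthn) require a secure origin, so the consuming machine
        # configuration is expected to provide that.
        services.pocket-id = {
          # mkDefault lets the consuming configuration override these values.
          enable = lib.mkDefault true;
          settings = {
            # Only the path to the key is placed in the settings, never the key.
            ENCRYPTION_KEY_FILE = config.clan.core.vars.generators.pocket-id.files.encryption-key.path;
            PORT = lib.mkDefault 1411;
            ANALYTICS_DISABLED = lib.mkDefault true;
            # Presumably blocks configuration changes through the web UI, keeping
            # the declared settings authoritative. Verify against upstream docs.
            UI_CONFIG_DISABLED = lib.mkDefault true;
          };
        };
      };
  };
}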