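# NixOS VM test for the xyno.services.authentik module.
#
# Boots one machine with an OAuth app, an LDAP app and a proxy app configured,
# then waits for the config, proxy and LDAP outpost units to come up.
#
# The multi-line strings are written one entry per line: an environment file
# and a Python test script both need real line breaks to be parsed.
{
  name = "authentik";

  nodes.machine = { lib, config, pkgs, ... }: {
    virtualisation = {
      cores = 3;
      memorySize = 2048;
    };

    xyno.services.authentik = {
      enable = true;
      # Plain HTTP is only used against the loopback address inside the test VM.
      url = "http://[::1]:9000";
      oauthApps."app1".name = "app1-name";
      ldapApps."app2".name = "app2-name";
      proxyApps."app3".name = "app3-name";
      proxyApps."app3".externalHost = "https://test.example.org";
    };

    # Override the module's environment file with a static one, so the test
    # does not depend on a decrypted secret.
    # NOTE(review): presumably the module default is a sops-managed path - confirm.
    services.authentik.environmentFile = lib.mkForce "/etc/authentik-env";
    sops.defaultSopsFile = ../../../secrets/common.yaml;

    # TEST-ONLY credentials. `environment.etc.<name>.text` is built into the
    # Nix store, which is world-readable, and these values are committed to the
    # repository. They must never be reused for a real deployment: anyone who
    # knows the secret key or the bootstrap token of a live instance can
    # compromise it. Real instances should keep these values in an encrypted
    # secret that is only decrypted at runtime.
    environment.etc."authentik-env".text = ''
      AUTHENTIK_SECRET_KEY=db6363ba033b111c6835489c5c0aca5ec192c20ee1ea3116a601065c3b118c3d
      AUTHENTIK_BOOTSTRAP_TOKEN=75c041b7e79aac71ff0a74f7905c9f818ab2f0d21d8618fa5fd753f9e57a02f8
    '';

    # NOTE(review): this points the test at the encrypted secrets file of a
    # real instance (ds9). The service reads /etc/authentik-env instead (see
    # the forced environmentFile above); confirm the test never has to decrypt
    # this file and that no instance key material is made available to the VM.
    sops.secrets."authentik/env" = lib.mkForce {
      sopsFile = ../../../instances/ds9/secrets/authentik.yaml;
    };
  };

  # NOTE(review): the `cat` below writes the generated app1 environment file
  # into the test log. Presumably it holds credentials generated for app1;
  # these are throwaway values inside the VM, but confirm that before
  # publishing test logs, and do not copy this pattern to a host with real
  # data.
  testScript = ''
    machine.wait_for_unit("authentik-config.service")
    print(machine.succeed("cat /run/authentik-terraform-config/app1_environment"))
    machine.wait_for_unit("authentik-proxy.service")
    machine.wait_for_unit("authentik-ldap.service")
  '';
}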