{ config, ... }:
{
    sops.templates."authentik-credentials.yaml" = {
        mode = "0444";
        content = ''
            apiVersion: v1
            kind: Secret
            metadata:
                name: authentik-credentials
                namespace: authentik
            type: Opaque
            stringData:
                admin-password: ${config.sops.placeholder.authentik_admin_password}
                authentik-secret-key: ${config.sops.placeholder.authentik_secret_key}
                replication-password: ${config.sops.placeholder.authentik_replication_password}
                smtp-password: ${config.sops.placeholder.authentik_smtp_password}
                user-password: ${config.sops.placeholder.authentik_user_password}
            ---
            apiVersion: v1
            kind: Secret
            metadata:
                name: authentik-db-auth
                namespace: authentik
            type: Opaque
            stringData:
                password: ${config.sops.placeholder.authentik_db_password}
            ---
            apiVersion: v1
            kind: Secret
            metadata:
                name: authentik-files
                namespace: authentik
            type: Opaque
            stringData:
                AWS_ACCESS_KEY_ID: ${config.sops.placeholder.authentik_files_keyid}
                AWS_SECRET_ACCESS_KEY: ${config.sops.placeholder.authentik_files_keysecret}
        '';
        path = "/var/lib/rancher/k3s/server/manifests/secrets/authentik-credentials.yaml";
    };
}