{
  pkgs,
  authentik-version,
  nixosModules,
  mkAuthentikScope,
}:

/*
  This is just meant as a demonstration on how to override the scope which includes the
  authentik components. This is an extended version of ./minimal-vmtest.nix

  First, a new scope is created from the default one using `overrideScope` on the result
  from `mkAuthentikScope`.
  Components with overrides in that scope are used by their dependents, i.e. dependents
  of `pythonEnv` (e.g. gopkgs) also pull in that overridden `pythonEnv`
  Then, that scope is passed to the module via the `services.authentik.authentikComponents` option
  And finally, the test script checks if the patched welcome string is present.
*/

let
  customWelcome = "Welcome to custom authentik";

  # creates a new scope using python 3.12 for mkPoetryEnv
  # and overrides the welcome string for the default oobe intial-setup flow
  customScope = (mkAuthentikScope { inherit pkgs; }).overrideScope (
    final: prev: {
      authentikComponents = prev.authentikComponents // {
        pythonEnv = prev.authentikComponents.pythonEnv.overrideAttrs (_: {
          python = pkgs.python312;
        });
        staticWorkdirDeps = prev.authentikComponents.staticWorkdirDeps.overrideAttrs (oA: {
          buildCommand =
            oA.buildCommand
            + ''
              rm -v $out/blueprints
              cp -vr ${prev.authentik-src}/blueprints $out/blueprints
              substituteInPlace $out/blueprints/default/flow-oobe.yaml \
                --replace "Welcome to authentik" "${customWelcome}"
            '';
        });
      };
    }
  );
in
pkgs.testers.runNixOSTest {
  name = "authentik";
  nodes = {
    authentik = {
      virtualisation = {
        cores = 3;
        memorySize = 3072;
      };
      imports = [
        nixosModules.default
        "${pkgs.path}/nixos/tests/common/user-account.nix"
        "${pkgs.path}/nixos/tests/common/x11.nix"
      ];

      # Keep in mind that the secret still ends up in the store and is world-readable because the
      # systemd-tmpfiles config lands in the store.
      # This is just a trick to not pass a store-path (which is prohibited) to `environmentFile`
      # without having to integrate secret managers like agenix or sops-nix into the test.
      # Don't do this in production.
      systemd.tmpfiles.rules = [
        "f /etc/authentik.env 0700 root root - AUTHENTIK_SECRET_KEY=notastorepath"
      ];

      services.authentik = {
        enable = true;
        environmentFile = "/etc/authentik.env";
        nginx = {
          enable = true;
          host = "localhost";
        };
        # pass authentikComponents with patched pythonEnv and staticWorkdirDeps
        inherit (customScope) authentikComponents;
        settings.disable_update_check = true;
      };

      services.xserver.enable = true;
      test-support.displayManager.auto.user = "alice";
      environment.systemPackages = with pkgs; [
        firefox
        xdotool
      ];
    };
  };

  enableOCR = true;

  # TODO maybe use bootstrap env vars instead of testing manual workflow?
  testScript = ''
    start_all()

    authentik.wait_for_unit("postgresql.service")
    authentik.wait_for_unit("authentik-migrate.service")
    authentik.wait_for_unit("authentik-worker.service")
    authentik.wait_for_unit("authentik.service")
    authentik.wait_for_open_port(9000)
    authentik.wait_until_succeeds("curl -fL http://localhost:9000/if/flow/initial-setup/ >&2")

    with subtest("Frontend renders"):
        machine.succeed("su - alice -c 'firefox http://localhost:9000/if/flow/initial-setup/' >&2 &")
        machine.wait_for_text("${customWelcome}")
        machine.screenshot("1_rendered_frontend")

    with subtest("admin account setup works"):
        machine.send_key("tab")
        machine.send_key("tab")
        machine.send_chars("akadmin@localhost")
        machine.send_key("tab")
        machine.send_chars("foobar")
        machine.send_key("tab")
        machine.send_chars("foobar")
        machine.send_key("ret")
        machine.wait_for_text("My applications")
        machine.send_key("esc")
        machine.screenshot("2_initial_setup_successful")

    with subtest("admin settings render and version as expected"):
        machine.succeed("su - alice -c 'firefox http://localhost:9000/if/admin/' >&2 &")
        machine.wait_for_text("General system status")
        machine.screenshot("3_rendered_admin_interface")
        machine.succeed("su - alice -c 'xdotool click 1' >&2")
        machine.succeed("su - alice -c 'xdotool key --delay 100 Page_Down' >&2")
        # sometimes the cursor covers the version string
        machine.succeed("su - alice -c 'xdotool mousemove_relative 50 50' >&2")
        machine.wait_for_text("${builtins.replaceStrings [ "." ] [ ".?" ] authentik-version}")
        machine.screenshot("4_correct_version_in_admin_interface")

    with subtest("nginx proxies to authentik"):
        machine.succeed("su - alice -c 'firefox http://localhost/' >&2 &")
        machine.wait_for_text("authentik")
        machine.screenshot("5_nginx_proxies_requests")
  '';
}