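{ config, ... }:
let
  # All four Authelia secrets come from the same sops-encrypted YAML file,
  # are owned by the service user, and restart the instance when their
  # decrypted value changes. One helper keeps the declarations from drifting
  # apart (the originals repeated identical fields in varying order).
  mkAutheliaSecret = key: {
    format = "yaml";
    sopsFile = ../../secrets/auth01/secrets.yaml;
    inherit key;
    restartUnits = [ "authelia-auth.service" ];
    owner = "authelia-auth";
    group = "authelia-auth";
  };
in
{
  # sops-nix materialises each secret at config.sops.secrets.<name>.path,
  # outside the Nix store; only those paths are referenced below, never the
  # secret values themselves.
  sops.secrets = {
    authelia_ldap_password = mkAutheliaSecret "authelia_ldap_password";
    authelia_jwt_secret = mkAutheliaSecret "authelia_jwt_secret";
    authelia_storage_encryption_key_file = mkAutheliaSecret "authelia_storage_encryption_key_file";
    authelia_session_secret = mkAutheliaSecret "authelia_session_secret";
  };

  services.authelia.instances."auth" = {
    enable = true;

    # Authelia reads these two secrets from the files named by the *_FILE
    # variables, so their values do not enter the rendered settings file.
    environmentVariables = {
      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets.authelia_ldap_password.path;
      AUTHELIA_SESSION_SECRET_FILE = config.sops.secrets.authelia_session_secret.path;
    };

    # The remaining two secrets go through the NixOS module's own file options.
    secrets = {
      jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
      storageEncryptionKeyFile = config.sops.secrets.authelia_storage_encryption_key_file.path;
    };

    settings = {
      # Any resource without an explicit rule requires a second factor.
      access_control = {
        default_policy = "two_factor";
      };

      session = {
        # Kept by the author for reference; presumably the earlier approach
        # of templating the secret in, superseded by AUTHELIA_SESSION_SECRET_FILE above.
        # secret = "{{- fileContent \"${config.sops.secrets.authelia_session_secret.path}\" }}";
        cookies = [
          {
            domain = "home.2rjus.net";
            authelia_url = "https://auth.home.2rjus.net";
            default_redirection_url = "https://dashboard.home.2rjus.net";
            name = "authelia_session";
            same_site = "lax";
            inactivity = "1h";
            expiration = "24h";
            remember_me = "30d";
          }
        ];
      };

      # NOTE(review): the filesystem notifier writes every notification,
      # including password-reset links (password_reset is enabled below),
      # to this file instead of sending mail — confirm this is intended
      # beyond testing.
      notifier = {
        filesystem.filename = "/var/lib/authelia-auth/notification.txt";
      };

      storage = {
        local.path = "/var/lib/authelia-auth/db.sqlite3";
      };

      authentication_backend = {
        password_reset = {
          disable = false;
        };
        # Unencrypted ldap:// is only acceptable because the bind target is
        # the loopback address; the bind password itself is supplied through
        # the *_FILE environment variable above, not through settings.
        ldap = {
          address = "ldap://127.0.0.1:3890";
          implementation = "lldap";
          timeout = "5s";
          base_dn = "dc=home,dc=2rjus,dc=net";
          user = "uid=authelia_ldap_user,ou=people,dc=home,dc=2rjus,dc=net";
          # password = "{{- fileContent \"${config.sops.secrets.authelia_ldap_password.path}\" -}}";
        };
      };
    };
  };
}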