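# NixOS module: a single Authelia instance ("main") that keeps its sessions in
# a dedicated local Redis reached over a unix socket. Every hostname is derived
# from networking.fqdn so the module follows the machine it is deployed on.
{ config, ... }:
let
  inherit (config.networking) fqdn;
in
{
  services.authelia.instances.main = {
    enable = true;

    # SECURITY: builtins.toFile places the file contents in /nix/store, which is
    # readable by every local user and is shipped to any binary cache or remote
    # builder. All three secrets below are therefore effectively public on this
    # host. Outside of a throwaway test, point these options at files that live
    # outside the store (deployed by a secrets tool or by hand, mode 0400) and
    # generate each value with a CSPRNG; the literals here are fixed,
    # low-entropy placeholders and must not be reused in production.
    secrets = {
      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
      # Store-path name aligned with the two entries above ("aauthelia-…" was a typo).
      sessionSecretFile = builtins.toFile "authelia-sessionSecretFile" "supersecretkey";
    };

    settings = {
      theme = "dark";
      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
      # Loopback only: a reverse proxy in front is expected to terminate TLS
      # and forward to this port; nothing else should reach it directly.
      server.address = "127.0.0.1:3001";
      # "debug" is verbose and records request details; drop to "info" once
      # the deployment is known to work.
      log = {
        level = "debug";
        format = "text";
      };
      # Users come from a YAML file managed outside Nix (not a store path).
      authentication_backend = {
        file = {
          path = "/var/lib/authelia-main/users_database.yml";
        };
      };
      # Deny by default. Only the portal host is reachable without a login;
      # every other subdomain of the fqdn needs at least one factor.
      access_control = {
        default_policy = "deny";
        rules = [
          { domain = [ "auth.${fqdn}" ]; policy = "bypass"; }
          { domain = [ "*.${fqdn}" ]; policy = "one_factor"; }
        ];
      };
      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me = "1M";
        # Cookie domain: one session is shared by all subdomains of fqdn.
        domain = "${fqdn}";
        # Same socket as services.redis.servers.authelia-main below; no TCP.
        redis.host = "/run/redis-authelia-main/redis.sock";
      };
      # Brute-force regulation: presumably three failed attempts inside the
      # 5m window lock the account for 15m — confirm against the Authelia
      # docs for the deployed version.
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };
      storage = {
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };
      # Notifications are appended to a local file instead of being sent;
      # suitable for development only, since e.g. reset links end up on disk.
      notifier = {
        disable_startup_check = false;
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
    };
  };

  # Redis for Authelia sessions: no TCP listener (port = 0), unix socket only,
  # owned by the authelia-main user with mode 0600 so no other local account
  # can read or tamper with session state.
  services.redis.servers.authelia-main = {
    enable = true;
    user = "authelia-main";
    port = 0;
    unixSocket = "/run/redis-authelia-main/redis.sock";
    unixSocketPerm = 600;
  };

  # Disabled OpenLDAP backend, kept for reference.
  # services.openldap = {
  #   enable = true;
  #   # enable plain connections only
  #   urlList = [ "ldap:///" ];
  #   settings = {
  #     attrs = {
  #       olcLogLevel = "conns config";
  #     };
  #     children = {
  #       # "cn=schema".includes = [
  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
  #       # ];
  #       "olcDatabase={1}mdb".attrs = {
  #         objectClass = [
  #           "olcDatabaseConfig"
  #           "olcMdbConfig"
  #         ];
  #         olcDatabase = "{1}mdb";
  #         olcDbDirectory = "/var/lib/openldap/data";
  #         olcSuffix = "dc=example,dc=com";
  #         # your admin account, do not use writeText on a production system
  #         olcRootDN = "cn=admin,dc=example,dc=com";
  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
  #         olcAccess = [
  #           # custom access rules for userPassword attributes
  #           ''
  #             {0}to attrs=userPassword
  #             by self write
  #             by anonymous auth
  #             by * none''
  #           # allow read on anything else
  #           ''
  #             {1}to *
  #             by * read''
  #         ];
  #       };
  #     };
  #   };
  # };
}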