diff --git a/sys/srv/authelia.nix b/sys/srv/authelia.nix
new file mode 100644
index 0000000..914ff47
--- /dev/null
+++ b/sys/srv/authelia.nix
@@ -0,0 +1,106 @@
+{
+ lib,
+ pkgs,
+ ...
+}:
+with lib; {
+ systemd.services.authelia.serviceConfig.LoadCredential = ["storageEncryptionKeyFile.txt:/var/trust/authelia/storageEncryptionKeyFile.csv" "jwtSecretFile.txt:/var/trust/authelia/jwtSecretFile.csv"];
+
+ services = {
+ nginx = {
+ virtualHosts."auth.posixlycorrect.com" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ authelia.instances.main = {
+ enable = true;
+ # config based on https://github.com/authelia/authelia/blob/master/config.template.yml
+ settings = {
+ secrets = {
+ jwtSecretFile = "TODO:";
+ storageEncryptionKeyFile = "TODO:";
+ };
+
+ theme = "dark";
+ default_2fa_method = "totp";
+ server = {
+ disable_healthcheck = true;
+ port = 9091;
+ host = "localhost";
+ address = "tcp://:9091/";
+ };
+ # tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53
+ log = {
+ level = "info";
+ format = "text";
+ };
+ telemetry.enabled = false;
+ totp = {
+ disable = false;
+ issuer = "https://getaegis.app/ or whatever you prefer";
+ # default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
+ };
+ webauthn = {
+ disable = false;
+ # default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
+ };
+ duo_api.disable = true;
+ # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266
+ authentication_backend.file = {
+ path = "/var/trust/authelia/users_database.yml"; #TODO:
+ password.algorithm = "argon2";
+ password_policy.zxcvbn = {
+ enable = true;
+ min_score = 3;
+ };
+ };
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = "meet.posixlycorrect.com";
+ policy = "bypass";
+ }
+ ];
+ };
+ session = {
+ cookies = {
+ name = "posixlycorrect_session";
+ domain = "auth.posixlycorrect.com";
+ authelia_url = "https://auth.posixlycorrect.com";
+ same_site = "lax";
+
+ # see https://github.com/authelia/authelia/blob/master/config.template.yml#L756
+ inactivity = "5 minutes";
+ expiration = "1 hour";
+ remember_me = "1 month";
+ };
+
+ # see https://github.com/authelia/authelia/blob/master/config.template.yml#L774
+ name = "authelia_session";
+ same_site = "lax";
+ inactivity = "5m";
+ expiration = "1h";
+ remember_me = "1M";
+ };
+
+ regulation = {
+ max_retries = 3;
+ find_time = "2 minutes";
+ ban_time = "5 minutes";
+ };
+
+ storage.local.path = "/var/trust/authelia/db.sqlite3"; #TODO:
+
+ # TODO:
+ #notifier.smtp = {
+
+ #};
+
+ # TODO: voy por acá: https://github.com/authelia/authelia/blob/master/config.template.yml#L714
+ };
+ };
+ };
+}
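Review bot: `server.address = "tcp://:9091/"` binds every interface, while the `host = "localhost"` / `port = 9091` pair next to it is the deprecated spelling of the same setting and suggests loopback was intended; with nginx fronting the portal, prefer `address = "tcp://127.0.0.1:9091/";` and drop the two legacy keys. The `LoadCredential` entries stage `storageEncryptionKeyFile.txt` and `jwtSecretFile.txt`, but nothing consumes them: `settings.secrets.*` is still `"TODO:"`, and if I read the NixOS module correctly the `secrets.jwtSecretFile` / `secrets.storageEncryptionKeyFile` options sit on the instance as siblings of `settings` (and wire LoadCredential into the `authelia-main` unit themselves), so keys placed under `settings` would land in the generated configuration as unknown options. `session.cookies.domain` is `auth.posixlycorrect.com`, which scopes the session cookie to the portal host alone and leaves the bypass rule for `meet.posixlycorrect.com` outside any cookie domain; for site-wide SSO the cookie domain would be the parent zone `posixlycorrect.com`. The legacy `session.name` / `same_site` / `inactivity` / `expiration` / `remember_me` keys duplicate the `cookies` block with different duration spellings, so keep only the `cookies` form. The `auth.posixlycorrect.com` virtual host obtains a certificate but has no `locations` entry proxying to the Authelia listener, so the portal is not reachable through nginx as written.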