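# NixOS module: Authelia SSO instance "main" fronted by nginx on
# auth.posixlycorrect.com. Still a work in progress — several values are
# TODO placeholders (marked below).
{ lib, pkgs, ... }:
with lib; {
  # Hand the secret files to the service as systemd credentials; the name left
  # of the colon is the file name the service sees under $CREDENTIALS_DIRECTORY.
  systemd.services.authelia.serviceConfig.LoadCredential = [
    "storageEncryptionKeyFile.txt:/var/trust/authelia/storageEncryptionKeyFile.csv"
    "jwtSecretFile.txt:/var/trust/authelia/jwtSecretFile.csv"
  ];

  services = {
    nginx = {
      # TLS-terminating front end for the portal; no proxy locations are
      # defined yet.
      virtualHosts."auth.posixlycorrect.com" = {
        enableACME = true;
        forceSSL = true;
      };
    };

    authelia.instances.main = {
      enable = true;

      # config based on https://github.com/authelia/authelia/blob/master/config.template.yml
      settings = {
        # TODO: placeholder values.
        # NOTE(review): the NixOS module exposes these paths as instance-level
        # options (services.authelia.instances.main.secrets.jwtSecretFile and
        # .storageEncryptionKeyFile), not under `settings` — verify against the
        # module's options before relying on this block.
        secrets = {
          jwtSecretFile = "TODO:";
          storageEncryptionKeyFile = "TODO:";
        };

        theme = "dark";
        default_2fa_method = "totp";

        server = {
          disable_healthcheck = true;
          # NOTE(review): `host`/`port` are the legacy form of `address`, and
          # `address` as written binds every interface while host = "localhost"
          # suggests loopback was intended. Keep one form and confirm which is
          # honoured by the deployed Authelia version.
          port = 9091;
          host = "localhost";
          address = "tcp://:9091/";
        };
        # tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53

        log = {
          level = "info";
          format = "text";
        };

        telemetry.enabled = false;

        totp = {
          disable = false;
          # TODO: the issuer is the label shown in the authenticator app; this
          # string is still a placeholder.
          issuer = "https://getaegis.app/ or whatever you prefer";
          # default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
        };

        webauthn = {
          disable = false;
          # default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
        };

        duo_api.disable = true;

        # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266

        authentication_backend.file = {
          path = "/var/trust/authelia/users_database.yml";
          # TODO:
          password.algorithm = "argon2";
        };

        # Moved out of authentication_backend.file: Authelia defines
        # password_policy at the top level of the configuration.
        password_policy.zxcvbn = {
          enable = true;
          min_score = 3;
        };

        access_control = {
          default_policy = "deny";
          rules = [
            {
              domain = "meet.posixlycorrect.com";
              policy = "bypass";
            }
          ];
        };

        session = {
          # see https://github.com/authelia/authelia/blob/master/config.template.yml#L756
          # Authelia expects `cookies` as a list, one entry per cookie domain.
          cookies = [
            {
              name = "posixlycorrect_session";
              # NOTE(review): the cookie is scoped to the auth host only, so
              # applications on sibling subdomains would not receive it;
              # presumably the parent domain is wanted once non-bypass rules
              # are added — confirm.
              domain = "auth.posixlycorrect.com";
              authelia_url = "https://auth.posixlycorrect.com";
              same_site = "lax";
              inactivity = "5 minutes";
              expiration = "1 hour";
              remember_me = "1 month";
            }
          ];
          # see https://github.com/authelia/authelia/blob/master/config.template.yml#L774
          # Legacy single-domain session settings, kept alongside `cookies`.
          name = "authelia_session";
          same_site = "lax";
          inactivity = "5m";
          expiration = "1h";
          remember_me = "1M";
        };

        # Brute-force regulation: lock out after 3 failures within 2 minutes.
        regulation = {
          max_retries = 3;
          find_time = "2 minutes";
          ban_time = "5 minutes";
        };

        storage.local.path = "/var/trust/authelia/db.sqlite3";

        # TODO: notifier is still unconfigured, e.g.
        #notifier.smtp = {
        #};
        # TODO: continue from here: https://github.com/authelia/authelia/blob/master/config.template.yml#L714
      };
    };
  };
}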