# NixOS module for the Authelia instance "escapeangle": LLDAP as the user
# store, PostgreSQL for persistent storage, SMTP notifications, three OIDC
# relying parties (Forgejo, Headscale, Mealie) and an nginx front-end on
# auth.escapeangle.com. Every credential except the PostgreSQL one is a
# sops-managed file owned by the instance's service user.
{ config, lib, ... }:
let
  sopsSecrets = config.sops.secrets;

  # The NixOS Authelia module runs each instance as "authelia-<instance>";
  # the sops files below are owned by that user so the daemon can read them.
  autheliaUser = "authelia-escapeangle";

  sopsSecretNames = [
    "authelia/hmac_secret"
    "authelia/jwks"
    "authelia/jwt_secret"
    "authelia/session_secret"
    "authelia/storage_encryption_key"
    "authelia/lldap_authelia_password"
    "authelia/smtp_password"
  ];

  # Settings shared by all three OIDC clients: confidential clients doing the
  # authorization-code flow with PKCE, authenticating to the token endpoint
  # with HTTP Basic, and receiving opaque (non-JWT, "none") access tokens and
  # unsigned userinfo responses.
  oidcClientDefaults = {
    public = false;
    authorization_policy = "two_factor";
    require_pkce = true;
    response_types = [ "code" ];
    grant_types = [ "authorization_code" ];
    access_token_signed_response_alg = "none";
    userinfo_signed_response_alg = "none";
    token_endpoint_auth_method = "client_secret_basic";
  };
in
{
  services = {
    authelia.instances.escapeangle = {
      enable = true;

      settings = {
        theme = "auto";

        authentication_backend = {
          ldap = {
            # LLDAP on the same host; {username_attribute}, {input} and {dn}
            # are Authelia's filter placeholders.
            address = "ldap://localhost:3890";
            base_dn = "dc=escapeangle,dc=com";
            users_filter = "(&({username_attribute}={input})(objectClass=person))";
            groups_filter = "(&(member={dn})(objectClass=groupOfUniqueNames))";
            # Bind DN; its password is supplied through
            # AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE (see environmentVariables).
            user = "uid=authelia,ou=people,dc=escapeangle,dc=com";
          };
        };

        access_control = {
          # Deny anything no rule matches. mkAfter keeps this wildcard rule
          # behind any more specific rules other modules add to the list.
          default_policy = "deny";
          rules = lib.mkAfter [
            {
              domain = "*.escapeangle.com";
              policy = "one_factor";
            }
          ];
        };

        storage = {
          postgres = {
            address = "db-01.tailnet.escapeangle.com";
            database = "authelia";
            username = "authelia";
            # Author's note: using peer auth.
            # NOTE(review): PostgreSQL peer authentication only applies to local
            # Unix-socket connections; for a TCP connection to a named host the
            # server's pg_hba rule decides whether this literal is ever checked.
            # If it is checked, this is a weak, committed credential — prefer
            # AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE from sops, as done for the
            # LDAP and SMTP passwords. Confirm against the server's pg_hba.conf.
            password = "authelia";
          };
        };

        session = {
          cookies = [
            {
              domain = "escapeangle.com";
              authelia_url = "https://auth.escapeangle.com";
              # Authelia duration notation: uppercase M is months, y is years.
              # A one-month inactivity window is generous — deliberate for a
              # home deployment, presumably; revisit if exposure grows.
              inactivity = "1M";
              expiration = "3M";
              remember_me = "1y";
            }
          ];
        };

        notifier = {
          smtp = {
            address = "smtp://mail.escapeangle.com:587";
            username = "authelia@escapeangle.com";
            sender = "authelia@escapeangle.com";
            # Password comes from AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE (see environmentVariables).
          };
        };

        log = {
          level = "info";
        };

        identity_providers = {
          oidc = {
            cors = {
              # Allow browser CORS on the token endpoint for origins derived
              # from each client's registered redirect URIs.
              endpoints = [ "token" ];
              allowed_origins_from_client_redirect_uris = true;
            };

            authorization_policies = {
              # Named policy: one_factor, except members of the read-only LLDAP
              # group are denied outright.
              # NOTE(review): none of the clients below reference this policy
              # (all use "two_factor"); confirm it is intentionally unused here.
              default = {
                default_policy = "one_factor";
                rules = [
                  {
                    policy = "deny";
                    subject = "group:lldap_strict_readonly";
                  }
                ];
              };
            };

            # client_secret values are pbkdf2-sha512 digests, not the plaintext
            # secrets handed to the relying parties.
            clients = [
              (oidcClientDefaults // {
                client_id = "forgejo";
                client_name = "Forgejo";
                client_secret = "$pbkdf2-sha512$310000$C696AL9dgf0.yv6VF.jLvA$iNAWSUckoX/6y6yQcfo5FMjICl6D8iAeElIG5AZD5vC8Z8unBcLFR9LcqdMQgsYK3S9DNekQtJpNbbRzXrliDQ";
                pkce_challenge_method = "S256";
                redirect_uris = [ "https://git.escapeangle.com/user/oauth2/Authelia/callback" ];
                scopes = [ "openid" "email" "profile" ];
              })
              (oidcClientDefaults // {
                client_id = "headscale";
                client_name = "Headscale";
                client_secret = "$pbkdf2-sha512$310000$fvaPyF69vBFs3oG1h4Qa1w$ezdJFynGV6bSA8UzGNangyOcaST7a3.LZ6WkVYeI.Ag5znxPsjmm9U23BL7OBMQWAY75CsvftYJWK5eE8nxi9A";
                # NOTE(review): unlike Forgejo and Mealie, no pkce_challenge_method
                # is pinned here, so the method is left to Authelia's default
                # handling rather than forced to S256. Confirm whether Headscale
                # supports S256 and pin it for consistency if it does.
                redirect_uris = [ "https://headscale.escapeangle.com/oidc/callback" ];
                scopes = [ "openid" "email" "profile" "groups" ];
              })
              (oidcClientDefaults // {
                client_id = "mealie";
                client_name = "Mealie";
                client_secret = "$pbkdf2-sha512$310000$Bi3.Z5ewisL.INFbSquvHQ$.Dicey0nFqoqGtmwoncmoNCARnK32twdVUcveWaO9OMKz5f8neIOEFTXSmIL7hf1erO20A08khv9W2I7aReZMw";
                pkce_challenge_method = "S256";
                redirect_uris = [ "https://recipes.escapeangle.com/login" ];
                scopes = [ "openid" "email" "profile" "groups" ];
              })
            ];
          };
        };
      };

      # Module-level secret options: each one points Authelia at a file that
      # sops renders at activation time.
      secrets = {
        jwtSecretFile = sopsSecrets."authelia/jwt_secret".path;
        oidcIssuerPrivateKeyFile = sopsSecrets."authelia/jwks".path;
        oidcHmacSecretFile = sopsSecrets."authelia/hmac_secret".path;
        sessionSecretFile = sopsSecrets."authelia/session_secret".path;
        storageEncryptionKeyFile = sopsSecrets."authelia/storage_encryption_key".path;
      };

      # Credentials without a dedicated module option use Authelia's *_FILE
      # environment variables, which load the value from the named file.
      environmentVariables = {
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = sopsSecrets."authelia/lldap_authelia_password".path;
        AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = sopsSecrets."authelia/smtp_password".path;
      };
    };

    # TLS-terminating reverse proxy in front of the Authelia listener on loopback.
    nginx.virtualHosts."auth.escapeangle.com" = {
      forceSSL = true;
      enableACME = true;
      locations."/".proxyPass = "http://localhost:9091";
    };
  };

  sops = {
    defaultSopsFile = ../hosting-01.yaml;
    # Every Authelia secret is readable only by the instance's service user.
    secrets = lib.genAttrs sopsSecretNames (_: { owner = autheliaUser; });
  };
}