{ config, ... }:
let
  # Authelia instance being configured and the system user it runs as.
  instance = config.services.authelia.instances.main;
  user = instance.user;

  # Authelia is published on a subdomain of the nginx base domain.
  baseDomain = config.services.nginx.domain;
  autheliaHost = "authelia.${baseDomain}";

  # Authelia listens on loopback only; nginx terminates TLS in front of it.
  upstream = "http://127.0.0.1:9091";
  stateDir = "/var/lib/authelia-main";

  # Secrets come from sops-nix under the "authelia/" prefix and are owned by
  # the service user so the instance can read them.
  secretPath = name: config.sops.secrets."authelia/${name}".path;
  ownedByService = { owner = user; group = user; };
  secretNames = [ "storageEncryptionKey" "sessionSecret" "jwtSecret" ];

  # nginx location that hands the request to Authelia without any header overrides.
  passthrough = {
    proxyPass = upstream;
    recommendedProxySettings = false;
  };
in
{
  services.authelia.instances.main = {
    enable = true;

    settings = {
      theme = "auto";

      # Resources with no matching access-control rule only require a password.
      access_control.default_policy = "one_factor";

      authentication_backend = {
        # Users are read from a local YAML file; self-service password reset is off.
        password_reset.disable = true;
        file.path = "${stateDir}/users.yml";
      };

      # Notifications (identity verification etc.) are written to a local file
      # rather than being e-mailed.
      notifier.filesystem.filename = "${stateDir}/notification.txt";

      session = {
        domain = baseDomain;
        # Session state is kept in the dedicated Redis instance, reached over its Unix socket.
        redis.host = config.services.redis.servers.authelia.unixSocket;
      };

      # server.endpoints.authz.auth-request.implementation = "AuthRequest";

      storage.postgres = {
        # Local Unix-socket connection as the service user; the password string is
        # not used for socket peer authentication.
        # NOTE(review): confirm PostgreSQL's local auth method permits this login.
        host = "/run/postgresql";
        database = user;
        username = user;
        password = "unnecessary";
      };
    };

    secrets = {
      storageEncryptionKeyFile = secretPath "storageEncryptionKey"; # Database
      sessionSecretFile = secretPath "sessionSecret"; # Redis
      jwtSecretFile = secretPath "jwtSecret";
    };
  };

  # PostgreSQL must be up before Authelia opens its storage connection.
  systemd.services.authelia-main.after = [ "postgresql.service" ];

  services.nginx.virtualHosts.${autheliaHost} = {
    forceSSL = true;
    enableACME = true;
    enableHSTS = true;

    locations = {
      # Portal. nginx sets the forwarding headers itself, so X-Forwarded-For and
      # X-Real-IP carry the peer address nginx sees, not whatever the client sent.
      # real_ip_header only takes effect for peers listed in set_real_ip_from,
      # which this file does not configure.
      "/" = passthrough // {
        extraConfig = ''
          proxy_set_header Host $host;
          proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Host $http_host;
          proxy_set_header X-Forwarded-URI $request_uri;
          proxy_set_header X-Forwarded-Ssl on;
          proxy_set_header X-Forwarded-For $remote_addr;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_redirect http:// $scheme://;
          proxy_cache_bypass $cookie_session;
          proxy_no_cache $cookie_session;
          real_ip_header X-Forwarded-For;
          real_ip_recursive on;
        '';
      };

      # Authorization endpoints (legacy /api/verify, current /api/authz/). No header
      # overrides here, so X-Forwarded-* and X-Original-URL reach Authelia exactly as
      # the caller sent them -- presumably so auth_request subrequests from other
      # virtual hosts keep the headers they set (TODO confirm). Network-based
      # access-control rules must therefore not trust the client address on these paths.
      "/api/verify" = passthrough;
      "/api/authz/" = passthrough;
    };
  };

  services.redis.servers.authelia = {
    enable = true;
    inherit user;
  };

  sops.secrets = builtins.listToAttrs (map (name: {
    name = "authelia/${name}";
    value = ownedByService;
  }) secretNames);
}