# NixOS module: Authelia (SSO / identity provider) for the "tlaternet" instance,
# backed by lldap as the user directory, Redis for sessions and PostgreSQL for
# storage. lldap's web UI is published behind nginx over TLS. All secrets are
# taken from sops-nix and passed to the services as file paths, never inline.
{ config, ... }:
let
  inherit (config.services.nginx) domain;
  sopsSecrets = config.sops.secrets;
  lldapSettings = config.services.lldap.settings;
  autheliaUser = config.services.authelia.instances.tlaternet.user;
in
{
  services = {
    authelia.instances.tlaternet = {
      enable = true;

      # Secrets that Authelia only accepts through *_FILE environment variables.
      environmentVariables = {
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = sopsSecrets."authelia/lldap-password".path;
        # NOTE(review): this points the SMTP *sender* at the "authelia/ntfy-topic"
        # secret while the notifier configured below is the filesystem one —
        # confirm the variable name and the secret it reads are the intended pair.
        AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = sopsSecrets."authelia/ntfy-topic".path;
      };

      settings = {
        # Users come from the local lldap server, bound as a dedicated
        # service account rather than the lldap admin.
        authentication_backend.ldap = {
          # TODO(tlater): Enable when authelia has a webhook notifier:
          # https://github.com/authelia/authelia/issues/7695
          password_reset.disable = true;
          refresh_interval = "1m";
          # Plain ldap:// to a loopback address; lldap is bound to 127.0.0.1 below,
          # so this never leaves the host.
          address = "ldap://${lldapSettings.ldap_host}:${toString lldapSettings.ldap_port}";
          implementation = "lldap";
          base_dn = lldapSettings.ldap_base_dn;
          user = "cn=authelia,ou=people,${lldapSettings.ldap_base_dn}";
        };

        # Reject weak passwords at registration/change time.
        password_policy.zxcvbn.enabled = true;
        telemetry.metrics.enabled = true;

        # Default-deny; every subdomain of the site requires at least one factor.
        # The wildcard matches subdomains only, so the apex domain itself falls
        # through to default_policy (deny) as far as I can tell — confirm if the
        # apex is ever proxied through Authelia.
        access_control = {
          default_policy = "deny";
          rules = [
            {
              domain = "*.${domain}";
              policy = "one_factor";
            }
          ];
        };

        # No outbound mail: identity-verification notifications are written to a
        # local file. Whoever can read this file can complete those flows, so its
        # permissions matter as much as any secret here.
        notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";

        session = {
          cookies = [
            {
              domain = "${domain}";
              authelia_url = "https://auth.${domain}";
            }
          ];
          # Session store over the Redis unix socket, not TCP.
          redis.host = config.services.redis.servers.authelia.unixSocket;
        };

        # PostgreSQL over the unix socket; username and database both follow the
        # instance's service user (presumably relying on socket peer auth).
        storage.postgres = {
          address = "/var/run/postgresql";
          username = autheliaUser;
          database = autheliaUser;
        };

        # Auth options
        default_2fa_method = "totp";
        totp.issuer = "tlater.net";
        webauthn = {
          display_name = "tlater.net";
          enable_passkey_login = true;
          # Ask authenticators for a direct attestation statement so the
          # metadata checks below have something to validate.
          attestation_conveyance_preference = "direct";
          # Refuse credentials that can be synced/backed up out of the device.
          filtering.prohibit_backup_eligibility = true;
          metadata = {
            enabled = true;
            validate_trust_anchor = true;
            validate_entry = true;
            validate_status = true;
            validate_entry_permit_zero_aaguid = false;
          };
        };
        duo_api.disable = true;
      };

      secrets = {
        storageEncryptionKeyFile = sopsSecrets."authelia/storage-encryption-key".path;
        # NOTE(review): this same secret is also handed to lldap as
        # LLDAP_JWT_SECRET_FILE below, so both services share one signing key;
        # a compromise of either side affects the other. A dedicated secret per
        # service would contain that.
        jwtSecretFile = sopsSecrets."authelia/jwt-secret".path;
        sessionSecretFile = sopsSecrets."authelia/session-secret".path;
      };
    };

    # Dedicated Redis server for Authelia sessions, running as the instance user
    # so only that user can reach the socket (assuming the module's defaults).
    redis.servers.authelia = {
      enable = true;
      user = autheliaUser;
    };

    lldap = {
      enable = true;
      settings = {
        ldap_base_dn = "dc=tlater,dc=net";
        # Empty password: authentication is expected to come from the unix
        # socket given in `host=` — TODO confirm peer auth is configured.
        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
        # Both listeners are loopback-only; the web UI is reached via nginx.
        ldap_host = "127.0.0.1";
        http_host = "127.0.0.1";
        http_url = "https://lldap.${domain}";
        force_ldap_user_pass_reset = "always";
        smtp_options.enable_password_reset = false;
        # NOTE(review): `environment` sits under `settings` here. If the lldap
        # module in use expects `services.lldap.environment` as a sibling of
        # `settings` (as the nixpkgs module does), these *_FILE variables are
        # never exported and lldap would fall back to its built-in defaults for
        # the admin password and key seed — verify against the module actually
        # imported before relying on this.
        environment = {
          LLDAP_JWT_SECRET_FILE = sopsSecrets."authelia/jwt-secret".path;
          LLDAP_LDAP_USER_PASS_FILE = sopsSecrets."lldap/admin-password".path;
          LLDAP_KEY_SEED_FILE = sopsSecrets."lldap/key".path;
        };
      };
    };

    # TLS termination for the lldap web UI; the upstream is the loopback
    # http_host/http_port configured above.
    nginx.virtualHosts."lldap.${domain}" = {
      useACMEHost = "tlater.net";
      forceSSL = true;
      enableHSTS = true;
      locations."/".proxyPass = "http://${lldapSettings.http_host}:${toString lldapSettings.http_port}";
    };
  };
}