{ config, ... }:
{
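  # Authelia instance "tlaternet": the SSO / second-factor portal.
  #
  # NOTE(review): everything under `settings` is rendered into a config file
  # in the Nix store, which is world-readable. Keep credentials out of
  # `settings` and pass them as runtime files (see `secrets` below).
  services.authelia.instances.tlaternet = {
    enable = true;

    settings = {
      default_2fa_method = "totp";

      # TODO: define the Content-Security-Policy template for the portal.
      # The previous placeholder (`todo!()`) is not a Nix expression and
      # stopped this module from parsing. With the option unset, Authelia
      # uses its built-in CSP.
      # NOTE(review): upstream documents this key as
      # `server.headers.csp_template`; confirm the option path before
      # re-adding it.
      # headers.csp_template = "<CSP template>";

      authentication_backend.ldap = {
        # TODO: still empty. Authelia needs at least the server address,
        # base DN and bind user before it can authenticate anyone; the base
        # DN should match `services.lldap.settings.ldap_base_dn`.
        # NOTE(review): do not put the bind password here (Nix store). The
        # module's `environmentVariables` option with
        # AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE pointing at a
        # sops-managed file looks like the intended route; confirm against
        # the module documentation.
      };

      totp = {
        issuer = "tlater.net";
      };

      webauthn = {
        # enable_passkey_login = true; ?
        # NOTE(review): passkey login lets a WebAuthn credential act as a
        # passwordless first factor; enable it as a deliberate policy
        # decision, not as a default.
        display_name = "tlater.net";
      };

      duo_api.disable = true;

      # NOTE(review): no listener address is set for the metrics endpoint,
      # so Authelia's default applies. The endpoint is presumably
      # unauthenticated; confirm it is reachable only by the metrics scraper
      # (loopback bind or firewall).
      telemetry.metrics.enabled = true;
    };

    # Secrets are passed as paths to sops-decrypted files, so the values
    # themselves never enter the Nix store.
    # NOTE(review): the matching `sops.secrets` declarations are not in this
    # file; confirm both exist and are readable by this instance's service
    # user only.
    secrets = {
      storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
      jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
    };
  };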

  # lldap: the lightweight LDAP directory, presumably the user store behind
  # the Authelia LDAP backend (confirm; that backend is not configured yet).
  #
  # NOTE(review): these settings end up in a world-readable config file in
  # the Nix store. The admin password and JWT secret are not set here and
  # should stay out of `settings`; supply them at runtime from a secret file
  # (e.g. an environment file carrying LLDAP_LDAP_USER_PASS and
  # LLDAP_JWT_SECRET; confirm the mechanism against the module docs).
  # NOTE(review): no bind addresses are set for the LDAP and web listeners,
  # so the module defaults apply; confirm they are not exposed beyond the
  # hosts that need them.
  services.lldap.enable = true;
  services.lldap.settings = {
    # Host-less URL: presumably a local-socket connection with peer
    # authentication, so no database password is stored here. The database
    # and role are not created in this file.
    database_url = "postgres:///lldap";

    ldap_base_dn = "dc=tlater,dc=net";

    ldap_user_email = "admin@tlater.net";
  };
}