{ config, ... }:
let
  # Every Authelia secret below is decrypted by agenix and handed to the
  # service user, so the unprivileged authelia-main process can read it
  # without the secret ever being written into the world-readable Nix store.
  secretOwner = "authelia-main";

  # One age.secrets entry: the encrypted file lives next to this module in
  # ../secrets, the decrypted copy is owned by the service user.
  mkSecret = name: encryptedFile: {
    inherit name;
    value = {
      file = encryptedFile;
      owner = secretOwner;
    };
  };

  # Runtime path of a secret declared in age.secrets below.
  secretPath = name: config.age.secrets.${name}.path;
in
{
  age.secrets = builtins.listToAttrs [
    (mkSecret "authelia-storage-key" ../secrets/authelia-storage-key.age)
    (mkSecret "authelia-jwt-key" ../secrets/authelia-jwt-key.age)
    (mkSecret "authelia-users" ../secrets/authelia-users.yaml.age)
    (mkSecret "authelia-jwks" ../secrets/authelia-jwks.age)
  ];

  services.authelia.instances.main = {
    enable = true;

    # Key material is passed as file paths only; the values never appear in
    # the generated configuration file.
    secrets = {
      jwtSecretFile = secretPath "authelia-jwt-key";
      oidcIssuerPrivateKeyFile = secretPath "authelia-jwks";
      storageEncryptionKeyFile = secretPath "authelia-storage-key";
    };

    settings = {
      # Binds on every interface, and the firewall rule at the bottom opens
      # the same port, so the portal is reachable directly from the network
      # rather than only via a local reverse proxy. NOTE(review): confirm that
      # is intended; if a proxy on this host terminates TLS, binding to
      # loopback and dropping the firewall rule would shrink the exposure.
      server.address = "tcp://:9092";
      default_2fa_method = "totp";

      # Notifications (presumably the identity-verification mails Authelia
      # would otherwise send via SMTP) are written to a local file instead.
      notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";

      # The user database itself is an agenix secret (it holds password hashes).
      authentication_backend.file.path = secretPath "authelia-users";

      # Anything not matched by an explicit rule only needs a single factor.
      access_control.default_policy = "one_factor";
      session.domain = "fcuny.net";
      storage.local.path = "/var/lib/authelia-main/db.sqlite3";

      identity_providers.oidc.clients = [
        {
          id = "miniflux";
          description = "Miniflux RSS";
          # This is a pbkdf2-sha512 digest of the client secret, not the secret
          # itself; keep it a digest, since this module ends up in the Nix
          # store. The plaintext lives only in the Miniflux configuration.
          secret = "$pbkdf2-sha512$310000$OPAy.BbYps2sWTt4Broxbg$uB6QZaHK1n7MHheaWhly/cvnNIw4gZbY.BibTCHvodcRAAggSTUA8rTdjzudaKtJZW7Lm4u0j2C2D1VFmRV2Aw";
          redirect_uris = [ "https://reader.fcuny.net/oauth2/oidc/callback" ];
          scopes = [ "openid" "email" "profile" ];
        }
      ];
    };
  };

  # Exposes the portal port declared in server.address above.
  networking.firewall.allowedTCPPorts = [ 9092 ];
}