{ config, ... }:
let
  # Resolve an agenix secret to its decrypted on-disk path. Only the path is
  # passed to Authelia; the secret material itself never enters the Nix store.
  secretPath = name: config.age.secrets.${name}.path;
in
{
  services.authelia.instances.main = {
    enable = true;

    # Key material read by Authelia at start-up (session JWTs, OIDC signing,
    # storage encryption) is supplied via files rather than inline settings.
    secrets = {
      jwtSecretFile = secretPath "authelia-jwt-key";
      oidcIssuerPrivateKeyFile = secretPath "authelia-jwks";
      storageEncryptionKeyFile = secretPath "authelia-storage-key";
    };

    settings = {
      # No host part in the address, so the listener is not restricted to
      # loopback; reachability is governed by the firewall rule below.
      server.address = "tcp://:9092";
      default_2fa_method = "totp";

      # Filesystem notifier: verification/reset codes are written to this
      # local file instead of being sent by mail, so its readers are whoever
      # can read /var/lib/authelia-main.
      notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";

      # User database (hashes, groups) comes from a secret-managed file.
      authentication_backend.file.path = secretPath "authelia-users";

      # Default policy is one_factor: password alone suffices unless a more
      # specific access_control rule raises the requirement. The TOTP method
      # above only matters where a rule asks for two_factor.
      access_control.default_policy = "one_factor";
      session.domain = "fcuny.net";

      storage.local.path = "/var/lib/authelia-main/db.sqlite3";
    };
  };

  # Exposes the Authelia listener to every interface the host firewall covers.
  networking.firewall.allowedTCPPorts = [ 9092 ];
}