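# NixOS module: Authelia SSO portal for auth.cloonar.com, authenticating users
# against LDAP and storing its state in a local MySQL database. Secret
# material comes from sops-nix, the portal is published through nginx with
# ACME/TLS, and the MySQL database, user and backup entry are provisioned here.
{ config, ... }:
{
  # No secret is inlined in this file: sops-nix decrypts each entry at
  # activation and Authelia is handed a file path (see `secrets` below).
  sops.secrets.authelia-jwt-secret = { sopsFile = ./secrets.yaml; };
  sops.secrets.authelia-backend-ldap-password = { sopsFile = ./secrets.yaml; };
  sops.secrets.authelia-storage-encryption-key = { sopsFile = ./secrets.yaml; };
  sops.secrets.authelia-session-secret = { sopsFile = ./secrets.yaml; };

  services.authelia.instances.main = {
    enable = true;

    # File-based secret wiring; the paths resolve to the sops-managed files.
    secrets = {
      jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
      storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
      sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
      authenticationBackendLDAPPasswordFile = config.sops.secrets.authelia-backend-ldap-password.path;
    };

    settings = {
      theme = "dark";
      default_redirection_url = "https://cloud.cloonar.com";

      # Loopback only: nginx (below) is the single public entry point.
      server = {
        host = "127.0.0.1";
        port = 9091;
      };

      # log = {
      #   level = "debug";
      #   format = "text";
      # };

      authentication_backend = {
        ldap = {
          # LDAPS so neither the bind password nor user credentials cross the
          # network in clear text.
          url = "ldaps://ldap.cloonar.com";
          # Fixed: was misspelled `timout`, which Authelia rejects as an
          # unknown configuration key.
          timeout = "5s";
          base_dn = "DC=cloonar,DC=com";
          additional_users_dn = "OU=users";
          # `{username_attribute}` / `{input}` / `{dn}` are Authelia's own
          # filter placeholders, expanded at query time.
          users_filter = "(&({username_attribute}={input})(objectClass=person))";
          username_attribute = "uid";
          mail_attribute = "mail";
          display_name_attribute = "displayName";
          additional_groups_dn = "OU=groups";
          groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
          group_name_attribute = "cn";
          permit_referrals = false;
          # A bind with an empty password must never count as a successful login.
          permit_unauthenticated_bind = false;
          # Service account for the search bind; its password is supplied via
          # `authenticationBackendLDAPPasswordFile` above.
          user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
        };
      };

      # access_control = {
      #   default_policy = "deny";
      #   rules = [
      #     {
      #       domain = ["auth.example.com"];
      #       policy = "bypass";
      #     }
      #     {
      #       domain = ["*.example.com"];
      #       policy = "one_factor";
      #     }
      #   ];
      # };

      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        # NOTE(review): a cookie scoped to this host is not sent to sibling
        # hosts such as cloud.cloonar.com (the default redirection target), so
        # services there would not see the session; Authelia normally expects
        # the parent domain here. Confirm against the deployment before changing.
        domain = "auth.cloonar.com";
      };

      # Brute-force throttling: 3 failed attempts within 5 minutes bans the
      # account for 15 minutes.
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };

      storage = {
        mysql = {
          # Fixed: stray trailing `'` in the socket path.
          # Local unix socket with no password configured; presumably relies on
          # socket-based authentication for the `authelia` user — confirm on
          # the MySQL side.
          host = "/run/mysqld/mysqld.sock";
          database = "authelia";
          username = "authelia";
          timeout = "5s";
        };
      };

      notifier = {
        disable_startup_check = false;
        # Notification mails (identity verification / reset links) are written
        # to this file instead of being sent; its permissions therefore matter.
        filesystem = { filename = "/var/lib/authelia-main/notification.txt"; };
      };
    };
  };

  services.nginx.virtualHosts."auth.cloonar.com" = {
    enableACME = true;
    forceSSL = true;
    # No webroot for the ACME challenge; the certificate is presumably obtained
    # through a challenge type configured elsewhere (e.g. DNS-01) — confirm.
    acmeRoot = null;
    locations."/" = {
      proxyPass = "http://127.0.0.1:9091";
      proxyWebsockets = true;
    };
  };

  # Fixed: these were written as `config.services.mysql...`. A top-level
  # `config` key switches a module to the structured `{ options; config; }`
  # form, which turns the sibling `sops` and `services` attributes into an
  # evaluation error ("unsupported attribute"). Plain option paths belong
  # directly at the top level like everything else in this module.
  services.mysql.ensureUsers = [
    {
      name = "authelia";
      ensurePermissions = { "authelia.*" = "ALL PRIVILEGES"; };
    }
  ];
  services.mysql.ensureDatabases = [ "authelia" ];
  services.mysqlBackup.databases = [ "authelia" ];
}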