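# Authelia "main" instance for stuce.ch: lldap authentication backend, SQLite
# storage, SMTP notifier, one OIDC client (Forgejo) and per-host access rules.
let
  host = "stuce.ch";
in
{
  services.authelia.instances."main" = {
    enable = true;

    # Secrets are read from files under the instance state directory at
    # runtime, so their contents never enter the world-readable Nix store.
    secrets = {
      oidcHmacSecretFile = "/var/lib/authelia-main/hmac";
      oidcIssuerPrivateKeyFile = "/var/lib/authelia-main/rsa.2048.key";
      jwtSecretFile = "/var/lib/authelia-main/jwtSecret";
      storageEncryptionKeyFile = "/var/lib/authelia-main/storageEncryptionKeyFile";
    };

    # Secrets the module has no dedicated option for are passed through
    # Authelia's *_FILE environment variables, again as paths outside the store.
    environmentVariables = {
      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "/var/lib/authelia-main/ldap_password";
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/var/lib/authelia-main/smtp_password";
    };

    settings = {
      authentication_backend = {
        password_reset = { disable = false; };
        refresh_interval = "1m";
        ldap = {
          implementation = "lldap";
          # Unencrypted ldap:// is only acceptable because lldap listens on the
          # same host; do not point this at a remote directory without TLS.
          address = "ldap://localhost:3890";
          base_dn = "dc=stuce,dc=ch";
          user = "uid=bind_user,ou=people,dc=stuce,dc=ch";
          additional_users_dn = "ou=people";
        };
      };

      storage = {
        local = { path = "/var/lib/authelia-main/db.sqlite3"; };
      };

      session = {
        cookies = [{
          domain = host;
          authelia_url = "https://auth.${host}";
          default_redirection_url = "https://${host}";
        }];
      };

      notifier = {
        # disable_startup_check = false;
        # filesystem = { filename = "/var/lib/authelia-main/notification.txt"; };
        smtp = {
          address = "submissions://mail.infomaniak.com:465";
          username = "no-reply@stuce.ch";
          sender = "no-reply@stuce.ch";
        };
      };

      identity_providers = {
        oidc = {
          # No inline key material; presumably the module wires the issuer key
          # in from secrets.oidcIssuerPrivateKeyFile — confirm against the
          # module version in use.
          jwks = { };
          clients = [{
            client_id = "uZzbagYr2RZqyVFsOZ23XJktE9tjllwuMnxiicfT5Ykcx6pX9JZDXlYahdg.DRq5guobvv0k";
            client_name = "Forgejo";
            # TODO: find a way to remove this secret from here.
            # This is the PBKDF2-SHA512 digest of the Forgejo client secret, not
            # the plaintext, but because it sits in `settings` it is rendered
            # into the Nix store and readable by every local user there, which
            # permits offline guessing. Keeping this client block in a
            # configuration file outside the store (Authelia merges several
            # config files) would avoid that exposure.
            client_secret = "$pbkdf2-sha512$310000$xmkdkyjsCmFEi2U.exnetg$UYnG78UZhBY/6Fb8ztGsKdJDtJdIRUrki4bngIPnsOfKxddzQovCDZ8AWETFim0Nar5AhbecJJTEM1kf2lG3WQ";
            public = false;
            authorization_policy = "two_factor";
            require_pkce = true;
            pkce_challenge_method = "S256";
            redirect_uris = [ "https://git.stuce.ch/user/oauth2/authelia/callback" ];
            scopes = [ "openid" "email" "profile" ];
            response_types = [ "code" ];
            grant_types = [ "authorization_code" ];
            access_token_signed_response_alg = "none";
            userinfo_signed_response_alg = "none";
            token_endpoint_auth_method = "client_secret_basic";
          }];
        };
      };

      access_control = {
        # Anything not matched by a rule below is denied; rules are evaluated
        # in order, so keep the more specific armee.stuce.ch paths distinct.
        default_policy = "deny";
        rules = [
          {
            # Lowercased to match every other rule and the session cookie
            # domain, so the match does not depend on how Authelia treats
            # host-name case.
            domain = "todo.stuce.ch";
            policy = "one_factor";
            # resources = ["^/.*"];
            subject = [ "group:maison" ];
          }
          {
            domain = "armee.stuce.ch";
            policy = "one_factor";
            resources = [ "^/todo.*" ];
            subject = [ "user:sgt" ];
          }
          {
            domain = "vault.stuce.ch";
            policy = "two_factor";
            resources = [ "^/admin.*" ];
            subject = [ "user:stuce" ];
          }
          {
            domain = "ldap.stuce.ch";
            policy = "two_factor";
            subject = [ "user:stuce" ];
          }
          {
            domain = "armee.stuce.ch";
            policy = "one_factor";
            resources = [ "^/notes.*" ];
            subject = [ "group:ada" "group:cader" ];
          }
          {
            domain = "armee.stuce.ch";
            policy = "one_factor";
            resources = [ "^/plans.*" ];
            subject = [ "user:lt" ];
          }
        ];
      };
    };
  };
}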