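{ config, lib, ... }:
let
  cfg = config.services.authelia.instances.main;

  # Keep this a plain string rather than a path literal (`/var/lib/authelia/${...}`):
  # a Nix *path* value that is interpolated into a string or rendered by the
  # settings generator is copied into the world-readable Nix store at
  # evaluation time (or fails evaluation if it does not exist yet). That is
  # never what we want for a runtime state directory holding the user database
  # and the session/storage SQLite file.
  dataDir = "/var/lib/authelia/${cfg.name}";
in
{
  services.authelia.instances.main = {
    enable = true;

    # Secrets are read from files at service start (agenix-managed paths);
    # they are never embedded in the generated, store-visible configuration.
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
    };

    settings = {
      theme = "light";

      # "debug" is very verbose and can surface request details in the
      # journal; consider dropping to "info" once the deployment is stable.
      log.level = "debug";

      authentication_backend.file.path = "${dataDir}/users.yml";
      storage.local.path = "${dataDir}/db.sqlite3";

      session.cookies = [
        {
          domain = "shobu.fr";
          # Lower-cased host: DNS names are case-insensitive, so this resolves
          # identically, and Authelia validates that this host lies under
          # `domain` (presumably with a case-sensitive suffix check), which a
          # mixed-case "auth.Shobu.fr" would likely fail.
          authelia_url = "https://auth.shobu.fr";
          default_redirection_url = "https://shobu.fr";
        }
      ];

      access_control = {
        default_policy = "deny";
        rules = [
          # NOTE(review): "*.shobu.fr" matches subdomains only; the apex
          # "shobu.fr" (also the default redirection target) remains under
          # default_policy = "deny". Confirm this is intended.
          {
            domain = "*.shobu.fr";
            policy = "one_factor";
          }
        ];
      };
    };
  };

  # Create the state directory with owner-only permissions before the service
  # starts. The helper is `lib.mkIf` (camel-case); `lib.mkif` does not exist
  # and would abort evaluation with an attribute-missing error.
  systemd.tmpfiles.rules = lib.mkIf cfg.enable [
    "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
  ];
}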