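# NixOS module: the Authelia "main" instance, authenticating users against the
# local lldap server, published as https://auth.fricloud.dk behind nginx, with
# its state directory persisted across reboots and all secrets supplied by agenix.
{ config, ... }:
let
  # Working directory of the "main" instance. Holds the sqlite database and the
  # filesystem-notifier output, and is the directory persisted further below.
  autheliaStateDir = "/var/lib/authelia-main";
in
{
  services.authelia.instances.main = {
    enable = true;

    # The LDAP bind password is passed as a *file path* through the environment,
    # so the cleartext never ends up in the Nix store or in the rendered settings.
    environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
      config.age.secrets.authelia-lldap-bind-user-pass.path;

    # Remaining key material, likewise referenced by path only.
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
      oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
    };

    settings = {
      # Fallback for every protected resource that has no explicit
      # access_control rule: a single factor (password) is sufficient.
      # Tighten per host via access_control.rules ("two_factor" / "deny")
      # where the protected service warrants it.
      access_control.default_policy = "one_factor";
      session.domain = "fricloud.dk";
      storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
      # Filesystem notifier: identity-verification / password-reset messages
      # (which carry one-time links) are appended to this file instead of being
      # mailed. The file lives in the instance's own state dir; keep it readable
      # by the authelia-main user only.
      notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";

      authentication_backend = {
        # Self-service password reset is enabled; requests surface in the
        # notifier file above.
        password_reset.disable = false;
        refresh_interval = "1m";
        ldap = {
          implementation = "custom";
          # address in the future
          url = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
          timeout = "5s";
          # Plain LDAP (no STARTTLS). Only acceptable because the connection is
          # to localhost; revisit if lldap ever moves to another host.
          start_tls = false;
          base_dn = "dc=fricloud,dc=dk";
          additional_users_dn = "ou=people";
          # Match on either the username or the mail attribute, restricted to
          # person objects.
          users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
          additional_groups_dn = "ou=groups";
          groups_filter = "(member={dn})";
          display_name_attribute = "displayName";
          username_attribute = "uid";
          group_name_attribute = "cn";
          mail_attribute = "mail";
          # Dedicated bind account; its password comes from the env var above.
          user = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
        };
      };
    };
  };

  # example configuration for forgejo.
  # Should live in forgejo.nix if needed
  # services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
  #   id = "forgejo";
  #   description = "Forgejo";
  #   # authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
  #   secret = "$pbkdf2-sha512$310000$cOGtLwMHyfugAJCIiUUjfQ$ao7zC8QB1m8aTGNf1dxYbRAPivZ0G1eaJ4bNFVfJiTFZX06U5baBjT0emvoaeFHXMFbYHzorb2/8vxnY/D0b5Q";
  #   public = false;
  #   authorization_policy = "one_factor";
  #   redirect_uris = [ "https://git.fricloud.dk/user/oauth2/authelia/callback" ];
  #   scopes = [
  #     "openid"
  #     "email"
  #     "profile"
  #   ];
  #   userinfo_signing_algorithm = "none";
  #   # userinfo_signed_response_alg = "none";
  #   # token_endpoint_auth_method = "client_secret_basic";
  # }];

  # TLS-terminating reverse proxy in front of the Authelia portal.
  # NOTE(review): Authelia derives the request origin from the X-Forwarded-*
  # headers; this vhost does not set them itself, so confirm that
  # services.nginx.recommendedProxySettings (or an equivalent extraConfig) is
  # enabled elsewhere in the configuration.
  services.nginx.virtualHosts."auth.fricloud.dk" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass =
      "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}";
  };

  # persistent files
  environment.persistence.root.directories = [ autheliaStateDir ];

  # setup secrets for authelia
  # Every secret is owned by the service user so the instance can read it
  # without widening permissions on the decrypted files.
  age.secrets = {
    authelia-jwt.owner = "authelia-main";
    authelia-storage.owner = "authelia-main";
    authelia-session.owner = "authelia-main";
    authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
    authelia-lldap-bind-user-pass.owner = "authelia-main";
  };
}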