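# Authelia (single instance "default") with a file-based user database.
#
# A helper unit (authelia-default-users) runs before authelia-default.service:
# for every entry in appConfig.users it reads the plaintext password from a
# systemd credential, hashes it with argon2 and writes the result to
# /var/lib/authelia-default/users.yaml, which authelia watches for changes.
{ appConfig, lib, pkgs, ... }:

let
  stateDir = "/var/lib/authelia-default";
  usersFile = "${stateDir}/users.yaml";

  # Generates users.yaml from the credentials systemd placed in
  # $CREDENTIALS_DIRECTORY (one credential per user, named after the user).
  #
  # TODO password is used on command line
  # The plaintext password is passed to `authelia crypto hash generate` as an
  # argument, so it is visible in that process's argument list while it runs.
  #
  # @topic apps/authelia
  usersScript = pkgs.writers.writeDashBin "script" ''
    set -efu
    # Every file created below (temp file, users.yaml) is owner-only.
    umask 0177
    PATH=${lib.makeBinPath [ pkgs.authelia pkgs.coreutils pkgs.jq pkgs.json2yaml ]}

    # One JSON {key, value} pair per user; the loop runs in a subshell, so a
    # failing command inside it (set -e) aborts the assignment and the script
    # rather than silently producing a database with missing accounts.
    entries=$(
      printf '%s\n' ${lib.escapeShellArg (lib.generators.toJSON {} (lib.attrValues appConfig.users))} |
      jq -c '.[]' |
      while read -r account; do
        username=$(printf '%s\n' "$account" | jq -r .username)
        # Read the credential first: a missing file aborts here instead of
        # hashing an empty string.
        password=$(cat "$CREDENTIALS_DIRECTORY/$username")
        digest=$(authelia crypto hash generate argon2 --password "$password")
        # The tool prints "<label> <hash>"; keep everything after the label.
        hashedPassword=$(printf '%s\n' "$digest" | cut -d' ' -f2-)
        if [ -z "$hashedPassword" ]; then
          echo "authelia-default-users: empty password hash for user $username" >&2
          exit 1
        fi
        jq -cn \
          --arg username "$username" \
          --arg password "$hashedPassword" \
          '{ key: $username, value: { displayname: $username, $password } }'
      done
    )
    users=$(printf '%s\n' "$entries" | jq -s from_entries)

    # Render to a temp file in the same directory and rename it over the live
    # file, so a running authelia (file.watch = true) never reads a
    # half-written database.  jq runs on its own so its failure is not masked
    # by the pipeline.
    tmp=$(mktemp ${stateDir}/users.yaml.XXXXXX)
    trap 'rm -f "$tmp"' EXIT
    doc=$(jq -cn --argjson users "$users" '{ $users }')
    printf '%s\n' "$doc" | json2yaml > "$tmp"
    mv -f "$tmp" ${usersFile}
  '';
in
lib.mkMerge [
  # authelia
  {
    services.authelia.instances.default.enable = true;
    # Protected resources require a single factor unless a more specific
    # access_control rule says otherwise.
    services.authelia.instances.default.settings.access_control.default_policy = "one_factor";
    services.authelia.instances.default.settings.log.format = "text";
    services.authelia.instances.default.settings.log.level = "info";
    services.authelia.instances.default.settings.notifier.filesystem.filename = "${stateDir}/notifier.txt";
    # NOTE(review): binds on every interface.  If only a reverse proxy on this
    # host talks to the portal, "127.0.0.1" is the tighter choice.
    services.authelia.instances.default.settings.server.host = "0.0.0.0";
    services.authelia.instances.default.settings.server.port = 9091;
    # TODO this is not appConfig.domain!
    services.authelia.instances.default.settings.session.domain = "nomath.org";
    services.authelia.instances.default.settings.storage.local.path = "${stateDir}/storage.sqlite3";
  }

  # configure secrets
  #
  # The NixOS module does not manage the secrets; the three files are handed
  # to the unit as systemd credentials and authelia is pointed at them through
  # its *_FILE environment variables (%d expands to the credentials directory).
  {
    services.authelia.instances.default.secrets.manual = true;
    systemd.services.authelia-default.environment = {
      AUTHELIA_JWT_SECRET_FILE = "%d/jwtSecret";
      AUTHELIA_SESSION_SECRET_FILE = "%d/sessionSecret";
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "%d/storageEncryptionKey";
    };
    # "ID:PATH" pairs with a relative PATH, i.e. the credential sources are
    # resolved by systemd (credential store search path or the manager's own
    # credentials) and have to be provisioned on the host separately.
    systemd.services.authelia-default.serviceConfig.LoadCredential = [
      "jwtSecret:jwtSecret"
      "sessionSecret:sessionSecret"
      "storageEncryptionKey:storageEncryptionKey"
    ];
  }

  # configure users
  {
    services.authelia.instances.default.settings.authentication_backend.file.path = usersFile;
    # Re-read the database when it changes, so the helper unit can refresh it
    # while authelia keeps running.
    services.authelia.instances.default.settings.authentication_backend.file.watch = true;

    systemd.services.authelia-default-users = {
      before = [ "authelia-default.service" ];
      wantedBy = [ "authelia-default.service" ];
      environment.CREDENTIALS_DIRECTORY = "%d";
      serviceConfig.User = "authelia-default";
      serviceConfig.Group = "authelia-default";
      # One credential per user, exposed under the user's name and sourced from
      # "<username>.password" in systemd's credential search path.
      # NOTE(review): appConfig.users.<name>.passwordFile is not consulted here
      # or in the script -- confirm whether LoadCredential should use it
      # instead of the fixed "<username>.password" name.
      serviceConfig.LoadCredential =
        lib.mapAttrsToList (username: _: "${username}:${username}.password") appConfig.users;
      script = "${usersScript}/bin/script";
    };
  }
]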