{ nixhelm, system, config, lib, ... }:
let
  cfg = config.authelia;

  # Name shared by the Kubernetes Secret created under `resources.secrets`,
  # the Helm `additionalSecrets` entry that mounts it, and the
  # `secret_name` fields in the Authelia configMap below.
  secretName = "authelia";

  # Secret keys that are mounted as files; each key becomes a file of the
  # same name under the chart's secret mount point.
  mountedKeys = [ "storage" "session" "users" ];
in
{
  options.authelia.enable = lib.mkEnableOption "authelia";

  config = lib.mkIf cfg.enable {
    kubernetes = {
      helm.releases.authelia = {
        chart = nixhelm.chartsDerivations.${system}.authelia.authelia;
        includeCRDs = true;
        namespace = "authelia";

        values = {
          pod = {
            kind = "Deployment";
            replicas = 1;
          };

          # Expose every key of the `authelia` Secret as a file with the same
          # path; the `users` file is read by the file backend below.
          secret.additionalSecrets.${secretName}.items =
            map (name: { key = name; path = name; }) mountedKeys;

          configMap = {
            # Any protected host without a more specific access_control rule
            # is admitted after a single factor.
            access_control.default_policy = "one_factor";

            authentication_backend = {
              password_reset.disable = true;
              ldap.enabled = false;
              file = {
                enabled = true;
                # The `users` item of the mounted Secret.
                path = "/secrets/authelia/users";
                search.email = true;
                password.algorithm = "argon2";
              };
            };

            storage = {
              # Key material comes from the mounted Secret, not from this file.
              encryption_key = {
                secret_name = secretName;
                path = "storage";
              };
              local = {
                enabled = true;
                # TODO: this is the container's own filesystem. Nothing in this
                # module mounts the `longhorn.persistentVolumeClaim.data` volume
                # declared below, so unless the chart mounts something at /tmp,
                # whatever Authelia stores here is lost on pod restart.
                path = "/tmp/storage";
              };
            };

            session = {
              encryption_key = {
                secret_name = secretName;
                path = "session";
              };
              # Cookie scope must agree with the ingress host (auth.kun.is).
              cookies = [ { domain = "kun.is"; subdomain = "auth"; } ];
            };

            notifier.filesystem = {
              # TODO: switch to SMTP. Until then, notifications (presumably the
              # one-time links Authelia would otherwise e-mail) are appended to
              # a plain file inside the pod.
              enabled = true;
              filename = "/tmp/notifications.txt";
            };
          };
        };
      };

      # `ref+sops://` references are resolved outside Nix evaluation, so the
      # encryption keys and the user database are not written into this
      # repository — NOTE(review): confirm with the deploy pipeline.
      resources.secrets.${secretName}.stringData = {
        storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
        session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
        users = "ref+sops://secrets.yml#/authelia/users";
      };
    };

    lab = {
      ingresses.authelia = {
        host = "auth.kun.is";
        service = {
          name = "authelia";
          portName = "http";
        };
      };

      # Declared here but not referenced by the Helm values above.
      longhorn.persistentVolumeClaim.data = {
        volumeName = "authelia";
        storage = "100Mi";
      };
    };
  };
}