{
  config,
  lib,
  pkgs,
  ...
}: let
  inherit (lib) types mkIf optionalString;
  inherit
    (builtins)
    isNull
    any
    all
    attrValues
    toString
    ;

  inherit (config.services) nginx;

  validAuthMethods = [
    "regular"
    "basic"
  ];
  getUpstreamFromInstance = instance: let
    inherit (config.services.authelia.instances.${instance}.settings) server;
    port = server.port or 9091;
    host = server.host or "127.0.0.1";

    targetHost =
      if host == "0.0.0.0"
      then "127.0.0.1"
      else if lib.hasInfix ":" host
      then throw "TODO IPv6 not supported in Authelia server address (hard to parse, can't tell if it is [::])."
      else host;
  in "http://${targetHost}:${toString port}";

  # use this when reverse proxying to authelia (and only authelia because i
  # like the nixos recommended proxy settings better)
  autheliaProxyConfig = pkgs.writeText "authelia-proxy-config.conf" ''
    ## Headers
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-URI $request_uri;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Real-IP $remote_addr;

    ## Basic Proxy Configuration
    client_body_buffer_size 128k;
    # Timeout if the real server is dead.
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    proxy_redirect  http://  $scheme://;
    proxy_http_version 1.1;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 64 256k;

    ## Trusted Proxies Configuration
    ## Please read the following documentation before configuring this:
    ##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
    # set_real_ip_from 10.0.0.0/8;
    # set_real_ip_from 172.16.0.0/12;
    # set_real_ip_from 192.168.0.0/16;
    # set_real_ip_from fc00::/7;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;

    ## Advanced Proxy Configuration
    send_timeout 5m;
    proxy_read_timeout 360;
    proxy_send_timeout 360;
    proxy_connect_timeout 360;
  '';

  autheliaLocation = ''
    internal;

    ## Headers
    ## The headers starting with X-* are required.
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Content-Length "";
    proxy_set_header Connection "";

    ## Basic Proxy Configuration
    proxy_pass_request_body off;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 4 32k;
    client_body_buffer_size 128k;

    ## Advanced Proxy Configuration
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
  '';
  autheliaLocationConfig = pkgs.writeText "authelia-location.conf" autheliaLocation;
  autheliaBasicLocationConfig = pkgs.writeText "authelia-location-basic.conf" ''
    ${autheliaLocation}

    # Auth Basic Headers
    proxy_set_header X-Original-Method $request_method;
    proxy_set_header X-Forwarded-Method $request_method;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-URI $request_uri;
  '';

  genAuthConfig = method: let
    snippet_regular = ''
      ## Configure the redirection when the authz failure occurs. Lines starting
      ## with 'Modern Method' and 'Legacy Method' should be commented /
      ## uncommented as pairs. The modern method uses the session cookies
      ## configuration's authelia_url value to determine the redirection URL here.
      ## It's much simpler and compatible with the mutli-cookie domain easily.

      ## Modern Method: Set the $redirection_url to the Location header of the
      ## response to the Authz endpoint.
      auth_request_set $redirection_url $upstream_http_location;

      ## Modern Method: When there is a 401 response code from the authz endpoint
      ## redirect to the $redirection_url.
      error_page 401 =302 $redirection_url;
    '';
  in ''
    ## Send a subrequest to Authelia to verify if the user is authenticated and
    # has permission to access the resource.

    auth_request /internal/authelia/authz${optionalString (method == "basic") "/basic"};

    ## Save the upstream metadata response headers from Authelia to variables.
    auth_request_set $user $upstream_http_remote_user;
    auth_request_set $groups $upstream_http_remote_groups;
    auth_request_set $name $upstream_http_remote_name;
    auth_request_set $email $upstream_http_remote_email;

    ## Inject the metadata response headers from the variables into the request
    ## made to the backend.
    proxy_set_header Remote-User $user;
    proxy_set_header Remote-Groups $groups;
    proxy_set_header Remote-Name $name;
    proxy_set_header Remote-Email $email;

    ${optionalString (method == "regular") snippet_regular}
  '';
  genAuthConfigPkg = method: pkgs.writeText "authelia-authrequest-${method}.conf" (genAuthConfig method);
in {
  # authelia
  options.services.nginx = let
    mkAttrsOfSubmoduleOpt = module: lib.mkOption {type = with types; attrsOf (submodule module);};

    # make system config accessible from submodules
    systemConfig = config;

    # submodule definitions
    vhostModule = {
      name,
      config,
      ...
    } @ attrs: {
      options = {
        locations = mkAttrsOfSubmoduleOpt (genLocationModule attrs);
        authelia = {
          endpoint = {
            instance = lib.mkOption {
              description = ''
                Local Authelia instance to act as the authentication endpoint.
                This virtualHost will be configured to provide the
                public-facing authentication service.
              '';
              type = with types; nullOr str;
              default = null;
            };
            upstream = lib.mkOption {
              description = ''
                Internal URL of the Authelia endpoint to forward authentication
                requests to.
              '';
              type = with types; nullOr str;
              default = null;
            };
          };
          instance = lib.mkOption {
            description = ''
              Local Authelia instance to use. Setting this option will
              automatically configure Authelia on the specified virtualHost
              with the given instance of Authelia.
            '';
            type = with types; nullOr str;
            default = null;
          };
          upstream = lib.mkOption {
            description = ''
              Internal URL of the Authelia endpoint to forward authorization
              requests to. This should not be the public-facing authentication
              endpoint URL.
            '';
            type = with types; nullOr str;
            default = null;
          };
          method = lib.mkOption {
            description = ''
              Default Authelia authentication method to use for all locations
              in this virtualHost. Authentication is disabled by default for
              all locations if this is set to `null`.
            '';
            type = with types; nullOr (enum validAuthMethods);
            default = "regular";
            example = "basic";
          };
        };
      };
      config = {
        authelia.upstream = mkIf (!(isNull config.authelia.instance)) (
          getUpstreamFromInstance config.authelia.instance
        );
        authelia.endpoint.upstream = mkIf (!(isNull config.authelia.endpoint.instance)) (
          getUpstreamFromInstance config.authelia.endpoint.instance
        );

        forceSSL = lib.mkIf (!(isNull config.authelia.endpoint.upstream)) true;

        # authelia nginx internal endpoints
        locations = let
          api = "${config.authelia.upstream}/api/authz/auth-request";
        in
          lib.mkMerge [
            (lib.mkIf (!(isNull config.authelia.upstream)) {
              # just setup both, they can't be accessed externally anyways.
              "/internal/authelia/authz" = {
                proxyPass = api;
                recommendedProxySettings = false;
                extraConfig = ''
                  include ${autheliaLocationConfig};
                '';
              };
              "/internal/authelia/authz/basic" = {
                proxyPass = "${api}/basic";
                recommendedProxySettings = false;
                extraConfig = ''
                  include ${autheliaBasicLocationConfig};
                '';
              };
            })
            (lib.mkIf (!(isNull config.authelia.endpoint.upstream)) {
              "/" = {
                extraConfig = ''
                  include "${autheliaProxyConfig}";
                '';
                proxyPass = "${config.authelia.endpoint.upstream}";
                recommendedProxySettings = false;
              };
              "= /api/verify" = {
                proxyPass = "${config.authelia.endpoint.upstream}";
                recommendedProxySettings = false;
              };
              "/api/authz" = {
                proxyPass = "${config.authelia.endpoint.upstream}";
                recommendedProxySettings = false;
              };
            })
          ];
      };
    };

    genLocationModule = vhostAttrs: {
      name,
      config,
      ...
    }: let
      vhostConfig = vhostAttrs.config;
    in {
      options.authelia.method = lib.mkOption {
        description = ''
          Authelia authentication method to use for this location.
          Authentication is disabled for this location if this is set to
          `null`.
        '';
        type = with types; nullOr (enum validAuthMethods);
        default = vhostConfig.authelia.method;
        example = "basic";
      };
      config =
        lib.mkIf
        (
          (!(lib.strings.hasPrefix "/internal/authelia/" name))
          && (!(isNull vhostConfig.authelia.upstream))
          && (!(isNull config.authelia.method))
        )
        {
          extraConfig = ''
            include ${genAuthConfigPkg config.authelia.method};
          '';
        };
    };
  in {
    virtualHosts = mkAttrsOfSubmoduleOpt vhostModule;
  };

  # TODO check if any vhosts have authelia configured
  config = let
    # TODO later, there are only assertions here
    configured = any (
      vhost: (!(isNull vhost.authelia.upstream)) || (!(isNull vhost.authelia.endpoint.upstream))
    ) (attrValues nginx.virtualHosts);
  in
    mkIf true {
      assertions = [
        {
          assertion = all (
            vhost: (!(isNull vhost.authelia.upstream)) -> (isNull vhost.authelia.endpoint.upstream)
          ) (attrValues nginx.virtualHosts);
          message = "`services.nginx.virtualHosts.<name>.authelia.upstream` and `services.nginx.virtualHosts.<name>.authelia.endpoint.upstream` cannot be set at the same time.";
        }
        # {
        #   assertion = all (
        #     vhost: vhost.authelia.instance -> config.services.authelia.instances ? "${vhost.authelia.instance}"
        #   ) (attrValues nginx.virtualHosts);
        #   message = "`services.authelia.instances.<name>` must be configured if `services.nginx.virtualHosts.<name>.authelia.instance` is set.";
        # }
      ];
    };
}