diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix
index 9df77b6..1c1811c 100644
--- a/machines/lebesgue/config/configuration.nix
+++ b/machines/lebesgue/config/configuration.nix
@@ -20,6 +20,19 @@
 ssh-domain = "lebesgue";
 };
+ services.authelia = {
+ enable = true;
+ domain = "foehammer.me";
+ url = "https://auth.foehammer.me";
+ jwtSecretFile = config.sops.secrets.authelia-jwtsecret.path;
+
+ userDbFile = config.sops.secrets.authelia-users.path;
+ # oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-oidc-privkey.path;
+ # oidcHmacSecretFile = config.sops.secrets.authelia-oidc-hmac.path;
+ sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
+ storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path;
+ };
+
 services.vaultwarden = {
 enable = true;
 domain = "https://passwords.foehammer.me";
diff --git a/machines/lebesgue/config/routing.nix b/machines/lebesgue/config/routing.nix
index 6d5c70a..068b5d3 100644
--- a/machines/lebesgue/config/routing.nix
+++ b/machines/lebesgue/config/routing.nix
@@ -8,6 +8,11 @@
 reverse_proxy :${toString config.foehammer.services.vaultwarden.port}
 '';
 };
+ "auth.foehammer.me" = {
+ extraConfig = ''
+ reverse_proxy :${toString config.foehammer.services.authelia.port}
+ '';
+ };
 "goatcounter.foehammer.me" = {
 extraConfig = ''
 reverse_proxy :${toString config.foehammer.services.goatcounter.port}
diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix
index 89cbc0e..f8538b9 100644
--- a/machines/lebesgue/config/secrets.nix
+++ b/machines/lebesgue/config/secrets.nix
@@ -3,6 +3,10 @@
 defaultSopsFile = ../secrets/main.yaml;
 secrets = let
+ autheliaSecret = {
+ owner = "authelia-main";
+ sopsFile = ../secrets/authelia/secrets.yaml;
+ };
 in {
 admin-password.neededForUsers = true;
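Review bot: The two commented-out options `oidcIssuerPrivateKeyFile` and `oidcHmacSecretFile` carry no explanation, while the secrets they would consume are still declared (and so decrypted onto the host) by the secrets.nix hunks of this same commit, so a reader cannot tell whether OIDC is pending, abandoned, or half-wired. A one-line comment above them such as `# OIDC provider not enabled yet; the authelia-oidc-* sops secrets are kept for when it is` would record the intent and tell the next maintainer whether the unused key material may be dropped. It is also worth a short note on `domain = "foehammer.me";` that, if this value feeds Authelia's session cookie domain, the session cookie is presented to every *.foehammer.me vhost on this proxy, so each of those services must be trusted with it — that is Authelia's SSO model, but the consequence is not obvious from the bare string. The `services.authelia` attribute set is fully inside the hunk; the enclosing module body is not.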
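Review bot: The new `"auth.foehammer.me"` vhost only publishes the Authelia portal; nothing in this hunk or elsewhere in the commit attaches Authelia to a protected vhost, so unless a later change adds the forward-auth directive, the portal issues sessions that no route ever checks — presumably intended as a first step, but a comment on the vhost such as `# Authelia portal; protected vhosts must reference it via forward_auth` would make the intended wiring explicit. Authelia also reasons about the client from `X-Forwarded-For`/`X-Forwarded-Proto`/`X-Forwarded-Host` (redirect URLs and per-IP login regulation); current `reverse_proxy` sets those itself, but if any other proxy or CDN is ever placed in front of this host, a `trusted_proxies` setting is required or clients can forge their source address. The enclosing virtualHosts attribute set begins before and ends after the hunk.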
@@ -13,6 +17,16 @@
 restic-env = {owner = "restic";};
 restic-password = {owner = "restic";};
 restic-repository = {owner = "restic";};
+
+ authelia-jwtsecret = autheliaSecret;
+ authelia-oidc-privkey = autheliaSecret;
+ authelia-oidc-hmac = autheliaSecret;
+ authelia-session-secret = autheliaSecret;
+ authelia-storage-encryption = autheliaSecret;
+ authelia-users = {
+ owner = "authelia-main";
+ sopsFile = ../secrets/authelia/users.yaml;
+ };
 };
 };
 }
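Review bot: `authelia-oidc-privkey` and `authelia-oidc-hmac` are declared here and will be decrypted onto the host for `authelia-main`, yet the configuration.nix hunk of this commit leaves their only consumers commented out, so an OIDC signing key and HMAC secret are provisioned for nothing; either drop the two entries until OIDC is enabled or say why they stay, e.g. `# OIDC keys: unused until the oidc* options in services.authelia are uncommented`. Separately, `authelia-users` repeats the owner instead of reusing the helper; `authelia-users = autheliaSecret // { sopsFile = ../secrets/authelia/users.yaml; };` keeps the two in step if the owner or mode ever changes. None of the new entries set `mode`, so they rely on the sops-nix default (owner-read-only as of current sops-nix) — worth a one-line comment on `autheliaSecret` in the earlier hunk so nobody relaxes it when a `group` is added later. The `secrets` attribute set and its `let` begin in the earlier hunk.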