diff --git a/hosts/sakura/services/authelia.nix b/hosts/sakura/services/authelia.nix
new file mode 100644
index 0000000..9b49a20
--- /dev/null
+++ b/hosts/sakura/services/authelia.nix
@@ -0,0 +1,59 @@
+{config, ...}: {
+  networking.firewall.allowedTCPPorts = [9091];
+  sops.secrets.authelia-jwt = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
+  sops.secrets.authelia-sek = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
+  services.authelia.instances.default = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = config.sops.secrets.authelia-jwt.path;
+      storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
+    };
+    settings = {
+      log.level = "debug";
+      theme = "dark";
+      default_2fa_method = "totp";
+      default_redirection_url = "https://passport.notohh.dev/";
+      authentication_backend = {
+        file.path = "/etc/authelia/user.yml";
+      };
+      session = {
+        domain = "notohh.dev";
+        expiration = 3600;
+        inactivity = 300;
+      };
+      totp = {
+        issuer = "authelia.com";
+        disable = false;
+        algorithm = "sha1";
+        digits = 6;
+        period = 30;
+        skew = 1;
+        secret_size = 32;
+      };
+      server = {
+        host = "0.0.0.0";
+        port = 9091;
+      };
+      access_control = {
+        default_policy = "deny";
+        rules = [
+          {
+            domain = "notohh.dev";
+            policy = "bypass";
+          }
+        ];
+      };
+      regulation = {
+        max_retries = 3;
+        find_time = 120;
+        ban_time = 300;
+      };
+      notifier.filesystem = {
+        filename = "/var/lib/authelia-default/notif.txt";
+      };
+      storage.local = {
+        path = "/var/lib/authelia-default/db.sqlite3";
+      };
+    };
+  };
+}
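Review bot: Authelia listens on `host = "0.0.0.0"` and `networking.firewall.allowedTCPPorts = [9091]` opens that port on every interface, yet Traefik reaches it over `http://localhost:9091` in traefik.nix, so the portal is also reachable directly over plain HTTP with no TLS router in front. Bind it locally with `server.host = "127.0.0.1";` and drop the `networking.firewall.allowedTCPPorts` line. The single `access_control` rule grants `policy = "bypass"` for `notohh.dev`, which is the host the forward-auth middleware is attached to in traefik.nix, so no login is ever required there; if that router is meant to be protected, the rule needs `policy = "one_factor";` or `"two_factor"`. `log.level = "debug"` also records request detail that is unwanted on a permanent install; `"info"` is the usual value.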
diff --git a/hosts/sakura/services/default.nix b/hosts/sakura/services/default.nix
index ef4b5e0..5a454c2 100644
--- a/hosts/sakura/services/default.nix
+++ b/hosts/sakura/services/default.nix
@@ -1,6 +1,7 @@
 {...}: {
   imports = [
     ./traefik.nix
+    ./authelia.nix
     ./hugo.nix
     ./foundryvtt.nix
     ./forgejo.nix
diff --git a/hosts/sakura/services/traefik.nix b/hosts/sakura/services/traefik.nix
index 18a774d..ab7f083 100644
--- a/hosts/sakura/services/traefik.nix
+++ b/hosts/sakura/services/traefik.nix
@@ -1,6 +1,6 @@
 {config, ...}: {
   sops.secrets.cloudflare-api-key = {};
-  networking.firewall.allowedTCPPorts = [80 443];
+  networking.firewall.allowedTCPPorts = [80 443 8080];
   systemd.services.traefik = {
     environment = {
       CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
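Review bot: Adding 8080 to `allowedTCPPorts` exposes whatever Traefik serves on that port to all interfaces, and nothing in this hunk states what that is; the prometheus metrics added in the last hunk of this file are served on Traefik's internal `traefik` entrypoint by default, which is port 8080 unless configured otherwise, so this presumably publishes the metrics (and the dashboard/API, if `api.insecure` is set somewhere not shown) without authentication. If the scraper runs on this host the firewall entry is unnecessary; if it is remote, limit the opening to that interface with `networking.firewall.interfaces.<iface>.allowedTCPPorts = [8080];` or expose the metrics through an authenticated router instead. The `systemd.services.traefik` block continues outside the hunk.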
@@ -12,6 +12,12 @@
   services.traefik = {
     enable = true;
     dynamicConfigOptions = {
+      http.middlewares.authelia = {
+        forwardauth = {
+          address = "http://localhost:9091/api/verify?rd=https://passport.notohh.dev/";
+          trustForwardHeader = true;
+        };
+      };
       http = {
         routers = {
           api = {
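Review bot: `trustForwardHeader = true` makes Traefik pass client-supplied `X-Forwarded-*` headers through to Authelia unchanged, and Authelia uses those headers to decide which original request, and therefore which access-control rule, it is evaluating, so this is only safe when the entrypoint itself drops forwarded headers from untrusted sources. The `forwardedHeaders.insecure = true` line visible as context in a later hunk of this file suggests it does not; `forwardedHeaders.trustedIPs` listing the upstream proxy ranges is the safer form. A one-line comment on the middleware would record the dependency: `# trustForwardHeader is only safe with forwardedHeaders.trustedIPs on the entrypoint`. The `http` routers block continues outside the hunk.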
@@ -34,12 +40,20 @@
             entrypoints = ["web"];
             service = "dashdot";
           };
+          authelia = {
+            rule = "Host(`passport.notohh.dev`)";
+            entrypoints = ["websecure"];
+            service = "authelia";
+            tls.domains = [{main = "*.notohh.dev";}];
+            tls.certresolver = "production";
+          };
           hugo = {
             rule = "Host(`notohh.dev`)";
-            entryPoints = ["websecure"];
+            entrypoints = ["websecure"];
             service = "hugo";
             tls.domains = [{main = "*.notohh.dev";}];
             tls.certresolver = "production";
+            middlewares = "authelia";
           };
           foundryvtt = {
             rule = "Host(`foundry.notohh.dev`)";
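Review bot: `middlewares = "authelia";` on the hugo router is a bare string, while Traefik documents router middlewares as a list and the sibling `entrypoints = ["websecure"];` in the same router already uses the list form; `middlewares = ["authelia"];` matches both and avoids relying on the config parser splitting a string. The new authelia router carries no middleware, which is correct since the portal must stay reachable to log in. The routers block continues outside the hunk.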
@@ -92,6 +106,7 @@
           };
         };
         services = {
+          authelia.loadBalancer.servers = [{url = "http://localhost:9091";}];
           dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
           hugo.loadBalancer.servers = [{url = "http://localhost:1313";}];
           jellyfin.loadBalancer.servers = [{url = "http://localhost:8096";}];
@@ -123,6 +138,11 @@
           forwardedHeaders.insecure = true;
         };
       };
+      metrics = {
+        prometheus = {
+          addServicesLabels = true;
+        };
+      };
       certificatesResolvers = {
         staging.acme = {
           email = "x3xr6n66@notohh.dev";