diff --git a/pkgs/servers/authelia/default.nix b/pkgs/servers/authelia/default.nix index 6f8cccb3c75..3e71fc77656 100644 --- a/pkgs/servers/authelia/default.nix +++ b/pkgs/servers/authelia/default.nix @@ -1,48 +1,14 @@ -{ lib, fetchFromGitHub, buildGoModule, installShellFiles, buildNpmPackage }: +{ lib, fetchFromGitHub, buildGoModule, installShellFiles, callPackage }: +let + inherit (import ./sources.nix { inherit fetchFromGitHub; }) pname version src vendorHash; + web = callPackage ./web.nix { }; +in buildGoModule rec { - pname = "authelia"; - version = "4.37.5"; - - src = fetchFromGitHub { - owner = "authelia"; - repo = "authelia"; - rev = "v${version}"; - sha256 = "sha256-xsdBnyPHFIimhp2rcudWqvVR36WN4vBXbxRmvgqMcDw="; - }; - vendorSha256 = "sha256-mzGE/T/2TT4+7uc2axTqG3aeLMnt1r9Ya7Zj2jIkw/w="; + inherit pname version src vendorHash; nativeBuildInputs = [ installShellFiles ]; - web = buildNpmPackage { - inherit src version; - - pname = "authelia-web"; - sourceRoot = "source/web"; - - patches = [ - ./change-web-out-dir.patch - ]; - - postPatch = '' - cp ${./package-lock.json} ./package-lock.json - ''; - - npmDepsHash = "sha256-MGs6UAxT5QZd8S3AO75mxuCb6U0UdRkGEjenOVj+Oqs="; - - npmFlags = [ "--legacy-peer-deps" ]; - - installPhase = '' - runHook preInstall - - mkdir -p $out/share - mv dist $out/share/authelia-web - - runHook postInstall - ''; - }; - - postPatch = '' cp -r ${web}/share/authelia-web/* internal/server/public_html ''; diff --git a/pkgs/servers/authelia/sources.nix b/pkgs/servers/authelia/sources.nix new file mode 100644 index 00000000000..3405a035fe5 --- /dev/null +++ b/pkgs/servers/authelia/sources.nix 
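Review bot: With `web` moved from a `buildGoModule` argument into the `let` block, `authelia.web` stops being an attribute of the package unless it is re-exported, yet update.sh in this commit still evaluates `authelia.web.npmDepsHash` and `fetchNewSha authelia.web`. The hunk shows only the top of the file, so a `passthru` further down may already cover this; if it does not, add `passthru = { inherit web; };` so the updater keeps resolving the web derivation. A one-line comment above the new `inherit` line would also help, for example `# pname, version, src and the hashes live in sources.nix, which update.sh rewrites`.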
@@ -0,0 +1,14 @@ +{ fetchFromGitHub }: +rec { + pname = "authelia"; + version = "4.37.5"; + + src = fetchFromGitHub { + owner = "authelia"; + repo = "authelia"; + rev = "v${version}"; + hash = "sha256-xsdBnyPHFIimhp2rcudWqvVR36WN4vBXbxRmvgqMcDw="; + }; + vendorHash = "sha256-mzGE/T/2TT4+7uc2axTqG3aeLMnt1r9Ya7Zj2jIkw/w="; + npmDepsHash = "sha256-MGs6UAxT5QZd8S3AO75mxuCb6U0UdRkGEjenOVj+Oqs="; +} diff --git a/pkgs/servers/authelia/update.sh b/pkgs/servers/authelia/update.sh index 216fc8fb5da..dd2435453c2 100755 --- a/pkgs/servers/authelia/update.sh +++ b/pkgs/servers/authelia/update.sh @@ -1,11 +1,11 @@ #! /usr/bin/env nix-shell -#! nix-shell -I nixpkgs=./. -i bash -p coreutils gnused nix nix-update nodePackages.npm +#! nix-shell -I nixpkgs=./. -i bash -p coreutils gnused curl nix jq nodePackages.npm set -euo pipefail DRV_DIR="$(dirname "${BASH_SOURCE[0]}")" -DRV_DIR=$(realpath $DRV_DIR) +DRV_DIR=$(realpath "$DRV_DIR") NIXPKGS_ROOT="$DRV_DIR/../../.." -NIXPKGS_ROOT=$(realpath $NIXPKGS_ROOT) +NIXPKGS_ROOT=$(realpath "$NIXPKGS_ROOT") instantiateClean() { nix-instantiate --eval --strict -E "with import ./. {}; $1" | cut -d\" -f2 
@@ -23,37 +23,63 @@ grab_version() { instantiateClean "authelia.version" } +# provide a github token so you don't get rate limited +# if you use gh cli you can use: +# `export GITHUB_TOKEN="$(cat ~/.config/gh/config.yml | yq '.hosts."github.com".oauth_token' -r)"` +# or just set your token by hand: +# `read -s -p "Enter your token: " GITHUB_TOKEN; export GITHUB_TOKEN` +# (we use read so it doesn't show in our shell history and in secret mode so the token you paste isn't visible) +if [ -z "${GITHUB_TOKEN:-}" ]; then + echo "no GITHUB_TOKEN provided - you could meet API request limiting" >&2 +fi + OLD_VERSION=$(instantiateClean "authelia.version") -nix-update authelia +LATEST_TAG=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} --silent https://api.github.com/repos/authelia/authelia/releases/latest | jq -r '.tag_name') +NEW_VERSION=$(echo ${LATEST_TAG} | sed 's/^v//') -NEW_VERSION=$(instantiateClean "authelia.version") if [[ "$OLD_VERSION" == "$NEW_VERSION" ]]; then echo "already up to date" exit fi +TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" +echo "New version $NEW_VERSION" +replace "$OLD_VERSION" "$NEW_VERSION" "$DRV_DIR/sources.nix" +OLD_SRC_HASH="$(instantiateClean authelia.src.outputHash)" +echo "Old src hash $OLD_SRC_HASH" +replace "$OLD_SRC_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix" +NEW_SRC_HASH="$(fetchNewSha authelia.src)" +echo "New src hash $NEW_SRC_HASH" +replace "$TMP_HASH" "$NEW_SRC_HASH" "$DRV_DIR/sources.nix" + +# after updating src the next focus is the web dependencies # build package-lock.json since authelia uses pnpm -# since they hard pin dependencies in package.json we can be pretty confident that versions will match WEB_DIR=$(mktemp -d) clean_up() { rm -rf "$WEB_DIR" } trap clean_up EXIT -OLD_PWD=$PWD -cd $WEB_DIR -OUT=$(nix-build -E "with import $NIXPKGS_ROOT {}; authelia.src" --no-out-link) -cp -r $OUT/web/package.json . 
-npm install --package-lock-only --legacy-peer-deps --ignore-scripts -mv package-lock.json "$DRV_DIR/" +# OLD_PWD=$PWD +# cd $WEB_DIR +# OUT=$(nix-build -E "with import $NIXPKGS_ROOT {}; authelia.src" --no-out-link) +# cp -r $OUT/web/package.json . +# npm install --package-lock-only --legacy-peer-deps --ignore-scripts +# mv package-lock.json "$DRV_DIR/" -cd $OLD_PWD -OLD_HASH="$(instantiateClean authelia.web.npmDepsHash)" -echo "Old hash $OLD_HASH" -TMP_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" -replace "$OLD_HASH" "$TMP_HASH" "$DRV_DIR/default.nix" -NEW_HASH="$(fetchNewSha authelia.web)" -echo "New hash $NEW_HASH" -replace "$TMP_HASH" "$NEW_HASH" "$DRV_DIR/default.nix" +# cd $OLD_PWD +OLD_NPM_DEPS_HASH="$(instantiateClean authelia.web.npmDepsHash)" +echo "Old npm deps hash $OLD_NPM_DEPS_HASH" +replace "$OLD_NPM_DEPS_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix" +NEW_NPM_DEPS_HASH="$(fetchNewSha authelia.web)" +echo "New npm deps hash $NEW_NPM_DEPS_HASH" +replace "$TMP_HASH" "$NEW_NPM_DEPS_HASH" "$DRV_DIR/sources.nix" clean_up + +OLD_GO_VENDOR_HASH="$(instantiateClean authelia.vendorHash)" +echo "Old go vendor hash $OLD_GO_VENDOR_HASH" +replace "$OLD_GO_VENDOR_HASH" "$TMP_HASH" "$DRV_DIR/sources.nix" +NEW_GO_VENDOR_HASH="$(fetchNewSha authelia.go-modules)" +echo "New go vendor hash $NEW_GO_VENDOR_HASH" +replace "$TMP_HASH" "$NEW_GO_VENDOR_HASH" "$DRV_DIR/sources.nix" diff --git a/pkgs/servers/authelia/web.nix b/pkgs/servers/authelia/web.nix new file mode 100644 index 00000000000..e28df798fd0 --- /dev/null +++ b/pkgs/servers/authelia/web.nix 
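Review bot: The token argument in `LATEST_TAG=$(curl ${GITHUB_TOKEN:+" -u \":$GITHUB_TOKEN\""} …)` is built as one string and expanded unquoted, so after word splitting the escaped quotes reach curl as literal characters inside the credential and the authenticated request most likely fails. curl runs without `--fail` and jq without `-e`, so an error or rate-limit response yields `null` for `.tag_name`, which differs from `OLD_VERSION` and is then written into `sources.nix` by the first `replace`. Building the arguments as an array, failing on HTTP errors and letting jq reject a missing tag closes both gaps, as sketched below. The token still ends up in curl's argument list, where other local users can read it from the process table; on a shared machine it is safer to pass it through a curl config file (`--config`) instead.

```shell
# … unchanged: GITHUB_TOKEN hint and OLD_VERSION lookup …
curl_args=(--silent --show-error --fail)
if [ -n "${GITHUB_TOKEN:-}" ]; then
  curl_args+=(--header "Authorization: Bearer $GITHUB_TOKEN")
fi
LATEST_TAG=$(curl "${curl_args[@]}" https://api.github.com/repos/authelia/authelia/releases/latest | jq -er '.tag_name')
NEW_VERSION="${LATEST_TAG#v}"
# … unchanged: version comparison and hash replacement …
```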
@@ -0,0 +1,30 @@
+{ buildNpmPackage, fetchFromGitHub }:
+
+let
+ inherit (import ./sources.nix { inherit fetchFromGitHub; }) pname version src npmDepsHash;
+in
+buildNpmPackage {
+ pname = "${pname}-web";
+ inherit src version npmDepsHash;
+
+ sourceRoot = "source/web";
+
+ patches = [
+ ./change-web-out-dir.patch
+ ];
+
+ postPatch = ''
+ cp ${./package-lock.json} ./package-lock.json
+ '';
+
+ npmFlags = [ "--legacy-peer-deps" ];
+
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/share
+ mv dist $out/share/authelia-web
+
+ runHook postInstall
+ '';
+}
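Review bot: `postPatch` replaces the lock file with the checked-in `./package-lock.json`, but update.sh in this same commit comments out the `npm install --package-lock-only` step that used to regenerate it, so after a version bump the lock file would still describe the previous release's dependency set. `npmDepsHash` is then computed over that stale lock, which presumably either breaks the build or pins web dependencies that differ from what the new `web/package.json` asks for. Either restore the regeneration step in update.sh or record the manual step here with a comment above `postPatch`, for example `# package-lock.json is generated from web/package.json (upstream uses pnpm); regenerate it on every version bump`.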