{ config, lib, ... }:
let
  # Shared LDAP helper that hands the provisioning closure below a scope
  # config (ldapCfg) and a helper library (ldapLib).
  mkScope = config.mine.shared.lib.ldap.mkScope;

  # Administrative accounts. For these the attribute name and the
  # user_id are the same string, so they can be generated from a list.
  adminNames = [ "admin" "eyjhb" "rasmus" ];

  # Groups declared here with no extra settings; only their names are
  # defined by this module.
  plainGroups = [
    "base_member"
    "system_service"
    "system_mail"
    "nextcloud_admin"
    "drasl_admin"
    "grafana_admin"
  ];
in
{
  imports = [ ./module ];

  services.lldap = {
    # Account used to run the provisioning step. The password is read
    # from the agenix secret's runtime path rather than being written
    # into the Nix store as a literal.
    provisionUsername = "admin";
    provisionPasswordFile = config.age.secrets.lldap-admin-user-pass.path;

    provision = mkScope (ldapCfg: ldapLib: {
      users =
        # admin users
        lib.genAttrs adminNames ldapLib.mkProvisionUserAdmin
        // {
          # bind user: the account other services authenticate to LDAP
          # with. Its groups are taken from the shared scope (ldapCfg),
          # not from the `groups` set declared below -- presumably
          # `strict_readonly` keeps it read-only; confirm in the shared
          # LDAP library.
          bind = {
            user_id = "bind_user";
            groups = [
              ldapCfg.groups.password_manager
              ldapCfg.groups.strict_readonly
            ];
          };

          # system users are provisioned by each service's own module;
          # they should not be added here.

          # normal users
          # NOTE: the attribute key (`user1`) differs from the user_id
          # ("thief420"); the user_id is what LLDAP actually stores.
          user1 = ldapLib.mkProvisionUserNormal "thief420";
          testusername =
            let base = ldapLib.mkProvisionUserNormal "testusername";
            in base // { mail = "testusername@fricloud.dk"; };
        };

      # groups
      groups = lib.genAttrs plainGroups (_: { });

      # custom group attributes
      # `group_foo` looks like a placeholder/example attribute -- verify
      # it is still needed before anything relies on it.
      group_attributes = {
        group_foo = {
          attributeType = "STRING";
          isEditable = true;
          isVisible = true;
        };
      };

      # custom user attributes
      user_attributes = {
        # visible but flagged non-editable (presumably not self-editable
        # by the user; confirm against LLDAP's attribute semantics)
        membermail = {
          attributeType = "STRING";
          isEditable = false;
          isVisible = true;
        };
        membermaildiskquota = { attributeType = "INTEGER"; };
        nextcloudquota = { attributeType = "INTEGER"; };
      };
    });
  };

  # Environment for the provisioning service, loaded from an agenix
  # secret at runtime (the secret name suggests it carries per-user
  # e-mail addresses -- confirm against the lldapsetup service).
  systemd.services.lldapsetup.serviceConfig.EnvironmentFile =
    config.age.secrets.lldap-user-emails-env.path;
}