{ config, ... }:
{
  # LDAP identity provider for the fricloud.dk directory.
  services.lldap = {
    enable = true;

    settings = {
      # Verbose server logging is enabled; review what it records before
      # shipping logs elsewhere.
      verbose = true;
      ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
      ldap_base_dn = "dc=fricloud,dc=dk";
    };

    environment = {
      # The admin password comes from an agenix secret file, so it never
      # lands in the Nix store. Whether lldap re-applies it on every start
      # (rather than only seeding it) depends on the force-reset flag below
      # being active -- confirm against the lldap version in use.
      LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-admin-user-pass.path;

      # Not part of a released lldap version yet; turn on once it ships.
      # https://github.com/lldap/lldap/issues/790
      # LLDAP_FORCE_LDAP_USER_PASS_RESET = "true";
    };
  };

  # TLS-terminating reverse proxy for the lldap web UI. The hop from nginx to
  # the backend is plain HTTP over localhost.
  services.nginx.virtualHosts."ldap.fricloud.dk" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass =
      "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
  };

  # lldap state persists across reboots with owner-only permissions.
  environment.persistence.root.directories = [
    {
      directory = "/var/lib/private/lldap";
      mode = "0700";
    }
  ];

  # Dedicated system user and group; the agenix secrets below need an owner
  # that exists at activation time.
  users.users.lldap = {
    group = "lldap";
    isSystemUser = true;
  };
  users.groups.lldap = { };

  age.secrets = {
    lldap-admin-user-pass.owner = "lldap";
  };

  # Connection parameters shared with other modules that talk to this directory.
  #
  # Glossary: CN = Common Name, OU = Organizational Unit, DC = Domain Component.
  # lldap keeps users under ou=people and groups under ou=groups beneath the
  # base DN, e.g. cn=bob,ou=people,dc=example,dc=com and
  # cn=family,ou=groups,dc=example,dc=com. memberOf is supported, so membership
  # can be tested with a filter such as (memberOf=cn=admins,ou=groups,dc=example,dc=com).
  mine.settings.ldap = rec {
    # Plaintext ldap:// is only ever spoken over the loopback interface here.
    host = "localhost";
    port = 3890;
    url = "ldap://${host}:${builtins.toString port}";
    dc = "dc=fricloud,dc=dk";

    ou = {
      groups = "groups";
      users = "people";
    };
    users = {
      admin = "admin";
      bind = "bind_user";
    };
    groups = {
      admin = "lldap_admin";
      member = "base_member";
    };

    # Bind identity that consuming services presumably use for lookups; its
    # password is an agenix secret path rather than an inline string.
    bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
    age_secret = config.age.secrets.lldap-bind-user-pass.path;

    search_base = "ou=${ou.users},${dc}";
    # Only members of the named groups match these filters, so consumers can
    # gate ordinary and admin access on explicit group membership.
    user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
    admin_filter = "(memberof=cn=${groups.admin},ou=${ou.groups},${dc})";

    # Attribute names consumers should map their own fields onto.
    attr = {
      uid = "uid";
      firstname = "givenName";
      lastname = "sn";
      email = "mail";
      avatar = "jpegPhoto";
    };
  };
}