{ config, ... }:
let
  # nginx proxies to lldap's web UI on the loopback interface; the port is
  # read back from the lldap module so the two definitions cannot drift apart.
  lldapHttpPort = toString config.services.lldap.settings.http_port;
in
{
  # lldap user + setup secrets owner (need to add user for secrets to work)
  users.groups.lldap = { };
  users.users.lldap = {
    isSystemUser = true;
    group = "lldap";
  };

  # The secret is owned by the service user so the unit can read it at
  # startup. NOTE(review): agenix's default file mode applies here; confirm
  # it stays owner-read-only.
  age.secrets.lldap-user-pass.owner = "lldap";

  services.lldap = {
    enable = true;

    settings = {
      # NOTE(review): verbose logging lands in the journal; check what it
      # records before leaving it enabled in production.
      verbose = true;
      ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
      ldap_base_dn = "dc=fricloud,dc=dk";
    };

    environment = {
      # always set admin password on startup
      # The admin password is read from the agenix-managed file at runtime
      # rather than being written into the Nix store.
      LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.lldap-user-pass.path;
      # only available on the newest master branch, will be enabled when a
      # new version is released.
      # https://github.com/lldap/lldap/issues/790
      # LLDAP_FORCE_LDAP_USER_PASS_RESET = "true";
    };
  };

  # TLS is terminated by nginx; the upstream hop is plain HTTP on loopback.
  # NOTE(review): whether lldap's own HTTP port is also reachable from other
  # interfaces depends on settings.http_host and the host firewall — confirm
  # it is not, otherwise the TLS front door can be bypassed.
  services.nginx.virtualHosts."ldap.fricloud.dk" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${lldapHttpPort}";
    };
  };

  # persistent files
  environment.persistence.root.directories = [
    {
      directory = "/var/lib/private/lldap";
      mode = "0700";
    }
  ];
}