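# NixOS module: Deertopia's lldap instance plus two nginx vhosts.
#   - "identify": reverse proxy to lldap's own web UI / API.
#   - "ldap":     an auth_request-protected front end whose /auth-proxy
#                 location hands credentials to an external LDAP auth daemon
#                 ("consultant", localhost:9090) that binds against lldap.
#
# Changes versus the previous revision of this module:
#   * X-Ldap-URL now points at lldap's LDAP listener (settings.ldap_port);
#     it previously reused the HTTP port, which the LDAP auth daemon cannot
#     speak to.
#   * The LDAP bind password of the nginx service account is no longer a
#     literal in this file (which is copied into the world-readable Nix store
#     and into the rendered nginx.conf). It is now an nginx snippet managed by
#     sops and pulled in with `include`.
{ config, lib, pkgs, ... }:
let
  cfg = config.sydnix.deertopia.lldap;
in
{
  options.sydnix.deertopia.lldap = {
    enable = lib.mkEnableOption ''
      Deertopia's lldap, a lightweight authentication server that provides an
      opinionated, simplified LDAP interface for authentication.
    '';
  };

  config = lib.mkIf cfg.enable {
    # HACK: Why doesn't the lldap module do this? Sops-nix fails to set the
    # secrets' owner as the user does not yet exist.
    users.users.lldap = {
      isSystemUser = true;
      group = "lldap";
    };
    users.groups.lldap = { };

    sydnix.sops.secrets =
      let
        # Secrets read by the lldap service itself: private to its user.
        lldapOnly = {
          mode = "0600";
          owner = "lldap";
          group = "lldap";
        };
      in
      {
        lldap-ldap-user-pass = lldapOnly;
        lldap-jwt-secret = lldapOnly;
        lldap-secret-env = { };
        # Nginx snippet carrying the bind password of the auth-proxy's LDAP
        # service account. The decrypted file is expected to contain exactly
        # one directive, e.g. (constructed example):
        #   proxy_set_header X-Ldap-BindPass "<bind password>";
        # NixOS runs the nginx master as the nginx user (with ambient
        # capabilities rather than as root), so the snippet must be readable
        # by that user and by nobody else.
        lldap-nginx-bind-pass-conf = {
          mode = "0400";
          owner = "nginx";
          group = "nginx";
        };
      };

    # NOTE(review): this opens plain (unencrypted) LDAP on every interface the
    # firewall covers. The auth proxy below only ever talks to localhost, so if
    # no external LDAP clients exist, ldap_port should not be listed here; if
    # they do, they should go through LDAPS/STARTTLS instead. Left as-is until
    # confirmed.
    networking.firewall.allowedTCPPorts = [
      config.services.lldap.settings.http_port
      config.services.lldap.settings.ldap_port
    ];

    services.lldap = {
      enable = true;
      # Secrets are read from files/env at runtime so they never enter the
      # Nix store.
      environment = {
        LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
        LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
      };
      environmentFile = "/run/secrets/lldap-secret-env";
      settings = {
        ldap_base_dn = "dc=identify,dc=deertopia,dc=net";
        ldap_user_dn = "lain";
        ldap_user_email = "lain@deertopia.net";
      };
    };

    # lldap's own web UI / API, reachable as the "identify" vhost.
    sydnix.deertopia.nginx.vhosts."identify".vhost = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass =
          let
            httpPort = builtins.toString config.services.lldap.settings.http_port;
          in
          "http://localhost:${httpPort}";
      };
    };

    # Cache zone for auth_request results, keyed on the presented credentials
    # so a successful bind is not repeated on every request.
    services.nginx.proxyCachePath."cache/" = {
      enable = true;
      keysZoneName = "auth_cache";
    };

    # Auth-gated vhost: every request to / is first checked by /auth-proxy,
    # which forwards the credentials to the LDAP auth daemon.
    sydnix.deertopia.nginx.vhosts."ldap".vhost =
      let
        # The external auth daemon / application behind the gate.
        consultant = "http://localhost:9090";
        # The auth daemon speaks LDAP, so it must be given lldap's LDAP
        # listener, not the HTTP port used by the "identify" vhost.
        ldapPort = builtins.toString config.services.lldap.settings.ldap_port;
        baseDn = config.services.lldap.settings.ldap_base_dn;
        nginxBindUser = "nginx-bind-user";
      in
      {
        forceSSL = true;
        enableACME = true;

        locations."/".extraConfig = ''
          auth_request /auth-proxy;
          error_page 401 =200 /login;
          proxy_pass ${consultant};
        '';

        locations."/login".extraConfig = ''
          proxy_pass ${consultant}/login;
          proxy_set_header X-Target $request_uri;
        '';

        locations."= /auth-proxy".extraConfig = ''
          internal;
          proxy_pass ${consultant};
          proxy_pass_request_body off;
          proxy_pass_request_headers off;
          proxy_set_header Content-Length "";

          proxy_cache auth_cache;
          proxy_cache_valid 200 10m;
          proxy_cache_key "$http_authorization$cookie_nginxauth";

          proxy_set_header X-Ldap-URL "ldap://localhost:${ldapPort}";
          # NOTE(review): lldap is generally documented as exposing users under
          # ou=people,<base> with uid= RDNs; the cn= forms below look like they
          # were carried over from the nginx-ldap-auth reference config.
          # Confirm against the live lldap tree before relying on them.
          proxy_set_header X-Ldap-BaseDN "cn=people,${baseDn}";
          proxy_set_header X-Ldap-BindDN "cn=${nginxBindUser},${baseDn}";
          # Bind password lives in a sops-managed snippet (see
          # sydnix.sops.secrets.lldap-nginx-bind-pass-conf) instead of here.
          include /run/secrets/lldap-nginx-bind-pass-conf;

          proxy_set_header X-CookieName "nginxauth";
          proxy_set_header Cookie nginxauth=$cookie_nginxauth;
        '';
      };
  };
}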