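# Deertopia's lldap: a lightweight LDAP/authentication server fronted by nginx.
# Secrets come from sops-nix; the admin password and the JWT secret are handed
# to lldap as files, the rest through an environment file.
{ config, lib, pkgs, ... }:
let
  cfg = config.sydnix.deertopia.lldap;
  lldapSettings = config.services.lldap.settings;
in
{
  options.sydnix.deertopia.lldap = {
    enable = lib.mkEnableOption ''
      Deertopia's lldap, a lightweight authentication server that provides
      an opinionated, simplified LDAP interface for authentication.
    '';
  };

  config = lib.mkIf cfg.enable {
    # HACK: Why doesn't the lldap module do this? Sops-nix fails to set the
    # secrets' owner as the user does not yet exist.
    users.users.lldap = {
      isSystemUser = true;
      group = "lldap";
    };
    users.groups.lldap = { };

    sydnix.sops.secrets =
      let
        # Readable only by the lldap service user: these files are opened by
        # the lldap process itself (see `environment` below).
        ownedByLldap = {
          mode = "0600";
          owner = "lldap";
          group = "lldap";
        };
      in
      {
        lldap-ldap-user-pass = ownedByLldap;
        lldap-jwt-secret = ownedByLldap;
        # Consumed via `environmentFile`, which is read by the service manager
        # rather than by the lldap user, so the sops default (root-owned) is
        # presumably sufficient here — confirm against the sydnix.sops wrapper.
        lldap-secret-env = { };
      };

    # Only the LDAP port is exposed directly. The web UI stays behind the nginx
    # vhost below, which terminates TLS; opening http_port here as well would
    # let the login form and issued JWTs travel over plain HTTP, bypassing
    # forceSSL.
    # NOTE(review): the LDAP listener is plain LDAP (no TLS is configured in
    # this module); keep it reachable only from networks that need it.
    networking.firewall.allowedTCPPorts = [ lldapSettings.ldap_port ];

    services.lldap = {
      enable = true;
      environment = {
        LLDAP_LDAP_USER_PASS_FILE = "/run/secrets/lldap-ldap-user-pass";
        LLDAP_JWT_SECRET_FILE = "/run/secrets/lldap-jwt-secret";
      };
      environmentFile = "/run/secrets/lldap-secret-env";
      settings = {
        ldap_base_dn = "dc=identify,dc=deertopia,dc=net";
        ldap_user_dn = "lain";
        ldap_user_email = "lain@deertopia.net";
      };
    };

    # Web UI / GraphQL API: TLS terminated by nginx, proxied to the local
    # lldap HTTP listener.
    sydnix.deertopia.nginx.vhosts."identify".vhost = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass =
          let port = builtins.toString lldapSettings.http_port;
          in "http://localhost:${port}";
      };
    };

    # NOTE(review): an HTTP reverse proxy cannot carry the LDAP protocol, so
    # this vhost effectively only provisions a certificate for the "ldap"
    # name; LDAP clients have to use the port opened in the firewall above
    # (or a TCP stream proxy, which is not configured here).
    sydnix.deertopia.nginx.vhosts."ldap".vhost = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass =
          let port = builtins.toString lldapSettings.ldap_port;
          in "http://localhost:${port}";
      };
    };
  };
}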