{ config, pkgs, ... }:
# Kanidm identity server for this host.
#
# Exposure summary (from the bind addresses below):
#   * HTTPS API/UI is bound to loopback only (127.0.0.1:44300); it is presumably
#     published through nginx, since the kanidm user is added to the nginx
#     group further down -- confirm against the nginx vhost config.
#   * LDAPS is bound to the IPv4 wildcard on 636, so unlike the HTTPS port it
#     is reachable on every interface the host firewall lets through.  Open
#     that port deliberately, and only for the networks that need LDAP.
let
  fqdn = "auth.${config.networking.domain}";
  # Kept as a string on purpose: it is interpolated into bindaddress below and
  # Nix will not coerce an integer inside "${...}".
  httpsPort = "44300";
  acmeDir = "/var/lib/acme/${fqdn}";
in
{
  imports = [ ./client.nix ];

  # Lets the kanidm service user read the ACME certificate and key under
  # acmeDir, on the assumption that those files are group-owned by nginx
  # (TODO confirm in the acme/nginx config).  Caveat: this also grants read
  # access to anything else on the host that is nginx-group-readable; a
  # dedicated certificate group shared by nginx and kanidm would be narrower.
  users.users.kanidm.extraGroups = [ "nginx" ];

  # Kept for reference: the package variant with secret provisioning.
  # NOTE(review): if the NixOS module asserts that adminPasswordFile /
  # idmAdminPasswordFile require a provisioning-enabled package, this must be
  # re-enabled -- verify against the module's assertions before deploying.
  # services.kanidm.package = pkgs.kanidmWithSecretProvisioning_1_7;
  services.kanidm.enableServer = true;

  services.kanidm.serverSettings = {
    # Loopback-only HTTPS; nothing reaches this port without a local proxy.
    bindaddress = "127.0.0.1:${httpsPort}";
    # IPv4 wildcard: externally reachable once the firewall permits 636.
    # LDAPS is terminated by kanidm itself using tls_chain/tls_key below.
    ldapbindaddress = "0.0.0.0:636";

    # domain is the identity domain (per kanidm docs it also serves as the
    # WebAuthn relying-party ID, so changing it later invalidates enrolled
    # passkeys -- confirm before renaming).  origin must match the public
    # URL users actually hit, including scheme.
    domain = fqdn;
    origin = "https://${fqdn}";

    # Certificate material issued by ACME; readable via the nginx group
    # membership above.  The private key must stay unreadable to other users.
    tls_chain = "${acmeDir}/cert.pem";
    tls_key = "${acmeDir}/key.pem";

    # Daily 06:00 export of the kanidm database, keeping the last 5.  The
    # export contains the full identity store including credential material,
    # so the target directory needs the same confidentiality as the live DB:
    # verify it is owned by kanidm with a restrictive mode and is not shared
    # with other backup consumers.
    online_backup = {
      path = "/var/data/backups/kanidm";
      schedule = "00 06 * * *";
      versions = 5;
    };
  };

  # Sets the built-in admin and idm_admin account passwords from the decrypted
  # age secrets at activation time, instead of relying on the randomly
  # generated ones.  Rotating either password means re-encrypting the secret.
  services.kanidm.provision = {
    enable = true;
    adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
    idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
  };

  # Decrypted on the host by agenix; owner = kanidm so the service (not root)
  # can read them.  No explicit mode is set, so the agenix default applies --
  # presumably owner-read-only; confirm if the files must also stay
  # unreadable to the kanidm user's supplementary groups (nginx).
  age.secrets.kanidm-admin-password = {
    owner = "kanidm";
    file = ../../../secrets/zora/services/kanidm-admin-password.age;
  };
  age.secrets.kanidm-idm-admin-password = {
    owner = "kanidm";
    file = ../../../secrets/zora/services/kanidm-idm-admin-password.age;
  };
}