# NixOS module: Kanidm identity server plus a local client used for
# declarative provisioning of the admin accounts.
{ config, pkgs, ... }:
let
  # Public name the server is reached under; derived from the host's domain.
  hostname = "auth.${config.networking.domain}";
  # HTTPS listener port (kept as a string because it is interpolated below).
  port = "44300";
in
{
  services.kanidm = {
    # Package variant with secret-provisioning support (needed by `provision` below).
    package = pkgs.kanidmWithSecretProvisioning_1_7;
    enableServer = true;
    serverSettings = {
      # HTTPS API is bound to loopback only; presumably a reverse proxy
      # fronts it on ${hostname} — confirm there is one, since `origin`
      # advertises https://${hostname} to clients.
      bindaddress = "127.0.0.1:${port}";
      # NOTE(review): LDAPS is bound to ALL interfaces (unlike the HTTPS
      # listener above), so it is reachable from the network wherever the
      # host firewall allows 636/tcp. Verify this exposure is intended; if
      # only local consumers need LDAP, bind to 127.0.0.1 as well.
      ldapbindaddress = "0.0.0.0:636";
      domain = hostname;
      origin = "https://${hostname}";
      # Certificate and key come from the ACME-managed directory for this
      # host. The kanidm service must be able to read key.pem — TODO confirm
      # the service user has the required group membership / permissions.
      tls_chain = "/var/lib/acme/${hostname}/cert.pem";
      tls_key = "/var/lib/acme/${hostname}/key.pem";
      # Daily backup at 06:00, keeping the five most recent. The backups are
      # copies of the identity database, so the directory should be
      # restricted to the service user and included in offsite backup
      # encryption — TODO confirm its permissions.
      online_backup = {
        path = "/var/data/backups/kanidm";
        schedule = "00 06 * * *";
        versions = 5;
      };
    };
    enableClient = true;
    clientSettings = {
      # Client talks to the server over loopback, bypassing any proxy.
      uri = "https://127.0.0.1:${port}";
      # NOTE(review): CA verification is disabled for the local client,
      # presumably because the certificate is issued for ${hostname} and
      # would not match 127.0.0.1. Since the connection never leaves the
      # host the risk is limited, but a cleaner option is to keep
      # verification on and point `uri` at https://${hostname} with the
      # name resolving locally — confirm before changing.
      verify_ca = false;
    };
    # Declarative provisioning of the two built-in admin accounts; the
    # passwords are read from agenix-managed secret files at activation.
    provision = {
      enable = true;
      adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
      idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
    };
  };
}