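{ config, pkgs, ... }:
let
  # Single source of truth for the identity-provider hostname; every block
  # below (kanidm, ACME, Caddy) keys on the same value.
  authDomain = config.homelab.authDomain;

  # Directory in which the ACME module places the issued certificate pair for
  # that hostname.
  acmeDir = config.security.acme.certs.${authDomain}.directory;
in
{
  services.kanidm = {
    server.enable = true;
    # Only the server runs on this host; the PAM/NSS client side stays off.
    unix.enable = false;
    package = pkgs.kanidm_1_9;

    server.settings = {
      # HTTPS is loopback-only: the Caddy virtual host below is the sole
      # externally reachable entry point.
      bindaddress = "127.0.0.1:8443";
      # NOTE(review): LDAPS is bound on every interface while HTTPS is not —
      # confirm this exposure is intended and that the host firewall restricts
      # who can reach port 636.
      ldapbindaddress = "0.0.0.0:636";
      domain = authDomain;
      origin = "https://${authDomain}";
      # Kanidm terminates TLS itself with the ACME-issued pair. The kanidm
      # user can read these files because of the kanidm-acme group membership
      # configured at the bottom of this module.
      tls_chain = "${acmeDir}/cert.pem";
      tls_key = "${acmeDir}/key.pem";
      online_backup = {
        schedule = "00 22 * * *"; # daily at 22:00
        path = "/media/apps/kanidm";
        versions = 14; # retain two weeks of daily backups
      };
    };
  };

  security.acme.certs.${authDomain} = {
    # Group that owns the certificate directory, so both Caddy and Kanidm can
    # read the key without widening file permissions.
    group = "kanidm-acme";
    domain = authDomain;
    # DNS-01 challenge via Cloudflare; wait for the TXT record to propagate
    # (checked against 1.1.1.1) before asking the CA to validate.
    dnsProvider = "cloudflare";
    dnsResolver = "1.1.1.1:53";
    dnsPropagationCheck = true;
  };

  services.caddy.virtualHosts.${authDomain} = {
    # Reuse the certificate issued above instead of letting Caddy obtain its
    # own; this follows the kanidm domain setting so the two cannot drift.
    useACMEHost = config.services.kanidm.server.settings.domain;
    extraConfig = ''
      reverse_proxy https://localhost:8443 {
        header_up Host "${authDomain}:8443"
        transport http {
          # Caddy dials localhost but the backend presents the ACME cert for
          # the public hostname, so verify against that name instead.
          tls_server_name ${authDomain}
        }
      }
    '';
  };

  # Shared group so that caddy and kanidm can both read the ACME certificate
  # directory (see security.acme.certs.<name>.group above).
  users.groups.kanidm-acme = { };
  users.users.caddy.extraGroups = [ "kanidm-acme" ];
  users.users.kanidm.extraGroups = [ "kanidm-acme" ];
}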