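# NixOS module: runs LLDAP as an OCI (podman) container, feeds it its two
# secrets from sops as read-only files, and exposes the web UI only through a
# TLS-terminating nginx virtual host.
{ config, ... }:
let
  cfg = import ./vars.nix;
  port = cfg.lldap.webPort;
  domain = cfg.lldap.domain;
  # Host paths of the decrypted sops secrets; used both as env file paths
  # inside the container and as the read-only bind mounts that provide them.
  jwtSecret = config.sops.secrets."lldap/jwt".path;
  adminSecret = config.sops.secrets."lldap/admin".path;
in
{
  # Secrets are owned by the dedicated service user so only the container's
  # uid can read them.
  sops.secrets."lldap/admin" = { owner = "lldap"; };
  sops.secrets."lldap/jwt" = { owner = "lldap"; };

  # Fixed uid/gid (389) so the UID/GID env below matches the host owner of the
  # mounted secret files and of /var/lib/lldap.
  users.groups.lldap = { gid = 389; };
  users.users.lldap = {
    isSystemUser = true;
    group = "lldap";
    uid = 389;
  };

  virtualisation.oci-containers.containers.lldap = {
    image = "docker.io/nitnelave/lldap:stable";
    environment = {
      TZ = "Europe/Berlin";
      UID = "389";
      GID = "389";
      LLDAP_VERBOSE = "true";
      LLDAP_LDAP_BASE_DN = "dc=mc-fucker,dc=cool";
      LLDAP_LDAP_USER_DN = "ldapadmin";
      LLDAP_HTTP_URL = "https://${domain}";
      # Secrets are handed over as file paths (mounted :ro below), never as
      # inline env values that would show up in process/container inspection.
      LLDAP_JWT_SECRET_FILE = jwtSecret;
      LLDAP_LDAP_USER_PASS_FILE = adminSecret;
      LLDAP_SMTP_OPTIONS__ENABLE_PASSWORD_RESET = "true";
      LLDAP_SMTP_OPTIONS__SERVER = cfg.mail.host;
      # Container env values must be strings. toString is a no-op if vars.nix
      # already stores the port as a string and keeps evaluation from failing
      # if it is an integer.
      LLDAP_SMTP_OPTIONS__PORT = toString cfg.mail.port;
      LLDAP_SMTP_OPTIONS__SMTP_ENCRYPTION = "STARTTLS";
      # NOTE(review): only a display name survives here; the address part of
      # the From header appears to be missing — confirm the intended sender.
      LLDAP_SMTP_OPTIONS__FROM = "LLDAP Admin ";
    };
    ports = [
      # Plain (non-TLS) LDAP on host port 389, bound on all interfaces. Nothing
      # on this page shows who consumes it; if only local services do, prefer
      # "127.0.0.1:389:3890" here as well.
      "389:3890"
      # The web UI is only reached through the nginx proxy below, which talks
      # to localhost, so it is bound to loopback instead of every interface.
      "127.0.0.1:${port}:${port}"
    ];
    extraOptions = cfg.podman.extraOptions;
    volumes = [
      "${jwtSecret}:${jwtSecret}:ro"
      "${adminSecret}:${adminSecret}:ro"
      "/var/lib/lldap:/data"
    ];
  };

  # Reverse proxy for the web UI: forces HTTPS and obtains the certificate via
  # ACME; per-host access/error logs make the LLDAP UI traffic easy to audit.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${port}";
    };
    extraConfig = ''
      access_log /var/log/nginx/${domain}_access.log;
      error_log /var/log/nginx/${domain}_error.log;
    '';
  };
}
# vim: set et ts=2 sw=2 ai: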