{ config, pkgs, lib, ... }:
let
  cfg = config.services.kanidm;
  settings = cfg.serverSettings;

  # Certificate/key pair shared by kanidm itself and by the nginx vhost in
  # front of it.  The "snakeoil" path name suggests a locally issued,
  # presumably self-signed cert — confirm before relying on it for clients.
  certPath = "/etc/ssl-snakeoil/auth_feal_no";
  certFile = "${certPath}.crt";
  keyFile = "${certPath}.key";

  # Directory in which systemd exposes the credentials loaded further down.
  credDir = "/run/credentials/kanidm.service";

  # LDAPS listener.  NOTE(review): this binds every interface, unlike the
  # HTTPS bindaddress below which stays on loopback behind nginx — confirm
  # the host firewall restricts who can reach port 636.
  ldapbindaddress = "0.0.0.0:636";
in
{
  # Kanidm - Identity management / auth provider
  services.kanidm.enableServer = true;
  services.kanidm.serverSettings = {
    domain = "auth.feal.no";
    origin = "https://${settings.domain}";
    # HTTPS listener kept on a loopback address; nginx fronts it for clients.
    bindaddress = "127.0.1.2:8300";
    inherit ldapbindaddress;
    # Read from the systemd credential directory, not from certPath directly.
    tls_chain = "${credDir}/cert.crt";
    tls_key = "${credDir}/cert.key";
  };

  # Hand the cert and key to the unit as systemd credentials, so the service
  # reads them under credDir instead of needing access to the files in /etc.
  systemd.services.kanidm.serviceConfig.LoadCredential = [
    "cert.crt:${certFile}"
    "cert.key:${keyFile}"
  ];

  # Public HTTPS vhost proxying to the loopback kanidm listener.
  services.nginx.virtualHosts.${settings.domain} = {
    forceSSL = true;
    sslCertificate = certFile;
    sslCertificateKey = keyFile;
    locations."/" = {
      proxyPass = "https://${settings.bindaddress}";
      # The upstream presents the same certPath cert, which nginx presumably
      # cannot validate; the proxied hop goes to the loopback bindaddress
      # above, so the unverified leg never leaves the host.
      extraConfig = ''
        proxy_ssl_verify off;
      '';
    };
  };

  environment.systemPackages = [ pkgs.kanidm ];
  # Client-side kanidm config so the CLI on this host targets this server.
  environment.etc."kanidm/config".text = ''
    uri="${settings.origin}"
  '';
}