{ lib, pkgs, config, ... }:
let
  cfg = config.myServices.databases.openldap;
  ldapConfig = let
    eldiron_schemas = pkgs.callPackage ./eldiron_schemas.nix {};
  in ''
    ${eldiron_schemas}

    pidfile         ${cfg.pids.pid}
    argsfile        ${cfg.pids.args}

    moduleload      back_hdb
    backend         hdb

    moduleload      memberof
    database        hdb
    suffix          "${cfg.baseDn}"
    rootdn          "${cfg.rootDn}"
    include         ${config.secrets.location}/ldap/password
    directory       ${cfg.dataDir}
    overlay         memberof

    moduleload      syncprov
    overlay         syncprov
    syncprov-checkpoint 100 10

    TLSCertificateFile    ${config.security.acme.directory}/ldap/cert.pem
    TLSCertificateKeyFile ${config.security.acme.directory}/ldap/key.pem
    TLSCACertificateFile  ${config.security.acme.directory}/ldap/fullchain.pem
    TLSCACertificatePath  ${pkgs.cacert.unbundled}/etc/ssl/certs/
    #This makes openldap crash
    #TLSCipherSuite        DEFAULT

    sasl-host kerberos.immae.eu
    include ${config.secrets.location}/ldap/access
    '';
in
{
  options.myServices.databases = {
    openldap = {
      enable = lib.mkOption {
        default = false;
        example = true;
        description = "Whether to enable ldap";
        type = lib.types.bool;
      };
      baseDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Base DN for LDAP
        '';
      };
      rootDn = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root DN
        '';
      };
      rootPw = lib.mkOption {
        type = lib.types.str;
        description = ''
          Root (Hashed) password
        '';
      };
      accessFile = lib.mkOption {
        type = lib.types.path;
        description = ''
          The file path that defines the access
        '';
      };
      dataDir = lib.mkOption {
        type = lib.types.path;
        default = "/var/lib/openldap";
        description = ''
          The directory where Openldap stores its data.
        '';
      };
      socketsDir = lib.mkOption {
        type = lib.types.path;
        default = "/run/slapd";
        description = ''
          The directory where Openldap puts sockets and pid files.
          '';
      };
      # Output variables
      pids = lib.mkOption {
        type = lib.types.attrsOf lib.types.path;
        default = {
          pid  = "${cfg.socketsDir}/slapd.pid";
          args = "${cfg.socketsDir}/slapd.args";
        };
        readOnly = true;
        description = ''
          Slapd pid files
          '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    secrets.keys = [
       {
        dest = "ldap/password";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = "rootpw          ${cfg.rootPw}";
      }
      {
        dest = "ldap/access";
        permissions = "0400";
        user = "openldap";
        group = "openldap";
        text = builtins.readFile "${cfg.accessFile}";
      }
    ];
    users.users.openldap.extraGroups = [ "keys" ];
    networking.firewall.allowedTCPPorts = [ 636 389 ];

    security.acme.certs."ldap" = config.myServices.databasesCerts // {
      user = "openldap";
      group = "openldap";
      plugins = [ "fullchain.pem" "key.pem" "cert.pem" "account_key.json" ];
      domain = "ldap.immae.eu";
      postRun = ''
        systemctl restart openldap.service
      '';
    };

    services.filesWatcher.openldap = {
      restart = true;
      paths = [ "${config.secrets.location}/ldap/" ];
    };

    services.openldap = {
      enable = true;
      dataDir = cfg.dataDir;
      urlList = [ "ldap://" "ldaps://" ];
      extraConfig = ldapConfig;
    };
  };
}