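# Kanidm identity server for ${domain}: loopback-only listeners fronted by
# nginx (TLS via ACME), with nightly online backups.
{ pkgs, config, ... }:
let
  lib = pkgs.lib;
  domain = "auth.donsz.nl";
  port = 3013;
  backupsDir = "/var/lib/kanidm/backup";
in
{
  services.kanidm.enableServer = true;
  # Pinned server build; the CLI in environment.systemPackages is derived
  # from this option so the two cannot drift apart.
  services.kanidm.package = pkgs.kanidm_1_6;

  services.kanidm.serverSettings = {
    # Certificate material is provisioned by the ACME module for this domain;
    # read access is granted through SupplementaryGroups below.
    tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
    tls_key = "/var/lib/acme/${domain}/key.pem";
    # Both listeners bind to loopback only: HTTPS is reached through the
    # local nginx reverse proxy and LDAP is not exposed beyond this host.
    bindaddress = "[::1]:${toString port}";
    ldapbindaddress = "[::1]:3636";
    inherit domain;
    origin = "https://${domain}";
    # Only acceptable because bindaddress is loopback, so every request
    # arrives via the local nginx proxy and X-Forwarded-For cannot be set by
    # a remote client directly. Revisit if bindaddress is ever widened.
    trust_x_forward_for = true;
    online_backup = {
      path = backupsDir;
      # Daily at midnight (cron syntax).
      schedule = "0 0 * * *";
    };
  };

  systemd.services.kanidm = {
    # The backup directory must exist before the server starts.
    preStart = lib.mkBefore ''
      mkdir -p "${backupsDir}"
    '';
    serviceConfig = {
      # Read the ACME certificate directory without running as root.
      SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
    };
  };

  # Keep the kanidm CLI at exactly the version the server runs.
  environment.systemPackages = [ config.services.kanidm.package ];

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
    http2 = true;
    enableACME = true;
    locations."/" = {
      # kanidm terminates TLS itself, so proxy over https to the loopback port.
      # NOTE(review): trust_x_forward_for above only takes effect if nginx
      # actually forwards X-Forwarded-For (e.g. recommendedProxySettings,
      # which is not set in this file) — confirm it is enabled elsewhere.
      proxyPass = "https://[::1]:${toString port}";
    };
  };
}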