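{ config, pkgs, ... }:
# NixOS host "idm": OpenLDAP (LDAPS on 636) plus Keycloak backed by a local
# MariaDB, with ACME-issued certificates shared with slapd and agenix-managed
# secrets. State survives reboots via the impermanence mapping to /nix/persist.
{
  imports = [
    ./hardware-configuration.nix
    ../../modules/common_vm.nix
  ];

  # Secrets are decrypted at activation time into files owned by the service
  # that reads them, so no password is written as a literal into this file.
  age.secrets = {
    dbPassword = {
      file = ../../secrets/idm/keycloak_db_password.age;
      owner = "keycloak";
      group = "keycloak";
    };
    adminPassword = {
      file = ../../secrets/idm/ldap_admin_password.age;
      owner = "openldap";
      group = "openldap";
    };
  };

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";
  boot.loader.grub.useOSProber = true;

  networking.hostName = "idm";
  # 80   -> ACME HTTP-01 challenge listener (security.acme.certs below)
  # 8080 -> Keycloak plain HTTP; with proxy = "edge" this is meant to sit behind
  #         a TLS-terminating reverse proxy only (see services.keycloak.settings)
  # 636  -> LDAPS
  networking.firewall.allowedTCPPorts = [ 80 8080 636 ];

  services.openldap = {
    enable = true;
    # Only an LDAPS listener; no plaintext ldap:// endpoint is exposed.
    urlList = [ "ldaps:///" ];
    settings = {
      attrs = {
        olcLogLevel = "conns config";
        olcTLSCACertificateFile = "/var/lib/acme/idm.example.com/full.pem";
        olcTLSCertificateFile = "/var/lib/acme/idm.example.com/cert.pem";
        olcTLSCertificateKeyFile = "/var/lib/acme/idm.example.com/key.pem";
        # OpenSSL cipher-list syntax. The previous list explicitly re-enabled
        # RC4, 3DES and anonymous (aNULL) key exchange; aNULL suites provide no
        # server authentication at all, so a client using one would accept any
        # peer. Exclude them and keep only HIGH-grade authenticated suites.
        olcTLSCipherSuite = "HIGH:!aNULL:!eNULL:!RC4:!3DES";
        olcTLSCRLCheck = "none";
        # Clients authenticate with simple binds, not client certificates.
        olcTLSVerifyClient = "never";
        # OpenLDAP encodes TLS versions as <major>.<minor>: "3.3" is TLS 1.2.
        # The previous "3.1" (TLS 1.0) is deprecated and should not be offered.
        olcTLSProtocolMin = "3.3";
      };
      children = {
        "cn=schema".includes = [
          "${pkgs.openldap}/etc/schema/core.ldif"
          "${pkgs.openldap}/etc/schema/cosine.ldif"
          "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
        ];
        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = "dc=example,dc=com";
            # Directory manager account. The password is read from the agenix
            # secret file at runtime (olcRootPW.path), not embedded here.
            olcRootDN = "cn=admin,dc=example,dc=com";
            olcRootPW.path = config.age.secrets.adminPassword.path;
            olcAccess = [
              # userPassword: the owner and the Keycloak service account may
              # write it, anonymous may only use it to bind, nobody can read it.
              # The service-account DN must live under the configured suffix
              # (dc=example,dc=com); the earlier "dc=ecample" typo meant this
              # rule never matched Keycloak's bind DN.
              ''{0}to attrs=userPassword by self write by dn="uid=keycloak,ou=service_accounts,dc=example,dc=com" write by anonymous auth by * none''
              # Everything else is world-readable (including anonymous binds).
              ''{1}to * by * read''
            ];
          };
          children = {
            # Hash cleartext passwords on write so they are never stored as-is.
            "olcOverlay={2}ppolicy".attrs = {
              objectClass = [ "olcOverlayConfig" "olcPPolicyConfig" "top" ];
              olcOverlay = "{2}ppolicy";
              olcPPolicyHashCleartext = "TRUE";
            };
            # Maintain a reverse memberOf attribute for groupOfNames members.
            "olcOverlay={3}memberof".attrs = {
              objectClass = [ "olcOverlayConfig" "olcMemberOf" "top" ];
              olcOverlay = "{3}memberof";
              olcMemberOfRefInt = "TRUE";
              olcMemberOfDangling = "ignore";
              olcMemberOfGroupOC = "groupOfNames";
              olcMemberOfMemberAD = "member";
              olcMemberOfMemberOfAD = "memberOf";
            };
            # Keep DN-valued attributes consistent when entries are renamed/deleted.
            "olcOverlay={4}refint".attrs = {
              objectClass = [ "olcOverlayConfig" "olcRefintConfig" "top" ];
              olcOverlay = "{4}refint";
              olcRefintAttribute = "memberof member manager owner";
            };
          };
        };
      };
    };
  };

  # slapd reads the ACME certificate files at startup, so it must not come up
  # before the certificate unit has produced them.
  systemd.services.openldap = {
    wants = [ "acme-idm.example.com.service" ];
    after = [ "acme-idm.example.com.service" ];
  };

  security.acme.acceptTerms = true;
  security.acme.defaults.email = "admin@pfzetto.de";
  # Certificates are group-owned by "certs" so that openldap can read them.
  security.acme.defaults.group = "certs";
  users.groups.certs.members = [ "openldap" ];
  # Request the certificate for this host via HTTP-01 on port 80.
  security.acme.certs."idm.example.com" = {
    listenHTTP = "[::]:80";
    extraDomainNames = [];
  };

  services.mysql = {
    enable = true;
    package = pkgs.mariadb;
    ensureDatabases = [ "keycloak" ];
    ensureUsers = [{
      name = "keycloak";
      ensurePermissions = {
        "keycloak.*" = "ALL PRIVILEGES";
      };
    }];
  };

  services.keycloak = {
    enable = true;
    package = pkgs.keycloak;
    database = {
      # The database is provisioned by services.mysql above, not by Keycloak.
      createLocally = false;
      name = "keycloak";
      type = "mariadb";
      # Loopback only, which is why the connection runs without TLS.
      host = "[::1]";
      port = 3306;
      useSSL = false;
      username = "keycloak";
      passwordFile = config.age.secrets.dbPassword.path;
    };
    settings = {
      hostname = "idm.example.com";
      http-host = "[::]";
      http-port = 8080;
      # "edge": TLS is terminated by a reverse proxy and Keycloak trusts the
      # forwarded headers it sends. 8080 should therefore be reachable only from
      # that proxy; NOTE(review): confirm that common_vm.nix / the network
      # layout restricts it, since the firewall rule above opens it generally.
      proxy = "edge";
    };
  };

  users.groups.keycloak = {};
  users.users.keycloak = {
    isSystemUser = true;
    group = "keycloak";
  };

  # Impermanence: only these paths survive a reboot of the ephemeral root.
  environment.persistence."/nix/persist" = {
    hideMounts = true;
    directories = [
      "/etc/nixos"
      "/etc/openldap"
      "/var/log"
      "/var/lib"
    ];
    files = [
      "/etc/machine-id"
      "/etc/ssh/ssh_host_ed25519_key"
      "/etc/ssh/ssh_host_ed25519_key.pub"
      "/etc/ssh/ssh_host_rsa_key"
      "/etc/ssh/ssh_host_rsa_key.pub"
    ];
  };

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It's perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
  system.stateVersion = "23.05"; # Did you read the comment?
}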