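{ config, pkgs, lib, ... }:
let
  # TCP port the Kanidm server listens on inside the container; Caddy on the
  # host proxies to it over the private container network.
  kanidmPort = 1888;
in
{
  # Admin credentials are decrypted by agenix on the host and handed to the
  # container through the /run/agenix bind mount below.
  age.secrets.kanidm-admin-password = lib.mkSecret "kanidm";
  age.secrets.kanidm-idm-admin-password = lib.mkSecret "kanidm";

  users.groups.kanidm = { };
  users.users.kanidm = {
    group = "kanidm";
    isSystemUser = true;
  };

  containers.kanidm = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.101.10";
    localAddress = "192.168.101.11";

    bindMounts = {
      # TLS material and the database live on the persistent host volume.
      "/certs" = {
        hostPath = "/nix/persist/services/kanidm/certs";
        isReadOnly = false;
      };
      "/var/lib/kanidm" = {
        hostPath = "/nix/persist/services/kanidm/db";
        isReadOnly = false;
      };
      # The provisioner only reads the password files, so the secrets
      # directory is mounted read-only: a compromise inside the container
      # must not be able to alter host-side secrets. (A commented-out
      # variant of this mount used config.age.secretsDir as the key.)
      "/run/agenix" = {
        hostPath = "/run/agenix";
        isReadOnly = true;
      };
    };

    config = { lib, ... }: {
      imports = [
        # ../../modules/global/nix.nix
        ../../modules/global/dnscrypt-proxy.nix
      ];

      services.kanidm = {
        enableServer = true;
        enableClient = true;
        package = pkgs.kanidmWithSecretProvisioning;

        serverSettings = {
          domain = "idm.nothing.run";
          origin = "https://idm.nothing.run";
          # Bound on all container interfaces so the host-side Caddy proxy
          # can reach it; a loopback-only bind is kept for reference.
          # bindaddress = "127.0.0.1:${toString kanidmPort}";
          bindaddress = "0.0.0.0:${toString kanidmPort}";
          # NOTE(review): trace logging is very verbose for an identity
          # server; consider lowering it once the setup is stable.
          log_level = "trace";
          # NOTE(review): X-Forwarded-For is trusted from any peer that can
          # reach bindaddress. Only Caddy should be able to, via the private
          # network and the firewall rule below — confirm nothing else is
          # routed onto 192.168.101.0/24.
          trust_x_forward_for = true;
          tls_chain = "/certs/chain.pem";
          tls_key = "/certs/key.pem";
        };

        # The in-container client talks to the server over loopback; the
        # certificate is issued for idm.nothing.run, so CA/hostname checks
        # are disabled for this hop only.
        clientSettings = {
          uri = "https://127.0.0.1:${toString kanidmPort}";
          verify_ca = false;
          verify_hostnames = false;
        };

        # Reuse the host-level provision definition (outer `config`, not the
        # container's) and force provisioning on inside the container.
        provision = lib.mkMerge [
          { enable = lib.mkForce true; }
          config.services.kanidm.provision
        ];
      };

      networking.firewall = {
        enable = true;
        allowedTCPPorts = [ kanidmPort ];
      };

      system.stateVersion = "25.05";
    };
  };

  # Declarative groups/persons, defined on the host so the container block
  # above can merge them in. acceptInvalidCerts mirrors the loopback client
  # settings: the provisioner connects via 127.0.0.1, not the certified name.
  services.kanidm.provision = {
    acceptInvalidCerts = true;
    instanceUrl = "https://127.0.0.1:${toString kanidmPort}";
    adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
    idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
    groups.admins = { };
    persons = {
      "thary" = {
        "displayName" = "Thary";
        "mailAddresses" = [
          "thary@riseup.net"
          "thary@nothing.run"
        ];
        groups = [
          "gitea.access"
          "gitea.admins"
          "miniflux.access"
        ];
      };
    };
  };

  imp.home.dirs = [ ".cache/kanidm_tokens" ];

  # The host-side client goes through the public name and fully verifies TLS.
  services.kanidm.enableClient = true;
  services.kanidm.clientSettings = {
    uri = "https://idm.nothing.run";
    verify_ca = true;
    verify_hostnames = true;
  };

  # Caddy terminates public TLS and re-encrypts to the container. The
  # upstream certificate is for idm.nothing.run, not the container IP, so
  # verification of that internal hop is skipped.
  # NOTE(review): if the chain in /certs is trusted by the host, replacing
  # tls_insecure_skip_verify with `tls_server_name idm.nothing.run` would
  # make this hop verifiable — confirm before changing.
  services.caddy.virtualHosts = {
    "idm.nothing.run".extraConfig = ''
      reverse_proxy https://192.168.101.11:${toString kanidmPort} {
        transport http {
          tls
          tls_insecure_skip_verify
        }
      }
    '';
  };
}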