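# NixOS module: run a Heimdal Kerberos KDC plus its remote administration
# server (kadmind) as a dedicated system user, with the realm database and
# master key kept under a configurable state directory.
{ config, lib, pkgs, ... }:

with lib;

let
  cfg = config.fudo.auth.kdc;

  # Build a one-shot script that creates the realm database on first start.
  # The master-key file is used as the "already initialised" marker, so the
  # init step is skipped once it exists. `--config-file` is passed explicitly
  # so kadmin reads the same configuration the daemons are started with
  # (previously kadmin fell back to its built-in default path, which only
  # matched when cfg.config-file was left at /etc/krb5.conf).
  initialize-db = realm: key-file: config-file:
    pkgs.writeShellScript "initialize-heimdal-db.sh" ''
      if [ ! -e ${key-file} ]; then
        ${pkgs.heimdalFull}/bin/kadmin -l \
          --config-file=${config-file} \
          init \
          --realm=${realm} \
          --realm-max-ticket-life=1d \
          --realm-max-renewable-life=2w \
          ${realm}
      fi
    '';

in {
  options.fudo.auth.kdc = with types; {
    enable = mkEnableOption "Fudo KDC";

    realm = mkOption {
      type = str;
      description = "The realm for which we are the acting KDC.";
    };

    config-file = mkOption {
      type = str;
      description = "Path to configuration file.";
      default = "/etc/krb5.conf";
    };

    master-key-file = mkOption {
      type = str;
      description = "The path to the master key file.";
      default = "/var/heimdal/master.key";
    };

    acl-file = mkOption {
      type = str;
      description = "The path to the Access Control file.";
    };

    bind-addresses = mkOption {
      type = listOf str;
      description = "A list of IP addresses on which to bind.";
      default = [ ];
    };

    user = mkOption {
      type = str;
      description = "User as which to run Heimdal servers.";
      default = "kerberos";
    };

    group = mkOption {
      type = str;
      description = "Group as which to run Heimdal servers.";
      default = "kerberos";
    };

    state-directory = mkOption {
      type = str;
      description = "Path at which to store kerberos database.";
      default = "/srv/kerberos";
    };
  };

  config = mkIf cfg.enable {
    # Unprivileged account for both daemons. Its home is /var/heimdal, which
    # the tmpfiles rule below turns into a symlink to the state directory, so
    # the default master-key path ends up inside cfg.state-directory as well.
    users = {
      users.${cfg.user} = {
        isSystemUser = true;
        home = "/var/heimdal";
        group = cfg.group;
      };
      groups.${cfg.group} = { members = [ cfg.user ]; };
    };

    environment = {
      systemPackages = [ pkgs.heimdalFull ];

      # Appended (mkAfter) so the [kdc] section follows whatever the base
      # Kerberos configuration already contributes to krb5.conf.
      etc."krb5.conf" = {
        text = mkAfter ''
          [kdc]
            database = {
              realm = ${cfg.realm}
              mkey_file = ${cfg.master-key-file}
              acl_file = ${cfg.acl-file}
            }
            ${optionalString (cfg.bind-addresses != [ ])
              "addresses = ${concatStringsSep " " cfg.bind-addresses}"}
            # Binds to port 80!
            enable-http = false
        '';
      };
    };

    # /var/heimdal is the path Heimdal and the default master-key-file option
    # refer to; point it at the (possibly relocated) state directory.
    systemd = {
      tmpfiles.rules = [ "L /var/heimdal - - - - ${cfg.state-directory}" ];
    };

    fudo.system = {
      ensure-directories = {
        "${cfg.state-directory}" = {
          user = cfg.user;
          group = cfg.group;
        };
      };

      services = {
        heimdal-kdc = {
          wantedBy = [ "multi-user.target" ];
          after = [ "network.target" ];
          description =
            "Heimdal Kerberos Key Distribution Center (ticket server).";
          execStart =
            "${pkgs.heimdalFull}/libexec/heimdal/kdc --config-file=${cfg.config-file}";
          privateNetwork = false;
          user = cfg.user;
          group = cfg.group;
          workingDirectory = cfg.state-directory;
          preStart =
            "${initialize-db cfg.realm cfg.master-key-file cfg.config-file}";
        };

        heimdal-admin-server = {
          wantedBy = [ "multi-user.target" ];
          # Ordered after the KDC unit so the two preStart hooks cannot run
          # `kadmin -l init` concurrently against an empty state directory;
          # the hook is kept here so the admin server still initialises the
          # realm if it is ever started on its own.
          after = [ "network.target" "heimdal-kdc.service" ];
          description = "Heimdal Kerberos Remote Administration Server.";
          execStart =
            "${pkgs.heimdalFull}/libexec/heimdal/kadmind --config-file=${cfg.config-file} --key-file=${cfg.master-key-file}";
          privateNetwork = false;
          user = cfg.user;
          group = cfg.group;
          workingDirectory = cfg.state-directory;
          preStart =
            "${initialize-db cfg.realm cfg.master-key-file cfg.config-file}";
        };
      };
    };
  };
}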