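{ config, lib, pkgs, ... }:

# NixOS module for the "france" host.
#
# It declares the TLS material for the LDAP server and the on-disk state of
# the Kerberos KDC as options (options.france.{ldap,kdc}), installs the TLS
# files as host secrets owned by the openldap service user, and wires both
# into the fudo auth services (LDAP directory + Heimdal KDC).

with lib;

let
  hostname = config.instance.hostname;
  domain-name = config.instance.local-domain;
  fqdn = "${hostname}.${domain-name}";

  # The option sets declared in this module. The original referenced a single
  # undefined `cfg` for both, which cannot evaluate; split it per option group.
  ldap-cfg = config.france.ldap;
  kdc-cfg = config.france.kdc;

  # Host secrets are *written* under host-secrets.${hostname} below but *read*
  # from host-secrets.france here; the two only agree when hostname == "france"
  # — TODO confirm, or switch this read to ${hostname}.
  secrets = config.fudo.secrets.host-secrets.france;

  # Like lib.genAttrs, but `f` returns an attrset per element and the results
  # are merged. Because foldr folds from the right (`elem // acc`), the entry
  # from the later element wins on a duplicate key.
  concatGenAttrs = lst: f: foldr (a0: a1: a0 // a1) { } (map f lst);

in {
  options.france = with types; {
    ldap = {
      ssl-certificate = mkOption {
        type = path;
        description = "SSL certificate to use for the LDAP server.";
      };

      ssl-private-key = mkOption {
        type = path;
        description = "SSL private key to use for the LDAP server.";
      };

      ssl-ca-certificate = mkOption {
        type = path;
        description = "SSL certificate authority to use for the LDAP server.";
      };
    };

    kdc = {
      state-directory = mkOption {
        type = str;
        description = "Path at which to store kerberos state.";
      };

      master-key-file = mkOption {
        type = str;
        description = "Heimdal database master key file.";
      };
    };
  };

  config = {
    fudo = {
      # Copy the TLS files out of the (root-only) secret sources into a
      # runtime location readable by the openldap service user.
      secrets.host-secrets.${hostname} = {
        # The public server certificate: world-readable is fine.
        ldap-ssl-certificate = {
          source-file = ldap-cfg.ssl-certificate;
          target-file = "/var/run/ldap/ssl-certificate.pem";
          user = config.services.openldap.user;
          group = config.services.openldap.group;
          permissions = "0444";
        };

        # The private key must stay readable by the service user only.
        ldap-ssl-private-key = {
          source-file = ldap-cfg.ssl-private-key;
          target-file = "/var/run/ldap/ssl-private-key.pem";
          user = config.services.openldap.user;
          group = config.services.openldap.group;
          permissions = "0400";
        };

        # A CA certificate is public material; 0400 is stricter than needed
        # but harmless as long as only the openldap user reads it.
        ldap-ssl-ca-certificate = {
          source-file = ldap-cfg.ssl-ca-certificate;
          target-file = "/var/run/ldap/ssl-ca-certificate.pem";
          user = config.services.openldap.user;
          group = config.services.openldap.group;
          permissions = "0400";
        };
      };

      auth = {
        ldap = {
          enable = true;
          base = "dc=fudo,dc=org";
          organization = "Fudo";
          rootpw-file = secrets.ldap-root-passwd;
          kerberos-host = fqdn;
          kerberos-keytab = secrets.ldap-keytab;
          # Point the server at the installed copies, not the secret sources.
          sslCert = secrets.ldap-ssl-certificate.target-file;
          sslKey = secrets.ldap-ssl-private-key.target-file;
          sslCACert = secrets.ldap-ssl-ca-certificate.target-file;
          # ldap:/// is the plaintext listener on every interface; ldaps:///
          # is TLS and ldapi:/// is the local socket. Whether plaintext clients
          # are required to StartTLS is not visible here — confirm.
          listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
          users = config.fudo.users;
          groups = config.fudo.groups;
          system-users = config.fudo.system-users;
        };

        # TODO: let build hosts create keys?
        kdc = {
          enable = true;
          realm = config.domains.${domain-name}.gssapi-realm;
          state-directory = kdc-cfg.state-directory;
          master-key-file = kdc-cfg.master-key-file;

          # Kerberos ACL: every local admin gets a limited principal plus an
          # all-powerful "<admin>/root" principal; host and pam_migrate
          # principals may only register (and, for pam_migrate, set passwords).
          acl = let
            admin-entries = concatGenAttrs config.instance.local-admins (admin: {
              "${admin}" = { perms = [ "add" "list" "change-password" ]; };
              "${admin}/root" = { perms = [ "all" ]; };
            });
          in {
            "host/*.fudo.org" = { perms = [ "add" ]; };
            "pam_migrate/*.fudo.org" = { perms = [ "add" "change-password" ]; };
          } // admin-entries;

          # NOTE(review): `primary-ip` is not bound anywhere in this file, so
          # evaluation fails here; bind it in the let block (presumably from
          # config.instance — verify against the rest of the configuration).
          bind-addresses = [ primary-ip "127.0.0.1" "127.0.1.1" "::1" ];
        };
      };
    };
  };
}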