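{ config, lib, pkgs, ... }:

# NixOS module for the "france" host role: wires the host's LDAP server and
# Heimdal KDC (both provided by the `fudo.auth` modules) to host-specific key
# material, and builds the kadmin ACL from the instance's local admins.

with lib;

let
  hostname = config.instance.hostname;
  domain-name = config.instance.local-domain;
  fqdn = "${hostname}.${domain-name}";

  # Like genAttrs, but `f` returns an attrset per element and the results are
  # merged into a single attrset.  Right fold with `elem // acc`, so if two
  # elements produce the same key, the element that appears later in `lst`
  # wins.
  concatGenAttrs = lst: f: foldr (elem: acc: elem // acc) { } (map f lst);

  # Secrets the `fudo.secrets` machinery deploys for this host; the KDC master
  # key entry is declared in the `config` section below.
  secrets = config.fudo.secrets.host-secrets.${hostname};

  cfg = config.fudo.france;

in {
  options.fudo.france = with types; {
    ldap = {
      # All of these are paths given as `str` rather than `path`: a `path`
      # value would be copied into the world-readable Nix store, which is
      # presumably why private key, keytab and password file are referenced
      # by plain string here.  Point them at files managed outside the store.
      ssl-certificate = mkOption {
        type = str;
        description = "SSL certificate to use for the LDAP server.";
      };

      ssl-private-key = mkOption {
        type = str;
        description = "SSL private key to use for the LDAP server.";
      };

      ssl-ca-certificate = mkOption {
        type = str;
        description = "SSL certificate authority to use for the LDAP server.";
      };

      keytab = mkOption {
        type = str;
        description = "Path to the LDAP service keytab.";
      };

      root-password-file = mkOption {
        type = str;
        description = "Path to the file containing the LDAP root password.";
      };
    };

    kdc = {
      state-directory = mkOption {
        type = str;
        description = "Path at which to store kerberos state.";
        default = "/state/kerberos";
      };

      # Source path only; the module copies it to a runtime location owned by
      # the KDC user (see `fudo.secrets` below), so the KDC never reads this
      # file directly.
      master-key-file = mkOption {
        type = str;
        description = "Heimdal database master key file.";
      };

      # No default: the caller must choose the interfaces the KDC binds to.
      listen-ips = mkOption {
        type = listOf str;
        description = "IP addresses on which to listen for connections.";
      };
    };
  };

  config = {
    fudo = {
      # Deploy the master key through the host-secrets mechanism: the
      # configured source file is copied to /run/kerberos/kdc/master.key and
      # owned by the KDC user, and that target path is what the KDC is
      # configured with below.
      secrets.host-secrets.${hostname}.kdc-master-key = {
        source-file = cfg.kdc.master-key-file;
        target-file = "/run/kerberos/kdc/master.key";
        user = config.fudo.auth.kdc.user;
      };

      auth = {
        ldap-server = {
          enable = true;
          # NOTE(review): the LDAP base (and the ACL principal patterns below)
          # hard-code fudo.org, while the Kerberos realm is derived from
          # `domain-name`; confirm this is intended before reusing the module
          # for another domain.
          base = "dc=fudo,dc=org";
          organization = "Fudo";
          rootpw-file = cfg.ldap.root-password-file;
          kerberos-host = fqdn;
          kerberos-keytab = cfg.ldap.keytab;
          ssl-certificate = cfg.ldap.ssl-certificate;
          ssl-private-key = cfg.ldap.ssl-private-key;
          ssl-ca-certificate = cfg.ldap.ssl-ca-certificate;
          # Plain, TLS and local-socket listeners are all enabled.
          listen-uris = [ "ldap:///" "ldaps:///" "ldapi:///" ];
          users = config.fudo.users;
          groups = config.fudo.groups;
          system-users = config.fudo.system-users;
        };

        # TODO: let build hosts create keys?
        kdc = {
          enable = true;
          realm = config.fudo.domains.${domain-name}.gssapi-realm;
          state-directory = cfg.kdc.state-directory;
          # The deployed copy, not the configured source path.
          master-key-file = secrets.kdc-master-key.target-file;

          # kadmin ACL.  Each local admin may add and list principals and
          # change passwords with their plain principal; their `/root`
          # instance gets unrestricted access.  Host and pam_migrate
          # service principals get a fixed, narrower set of rights.
          acl = let
            admin-entries = concatGenAttrs config.instance.local-admins
              (admin: {
                "${admin}" = { perms = [ "add" "list" "change-password" ]; };
                "${admin}/root" = { perms = [ "all" ]; };
              });
          in {
            "host/*.fudo.org" = { perms = [ "add" ]; };
            "pam_migrate/*.fudo.org" = { perms = [ "add" "change-password" ]; };
          } // admin-entries;

          bind-addresses = cfg.kdc.listen-ips;
        };
      };
    };
  };
}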