{
  config,
  pkgs,
  lib,
  ...
}:
let
  # Virtual-host table keyed by service; only `auth_host` (host/port) is used
  # below. NOTE(review): `config.serverConfig` is presumably a custom option
  # declared elsewhere in this configuration — confirm.
  inherit (config.serverConfig) vhosts;
  # Turned into the LDAP base DN ("dc=..,dc=..") for the openldap suffix.
  inherit (config.networking) domain;
  inherit (lib) remove concatStringsSep;
in
{
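  age.secrets.openldap_admin =
    let
      inherit (config.services.openldap) user group;
    in
    {
      # Decrypted to config.age.secrets.openldap_admin.path at activation;
      # intended to hold the slapd root password (olcRootPW) value.
      file = ../secrets/openldap_admin.age;
      inherit group;
      owner = user;
      # Readable by the openldap user/group only. The previous mode 0444 let
      # every local account read the decrypted secret; the owner is the
      # service user, so nothing wider is needed.
      mode = "0440";
    };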

  age.secrets.keycloak_db_pass = {
    # Database password shared by services.keycloak.database.passwordFile and
    # services.postgresql.ensureUsers (passFile) below.
    file = ../secrets/keycloak_db_pass.age;
    group = "keycloak";
    owner = "keycloak";
    # 0444 makes the decrypted password readable by every local account.
    # NOTE(review): presumably kept world-readable because the postgres
    # user (not in group keycloak) also reads it — confirm, and if only
    # keycloak needs it, tighten to 0440.
    mode = "0444";
  };

  # Static keycloak user/group so the age secret above can be owned by a
  # stable uid/gid. NOTE(review): verify the keycloak service actually runs
  # as this user; if the upstream module uses a dynamic user, ownership
  # alone does not grant it access to the secret.
  users.users.keycloak = {
    isSystemUser = true;
    group = "keycloak";
  };
  users.groups.keycloak = { };

  services.postgresql =
    let
      # Reuse the database/user names from the keycloak module so the two
      # blocks cannot drift apart.
      inherit (config.services.keycloak.database) name username;
    in
    {
      enable = true;
      ensureDatabases = [ name ];
      ensureUsers = [
        {
          name = username;
          # NOTE(review): `passFile` is not an ensureUsers option I can
          # confirm in the upstream postgresql module — check that it is
          # accepted (evaluation fails on unknown options) or provided by an
          # overlay/extension in this configuration.
          passFile = config.age.secrets.keycloak_db_pass.path;
          # Makes `username` the owner of the database of the same name.
          ensureDBOwnership = true;
        }
      ];
    };

  services.keycloak = {
    enable = true;

    database = {
      type = "postgresql";
      # The database and role are provisioned by services.postgresql above
      # rather than by the keycloak module itself.
      createLocally = false;

      username = "keycloak";
      passwordFile = config.age.secrets.keycloak_db_pass.path;
    };

    settings = {
      hostname = vhosts.auth_host.host;
      # Listen on loopback only; presumably fronted by a reverse proxy for
      # auth_host — confirm TLS terminates there.
      http-host = "127.0.0.1";
      http-port = vhosts.auth_host.port;
      # TLS is terminated at the proxy ("edge"). NOTE(review): upstream
      # Keycloak deprecated `proxy` in favour of `proxy-headers`; check the
      # packaged version still honours this setting.
      proxy = "edge";
    };
  };

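  services.openldap =
    let
      # "example.com" -> "dc=example,dc=com". builtins.split interleaves the
      # literal pieces with (empty) match lists; `remove [ ]` drops the match
      # entries so only the domain labels remain.
      localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));
    in
    {
      enable = true;
      urlList = [
        "ldap:///"
        "ldapi:///"
      ];

      #      declarativeContents = {
      #        "${localDc}" = import ./ldapConf.nix { inherit localDc; };
      #      };

      settings = {
        attrs = {
          olcLogLevel = "conns config";
        };

        children = {
          "cn=schema".includes = [
            "${pkgs.openldap}/etc/schema/core.ldif"
            "${pkgs.openldap}/etc/schema/cosine.ldif"
            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
          ];

          "olcDatabase={1}mdb".attrs = {
            objectClass = [
              "olcDatabaseConfig"
              "olcMdbConfig"
            ];

            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";

            olcSuffix = localDc;

            olcRootDN = "cn=admin,${localDc}";
            # Read the root password from the agenix secret instead of a
            # string literal: a literal (even a hash) ends up in the
            # world-readable Nix store and in version control, where it can be
            # attacked offline. The decrypted file must contain exactly the
            # olcRootPW value, e.g. an {SSHA} hash produced by slappasswd.
            olcRootPW.path = config.age.secrets.openldap_admin.path;

            olcAccess = [
              # userPassword: a user may change their own, anyone may present it
              # to bind (auth), nobody can read it.
              ''
                {0}to attrs=userPassword
                                by self write
                                by anonymous auth
                                by * none''

              # Everything else is readable by anyone, including anonymous
              # binds, so the whole tree (account names, attributes) can be
              # listed without credentials. NOTE(review): if that is not
              # intended, `by users read` limits it to authenticated binds.
              ''
                {1}to *
                                by * read''
            ];
          };
        };
      };
    };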
}