{ config, lib, pkgs, ... }:
{
  services.kanidm = {
    package = pkgs.kanidmWithSecretProvisioning_1_8;
    enableServer = true;
    serverSettings = {
      domain = "home.2rjus.net";
      origin = "https://auth.home.2rjus.net";
      bindaddress = "0.0.0.0:443";
      ldapbindaddress = "0.0.0.0:636";
      tls_chain = "/var/lib/acme/auth.home.2rjus.net/fullchain.pem";
      tls_key = "/var/lib/acme/auth.home.2rjus.net/key.pem";
      online_backup = {
        path = "/var/lib/kanidm/backups";
        schedule = "00 22 * * *";
        versions = 7;
      };
    };

    # Provision base groups only - users are managed via CLI
    # See docs/user-management.md for details
    provision = {
      enable = true;
      idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;

      groups = {
        admins = { };
        users = { };
        ssh-users = { };
      };

      # Regular users (persons) are managed imperatively via kanidm CLI
    };
  };

  # Grant kanidm access to ACME certificates
  users.users.kanidm.extraGroups = [ "acme" ];

  # ACME certificate from internal CA
  # Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping
  security.acme.certs."auth.home.2rjus.net" = {
    listenHTTP = ":80";
    reloadServices = [ "kanidm" ];
    extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
  };

  # Vault secret for idm_admin password (used for provisioning)
  vault.secrets.kanidm-idm-admin = {
    secretPath = "kanidm/idm-admin-password";
    extractKey = "password";
    services = [ "kanidm" ];
    owner = "kanidm";
    group = "kanidm";
  };

  # Note: Kanidm does not expose Prometheus metrics
  # If metrics support is added in the future, uncomment:
  # homelab.monitoring.scrapeTargets = [
  #   {
  #     job_name = "kanidm";
  #     port = 443;
  #     scheme = "https";
  #   }
  # ];
}