# Homelab Kanidm client module.
#
# When `homelab.kanidm.enable` is set, the host becomes a Kanidm PAM/NSS
# client pointed at `homelab.kanidm.server`, and PAM logins are limited to
# the Kanidm groups listed in `homelab.kanidm.allowedLoginGroups`.
{ lib, config, pkgs, ... }:

with lib;

let
  kanidmCfg = config.homelab.kanidm;
  # The same group list is written twice into unixSettings below, so bind it once.
  loginGroups = kanidmCfg.allowedLoginGroups;
in
{
  options.homelab.kanidm = {
    enable = mkEnableOption "Kanidm PAM/NSS client for central authentication";

    server = mkOption {
      description = "URI of the Kanidm server";
      type = types.str;
      # The default is an https:// URI. This is the endpoint the client
      # authenticates against, so keep it TLS-protected.
      default = "https://auth.home.2rjus.net";
    };

    allowedLoginGroups = mkOption {
      description = "Groups allowed to log in via PAM";
      type = types.listOf types.str;
      # Only members of these Kanidm groups may log in through PAM; the
      # default admits the `ssh-users` group only.
      default = [ "ssh-users" ];
    };
  };

  config = mkIf kanidmCfg.enable {
    services.kanidm = {
      package = pkgs.kanidm_1_8;
      enablePam = true;

      # Client-side settings: where the Kanidm server lives.
      clientSettings = {
        uri = kanidmCfg.server;
      };

      # unixd settings written to its TOML config.
      unixSettings = {
        version = "2";

        # Use short names (e.g., "torjus") instead of SPN (e.g., "torjus@home.2rjus.net")
        uid_attr_map = "name";
        gid_attr_map = "name";

        # Required by NixOS module (will be in TOML but kanidm section is what matters)
        pam_allowed_login_groups = loginGroups;

        # Kanidm provider section (this is what unixd actually reads)
        kanidm = {
          pam_allowed_login_groups = loginGroups;
        };
      };
    };
  };
}