# NixOS module: enrol this host as a Kanidm PAM/NSS client so that local
# logins are authenticated against the central Kanidm server.
{ lib, config, pkgs, ... }:

let
  inherit (lib) mkEnableOption mkIf mkOption types;
  kanidmCfg = config.homelab.kanidm;
in
{
  options.homelab.kanidm = {
    enable = mkEnableOption "Kanidm PAM/NSS client for central authentication";

    server = mkOption {
      type = types.str;
      default = "https://auth.home.2rjus.net";
      description = "URI of the Kanidm server";
    };

    allowedLoginGroups = mkOption {
      type = types.listOf types.str;
      default = [ "ssh-users" ];
      description = "Groups allowed to log in via PAM";
    };
  };

  config = mkIf kanidmCfg.enable {
    services.kanidm = {
      package = pkgs.kanidm_1_8;
      # Hooks the Kanidm unix daemon into the PAM and NSS stacks.
      enablePam = true;
      # Server the client talks to. The default URI is https, and no TLS
      # verification setting is relaxed here, so certificate/hostname
      # checking is whatever the kanidm client's own defaults are.
      # NOTE(review): if the server uses a private CA, confirm that CA is
      # trusted on every client host, rather than turning verification off.
      clientSettings.uri = kanidmCfg.server;
      unixSettings = {
        # Only members of one of these groups get past PAM; anyone else,
        # even with valid Kanidm credentials, is refused a login.
        pam_allowed_login_groups = kanidmCfg.allowedLoginGroups;
        # Map uid/gid to the short account name (torjus) rather than the
        # SPN form (torjus@home.2rjus.net); otherwise SSH fails with
        # "PAM user mismatch" because the two names do not agree.
        uid_attr_map = "name";
        gid_attr_map = "name";
        # Creates the symlink /home/torjus -> /home/torjus@home.2rjus.net.
        home_alias = "name";
      };
    };
  };
}