{ config, lib, pkgs, ... }:

let
  # Internal zone that every hostname in this module hangs off.
  baseDomain = "home.2rjus.net";
  # Public name of the IdM server; also the ACME certificate name below.
  authHost = "auth.${baseDomain}";

  # Claims released to the OIDC clients. "groups" is what the relying
  # parties use for role binding, so it is part of every scope map here.
  oidcScopes = [ "openid" "profile" "email" "groups" ];

  # Every Vault-sourced secret on this host is read by the kanidm service
  # and owned by the kanidm user; only the Vault path differs.
  kanidmSecret = secretPath: {
    inherit secretPath;
    extractKey = "password";
    services = [ "kanidm" ];
    owner = "kanidm";
    group = "kanidm";
  };
in
{
  services.kanidm = {
    enableServer = true;
    package = pkgs.kanidmWithSecretProvisioning_1_8;

    serverSettings = {
      domain = baseDomain;
      origin = "https://${authHost}";

      # HTTPS and LDAPS are bound on every interface. Nothing in this module
      # restricts who can reach 443/636; any such limit has to come from the
      # host firewall or upstream network policy.
      bindaddress = "0.0.0.0:443";
      ldapbindaddress = "0.0.0.0:636";

      # Served straight from the ACME state directory, hence the "acme"
      # group membership granted to the kanidm user further down.
      tls_chain = "/var/lib/acme/${authHost}/fullchain.pem";
      tls_key = "/var/lib/acme/${authHost}/key.pem";

      # Nightly dump at 22:00, keeping the last seven.
      online_backup = {
        path = "/var/lib/kanidm/backups";
        schedule = "00 22 * * *";
        versions = 7;
      };
    };

    # Provision base groups only - users are managed via CLI.
    # See docs/user-management.md for details.
    provision = {
      enable = true;
      idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;

      groups = {
        admins = { };
        users = { };
        ssh-users = { };
      };
      # Regular users (persons) are managed imperatively via kanidm CLI.

      # OAuth2/OIDC clients for service authentication.
      systems.oauth2 = {
        grafana = {
          displayName = "Grafana";
          originUrl = "https://grafana-test.${baseDomain}/login/generic_oauth";
          originLanding = "https://grafana-test.${baseDomain}/";
          basicSecretFile = config.vault.secrets.grafana-oauth2.outputDir;
          # Intended to hand the client the short account name rather than the
          # full SPN as its username claim.
          preferShortUsername = true;
          scopeMaps.users = oidcScopes;
        };

        openbao = {
          displayName = "OpenBao Secrets";
          # Web UI callback only (CLI localhost not supported with confidential clients).
          originUrl = "https://vault.${baseDomain}:8200/ui/vault/auth/oidc/oidc/callback";
          originLanding = "https://vault.${baseDomain}:8200/";
          basicSecretFile = config.vault.secrets.openbao-oauth2.outputDir;
          preferShortUsername = true;
          # Both groups receive the groups scope so OpenBao can bind roles to them.
          scopeMaps = {
            admins = oidcScopes;
            users = oidcScopes;
          };
        };
      };
    };
  };

  # Grant kanidm read access to the ACME certificates referenced above.
  users.users.kanidm.extraGroups = [ "acme" ];

  # ACME certificate from the internal CA.
  # Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping.
  security.acme.certs.${authHost} = {
    listenHTTP = ":80";
    reloadServices = [ "kanidm" ];
    extraDomainNames = [ "${config.networking.hostName}.${baseDomain}" ];
  };

  vault.secrets = {
    # idm_admin password, consumed by the provisioning step above.
    kanidm-idm-admin = kanidmSecret "kanidm/idm-admin-password";
    # Grafana OAuth2 client secret.
    grafana-oauth2 = kanidmSecret "services/grafana/oauth2-client-secret";
    # OpenBao OAuth2 client secret.
    openbao-oauth2 = kanidmSecret "services/openbao/oauth2-client-secret";
  };

  # Note: Kanidm does not expose Prometheus metrics.
  # If metrics support is added in the future, uncomment:
  # homelab.monitoring.scrapeTargets = [
  #   {
  #     job_name = "kanidm";
  #     port = 443;
  #     scheme = "https";
  #   }
  # ];
}