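# NixOS module: LLDAP directory service with LDAPS, using a sops-nix managed
# admin password and an ACME-issued certificate for auth01.home.2rjus.net.
{ config, ... }:
{
  # LLDAP admin password, decrypted by sops-nix.
  #
  # No `group`/`mode` override here: the secret keeps the sops-nix defaults
  # (root-owned, not group-readable). Making it readable by the "acme" group
  # would expose the directory admin password to every process running with
  # that group, including the certificate-renewal tooling. The service
  # receives the secret through a systemd credential instead (see
  # LoadCredential below).
  sops.secrets.lldap_user_pass = {
    format = "yaml";
    key = "lldap_user_pass";
    sopsFile = ../../secrets/auth01/secrets.yaml;
    # Restart lldap when the decrypted secret changes so the new value is used.
    restartUnits = [ "lldap.service" ];
  };

  services.lldap = {
    enable = true;
    settings = {
      ldap_base_dn = "dc=home,dc=2rjus,dc=net";
      ldap_user_email = "admin@home.2rjus.net";
      ldap_user_dn = "admin";
      # Path of the credential systemd exposes to lldap.service only; the
      # name after the unit directory must match the LoadCredential ID below.
      ldap_user_pass_file = "/run/credentials/lldap.service/lldap_user_pass";
      ldaps_options = {
        enabled = true;
        port = 6360;
        cert_file = "/var/lib/acme/auth01.home.2rjus.net/cert.pem";
        key_file = "/var/lib/acme/auth01.home.2rjus.net/key.pem";
      };
      # NOTE(review): enabling LDAPS does not by itself turn off lldap's
      # plaintext LDAP listener (ldap_port) or its HTTP UI. Confirm these are
      # not reachable by clients that would send bind passwords in the clear
      # (firewall rules or loopback binding are not shown in this file).
    };
  };

  systemd.services.lldap = {
    serviceConfig = {
      # Grants read access to the certificate and private key under
      # /var/lib/acme, which are referenced by ldaps_options above.
      SupplementaryGroups = [ "acme" ];
      # systemd reads the root-only secret itself and hands it to this unit as
      # a per-service credential, so the file needs no extra owner or group.
      LoadCredential = [
        "lldap_user_pass:${config.sops.secrets.lldap_user_pass.path}"
      ];
    };
  };

  security.acme.certs."auth01.home.2rjus.net" = {
    # Standalone HTTP-01 challenge: the ACME client binds port 80 itself, so
    # the port has to be free and reachable during issuance and renewal.
    listenHTTP = ":80";
    # Reload lldap after renewal so it picks up the new certificate.
    reloadServices = [ "lldap" ];
    extraDomainNames = [ "ldap.home.2rjus.net" ];
    # Verbose output from the ACME client in the renewal unit's journal.
    enableDebugLogs = true;
  };
}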