{ config, lib, pkgs, ... }:
let
  # Hostname the IdM is reached under; reused as the ACME certificate name.
  fqdn = "auth.home.2rjus.net";
  # Directory the NixOS ACME module populates for that certificate.
  certDir = "/var/lib/acme/${fqdn}";
in
{
  services.kanidm = {
    package = pkgs.kanidmWithSecretProvisioning_1_8;
    enableServer = true;

    serverSettings = {
      domain = "home.2rjus.net";
      origin = "https://${fqdn}";
      # HTTPS (UI/API) and LDAPS listeners, bound on every interface.
      bindaddress = "0.0.0.0:443";
      ldapbindaddress = "0.0.0.0:636";
      # Certificate and key are read directly from the ACME output directory;
      # the "acme" group membership granted below is presumably what makes
      # the key file readable to the kanidm user.
      tls_chain = "${certDir}/fullchain.pem";
      tls_key = "${certDir}/key.pem";
      # Daily backup at 22:00, retaining the 7 most recent versions.
      # NOTE(review): backups presumably hold a full copy of the IdM database —
      # confirm the directory is not readable beyond the kanidm user.
      online_backup = {
        path = "/var/lib/kanidm/backups";
        schedule = "00 22 * * *";
        versions = 7;
      };
    };

    # Declarative bootstrap of groups and the initial person.
    provision = {
      enable = true;
      # NOTE(review): outputDir is handed to a *File option — confirm the vault
      # module writes the extracted "password" key to exactly that path.
      idmAdminPasswordFile = config.vault.secrets.kanidm-idm-admin.outputDir;
      groups = {
        admins = { };
        users = { };
        ssh-users = { };
      };
      persons = {
        torjus = {
          displayName = "Torjus";
          groups = [ "admins" "users" "ssh-users" ];
        };
      };
    };
  };

  # Let the kanidm service user read the ACME certificate material.
  users.users.kanidm.extraGroups = [ "acme" ];

  # Certificate issued by the internal CA over HTTP-01 on port 80;
  # kanidm is restarted/reloaded whenever it is renewed.
  security.acme.certs.${fqdn} = {
    listenHTTP = ":80";
    reloadServices = [ "kanidm" ];
  };

  # Vault secret that supplies the idm_admin bootstrap password.
  vault.secrets.kanidm-idm-admin = {
    secretPath = "kanidm/idm-admin-password";
    extractKey = "password";
  };

  # Expose the HTTPS listener as a metrics scrape target.
  homelab.monitoring.scrapeTargets = [
    { job_name = "kanidm"; port = 443; scheme = "https"; }
  ];
}