{
  lib,
  pkgs,
  config,
  ...
}:
{
  services = {
    lldap = {
      enable = true;
      settings = {
        ldap_base_dn = "dc=tlater,dc=net";
        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
        ldap_host = "127.0.0.1";

        http_host = "127.0.0.1";
        http_url = "https://lldap.${config.services.nginx.domain}";

        force_ldap_user_pass_reset = "always";

        smtp_options.enable_password_reset = false;

        environment = {
          LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
          LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
        };
      };
    };

    nginx.virtualHosts = {
      "lldap.${config.services.nginx.domain}" = {
        useACMEHost = "tlater.net";
        forceSSL = true;
        enableHSTS = true;

        locations."/".proxyPass =
          "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
      };
    };
  };

  systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];

  systemd.services.lldap-provisioning = {
    requisite = [ config.systemd.services.lldap.name ];
    wantedBy = [ config.systemd.services.lldap.name ];
    after = [ config.systemd.services.lldap.name ];

    path = [
      pkgs.nushell
      pkgs.lldap-cli
    ];

    script = "exec nu ${./lldap-provisioning.nu}";

    environment = {
      LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
      # LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
    };

    serviceConfig.Type = "oneshot";
  };
}