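# Kanidm identity server module for the xyno.* option tree.
#
# Enables the NixOS kanidm server/client, optionally registers the instance
# with the local Traefik reverse proxy, and — when no private key is supplied —
# generates a self-signed TLS pair at boot under /run/generated/kanidm-tls.
{ pkgs, lib, config, ... }:
let
  inherit (lib) mkEnableOption mkIf mkOption;
  inherit (lib.types) str nullOr pathWith;

  # Absolute, non-store path: TLS key material must never be copied into
  # the world-readable /nix/store.
  absPath = pathWith {
    inStore = false;
    absolute = true;
  };

  cfg = config.xyno.services.kanidm;

  # Single source of truth for the boot-generated TLS files. The key and the
  # certificate are written, referenced by kanidm and handed to Traefik from
  # these same bindings, so the three places cannot drift apart.
  generatedDir = "/run/generated/kanidm-tls";
  generatedKey = "${generatedDir}/key.pem";
  generatedCert = "${generatedDir}/cert.pem";

  # Loopback address kanidm listens on; Traefik proxies to the same address.
  bindAddress = "127.0.0.3:8443";
in
{
  options.xyno.services.kanidm = {
    enable = mkEnableOption "enables kanidm";

    domain = mkOption {
      default = "idm.xyno.systems";
      type = str;
      description = "Public DNS name of the identity server; also used as the TLS SAN.";
    };

    # NOTE(review): declared but not read anywhere in this module.
    isReplica = mkEnableOption "replica";

    setupTraefik = mkEnableOption "traefik";

    tls = {
      keyPem = mkOption {
        type = nullOr absPath;
        default = null;
        description = "autogenerated if unset";
      };
      certPem = mkOption {
        default = generatedCert;
        type = absPath;
        description = "Certificate chain served by kanidm; defaults to the boot-generated self-signed certificate.";
      };
    };
  };

  config = mkIf cfg.enable {
    services.kanidm = {
      enableServer = true;
      enableClient = true;
      adminPasswordFile = config.sops.secrets."kanidm.password".path;
      provision.adminPasswordFile = config.sops.secrets."kanidm.password".path;
      serverSettings = {
        # Operator-supplied key wins; otherwise use the key generated at boot
        # (which lives next to the default certPem, not in /run/generated).
        tls_key = if cfg.tls.keyPem != null then cfg.tls.keyPem else generatedKey;
        tls_chain = cfg.tls.certPem;
        bindaddress = bindAddress;
      };
    };

    xyno.services.traefik.simpleProxy = mkIf cfg.setupTraefik {
      host = cfg.domain;
      internal = "https://${bindAddress}";
      transport = "kanidm-https";
    };

    services.traefik.dynamicConfigOptions.http = mkIf cfg.setupTraefik {
      serversTransports."kanidm-https" = {
        serverName = cfg.domain;
        # rootCAs is Traefik's trust-anchor list for verifying the upstream
        # certificate. `certificates` on a serversTransport is the *client*
        # certificate list for mTLS and would not make the self-signed cert
        # trusted (it also has to be read from cfg.tls, not cfg).
        rootCAs = [ cfg.tls.certPem ];
      };
    };

    systemd.services.generate-kanidm-tls = mkIf (cfg.tls.keyPem == null) {
      serviceConfig = {
        # oneshot + RemainAfterExit so dependants wait for the files to exist
        # and the unit is not considered "dead" afterwards.
        Type = "oneshot";
        RemainAfterExit = true;
        User = "root";
        Group = "kanidm";
      };
      # wantedBy only pulls this unit in; `before` is what orders it ahead of
      # the consumers so they never start against a missing key/cert.
      wantedBy = [ "kanidm.service" "traefik.service" ];
      before = [ "kanidm.service" "traefik.service" ];
      script = ''
        set -euo pipefail
        mkdir -p ${generatedDir}
        # /run is recreated at boot, but a long-running host would outlive
        # openssl's 30-day default validity, so give the cert a long lifetime.
        ${pkgs.openssl}/bin/openssl req -x509 -newkey ed25519 -noenc \
          -days 3650 \
          -subj "/CN=generated.${cfg.domain}" \
          -addext "subjectAltName=DNS:${cfg.domain}" \
          -keyout ${generatedKey} -out ${generatedCert}
        # openssl writes the private key 0600 for root; the kanidm daemon runs
        # unprivileged, so grant read access to its group only. The certificate
        # is public and stays readable by traefik.
        chgrp kanidm ${generatedKey}
        chmod 0640 ${generatedKey}
      '';
    };

    sops.secrets."kanidm.password" = {
      sopsFile = ../../instances/${config.networking.hostName}/secrets/kanidm.yaml;
    };

    # sops.templates."kanidm.env".content = ''
    #   DESEC_TOKEN=${config.sops.placeholder.desec_token}
    #   DESEC_PROPAGATION_TIMEOUT=1200
    # '';
    # sops.templates."kanidm.env".reloadUnits = [ "kanidm.service" ];
  };
}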