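# NixOS module: runs lldap (a lightweight LDAP directory) behind an nginx TLS
# reverse proxy, with its three secrets delivered as files by sops-nix.
{ config, ... }:
{
  services = {
    lldap = {
      enable = true;

      settings = {
        ldap_base_dn = "dc=escapeangle,dc=com";
        ldap_user_email = "lander@escapeangle.com";

        # The URL carries no password and no sslmode, so database access
        # depends on whatever the PostgreSQL host enforces for this role.
        # NOTE(review): presumably pg_hba.conf restricts the lldap role to
        # tailnet addresses and the tailnet provides transport encryption;
        # confirm on db-01.
        database_url = "postgresql://lldap@db-01.tailnet.escapeangle.com/lldap";

        # NOTE(review): http_host and ldap_host are not set here, so the
        # module defaults apply. If those defaults listen on all interfaces,
        # the plain-HTTP web UI is reachable without passing through the
        # nginx TLS vhost below; consider binding http_host to loopback and
        # confirm the firewall does not expose the port.
      };

      # Secrets are passed as *_FILE paths so their values stay out of the
      # Nix store and out of the unit's environment.
      environment = {
        LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt_secret".path;
        LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key_seed".path;

        # lldap builds override names as LLDAP_ + the upper-cased config key,
        # and the admin password key is ldap_user_pass. The previous name,
        # LLDAP_USER_PASS_FILE, matches no key, so the sops-managed password
        # was never applied. After deploying, verify the admin account's
        # password and rotate it if it had been left at a default.
        LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin_password".path;
      };
    };
  };

  # Public entry point: TLS is terminated here (ACME certificate, HTTP is
  # redirected to HTTPS) and requests are forwarded to the local lldap web UI.
  services.nginx.virtualHosts."users.escapeangle.com" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Port is read from the lldap settings so the two cannot drift apart.
      proxyPass = "http://localhost:${toString config.services.lldap.settings.http_port}";
    };
  };

  # Static system account. It exists so that the sops secrets below can name
  # an owner.
  # NOTE(review): presumably the lldap unit runs as this user; confirm
  # against the service definition.
  users = {
    users.lldap = {
      group = "lldap";
      isSystemUser = true;
    };
    groups.lldap = { };
  };

  sops = {
    defaultSopsFile = ../hosting-01.yaml;

    # Each secret is owned by lldap; no mode is set, so the sops-nix default
    # file mode applies.
    secrets = {
      "lldap/jwt_secret" = {
        owner = "lldap";
      };
      "lldap/key_seed" = {
        owner = "lldap";
      };
      "lldap/admin_password" = {
        owner = "lldap";
      };
    };
  };
}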