# NixOS module: OpenLDAP (slapd) serving the dc=sc,dc=informatik,dc=hs-fulda,dc=de tree.
# The root bind password is referenced by file path (sops-managed) rather than
# written into the module, so the credential itself is not part of this expression.
{ config, ... }:
let
  ldapPkg = config.services.openldap.package;
  schemaDir = "${ldapPkg}/etc/schema";
  # Schema LDIFs shipped with the OpenLDAP package; the order matters because
  # later schemas reference object classes/attributes from earlier ones.
  schemaNames = [ "core" "cosine" "inetorgperson" "nis" ];
  baseDN = "dc=sc,dc=informatik,dc=hs-fulda,dc=de";
  rootSecretPath = config.sops.secrets."ldap/root/password".path;
in
{
  # Declared with sops-nix defaults (root-owned, mode 0400).
  # NOTE(review): confirm that the openldap module reads the `olcRootPW.path` file
  # with sufficient privileges at start; if not, set `owner` on this secret.
  sops.secrets."ldap/root/password" = { };

  services.openldap = {
    enable = true;

    settings.children = {
      "cn=schema".includes = map (name: "${schemaDir}/${name}.ldif") schemaNames;

      "olcDatabase={1}mdb".attrs = {
        objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
        olcDatabase = "{1}mdb";
        olcDbDirectory = "/var/lib/openldap/db";
        olcSuffix = baseDN;
        olcRootDN = "cn=root,${baseDN}";
        # Read from the secret file at runtime instead of embedding the hash here.
        olcRootPW.path = rootSecretPath;

        olcAccess = [
          # {0}: userPassword is never disclosed. The entry itself may change it,
          # anonymous clients may only use it to bind (auth), everyone else gets nothing.
          ''{0}to attrs=userPassword by self write by anonymous auth by * none''
          # {1}: every other attribute is readable by all. `by *` includes
          # unauthenticated (anonymous) binds, so the directory minus passwords is
          # visible to anyone who can reach the server.
          ''{1}to * by * read''
        ];
      };
    };
  };
}