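# NixOS module: a one-shot systemd unit that runs the LLDAP bootstrap script
# against the local LLDAP instance and then performs a single inadyn run.
{ pkgs, config, ... }:
{
  systemd.services.lldap-bootstrap = {
    description = "Bootstraps LLDAP users";

    # `requires` only pulls lldap.service into the transaction; `after` is what
    # orders this unit behind it. Ordering alone may not mean the HTTP API is
    # already answering; that depends on how lldap.service signals readiness.
    requires = [ "lldap.service" ];
    after = [ "lldap.service" ];

    serviceConfig = {
      DynamicUser = true;
      Type = "oneshot";

      # Sandboxing: transient unprivileged user, read-only file system
      # hierarchy, no access to home directories, private user namespace
      # and private /tmp.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateUsers = true;
      PrivateTmp = true;

      # The rendered sops template is handed to the unit as a systemd
      # credential and is read from $CREDENTIALS_DIRECTORY in the script below.
      # NOTE(review): the inadyn credential, cache directory and command look
      # carried over from a dynamic-DNS unit; confirm they belong in a service
      # described as bootstrapping LLDAP users.
      LoadCredential = "inadyn.conf:${config.sops.templates."inadyn.conf".path}";
      CacheDirectory = "inadyn";
    };

    # The commands live in `script` (NixOS wraps it in a shell script and
    # points ExecStart at it) because systemd executes ExecStart= directly,
    # without a shell: `export` and `$(...)` are never interpreted there.
    #
    # SECURITY: LLDAP_ADMIN_PASSWORD is a literal, so it is copied into the
    # world-readable Nix store and is visible to anyone who can read the
    # generated script. Deliver it the way inadyn.conf is delivered (a
    # sops-managed file passed through LoadCredential) and replace `changeme`
    # on the LLDAP side. Upstream LLDAP's bootstrap script documents an
    # LLDAP_ADMIN_PASSWORD_FILE variable for this; confirm ./bootstrap.sh is
    # that script before relying on it.
    #
    # NOTE(review): ./bootstrap.sh and ./configs/* are relative paths and no
    # WorkingDirectory is set, so they resolve against the unit's working
    # directory (the root directory by default for system services). Confirm
    # where these files are meant to live.
    script = ''
      export LLDAP_URL=http://localhost:8080
      export LLDAP_ADMIN_USERNAME=admin
      export LLDAP_ADMIN_PASSWORD=changeme
      export USER_CONFIGS_DIR="$(realpath ./configs/user)"
      export GROUP_CONFIGS_DIR="$(realpath ./configs/group)"
      export USER_SCHEMAS_DIR="$(realpath ./configs/user-schema)"
      export GROUP_SCHEMAS_DIR="$(realpath ./configs/group-schema)"
      export LLDAP_SET_PASSWORD_PATH="$(realpath ./lldap_set_password)"
      export DO_CLEANUP=false

      ./bootstrap.sh

      ${pkgs.inadyn}/bin/inadyn \
        --foreground \
        --syslog \
        --once \
        --cache-dir "''${CACHE_DIRECTORY}" \
        --config "''${CREDENTIALS_DIRECTORY}/inadyn.conf"
    '';
  };
}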