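{ config, lib, pkgs, ... }:
# NixOS module that runs ./bootstrap.sh against a local LLDAP instance to
# seed users and groups. The user/group definitions themselves come from the
# imported ./user-configs.nix and ./group-configs.nix.
let
  cfg = config.services.lldapBootstrap;
in
{
  imports = [
    ./user-configs.nix
    ./group-configs.nix
  ];

  options.services.lldapBootstrap = {
    enable = lib.mkEnableOption "LLDAP bootstrapping service.";

    host = lib.mkOption {
      type = lib.types.str;
      default = "http://localhost:17170";
      # Passed verbatim to the script as LLDAP_URL, so the scheme is part of
      # the value (the default includes it; the description now matches).
      description = "The LLDAP URL including scheme and port (e.g., 'http://localhost:17170').";
    };

    adminUsername = lib.mkOption {
      type = lib.types.str;
      default = "admin";
      description = "The LLDAP admin username.";
    };

    adminPasswordFile = lib.mkOption {
      type = lib.types.path;
      default = "/run/secrets/lldap/admin_password";
      example = "/run/secrets/lldap/admin_password";
      description = ''
        Path to the sops secret file containing the LLDAP admin password.
        The bootstrap unit runs as the `lldap` user, so this file must be
        readable by that user (e.g. set the secret's owner/group accordingly
        in sops-nix); the password itself is never placed in the environment.
      '';
    };

    # Extra environment variables for the bootstrap script. These are merged
    # last, so a key here overrides the built-in LLDAP_* variables.
    extraEnv = lib.mkOption {
      type = lib.types.attrsOf lib.types.str;
      default = { };
      description = "Additional environment variables to pass to the bootstrap script (override the built-in LLDAP_* variables on conflict).";
    };

    # The bootstrap is meant to be a one-time operation. With runOnce the
    # oneshot unit stays "active" after success (RemainAfterExit), so it is
    # not re-triggered within the same boot; it still runs at the next boot,
    # so bootstrap.sh should be written to be idempotent.
    runOnce = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "If true, the unit remains active after a successful run so it is not started again during the same boot; it runs again on the next boot, so the script should be idempotent.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Install the script read-only and owned by root (the environment.etc
    # default). It is executed by the `lldap` service user, and that user
    # should not be able to modify what it later runs; the previous
    # lldap:lldap 0770 copy allowed exactly that.
    environment.etc."bootstrap/bootstrap.sh" = {
      source = ./bootstrap.sh;
      mode = "0555";
    };

    environment.systemPackages = with pkgs; [ curl jq jo ];

    systemd.services.lldap-bootstrap = {
      description = "LLDAP Bootstrap Service";
      # `after` only orders the units; `wants` additionally pulls the LLDAP
      # server in so the bootstrap does not run against a server that was
      # never started. Assumes the LLDAP unit is called 'lldap.service'.
      after = [ "network.target" "lldap.service" ];
      wants = [ "lldap.service" ];
      wantedBy = [ "multi-user.target" ];

      # Secrets are read by the script from the sops-nix managed path; only
      # the path is exported here.
      environment = {
        LLDAP_URL = cfg.host;
        LLDAP_ADMIN_USERNAME = cfg.adminUsername;
        LLDAP_ADMIN_PASSWORD_FILE = cfg.adminPasswordFile;
        LLDAP_SET_PASSWORD_PATH = "${pkgs.lldap}/bin/lldap_set_password";
      } // cfg.extraEnv;

      path = [ pkgs.bash pkgs.curl pkgs.jq pkgs.jo ];

      # serviceConfig is set unconditionally: previously it was wrapped in
      # `lib.mkIf cfg.runOnce`, which left the unit with no ExecStart (and no
      # User/Group) whenever runOnce = false. runOnce now only controls
      # RemainAfterExit.
      serviceConfig = {
        Type = "oneshot";
        User = "lldap";
        Group = "lldap";
        DynamicUser = false;
        ExecStart = "/etc/bootstrap/bootstrap.sh";
        RemainAfterExit = cfg.runOnce;
      };
    };
  };
}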