{ config, lib, ... }:
let
  cfg = config.services.lldap;

  # sops-nix secrets consumed by this module. Each one is handed to the
  # service as a file path through the matching *_FILE variable below.
  secretNames = [ "lldap/jwt_secret" "lldap/key_seed" "lldap/admin_password" ];
  secretPath = name: config.sops.secrets.${name}.path;

  # LLDAP keeps its data in PostgreSQL; the unit is ordered after and
  # hard-depends on the database unit.
  postgresUnit = "postgresql.service";
in
{
  imports = [ ./bootstrap/lldap-bootstrap.nix ];

  # All three secrets are owned by the static `lldap` user declared below,
  # so the service reads them as its own user rather than as root.
  sops.secrets = lib.genAttrs secretNames (_: { owner = "lldap"; });

  # NOTE(review): this opens both the LDAP listener and the web UI on every
  # interface the firewall covers. The LDAP port carries plaintext LDAP
  # unless TLS is configured on the lldap side, and the HTTP port is the
  # admin interface — confirm both need to be reachable from off-host
  # (e.g. not fronted by a reverse proxy); otherwise restrict them with
  # networking.firewall.interfaces.<iface>.allowedTCPPorts.
  networking.firewall.allowedTCPPorts = [
    cfg.settings.http_port
    cfg.settings.ldap_port
  ];

  services.lldapBootstrap.enable = true;

  services.lldap = {
    enable = true;
    settings = {
      ldap_base_dn = "dc=procopius,dc=dk";
      # Email of the built-in admin account; its password comes from
      # LLDAP_LDAP_USER_PASS_FILE below.
      ldap_user_email = "admin@procopius.dk";
      # Connects over the local Unix socket. Assumes the `lldap` role and
      # database are provisioned elsewhere — not in this module; verify.
      database_url = "postgresql://lldap@localhost/lldap?host=/run/postgresql";
    };
    # Secrets are referenced by path, not placed in the environment as
    # values.
    environment = {
      LLDAP_JWT_SECRET_FILE = secretPath "lldap/jwt_secret";
      LLDAP_KEY_SEED_FILE = secretPath "lldap/key_seed";
      LLDAP_LDAP_USER_PASS_FILE = secretPath "lldap/admin_password";
    };
  };

  systemd.services.lldap = {
    after = [ postgresUnit ];
    requires = [ postgresUnit ];
    # mkForce overrides the DynamicUser setting applied elsewhere: a dynamic
    # user only exists while the unit runs, so sops-nix cannot chown the
    # secret files to it. Run as the static user instead.
    serviceConfig.DynamicUser = lib.mkForce false;
  };

  # Static system user and group that own the secrets and run the service.
  users.users.lldap = {
    group = "lldap";
    isSystemUser = true;
  };
  users.groups.lldap = { };
}