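# NixOS module: runs an OpenLDAP server for the o=bib3,c=DE tree and serves TLS
# with the ACME certificate issued for bib3.de.
{config, pkgs, ...}: {
  # let's hope this works
  # After the ACME run, copy the certificate material into a private directory
  # that only the openldap user can enter (700) and read (600).
  # `install -d` treats every operand as a directory and applies -o/-g/-m to
  # each one, so only the destination is listed here. Also naming
  # /var/lib/acme/bib3.de would hand the ACME directory itself to openldap with
  # mode 700.
  # NOTE(review): the glob copies every file in the ACME directory, not only the
  # three PEM files slapd is pointed at below. Confirm nothing else sensitive
  # lives there, or list the files explicitly.
  security.acme.certs."bib3.de".postRun = ''
    install -o openldap -g openldap -m 700 -d /var/lib/ssl/openldap
    install -o openldap -g openldap -m 600 /var/lib/acme/bib3.de/* /var/lib/ssl/openldap
  '';

  services.openldap = {
    enable = true;
    dataDir = "/var/lib/openldap";
    # Written as a string rather than a Nix path literal, so evaluating this
    # file does not copy the password file into the Nix store. The file itself
    # should stay readable only by root and the slapd user.
    rootpwFile = "/etc/nixos/secret/openldaproot.pw";
    suffix = "o=bib3,c=DE";
    rootdn = "cn=admin,o=bib3,c=DE";

    # Raw slapd.conf directives: TLS material comes from the copy made by the
    # ACME postRun hook above.
    # NOTE(review): `TLSCipherSuite DEFAULT` defers to the TLS library's
    # built-in list and sets no protocol floor. Consider adding TLSProtocolMin
    # and a stricter suite once client support is known.
    # NOTE(review): nothing here requires TLS before a bind. Verify that
    # plaintext simple binds are refused if the listener is reachable from
    # untrusted networks.
    extraConfig = ''
      TLSCipherSuite DEFAULT
      TLSCACertificateFile /var/lib/ssl/openldap/chain.pem
      TLSCertificateFile /var/lib/ssl/openldap/cert.pem
      TLSCertificateKeyFile /var/lib/ssl/openldap/key.pem
    '';

    # Initial directory contents as LDIF; entries are separated by blank lines.
    # NOTE(review): this text, including the userPassword hash, is part of the
    # system configuration and presumably ends up in the world-readable Nix
    # store, so treat the hash as public. The cn=test entry is a placeholder
    # account and should not survive into a deployment with real data.
    declarativeContents = ''
      dn: o=bib3, c=DE
      objectclass: organization

      dn: ou=users, o=bib3, c=DE
      objectclass: organizationalUnit
      ou: users

      dn: cn=test, ou=users, o=bib3, c=DE
      objectclass: InetOrgPerson
      cn: testcn
      sn: testsn
      givenName: test test
      mail: test@test.de
      userPassword: {CRYPT}$6$ssV7iTyDF7VMB.gx$DKUJgb/M5q.nd0/ilBTQRaR/pw9bMGhbrCp0CSD9Mt1epgoXYu9LA9P4UtWOyVV/QV3LHvJNoiBsfZMcBMAQN.
    '';
  };

  # TODO move users to separate files
}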