# NixOS module for the LLDAP identity server: agenix-managed secrets, the
# lldap service itself, and the distrust.services wrapper that fronts it with
# a reverse proxy, an onion endpoint and backups.
{ config, ... }:
let
  # Loopback port the reverse proxy forwards to; lldap's HTTP side listens here.
  lldapPort = 8089;
  # Public clearnet URL, reused as lldap's http_url and for the front-end entry.
  loginUrl = "https://login.distrust.network";
  secrets = config.age.secrets;
in
{
  age.secrets = {
    # Tor hidden-service key for the onion endpoint; agenix defaults apply
    # (no mode/group override), so only the secret's default owner reads it.
    "hidden_service/lldap".file = ../../secrets/hidden_service/lldap;

    # Bootstrap password for the LDAP admin user. Group-readable (0440) so the
    # lldap unit, which runs as a DynamicUser, can read it via the
    # supplementary group granted below instead of needing root.
    "lldap_root_pass" = {
      file = ../../secrets/lldap_root_pass;
      mode = "0440";
      group = "lldap-secrets";
    };
  };

  services.lldap = {
    enable = true;
    settings = {
      http_url = loginUrl;
      http_port = lldapPort;
      ldap_user_email = "root@distrust.network";
      ldap_user_dn = "root";
      ldap_base_dn = "dc=distrust,dc=network";
      # Admin password comes from the agenix-decrypted file, not the Nix store.
      ldap_user_pass_file = secrets."lldap_root_pass".path;
      # "always": the admin password is reset to the file's contents on every
      # start, so the secret file stays authoritative over the database.
      force_ldap_user_pass_reset = "always";
      # NOTE(review): no http_host/ldap_host is set, so whether the plain HTTP
      # and LDAP listeners are reachable beyond loopback depends on lldap's
      # defaults and the host firewall — confirm the intended exposure.
    };
  };

  distrust.services."lldap" = {
    url = loginUrl;
    onion = {
      url = "http://i3a47orggn2cebueja2jur66yjgyqd2y7kzthajar4ghuerbx2kzwqyd.onion";
      secretKey = secrets."hidden_service/lldap".path;
    };
    # Proxy snippet for the virtual host: forwards to lldap's local HTTP port.
    virtualHostConfig = ''
      reverse_proxy localhost:${toString lldapPort}
    '';
    backup = {
      enable = true;
      # State directory included in backups.
      paths = [ "/var/lib/lldap" ];
    };
  };

  # Static group that owns the password secret; the lldap unit's DynamicUser
  # is added to it so it can read the file without widening permissions.
  users.groups.lldap-secrets = { };
  systemd.services.lldap.serviceConfig.SupplementaryGroups = [ "lldap-secrets" ];
}