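# NixOS module configuring a kanidm identity server plus its provisioned
# persons, groups and OAuth2 clients.
{ config, pkgs, lib, ... }:
let
  cfg = config.services.kanidm;
  # kanidm is served under its own subdomain of the host's configured domain.
  authDomain = "auth.${config.networking.domain}";
  # Directory holding the ACME-issued certificate for that subdomain.
  certsDir = config.security.acme.certs."${authDomain}".directory;
in
{
  # TODO: Pull in the appropriate sops-nix secrets and get this baby rolling.
  # https://github.com/search?q=language%3ANix+services.kanidm&type=code
  services.kanidm = {
    # NOTE: Pin a specific kanidm version, we don't want issues from auto-updating.
    package = pkgs.kanidm_1_6;
    enableServer = true;

    # Wire the server to the ACME certificate computed above (`certsDir` was
    # previously defined but never used, so the server had no TLS material).
    # NOTE(review): the kanidm service user must be able to read `certsDir`
    # (e.g. via the certificate's `group` option) — confirm on first deploy.
    serverSettings = {
      domain = authDomain;
      origin = "https://${authDomain}";
      tls_chain = "${certsDir}/fullchain.pem";
      tls_key = "${certsDir}/key.pem";
    };

    # TODO: Initial kanidm setup.
    # I sort of want users to be able to create their own accounts and what I
    # don't want is for any of their account information to be leaked here as
    # it can be used for remote logins.
    # So kanidm accounts aside from the administration will be "impure".
    # I vastly prefer people being able to set their own credentials:
    # https://kanidm.github.io/kanidm/stable/accounts/authentication_and_credentials.html#onboarding-a-new-person--resetting-credentials
    provision = {
      enable = true;
      # Entities not listed here are left alone rather than deleted.
      autoRemove = false;

      # TODO: Add secrets from `sops-nix`.
      # These are file *paths*; the placeholder values will not resolve until
      # the secrets are wired in.
      adminPasswordFile = "TODO!SETME";
      idmAdminPasswordFile = "TODO!SETME";

      persons = {
        # https://kanidm.github.io/kanidm/stable/accounts/authentication_and_credentials.html#resetting-person-account-credentials
        # Needs to be a member of idm_people_admins and idm_high_privilege to prevent idm_service_desk from tampering.
        zenware = {
          displayName = "zenware";
          legalName = "zenware";
          # No trailing whitespace inside the address: the previous value ended
          # in `... "` and would have provisioned a malformed mail address.
          mailAddresses = [ "zenware@${config.networking.domain}" ];
          groups = [
            "idm_high_privilege"
            "git.users"
            "git.admins"
          ];
        };
        # TODO: Make an idm_service_desk account.
      };

      groups = {
        # This group is `git` because it could be forgejo, gitea, etc.
        "git.users" = { };
        "git.admins" = { };
      };

      systems.oauth2 = {
        forgejo = {
          displayName = "forgejo";
          originUrl = "TODO!SETME";
          originLanding = "TODO!SETME";
          basicSecretFile = "TODO!SETME";
          # Only members of git.users may authenticate to this client.
          scopeMaps."git.users" = [ "openid" "email" "profile" ];
          # WARNING: PKCE is currently not supported by gitea/forgejo,
          # see https://github.com/go-gitea/gitea/issues/21376
          # Keep this exception scoped to this client; do not copy it to
          # clients that do support PKCE.
          allowInsecureClientDisablePkce = true;
          preferShortUsername = true;
          # Expose a `groups` claim so forgejo can map git.admins to its admin role.
          claimMaps.groups = {
            joinType = "array";
            valuesByGroup."git.admins" = [ "admin" ];
          };
        };
      };
    };

    #enableClient = false;
    clientSettings = {
      uri = "https://${authDomain}";
      # Both checks stay on so the client never talks to a spoofed server.
      verify_hostnames = true;
      verify_ca = true;
    };
  };
}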