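# NixOS module: LDAP-backed users and groups through nslcd, plus the SSH,
# sudo and PAM policy that depends on those LDAP groups. The nslcd bind
# password is delivered at runtime by agenix, never through the Nix store.
{ config, ... }:
{
  # Bind credential for nslcd. agenix decrypts it on boot; ownership is
  # restricted to the nslcd user/group (agenix's default file mode is 0400).
  age.secrets.ldap-bind-password = {
    file = ../secrets/ldap-bind-password.age;
    owner = "nslcd";
    group = "nslcd";
  };

  # Only members of these groups may authenticate over SSH; sshd rejects
  # everyone else. "federezadmin" presumably resolves through nslcd, so SSH
  # access for admins depends on the LDAP lookup path below working.
  services.openssh.settings.AllowGroups = [ "root" "ssh" "federezadmin" ];

  # Members of the LDAP group "sudoldap" may run any command via sudo.
  # No NOPASSWD option is set, so sudo still asks for the user's password.
  security.sudo.extraRules = [
    {
      groups = [ "sudoldap" ];
      commands = [ "ALL" ];
    }
  ];

  # Create a home directory on first login for LDAP users (pam_mkhomedir).
  security.pam.services.login.makeHomeDir = true;
  # NOTE(review): passwd has no session phase, so this entry is probably a
  # no-op — confirm before relying on it.
  security.pam.services.passwd.makeHomeDir = true;
  security.pam.services.sshd.makeHomeDir = true;
  # umask 0022 yields 0755 homes, readable by every local user. Use "0077"
  # if home directories on this host should be private to their owner.
  security.pam.makeHomeDir = { umask = "0022"; };

  # Let systemd create /var/log/nslcd for the debug log configured below.
  systemd.services.nslcd.serviceConfig = {
    LogsDirectory = "nslcd";
    # The debug log can expose directory lookups (user names, group
    # membership, search filters) — keep the directory out of reach of
    # unprivileged local users. systemd's default for LogsDirectory is 0755.
    LogsDirectoryMode = "0750";
  };

  users.ldap = {
    enable = true;
    # Also resolve users/groups through NSS, not only authenticate via PAM.
    nsswitch = true;
    # Use the nslcd daemon so that a single process holds the bind
    # credential and the LDAP connections.
    daemon.enable = true;
    base = "dc=federez,dc=net";
    # Service account used for NSS lookups. The password is read from the
    # agenix-managed file at service start and never lands in /nix/store.
    bind = {
      distinguishedName = "cn=nssauth,ou=service-users,dc=federez,dc=net";
      passwordFile = config.age.secrets.ldap-bind-password.path;
    };
    # Primary server. Known servers: ldaps://ldap.federez.net and
    # ldaps://ldap-ro.federez.net (the replica is added as a second uri
    # in extraConfig below).
    server = "ldaps://ldap.federez.net";
    # Raw nslcd.conf lines appended after the module-generated ones:
    # - `log ... debug`: persistent debug-level logging. It is verbose and
    #   nothing here rotates it; lower it to info or remove it once the
    #   troubleshooting it was added for is over.
    # - `uri ldaps://ldap-ro...`: a second uri statement; nslcd tries uri
    #   statements in order, so the read-only replica is a fallback.
    # - `base passwd/shadow/group`: per-map search bases under the
    #   directory base above.
    # - `map passwd loginShell ...`: forces a shell that exists on NixOS.
    #   NOTE(review): nslcd.conf(5) shows literal map values in double
    #   quotes; an unquoted value may be read as an attribute name —
    #   confirm against the nslcd version in use.
    # - `ssl on` + `tls_reqcert demand`: the server certificate must
    #   validate against tls_cacertfile or the connection is refused.
    daemon.extraConfig = ''
      log /var/log/nslcd/debug.log debug
      uri ldaps://ldap-ro.federez.net
      base passwd cn=Utilisateurs,dc=federez,dc=net
      base shadow cn=Utilisateurs,dc=federez,dc=net
      base group ou=posix,ou=groups,dc=federez,dc=net
      map passwd loginShell /run/current-system/sw/bin/bash
      ldap_version 3
      ssl on
      tls_cacertfile /etc/ssl/certs/ca-certificates.crt
      tls_reqcert demand
    '';
  };
}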