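{ lib, config, pkgs, ... }:

let
  # AuthorizedKeysCommand helper: sshd invokes it with the login name as $1
  # (with no explicit arguments sshd substitutes %u) and reads authorized_keys
  # lines from stdout. It looks the user up in LDAP with the same bind account
  # that nslcd uses below.
  ldapAuthorizedKeys = pkgs.writeShellScript "ldap-authorized-keys" ''
    # sshd runs this command with a minimal PATH, so refer to sed by store path.
    sed=${pkgs.gnused}/bin/sed

    # Escape RFC 4515 filter metacharacters in the login name before splicing
    # it into the search filter; an unescaped "*" or ")" would otherwise let the
    # name widen or reshape the query instead of matching one uid.
    uid=$(printf '%s' "$1" | "$sed" 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g')

    # -ZZ: require StartTLS (the nslcd config below already sets useTLS), so the
    #      bind password and the query do not cross the network in the clear.
    # -o ldif-wrap=no: ldapsearch folds LDIF lines at 76 columns by default; a
    #      wrapped key would be cut off after its first line by the sed below.
    # Values that LDIF base64-encodes ("sshPublicKey:: ...") are not decoded here.
    ${pkgs.openldap}/bin/ldapsearch -LLL -x -ZZ -o ldif-wrap=no \
      -H ldap://ldap.cloonar.com \
      -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
      -y ${config.sops.secrets.linuxbind-password.path} \
      -b "ou=users,dc=cloonar,dc=com" \
      "(uid=$uid)" sshPublicKey \
      | "$sed" -n 's/^sshPublicKey: //p'
  '';
in
{
  environment.systemPackages = with pkgs; [ openldap ];

  # nslcd-backed NSS/PAM against the same directory and bind account.
  users.ldap = {
    enable = true;
    daemon.enable = true;
    base = "ou=users,dc=cloonar,dc=com";
    server = "ldap://ldap.cloonar.com/";
    useTLS = true;
    bind = {
      policy = "soft";
      distinguishedName = "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com";
      passwordFile = config.sops.secrets.linuxbind-password.path;
    };
    loginPam = true;
    extraConfig = ''
      ldap_version 3
      # pam_password ssha
      pam_filter objectClass=posixAccount
      pam_login_attribute uid
      pam_member_attribute gidNumber
    '';
  };

  # Create home directories for directory users on first login.
  security.pam.services.login.makeHomeDir = true;
  security.pam.services.systemd-user.makeHomeDir = true;

  # Order nslcd after the network is actually up. The original ordering named
  # "Network-Manager.service", which is not a unit that exists (NetworkManager's
  # unit is NetworkManager.service), so it had no effect.
  systemd.services.nslcd = {
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
  };

  # evil, horrifying hack for dysfunctional nss_override_attribute_value
  # Presumably the directory's loginShell values point at /bin/bash, which does
  # not exist on NixOS; this symlink makes those logins work.
  systemd.tmpfiles.rules = [
    "L /bin/bash - - - - /run/current-system/sw/bin/bash"
  ];

  services.openssh = {
    settings = {
      AuthorizedKeysCommand = ldapAuthorizedKeys;
      # Default is "nobody"; the helper must run as the owner of the sops bind
      # password file (see sops.secrets below) to be able to read it.
      AuthorizedKeysCommandUser = "nslcd";
      PubkeyAuthentication = "yes";
    };
  };

  # The bind password is readable by nslcd only; both nslcd and the
  # AuthorizedKeysCommand helper run as that user.
  sops.secrets.linuxbind-password.owner = "nslcd";
}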