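{ config, pkgs, ... }:
let
  # Looks up the SSH public key(s) of one LDAP user, for sshd's
  # AuthorizedKeysCommand. sshd runs this as AuthorizedKeysCommandUser and,
  # when the command is given without arguments, passes the login name as
  # the sole argument ($1).
  #
  # The login name ends up inside an LDAP search filter, so the RFC 4515
  # filter metacharacters (backslash, '*', '(' and ')') are escaped first;
  # without that a name containing '*' would match every user under the
  # search base and return their keys.
  #
  #   -ZZ              require StartTLS, fail rather than fall back to plaintext
  #   -o ldif-wrap=no  keep long key values on one line so sed sees them whole
  #   -y <file>        read the bind password from the sops-managed file,
  #                    never from argv (visible in `ps`)
  ldapAuthorizedKeys = pkgs.writeShellScript "ldap-authorized-keys" ''
    if [ "$#" -ne 1 ] || [ -z "$1" ]; then
      echo "usage: $0 <username>" >&2
      exit 1
    fi
    user=$1
    user=''${user//\\/\\5c}
    user=''${user//\*/\\2a}
    user=''${user//\(/\\28}
    user=''${user//\)/\\29}
    # NOTE(review): values that ldapsearch base64-encodes ("sshPublicKey:: ...")
    # are not decoded here; plain ASCII keys are emitted one per line.
    exec ${pkgs.openldap}/bin/ldapsearch -LLL -ZZ -o ldif-wrap=no -x \
      -H ldap://ldap.cloonar.com \
      -D "cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com" \
      -y ${config.sops.secrets.linuxbind-password.path} \
      -b "ou=users,dc=cloonar,dc=com" \
      "(uid=$user)" sshPublicKey \
      | sed -n 's/^sshPublicKey: //p'
  '';
in
{
  # NSS/PAM identity from LDAP via SSSD. The bind password is injected from
  # the sops-managed environment file as SSSD_LDAP_DEFAULT_AUTHTOK.
  # NOTE(review): cache_credentials = true keeps cached credentials on the
  # host for offline logins, and entry_cache_timeout = 604800 (7 days) means
  # a user or group removed in LDAP may stay resolvable by NSS until the
  # cache entry expires — confirm this matches the deprovisioning policy.
  services.sssd = {
    enable = true;
    config = ''
      [sssd]
      config_file_version = 2
      services = nss, pam
      domains = cloonar.com

      [domain/cloonar.com]
      default_shell = /run/current-system/sw/bin/bash
      cache_credentials = true
      enumerate = true
      id_provider = ldap
      auth_provider = ldap
      ldap_uri = ldap://ldap.cloonar.com
      ldap_search_base = dc=cloonar,dc=com
      ldap_user_search_base = ou=users,dc=cloonar,dc=com
      ldap_group_search_base = cn=linux,ou=groups,dc=cloonar,dc=com
      ldap_id_use_start_tls = true
      chpass_provider = ldap
      entry_cache_timeout = 604800
      ldap_network_timeout = 2
      ldap_default_bind_dn = cn=linuxbind,ou=system,ou=users,dc=cloonar,dc=com
      ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
      ldap_schema = rfc2307
      ldap_group_member = memberUid
    '';
    environmentFile = config.sops.secrets.sssd-environment.path;
  };

  # Create home directories on first login (console and user session).
  security.pam.services.login.makeHomeDir = true;
  security.pam.services.systemd-user.makeHomeDir = true;

  # LDAP loginShell values point at /bin/bash; provide it as a symlink.
  systemd.tmpfiles.rules = [
    "L /bin/bash - - - - /run/current-system/sw/bin/bash"
  ];

  services.openssh = {
    settings = {
      AuthorizedKeysCommand = toString ldapAuthorizedKeys;
      AuthorizedKeysCommandUser = "nslcd"; # default is “nobody”
      PubkeyAuthentication = "yes";
    };
  };

  sops.secrets.sssd-environment = {};
  # The authorized-keys script runs as AuthorizedKeysCommandUser and reads
  # this file with `ldapsearch -y`; sops-nix secrets default to root:0400,
  # so that user must own it or every key lookup fails.
  # NOTE(review): assumes the "nslcd" user is defined elsewhere — confirm.
  sops.secrets.linuxbind-password = {
    owner = "nslcd";
  };
}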