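{ pkgs, config, lib, ... }:
let
  # Wraps efficiosoft/ldap-auth-sh (pinned by rev + sha256) together with the
  # config file that Home Assistant's command_line auth provider runs for every
  # login attempt. Only the *path* of the bind password ends up in the
  # world-readable Nix store; the secret itself is read at runtime.
  ldap-auth-sh = pkgs.stdenv.mkDerivation {
    name = "ldap-auth-sh";
    src = pkgs.fetchFromGitHub {
      owner = "efficiosoft";
      repo = "ldap-auth-sh";
      rev = "93b2c00413942908139e37c7432a12bcb705ac87";
      sha256 = "1pymp6ki353aqkigr89g7hg5x1mny68m31c3inxf1zr26n5s2kz8";
    };
    nativeBuildInputs = [ pkgs.makeWrapper ];
    installPhase = ''
      mkdir -p $out/etc
      # Quoted heredoc: $username, $output and the shell functions below are
      # expanded by ldap-auth.sh at login time, not during the build. Only the
      # Nix interpolations (secret path, PATH) are substituted here.
      cat > $out/etc/home-assistant.cfg << 'EOF'
      CLIENT="ldapsearch"
      # Explicit LDAPS on 636. Server certificate verification follows the
      # ldap.conf settings seen by ldapsearch (TLS_CACERT etc.) - confirm on
      # the host that verification is not disabled.
      SERVER="ldaps://ldap.cloonar.com:636"
      # Dedicated service account that only binds and searches.
      USERDN="cn=home-assistant,ou=system,ou=users,dc=cloonar,dc=com"
      # Read at runtime from the sops-managed file; only its path is in the
      # store. The file must be readable by the user ldap-auth.sh runs as.
      PW="$(<${config.sops.secrets.home-assistant-ldap.path})"
      BASEDN="ou=users,dc=cloonar,dc=com"
      SCOPE="one"
      # The username is interpolated into an LDAP *search filter*, but
      # ldap_dn_escape presumably escapes DN characters (RFC 4514), not filter
      # metacharacters (RFC 4515: ( ) * \ NUL). What actually keeps those out
      # of the filter is USERNAME_PATTERN below, so that allowlist must stay
      # strict - review it together with this line.
      FILTER="(&(objectClass=cloonarUser)(memberOf=cn=HomeAssistant,ou=groups,dc=cloonar,dc=com)(mail=$(ldap_dn_escape "$username")))"
      # Allowlist of username characters. Inside a bracket expression a bar is
      # a literal, not alternation, so the previous '[a-z|A-Z|0-9|...]' form
      # also admitted '|'. The class below lists exactly the intended
      # characters, with '-' last so it is literal.
      USERNAME_PATTERN='^[a-zA-Z0-9_.@-]+$'
      on_auth_success() {
        # Print meta entries (name=...) on stdout for Home Assistant.
        # $output holds the ldapsearch result for the matched user.
        if echo "$output" | grep -qE '^(dn|DN):: '; then
          # ldapsearch base64-encodes non-ASCII values (marked with "::").
          output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*::\s*\(.*\)$/\2/p" | base64 -d)
        else
          output=$(echo "$output" | sed -n -e "s/^\(dn\|DN\)\s*:\s*\(.*\)$/\2/p")
        fi
        # Display name = value of the leading cn= RDN (case-insensitive match).
        name=$(echo "$output" | sed -nr 's/^cn=([^,]+).*/\1/Ip')
        [ -z "$name" ] || echo "name=$name"
      }
      EOF
      install -D -m755 ldap-auth.sh $out/bin/ldap-auth.sh
      # Pin the tools the script and the hook above rely on (ldapsearch,
      # base64, GNU sed/grep extensions such as \s, \| and the I flag) rather
      # than trusting whatever PATH Home Assistant runs the command with.
      wrapProgram $out/bin/ldap-auth.sh \
        --prefix PATH : ${lib.makeBinPath [ pkgs.openldap pkgs.coreutils pkgs.gnused pkgs.gnugrep ]} \
        --add-flags "$out/etc/home-assistant.cfg"
    '';
  };
in
{
  # Home Assistant's command_line provider runs the wrapper per login attempt;
  # meta = true makes it parse the name=... line printed by on_auth_success.
  services.home-assistant.config.homeassistant.auth_providers = [
    {
      type = "command_line";
      command = "${ldap-auth-sh}/bin/ldap-auth.sh";
      meta = true;
    }
  ];
  # Bind password of the service account, decrypted out of secrets.yaml by
  # sops-nix and owned by the Home Assistant user so the auth command can
  # read it (it must not be readable by other local users).
  sops.secrets.home-assistant-ldap = {
    sopsFile = ./secrets.yaml;
    owner = "hass";
  };
}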