{ pkgs, config, ... }:
let
  # Every schema LDIF referenced below ships inside the openldap package.
  schemaDir = "${pkgs.openldap}/etc/schema";
  baseDn = "dc=m4siri,dc=com";
in
{
  # Secret files provided by the (out-of-tree) `secrets` module.
  # NOTE(review): both are installed with mode "444", i.e. readable by every
  # local user. ldap-root holds the directory's root credential (consumed via
  # olcRootPW.path below), so the least-privilege choice is a mode only the
  # slapd service user can read; if the secrets module offers an owner/group
  # option, prefer that together with "400"/"440" — confirm against the module.
  secrets = {
    ldap-root = {
      file = ./secrets/ldap-root.age;
      mode = "444";
    };
    # Declared here but not referenced in this file; presumably consumed by
    # whatever binds as the search user — verify against the callers.
    ldap-search = {
      file = ./secrets/ldap-search-pw.age;
      mode = "444";
    };
  };

  services.openldap = {
    enable = true;
    # A single plain `ldap:///` listener; no `ldaps:///` URL is configured here,
    # so simple binds (root and search-user passwords included) cross the wire
    # unencrypted unless TLS/StartTLS is supplied elsewhere.
    urlList = [ "ldap:///" ];
    # mutableConfig = true;
    settings = {
      attrs = {
        # Log connection management and configuration processing.
        olcLogLevel = "conns config";
      };
      children = {
        "cn=schema" = {
          includes =
            map (name: "${schemaDir}/${name}.ldif") [ "core" "cosine" "inetorgperson" "misc" "nis" ];
        };

        "olcDatabase={1}mdb" = {
          attrs = {
            objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
            olcDatabase = "{1}mdb";
            olcDbDirectory = "/var/lib/openldap/data";
            olcSuffix = baseDn;
            olcRootDN = "cn=admin,${baseDn}";
            # Read from the secret file at service start instead of embedding
            # the credential in the Nix store.
            olcRootPW = { path = config.secrets.ldap-root.path; };
            # Rules are evaluated in order; the first matching `to` clause wins.
            olcAccess = [
              # {0}: userPassword is readable by the search account, writable by
              # the entry itself, usable for authentication (but not readable) by
              # anonymous binds, and hidden from everyone else.
              '' {0}to attrs=userPassword by dn="cn=searchuser,ou=users,dc=m4siri,dc=com" read by self write by anonymous auth by * none''
              # {1}: every other attribute is readable by anyone who can connect,
              # anonymous binds included.
              '' {1}to * by * read''
            ];
          };
        };
      };
    };
    # NOTE(review): builtins.readFile embeds the file's contents in the
    # evaluated configuration, which lands in the world-readable Nix store —
    # treat ./secrets/ldap-content as non-secret despite its location.
    declarativeContents = {
      "${baseDn}" = builtins.readFile ./secrets/ldap-content;
    };
  };
}