# NixOS module: Kanidm identity server for auth.<baseDomain>, fronted by nginx
# and using an ACME-issued certificate shared between the two services.
{ config, pkgs, ... }:
let
  baseDomain = "vimium.com";
  domain = "auth.${baseDomain}";
  # Public origin of the identity server; also used by the local client.
  uri = "https://${domain}";
  # Directory where the ACME module places the certificate files for `domain`.
  certDir = config.security.acme.certs.${domain}.directory;
in
{
  services.kanidm = {
    package = pkgs.unstable.kanidm;
    enableServer = true;
    enableClient = true;

    # The local kanidm client talks to the server through its public origin.
    clientSettings = {
      inherit uri;
    };

    serverSettings = {
      # HTTPS listener is loopback-only; external traffic arrives via nginx below.
      bindaddress = "127.0.0.1:3013";
      # LDAPS listener is bound to a non-loopback address, so it is reachable
      # from whatever network that interface belongs to.
      # NOTE(review): 100.64.0.0/10 is commonly an overlay/VPN range — confirm
      # this is the intended exposure for the LDAP interface.
      ldapbindaddress = "100.64.0.1:636";
      domain = baseDomain;
      origin = uri;
      # Kanidm serves TLS itself using the same ACME certificate nginx uses.
      tls_chain = "${certDir}/full.pem";
      tls_key = "${certDir}/key.pem";
      # NOTE(review): behind the proxy kanidm will record 127.0.0.1 as the
      # client address unless a forwarded-for header is sent and trusted —
      # confirm if audit logs need real client IPs.
    };
  };

  # Reverse proxy: TLS is terminated by nginx and re-encrypted to kanidm.
  services.nginx.virtualHosts.${domain} = {
    useACMEHost = domain;
    forceSSL = true;
    locations."/" = {
      proxyPass = "https://127.0.0.1:3013";
    };
  };

  # Both services read the certificate files, so both join the acme group.
  users.extraGroups.acme.members = [ "kanidm" "nginx" ];

  security.acme.certs.${domain} = {
    # Kanidm loads the certificate at startup, so a renewal requires a restart.
    postRun = "systemctl restart kanidm.service";
    group = "acme";
  };
}