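# NixOS host configuration for the Kanidm-backed RADIUS service (k-radius).
#
# The service authenticates RADIUS clients against the Kanidm IdP at `uri`
# and assigns VLANs from Kanidm group membership. Secrets (API token,
# private-key passphrase, TLS material) come from agenix secrets whose
# names start with "radius-" and are owned by the "radius" user.
{ config, lib, ... }:
{
  imports = [ ./module.nix ];

  services.k-radius = {
    enable = true;

    settings = {
      # URL to the Kanidm server. Every RADIUS authentication decision
      # (including the VLAN handed back to the NAS) is derived from what
      # this endpoint answers, so the TLS connection to it must be
      # authenticated.
      uri = "https://sso.dgnum.eu";

      # Verify the hostname of the Kanidm server against its certificate.
      verify_hostnames = "true";

      # Strict CA and certificate verification of the Kanidm server.
      #
      # SECURITY: these were previously "false", which made
      # `verify_hostnames` meaningless and let anyone who can intercept
      # traffic to sso.dgnum.eu impersonate the IdP — i.e. accept
      # arbitrary credentials and hand out arbitrary VLANs. Keep them on.
      # If sso.dgnum.eu ever moves to a private CA, point the client at
      # that CA through the module's CA-path option (the "Path to the
      # kanidm ca" entry that used to sit below) instead of disabling
      # verification. Values are strings because that is what the module
      # expected for the previous settings — TODO confirm against
      # ./module.nix that it does not want Nix booleans.
      verify_ca = "true";
      verify_certificate = "true";

      # Default VLAN for groups that don't specify one.
      radius_default_vlan = 99;

      # Kanidm groups an account must be a member of before it can
      # authenticate via RADIUS at all (independent of the VLAN mapping).
      radius_required_groups = [ "radius_access@sso.dgnum.eu" ];

      # Mapping between Kanidm groups and VLANs.
      radius_groups = [
        {
          spn = "dgnum_members@sso.dgnum.eu";
          vlan = 1;
        }
        {
          spn = "dgnum_clients@sso.dgnum.eu";
          vlan = 2;
        }
      ];
    };

    # Kanidm API token and the passphrase of the RADIUS TLS private key,
    # read from agenix-managed files rather than embedded in the store.
    authTokenFile = config.age.secrets."radius-auth_token_file".path;
    privateKeyPasswordFile = config.age.secrets."radius-private_key_password_file".path;

    # TLS material for the RADIUS server itself: one agenix secret per
    # file, named "radius-<name>_pem_file" (ca, cert, dh, key).
    certs = builtins.listToAttrs (
      builtins.map
        (name: lib.nameValuePair name config.age.secrets."radius-${name}_pem_file".path)
        [ "ca" "cert" "dh" "key" ]
    );

    # NOTE(review): no RADIUS clients (NAS shared secrets) are declared
    # here while port 1812 is opened below. If the clients are declared
    # elsewhere (e.g. in ./module.nix), document that; if not, nothing
    # should be able to talk to this server and the firewall rule is
    # exposing an unconfigured service.
    radiusClients = { };
  };

  # All "radius-*" secrets are decrypted readable by the radius user only.
  age-secrets.matches."^radius-.*$" = {
    owner = "radius";
  };

  # RADIUS authentication is UDP/1812 (RFC 2865). NOTE(review): opening
  # TCP/1812 as well is unusual — confirm the module actually listens on
  # TCP before keeping it, and consider restricting both rules to the
  # interface(s) the NAS devices reach this host on rather than all of
  # them.
  networking.firewall.allowedTCPPorts = [ 1812 ];
  networking.firewall.allowedUDPPorts = [ 1812 ];
}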