{config, ...}: let
  # temporary url, zum testen auf laptop zuhause
  tld = "moe";
  hostname = "eisvogel";
  domain = "portunus.${hostname}.${tld}";

  portunusUser = "portunus";
  portunusGroup = "portunus";

  ldapUser = "openldap";
  ldapGroup = "openldap";
in {
  users.users."${portunusUser}" = {
    isSystemUser = true;
    group = "${portunusGroup}";
  };

  users.groups."${portunusGroup}" = {
    name = "${portunusGroup}";
    members = ["${portunusUser}"];
  };

  users.users."${ldapUser}" = {
    isSystemUser = true;
    group = "${ldapGroup}";
  };

  users.groups."${ldapGroup}" = {
    name = "${ldapGroup}";
    members = ["${ldapUser}"];
  };

  # TODO: eigenes secrets.yaml für seedfile?
  sops.secrets.portunus_seedfile = {
    owner = "${portunusUser}";
    group = "${portunusGroup}";
  };

  services.portunus = {
    enable = true;
    user = "${portunusUser}";
    group = "${portunusGroup}";
    domain = "${domain}";
    ldap = {
      user = "${ldapUser}";
      group = "${ldapGroup}";
      suffix = "dc=${hostname},dc=${tld}";
      tls = true;
    };

    # TODO: wohin seed file?
    seedPath = "";

    # falls wir das brauchen
    # dex = {
    #   enable = true;
    #   ...
    # };
    # searchUserName = "xxx";
  };

  users.ldap = {
    enable = true;
    server = "ldaps://${domain}";
    base = "dc=${hostname},dc=${tld}";
    # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen
  };

  # TODO: acme/letsencrypt oder andere lösung?
  services.nginx = {
    enable = true;
    virtualHosts."${config.services.portunus.domain}" = {
      forceSSL = true;
      enableACME = true;
      locations = {
        "/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
        "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}";
      };
    };
  };

  networking.firewall.allowedTCPPorts = [
    80 # http
    443 # https
    636 # ldaps
  ];
}