{
  services.lldap = {
    enable = true;
    settings = {
      ldap_base_dn = "dc=stuce,dc=ch";
      # forces localhost only !
      ldap_host = "127.0.0.1";
      http_host = "127.0.0.1";
      ldap_user_email = "admin@example.com";
      ldap_user_dn = "stuce_admin";
      ldap_key = ""; # so warning shuts up !
      # NOTE: this is in case of oopsies !
      force_ldap_user_pass_reset = false;
      # TODO: jwt file + user password + key seed script to gen

    };
    environment = {
      LLDAP_JWT_SECRET_FILE = "/var/lib/lldap/jwt_secret";
      LLDAP_LDAP_USER_PASS_FILE = "/var/lib/lldap/user_password";
      LLDAP_KEY_SEED = "/var/lib/lldap/key_seed";
    };
  };
}