{ config, pkgs, lib, ... }:
  with lib;
  let
    cfg = config.services.skynet_ldap_client;

    # always ensure the admin group has access
    create_filter_check_admin = (x: if !(builtins.elem "skynet-admins" x) then x ++ ["skynet-admins"] else x);

    # create teh new strings
    create_filter_array = map (x: "(skMemberOf=cn=${x},ou=groups,${cfg.base})");

    create_filter_join = (x: concatStringsSep "" x);

    # thought you could escape racket?
    create_filter = (x: create_filter_join (create_filter_array (create_filter_check_admin x) ) );

  in {

  # these are needed for teh program in question
  imports = [];

  # give users access to this server
  #services.skynet_ldap_client.groups = ["skynet-users-linux"];

  options.services.skynet_ldap_client = {
    # options that need to be passed in to make this work

    enable = mkEnableOption "Skynet LDAP client";

    address = mkOption {
      type = types.str;
      default = "account.skynet.ie";
      description = lib.mdDoc "The domain the ldap is behind";
    };

    base = mkOption {
      type = types.str;
      default = "dc=skynet,dc=ie";
      description = lib.mdDoc "The base address in the ldap server";
    };

    groups = mkOption {
      type = types.listOf types.str;
      default = [
        "skynet-admins-linux"
      ];
      description = lib.mdDoc "Groups we want to allow access to the server";
    };

  };

  config = mkIf cfg.enable {
    # this is athe actual configuration that we need to do

    security.sudo.extraRules = [
      # admin group has sudo access
      { groups = [ "skynet-admins-linux" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
    ];


    # give users a home dir
    security.pam.services.sshd.makeHomeDir = true;

    services.openssh = {
      # only allow ssh keys
      settings.PasswordAuthentication = false;

      # tell users where tehy cna setup their ssh key
      banner = ''
        If you get 'Permission denied (publickey,keyboard-interactive)' you need to add an ssh key on https://${cfg.address}
        '';
    };

    services.sssd = {
      enable = true;

      sshAuthorizedKeysIntegration = true;

      config = ''
[domain/skynet.ie]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap

ldap_uri = ldaps://${cfg.address}:636

ldap_search_base = ${cfg.base}
# thank ye https://medium.com/techish-cloud/linux-user-ssh-authentication-with-sssd-ldap-without-joining-domain-9151396d967d
ldap_user_search_base = ou=users,${cfg.base}?sub?(|${create_filter cfg.groups})
ldap_group_search_base = ou=groups,${cfg.base}
ldap_sudo_search_base = cn=skynet-admins-linux,ou=groups,${cfg.base}

ldap_group_nesting_level = 5

cache_credentials = false
entry_cache_timeout = 1

ldap_user_member_of = skMemberOf

[sssd]
config_file_version = 2
services = nss, pam, sudo, ssh
domains = skynet.ie

[nss]
# override_homedir = /home/%u

[pam]

[sudo]

[autofs]
      '';
    };

  };
}