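# SPDX-FileCopyrightText: 2024 Tom Hubrecht
#
# SPDX-License-Identifier: EUPL-1.2

# SSH public-key helpers used to decide which keys may decrypt secrets.
#
# Every helper returns a flat list of SSH public keys taken from `meta`:
# member keys come from meta.organization.members.<name>.sshKeys, host keys
# from meta.nodes.<name>.sshKeys. Lookups go through builtins.getAttr, so an
# unknown member, node or group name is an evaluation error rather than a
# silently empty key list. This is deliberate: a typo must never produce a
# secret that nobody (or the wrong party) can decrypt.
let
  _sources = import ../npins;
  inherit (import _sources.nixos-unstable { }) lib;
  meta = import ../meta lib;
  # setDefault and unique come from the in-repo helper library; `unique`
  # deduplicates a list, `setDefault` presumably fills in missing attributes
  # of each secret declaration (see mkSecrets) — confirm against ../lib/nix-lib.
  inherit (import ../lib/nix-lib) setDefault unique;
  # getAttr set name == set.${name}; throws when `name` is missing.
  getAttr = lib.flip builtins.getAttr;
in
rec {
  # member name -> [ ssh public keys ]
  _memberKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.organization.members;
  # node name -> [ ssh public keys ] (host keys)
  _nodeKeys = builtins.mapAttrs (_: v: v.sshKeys) meta.nodes;

  # Keys of the given members. `names` is a list of member names; an
  # unknown name is an evaluation error.
  getMemberKeys = names: builtins.concatMap (getAttr _memberKeys) names;

  # Host keys of the given nodes. `names` is a list of node names; an
  # unknown name is an evaluation error.
  getNodeKeys = names: builtins.concatMap (getAttr _nodeKeys) names;

  # Keys of every member of the root group.
  rootKeys = getMemberKeys meta.organization.groups.root;

  # All keys that can access a node: the root group, the node's declared
  # admins, the members of its admin groups, and the node's own host key
  # (needed so the machine itself can decrypt at activation time).
  #
  # The member list must only ever contain member names: it is resolved
  # against _memberKeys, so a node name in it would either throw or, if a
  # member happens to share the node's name, grant that member access.
  # Root members are included here as they are for machineKeys; drop
  # `meta.organization.groups.root` from `members` if per-node secrets are
  # meant to be limited to the node's declared admins.
  getNodeKeys' =
    node:
    let
      inherit (meta.nodes.${node}) admins adminGroups;
      members =
        meta.organization.groups.root
        ++ admins
        ++ builtins.concatMap (g: meta.organization.groups.${g}) adminGroups;
    in
    unique (getMemberKeys members ++ getNodeKeys [ node ]);

  # Keys for secrets shared by every machine: the root group plus the host
  # key of every node.
  machineKeys = unique (rootKeys ++ getNodeKeys (builtins.attrNames meta.nodes));

  # Build the secret declarations for a list of nodes: each secret gets, as
  # `publicKeys` (the field agenix-style secrets.nix files use), the union of
  # every key that may access any of the given nodes. What setDefault does
  # with an explicit per-secret value is defined in ../lib/nix-lib.
  mkSecrets = nodes: setDefault { publicKeys = unique (builtins.concatMap getNodeKeys' nodes); };

  # Same as machineKeys, but only for the nodes whose nixpkgs.system equals
  # `system` (e.g. "x86_64-linux"); root-group keys are always included.
  machineKeysBySystem =
    system:
    let
      nodesOfSystem = lib.filterAttrs (_: v: v.nixpkgs.system == system) meta.nodes;
    in
    unique (rootKeys ++ getNodeKeys (builtins.attrNames nodesOfSystem));
}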