infrastructure/modules/krz-access-control.nix


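# NixOS module granting SSH access to local accounts on this node based on
# DGNum membership. Admins listed in the node's meta (meta.nodes.<name>.admins)
# get root access by default; further mappings come from the
# krz-access-control.users option.
{ config, lib, meta, name, ... }:
let
  inherit (lib)
    literalExpression
    mkDefault
    mkEnableOption
    mkIf
    mkOption
    types
    ;

  # Per-node metadata; `admins` is the list of members given root access.
  nodeMeta = meta.nodes.${name};
  inherit (nodeMeta) admins;

  cfg = config.krz-access-control;
in
{
  options.krz-access-control = {
    # Enabled on every node unless a node explicitly disables it.
    enable = mkEnableOption "DGNum access control." // { default = true; };

    users = mkOption {
      type = with types; attrsOf (listOf str);
      default = { };
      description = ''
        Attribute set describing which member has access to which user on the node.
        Members must be declared in `meta/members.nix`.
      '';
      # literalExpression renders the example as Nix code in the generated
      # option documentation rather than as a quoted string.
      example = literalExpression ''
        {
          user1 = [ "member1" "member2" ];
        }
      '';
    };
  };

  config = mkIf cfg.enable {
    # Admins have root access to the node. Because this is a mkDefault, a node
    # that sets krz-access-control.users.root itself replaces (does not extend)
    # the admin list for root.
    krz-access-control.users.root = mkDefault admins;

    # For every mapped account, install the SSH keys of all listed members.
    # NOTE(review): only `openssh.authorizedKeys.keys` is set here, so the
    # account itself is expected to be declared elsewhere — confirm.
    users.users = builtins.mapAttrs
      (u: members: { openssh.authorizedKeys.keys = lib.extra.getAllKeys members; })
      cfg.users;
  };
}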