# Copyright :
# SPDX-FileCopyrightText: 2024 Ryan Lahfa
# SPDX-FileCopyrightText: 2024 Tom Hubrecht
#
# SPDX-License-Identifier: EUPL-1.2

# NixOS module: who may log in as root on this node, and how.
#
# Module arguments (all supplied by the flake / module system):
#   config   - the evaluated NixOS configuration (read back for `cfg`)
#   lib      - nixpkgs library
#   dgn-keys - project helper; `dgn-keys.getKeys` maps member names to SSH public keys
#   meta     - organisation-wide metadata (`meta.organization.groups.<name>` is a member list)
#   nodeMeta - this node's metadata (`admins`, `adminGroups`, `hashedPassword`)
{ config, lib, dgn-keys, meta, nodeMeta, ... }:

let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    mkOption
    types
    ;

  cfg = config.dgn-access-control;

  # Members of every group listed in `nodeMeta.adminGroups`, resolved against the
  # organisation-wide group table. A group name that is absent from
  # `meta.organization.groups` aborts evaluation (missing attribute) instead of
  # being silently ignored, so a typo cannot quietly drop a set of admins.
  groupAdmins = lib.concatMap (group: meta.organization.groups.${group}) nodeMeta.adminGroups;

  # Everyone granted root on this node by default, in order: the organisation's
  # `root` group, the node's own admins, then the node's admin groups. Duplicates
  # are not removed here; a member listed twice simply appears twice.
  admins = meta.organization.groups.root ++ nodeMeta.admins ++ groupAdmins;
in
{
  options.dgn-access-control = {
    # Enabled unless a node explicitly opts out.
    enable = mkEnableOption "DGNum access control." // { default = true; };

    # The final list of member names allowed to become root. Its default is the
    # computed `admins` list (see `config` below); because that default is set
    # with `mkDefault`, a node that assigns this option itself REPLACES the
    # organisation-wide admins rather than adding to them.
    root = mkOption {
      type = types.listOf types.str;
      default = [ ];
      description = ''
        List describing which member has access to root user on the node.
        Members must be declared in `meta/members.nix`.
      '';
      example = ''
        [ "member1" "member2" ]
      '';
    };
  };

  config = mkIf cfg.enable {
    # Seed the root list with the organisation/node admins; overridable per node.
    dgn-access-control.root = mkDefault admins;

    # Root gets the SSH keys of every listed member plus the node's password hash.
    # NOTE(review): existence of each name in `meta/members.nix` is not checked
    # here; whether `dgn-keys.getKeys` rejects unknown members is not visible
    # from this file — confirm before relying on it.
    system.root-authentication = {
      ssh-keys = dgn-keys.getKeys cfg.root;
      hashedPasswd = nodeMeta.hashedPassword;
    };

    # Root may authenticate over SSH with a key only, never with a password,
    # unless a node deliberately overrides this default.
    system.services.ssh.root-login = mkDefault "deny-password";
  };
}