infrastructure/modules/nixos/dgn-access-control.nix

# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

{
  config,
  lib,
  dgn-keys,
  meta,
  nodeMeta,
  ...
}:

let
  inherit (lib)
    mkDefault
    mkEnableOption
    mkIf
    mkOption
    optionalAttrs

    types
    ;

  admins =
    meta.organization.groups.root
    ++ nodeMeta.admins
    ++ (builtins.concatMap (g: meta.organization.groups.${g}) nodeMeta.adminGroups);

  cfg = config.dgn-access-control;
in

{
  options.dgn-access-control = {
    enable = mkEnableOption "DGNum access control." // {
      default = true;
    };

    users = mkOption {
      type = with types; attrsOf (listOf str);
      default = { };
      description = ''
        Attribute set describing which member has access to which user on the node.
        Members must be declared in `meta/members.nix`.
      '';
      example = ''
        {
          user1 = [ "member1" "member2" ];
        }
      '';
    };
  };

  config = mkIf cfg.enable {
    # Admins have root access to the node
    dgn-access-control.users.root = mkDefault admins;
    users.mutableUsers = false;
    users.users = builtins.mapAttrs (
      username: members:
      {
        openssh.authorizedKeys.keys = dgn-keys.getKeys members;
      }
      // optionalAttrs (username == "root") { inherit (nodeMeta) hashedPassword; }
    ) cfg.users;
  };
}