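# NixOS module: grants SSH access on this node by mapping DGNum members to
# local user accounts, and gives the node's admins access to `root`.
{
  config,
  lib,
  dgn-lib,
  meta,
  name,
  ...
}:
let
  # Metadata for this node, looked up by node name in `meta`.
  nodeMeta = meta.nodes.${name};

  # Members with root access: the global `root` group, the node's explicit
  # admins, and every member of the node's admin groups. Deduplicated so a
  # member listed more than one way does not yield duplicate authorized keys.
  admins = lib.unique (
    meta.members.groups.root
    ++ nodeMeta.admins
    ++ (lib.concatMap (g: meta.members.groups.${g}) nodeMeta.adminGroups)
  );

  cfg = config.dgn-access-control;
in
{
  options.dgn-access-control = {
    # Enabled by default: every node gets the access-control mapping unless
    # it explicitly opts out.
    enable = lib.mkEnableOption "DGNum access control." // {
      default = true;
    };

    users = lib.mkOption {
      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
      default = { };
      description = ''
        Attribute set describing which member has access to which user on the node.
        Members must be declared in `meta/members.nix`.
      '';
      # `literalExpression` so the manual renders this as Nix code, not as a string.
      example = lib.literalExpression ''
        {
          user1 = [
            "member1"
            "member2"
          ];
        }
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # Admins have root access to the node. `mkDefault` keeps this overridable
    # by a node configuration that sets `dgn-access-control.users.root` itself.
    dgn-access-control.users.root = lib.mkDefault admins;

    # Only the authorized keys are set here; the accounts themselves are
    # presumably declared elsewhere — TODO confirm against the node configs.
    users.users = lib.mapAttrs (_: members: {
      openssh.authorizedKeys.keys = dgn-lib.getAllKeys members;
    }) cfg.users;
  };
}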