{ config, ... }:

{
  users.ldap = {
    enable = true;
    base = "dc=crans,dc=org";
    server = "ldaps://ldap-adm.adm.crans.org/";
    daemon = {
      enable = true;
      extraConfig = ''
        ldap_version 3
          tls_reqcert allow
          map passwd loginShell /run/current-system/sw/bin/bash
      '';
    };
  };

  security.sudo = {
    enable = true;
    extraConfig = ''
      Defaults	passprompt_override
      Defaults	passprompt="[sudo] mot de passe pour %p sur %h: "
    '';
    extraRules = [
      {
        groups = [ "_user" ];
        runAs = "root:ALL";
        commands = [ "NOPASSWD:/usr/bin/qm list" ];
      }
      {
        groups = [ "_nounou" ];
        commands = [ "ALL" ];
      }
    ];
  };

  sops.secrets.root-passwd-hash = {
    sopsFile = ../../secrets/common.yaml;
  };

  users.users.root = {
    hashedPasswordFile = config.sops.secrets.root-passwd-hash.path;
  };

  services.openssh.settings.PermitRootLogin = "yes";
}