# Crans user/authentication module: root password sourced from an age secret,
# optional LDAP (nslcd) authentication against the adm LDAP, and the sudo policy.
{ config, lib, ... }:
let
  cfg = config.crans.users;
  inherit (lib) mkEnableOption mkOption types;
in
{
  options.crans.users = {
    ldap = {
      # Toggle for NSS/PAM authentication against the adm LDAP server (wired to users.ldap below).
      enable = mkEnableOption "Authentification par le LDAP adm.";
    };
    root = {
      # age-encrypted file holding the root password hash; it is decrypted at
      # activation via age.secrets and only its decrypted path is handed to users.users.root.
      passwordFile = mkOption {
        type = types.path;
        default = ../../secrets/common/root.age;
        example = ../../secrets/apprentix/root.age;
        description = "Fichier chiffré par age contenant le mot de passe root.";
      };
    };
  };

  config = {
    # Secret registration: the hash is referenced through the decrypted file path,
    # not inlined into the Nix store. Ownership/mode are left at the age defaults
    # here — NOTE(review): confirm they restrict the file to root.
    age.secrets.root-passwd-hash = {
      file = cfg.root.passwordFile;
    };

    users = {
      # Fully declarative user database: accounts and passwords not declared here
      # are not kept across rebuilds, so out-of-band `passwd` changes do not persist.
      mutableUsers = false;
      users.root = {
        hashedPasswordFile = config.age.secrets.root-passwd-hash.path;
      };
      ldap = {
        enable = cfg.ldap.enable;
        base = "dc=crans,dc=org";
        server = "ldaps://ldap-adm.adm.crans.org/";
        daemon = {
          enable = true;
          # Extra nslcd.conf directives, appended verbatim.
          # NOTE(review): `tls_reqcert allow` tells nslcd to proceed even when the server
          # certificate fails verification, so the ldaps:// transport does not actually
          # authenticate the LDAP server that password checks are sent to. The usual
          # hardening is `tls_reqcert demand` with the adm CA made available to nslcd
          # (tls_cacertfile or the system bundle); verify which CA chain nslcd sees
          # before tightening, since a mismatch would break all LDAP logins.
          # `map passwd loginShell` forces bash as the shell for every LDAP account,
          # ignoring the loginShell attribute stored in the directory.
          extraConfig = ''
            ldap_version 3
            tls_reqcert allow
            map passwd loginShell /run/current-system/sw/bin/bash
          '';
        };
      };
    };

    security.sudo = {
      enable = true;
      # Localised password prompt (%p = user whose password is asked, %h = host).
      extraConfig = ''
        Defaults passprompt_override
        Defaults passprompt="[sudo] mot de passe pour %p sur %h: "
      '';
      extraRules = [
        # Members of _user may run exactly `/usr/bin/qm list` (no further arguments)
        # as root without a password; presumably the Proxmox VM listing — read-only.
        {
          groups = [ "_user" ];
          runAs = "root:ALL";
          commands = [ "NOPASSWD:/usr/bin/qm list" ];
        }
        # Members of _nounou may run any command; no NOPASSWD tag, so the
        # password prompt above still applies.
        {
          groups = [ "_nounou" ];
          commands = [ "ALL" ];
        }
      ];
    };
  };
}