{ config, lib, pkgs, ... }:
let
  cfg = config.homelab.users.deploy;

  # Resolved group name, used both for the user's primary group and the sudo rules.
  deployGroup = config.users.groups.deploy.name;

  # Commands the deploy group may run as root without a password.
  # Both entries rely on sudoers glob matching: `*` in the pathname does not
  # cross a `/`, so the store-path component is matched one directory at a time.
  # NOTE(review): in sudoers, a `*` inside the *argument* list also matches
  # whitespace, so the nix-env rule accepts extra trailing arguments after the
  # `--set` path; a wrapper script with a fixed argument list would tighten this
  # if the remote deploy tooling allows it.
  passwordlessCommands = [
    "/nix/store/*-nix-*/bin/nix-env -p /nix/var/nix/profile/system --set /nix/store/*-*"
    "/nix/store/*/bin/switch-to-configuration"
  ];

  # One extraRules entry per command, each granting NOPASSWD to the deploy group.
  ruleFor = command: {
    groups = [ deployGroup ];
    commands = [
      {
        inherit command;
        options = [ "NOPASSWD" ];
      }
    ];
  };
in
{
  options.homelab.users.deploy.enable = lib.mkEnableOption "user Deploy";

  config = lib.mkIf cfg.enable {
    users.groups.deploy = { };

    # System account used to push rebuilds; it authenticates with the public
    # key below only (no password), has no writable home, and gets an
    # interactive shell so the remote deploy commands can be executed.
    users.users.deploy = {
      group = deployGroup;
      isSystemUser = true;
      home = "/var/empty";
      shell = pkgs.bashInteractive;
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg"
      ];
    };

    security.sudo.extraRules = map ruleFor passwordlessCommands;
  };
}