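# NixOS module: an unprivileged-looking "deploy" account that is allowed to
# push closures into the store and activate them as the system configuration.
{ config, lib, pkgs, ... }:
let
  cfg = config.homelab.users.deploy;
  # Group name is looked up from config so the sudo rules below stay in sync
  # with the group definition.
  deployGroup = config.users.groups.deploy.name;
in
{
  options.homelab.users.deploy = {
    enable = lib.mkEnableOption "user Deploy";

    authorizedKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = ''
        Additional SSH public keys authorized for the deploy user.
        The CI runner key should be provided as a base key; personal
        workstation keys can be appended here per host or globally.
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    users = {
      groups.deploy = { };

      # The user used to deploy rebuilds without password authentication.
      # Through trusted-users and the NOPASSWD sudo rules below this account
      # can activate any closure it can build, i.e. it is root-equivalent;
      # every key granted here deserves the same care as a root key.
      users.deploy = {
        group = deployGroup;
        isSystemUser = true;
        home = "/var/empty";
        shell = pkgs.bashInteractive;
        # Keys supplied through the module option. Previously the option was
        # declared but never consumed, so keys added per host were ignored.
        openssh.authorizedKeys.keys = cfg.authorizedKeys;
        # Base key(s) distributed via sops. NOTE(review): NixOS reads
        # `keyFiles` with readFile at evaluation time, so this path has to be
        # readable on the evaluating host — confirm this matches the
        # deployment flow (public keys only, so store exposure is not an issue).
        openssh.authorizedKeys.keyFiles = [ config.sops.secrets.user_keys_deploy.path ];
      };
    };

    # Allow the deploy user to push closures to the nix store
    nix.settings.trusted-users = [ "deploy" ];

    # sudoers wildcards also match whitespace, so these patterns are broad by
    # nature; the intent is "activate any store path", nothing narrower.
    security.sudo.extraRules = [
      {
        groups = [ deployGroup ];
        commands = [
          {
            # The NixOS system profile lives under /nix/var/nix/profiles
            # (plural); the earlier singular spelling did not match the
            # command that nixos-rebuild actually runs, so the rule never applied.
            command = "/nix/store/*-nix-*/bin/nix-env -p /nix/var/nix/profiles/system --set /nix/store/*-*";
            options = [ "NOPASSWD" ];
          }
        ];
      }
      {
        groups = [ deployGroup ];
        commands = [
          {
            command = "/nix/store/*/bin/switch-to-configuration";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };
}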