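# User accounts for this machine.
#
# Three optional accounts (malobeo, admin, backup) sit behind boolean options
# under `malobeo.users`. The common block at the end pins
# `users.mutableUsers = false`, so every account is fully declared here:
# anything not listed (passwords, keys, groups) does not exist on the host.
{ config, lib, pkgs, inputs, ... }:
let
  cfg = config.malobeo.users;
  # Authorized SSH public keys shared by the machines in this flake.
  sshKeys = import (inputs.self + /machines/ssh_keys.nix);
  inherit (config.networking) hostName;
in {
  options.malobeo.users = {
    malobeo = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable malobeo user, defaults to on";
    };
    admin = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "enable admin user, defaults to on to prevent lockouts, passwordless sudo access";
    };
    backup = lib.mkOption {
      type = lib.types.bool;
      default = false;
      description = "enable backup user";
    };
  };

  config = lib.mkMerge [
    # Interactive desktop account: password + SSH, no sudo.
    (lib.mkIf cfg.malobeo {
      users.users.malobeo = {
        isNormalUser = true;
        description = "malobeo user, password and ssh access, no root";
        extraGroups = [ "pipewire" "pulse-access" "scanner" "lp" ];
        openssh.authorizedKeys.keys = sshKeys.admins;
        # NOTE(review): a password hash checked into the repository is exposed
        # to offline guessing by anyone who can read the tree. Prefer
        # `hashedPasswordFile` pointing at a sops-managed secret (sops-nix is
        # already wired up in the common block below) and rotate the password
        # once the hash is out of version control.
        hashedPassword = "$y$j9T$39oJwpbFDeETiyi9TjZ/2.$olUdnIIABp5TQSOzoysuEsomn2XPyzwVlM91ZsEkIz1";
      };
    })

    # Break-glass account: key-only SSH, unrestricted passwordless sudo.
    (lib.mkIf cfg.admin {
      users.users.admin = {
        isNormalUser = true;
        description = "admin user, passwordless sudo access, only ssh";
        # No hash and mutableUsers = false leaves the account without a usable
        # password, so the authorized keys are the only way in.
        hashedPassword = null;
        openssh.authorizedKeys.keys = sshKeys.admins;
        extraGroups = [ "networkmanager" ];
      };
      # trusted-users may pass arbitrary settings to the Nix daemon, which is
      # effectively root-equivalent; acceptable here only because admin already
      # holds unrestricted NOPASSWD sudo below.
      nix.settings.trusted-users = [ "admin" ];
      security.sudo.extraRules = [
        {
          users = [ "admin" ];
          commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
        }
      ];
    })

    # Service account used by a remote host to pull ZFS backups.
    (lib.mkIf cfg.backup {
      users.users.backup = {
        isNormalUser = true;
        hashedPassword = null;
        openssh.authorizedKeys.keys = sshKeys.backup;
        description = "backup user for pull style backups, can only use zfs commands";
      };
      # NOTE(review): a sudoers command with no argument list matches any
      # arguments, so this grants every zfs/zpool subcommand (destroy,
      # rollback, pool import/export included), not only the list/snapshot/send
      # path a pull backup needs. Consider pinning the subcommands in the rule,
      # or delegating just the required dataset permissions with `zfs allow`
      # and dropping sudo for this account entirely.
      security.sudo.extraRules = [
        {
          users = [ "backup" ];
          commands = [
            { command = "/run/current-system/sw/bin/zfs"; options = [ "NOPASSWD" ]; }
            { command = "/run/current-system/sw/bin/zpool"; options = [ "NOPASSWD" ]; }
          ];
        }
      ];
    })

    # Settings shared by every machine regardless of which accounts are on.
    {
      # Declarative accounts only: passwd/usermod changes made on the host are
      # discarded on the next activation.
      users.mutableUsers = false;
      # The SSH host key doubles as the age identity for sops-nix, so this file
      # has to exist before the first activation for secrets to decrypt.
      services.openssh.hostKeys = [
        { path = "/etc/ssh/${hostName}"; type = "ssh-ed25519"; }
      ];
      sops.age.sshKeyPaths = [ "/etc/ssh/${hostName}" ];
      environment.systemPackages = with pkgs; [
        nix-output-monitor vim htop wget git pciutils
      ];
    }
  ];
}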