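# NixOS module: grants a fixed set of users passwordless root (via wheel) and
# key-only SSH access, and can optionally expose SSH as a tor hidden service.
{ config, pkgs, lib, ... }:

with lib;
let
  cfg = config.dadada.admin;
in
{
  options.dadada.admin = {
    enable = mkEnableOption "Enable admin access";

    users = mkOption {
      type = with types; attrsOf (listOf path);
      # Must be an attribute set: the type is attrsOf and the value is passed
      # to mapAttrs below, so an empty list here fails the option type check.
      default = { };
      description = ''
        Admin users with root access to the whole machine, mapped to the
        public key files that may log in as them.
      '';
      example = literalExample "{ user1 = [ /path/to/key1 /path/to/key2 ]; }";
    };

    rat = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable NAT and firewall traversal for SSH via tor hidden service
      '';
    };
  };

  config = mkIf cfg.enable {
    services.sshd.enable = true;
    # Admins authenticate only with the key files listed in `users`.
    services.openssh.passwordAuthentication = false;
    # Every user created below is in wheel; this is the "root access" the
    # option promises, so possession of one of the listed keys is
    # equivalent to root on this host.
    security.sudo.wheelNeedsPassword = false;

    users.users = mapAttrs
      (user: keys: {
        extraGroups = [ "wheel" ];
        isNormalUser = true;
        openssh.authorizedKeys.keyFiles = keys;
      })
      cfg.users;

    # Declarative users only; mkDefault lets a host override this.
    users.mutableUsers = mkDefault false;

    networking.firewall.allowedTCPPorts = [ 22 ];

    environment.systemPackages = with pkgs; [
      vim
      tmux
    ];

    services.tor.hiddenServices = {
      # `rat` is declared as a plain bool, so it is tested directly; selecting
      # `cfg.rat.enable` would fail with "attempt to select from a value that
      # is not an attribute set" whenever `enable` is on.
      # NOTE(review): services.tor.enable is not set in this module; confirm
      # the tor daemon is enabled elsewhere, otherwise the hidden service is
      # configured but never started.
      "rat" = mkIf cfg.rat {
        name = "rat";
        map = [{ port = 22; }];
      };
    };
  };
}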