# MANUAL: Remember to set up root's ssh config with any necessary values. For example:

# Host foo
#   HostName ns1.fizz.buzz
#   Port 65122
#   User nixworker
#   IdentitiesOnly yes
#   IdentityFile /persist/manual/ssh/root/keys/id_ed25519

# Host *
#   Compression yes

# NixOS module: prepares a host to accept Nix remote builds over SSH as the
# dedicated "nixworker" account. It only sets up the worker side; it does not
# populate nix.buildMachines anywhere.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib)
    mkIf
    mkMerge
    mkOption
    types
    ;

  cfg = config.me.nix_worker;

  # One name is shared by the user, its primary group and the trusted-users entry.
  workerName = "nixworker";
in
{
  imports = [ ];

  options.me.nix_worker.enable = mkOption {
    type = types.bool;
    default = false;
    example = true;
    description = "Whether this machine should be set up to function as a nix.buildMachines. This does not configure nix.buildMachines, but only does the necessary setup to get the machine ready/capable of being a nix.buildMachines.";
  };

  # Nothing below is applied unless me.nix_worker.enable is true.
  config = mkIf cfg.enable (mkMerge [
    {
      # SECURITY: the Nix manual describes trusted-users membership as
      # essentially equivalent to root on this machine (such users can override
      # daemon settings and import unsigned store paths). Every key and the
      # password configured for this account below therefore carries that
      # level of access to the worker.
      nix.settings.trusted-users = [ workerName ];

      users = {
        groups.${workerName} = { };

        users.${workerName} = {
          isNormalUser = true;
          createHome = true; # https://github.com/NixOS/nixpkgs/issues/6481
          group = workerName;
          # extraGroups = [ "wheel" ];

          # Generate with `mkpasswd -m scrypt`
          # NOTE(review): this hash is part of the evaluated configuration, so
          # it is readable by anyone with access to this file and presumably
          # ends up in the world-readable Nix store as well. If password login
          # is needed at all for a build account, hashedPasswordFile pointing
          # at a root-only file keeps the hash out of both - confirm.
          hashedPassword = "$7$CU..../....VXvNQ8za3wSGpdzGXNT50/$HcFtn/yvwPMCw4888BelpiAPLAxe/zU87fD.d/N6U48";

          # NOTE(review): interactive keys and the automated build key share
          # this one trusted account. The build key's private half sits on the
          # dispatching machine, so consider prefixing that entry with sshd's
          # `restrict` option to drop forwarding and pty allocation - verify
          # that remote builds still work before relying on it.
          openssh.authorizedKeys.keys = [
            # Normal keys:
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGu+k5lrirokdW5zVdRVBOqEOAvAPlIkG/MdJNc9g5ky"
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEI6mu6I5Jp+Ib0vJxapGHbEShZjyvzV8jz5DnzDrI39AAAABHNzaDo="
            "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAFNcSXwvy+brYTOGo56G93Ptuq2MmZsjvRWAfMqbmMLAAAABHNzaDo="
            # Key for nix to connect:
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB/IlYTQ0M5pFN5tdoswh37CDl/gbULI3h+SsKXCansh talexander@odo"
          ];
        };
      };
    }
  ]);
}