nix-config/modules/nixos/user/default.nix

{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
with lib;
let
  inherit (lib.mjallen) mkOpt mkBoolOpt;
  cfg = config.${namespace}.user;

  # Common SSH keys used across systems
  commonSshKeys = [
    # MacBook
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
    # Desktop Windows
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
    # Desktop NixOS
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
    # Yubikey
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuzZfywCSde/3J1zRWH0s7OMEhHIwZeNWdKHUxMAYE/5hzFRtl5LYuNU68zxj7Aj67VF8VGwBbMEU6X/ebiNAxahmjf4mtioby5b4TIy+0Xvdbayoch938bP7UhskzobaJF6epg3vyATnJGr6i0EOXiDSkJU8vL1oeue0HN7WmwzIqxw0BTaSh6HJvjhhFhs20dBHc2x9behIfSmKFe9gBlPcIriUtpXNgasm14QCMk537dlSgGUFxPGIzZRAUSn5wqFjbiNK0rP/1MJzhGtXhHFJ8irI4TiVEk3cOm5nMoJxTP4KScfmHU+niU1Al+d0KOBsHb71AWutazRudKvsqrPsbG6vT4gGMVjOCTN9e89jcapz5GEQsVQR6s1HUjh4G+2PFbHOFmR8Mks+TIumqHIWsXgQnFBadblDRGPwrSH3zulvRzghyfTyU/bX28iGvpli2ckso5nJmG8D1LO7Y/E8U8ZGW4hC75+iP90cu9G1Ff1hETkrv6xpbNTGL61U= cardno:33_720_987"
  ];

  defaultPasswordFile = config.sops.secrets."matt_password".path;
in
{
  options.${namespace}.user = with types; {
    email = mkOpt str "jalle008@proton.me" "The email of the user.";

    extraGroups = mkOpt (listOf str) [ ] "Groups for the user to be assigned.";

    extraOptions = mkOpt attrs { } "Extra options passed to <option>users.users.<name></option>.";

    fullName = mkOpt str "Matt Jallen" "The full name of the user.";

    name = mkOpt str "matt" "The name to use for the user account.";

    sshKeys = mkOpt (listOf str) [ ] "List of SSH public keys for the user.";

    enableCommonSshKeys = mkBoolOpt true "Whether to include common SSH keys used across systems.";

    uid = mkOpt int 1000 "The user ID for the user account.";

    group = mkOpt str "wheel" "Group of the user";

    gid = mkOpt int 1000 "gid of the group";

    packages = mkOpt (listOf package) [ ] "List of packages to install for this user.";

    linger = mkBoolOpt false "Whether to enable systemd user service persistence.";

    password = mkOpt (nullOr str) null "Plain text password for the user (development only).";

    hashedPassword = mkOpt (nullOr str) null "Hashed password for the user.";

    hashedPasswordFile =
      mkOpt (nullOr path) defaultPasswordFile
        "Path to the password file for this user account";

    mutableUsers = mkBoolOpt false "Whether users are mutable (can be modified after creation).";
  };

  config = {
    users = {
      mutableUsers = cfg.mutableUsers;
      groups.${cfg.group}.gid = lib.mkForce cfg.gid;
      users.${cfg.name} = {
        inherit (cfg)
          name
          uid
          linger
          packages
          password
          hashedPassword
          hashedPasswordFile
          ;

        extraGroups = [
          "wheel"
          "keys"
          "networkmanager"
          "ratbagd"
          "scanner"
          "systemd-journal"
          "mpd"
          "audio"
          "video"
          "input"
          "plugdev"
          "lp"
          "tss"
          "power"
          "nix"
          "i2c"
          "media"
          "nscd"
          "avahi"
          "podman"
          "libvirtd"
        ]
        ++ cfg.extraGroups;

        group = cfg.group;
        home = "/home/${cfg.name}";
        isNormalUser = true;
        shell = lib.mkForce pkgs.zsh;

        # SSH keys - combine user-specific and common keys
        openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys);
      }
      // cfg.extraOptions;
    };
    assertions = [
      {
        assertion =
          (cfg.password != null) || (cfg.hashedPassword != null) || (cfg.hashedPasswordFile != null);
        message = "User '${cfg.name}' requires at least one password method (password, hashedPassword, or hashedPasswordFile).";
      }
      {
        assertion =
          let
            passwordMethods = lib.count (x: x != null) [
              cfg.password
              cfg.hashedPassword
              cfg.hashedPasswordFile
            ];
          in
          passwordMethods <= 1;
        message = "User '${cfg.name}' can only use one password method at a time. Found multiple: ${
          lib.concatStringsSep ", " (
            lib.filter (x: x != null) [
              (if cfg.password != null then "password" else null)
              (if cfg.hashedPassword != null then "hashedPassword" else null)
              (if cfg.hashedPasswordFile != null then "hashedPasswordFile" else null)
            ]
          )
        }";
      }
    ];
  };
}