# NixOS module: declarative local accounts, root credentials, LDAP-backed
# user lookup, PAM home-directory creation, and the sops secret that holds
# the LDAP bind password.
{ lib, config, ... }:
with lib;
let
  # Turn the host's DNS domain into an LDAP base DN: each dot-separated label
  # becomes one "dc=" component, joined with commas.
  baseDN = concatMapStringsSep "," (part: "dc=${part}") (splitString "." config.networking.domain);
in {
  # Local accounts and passwords come only from this configuration; changes
  # made imperatively on the host are not kept.
  users.mutableUsers = false;

  users.users."root" = {
    # NOTE(review): this password hash is stored in the repository and, as a
    # plain option value, also lands in the world-readable Nix store. Anyone
    # who can read either copy can run offline guessing against it. Consider
    # users.users.<name>.hashedPasswordFile pointing at a sops-managed secret,
    # as is already done for the LDAP bind password in this file.
    hashedPassword = "$y$j9T$tz8ojZ2gVOQ5AUp6GMhoj.$mAeE0eTGGsKNGddC7ebk/zFr5IMDyIpOpMP/6o.GI6D";
    # Public key only; safe to keep in the repository.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
    ];
  };

  users.ldap = {
    enable = true;
    # NOTE(review): the URI scheme is plain ldap:// and users.ldap.useTLS is
    # not set in this module. Unless TLS is enforced elsewhere, the bind
    # password and all directory lookups cross the network unencrypted.
    # Consider useTLS = true (StartTLS) or an ldaps:// URI once the clients
    # trust the server certificate.
    server = "ldap://ldap.${config.networking.domain}/";
    base = baseDN;
    # Lookups go through the LDAP daemon; the secret below is owned by "nslcd".
    daemon.enable = true;
    bind = {
      # NOTE(review): every host importing this module binds as cn=root and
      # holds that account's password. The sops key "ldap/root/password"
      # suggests this is the directory's administrative account (confirm). A
      # dedicated read-only bind account would limit what a single compromised
      # host can do to the directory.
      distinguishedName = "cn=root,${baseDN}";
      # The password is read from the decrypted sops secret at this path rather
      # than being written into the configuration.
      passwordFile = config.sops.secrets."ldap/login/password".path;
    };
  };

  users.groups."cluster" = {
    gid = 1000; # Fixed, because it is used for LDAP users
  };

  # Create a missing home directory on login for these PAM services, since
  # LDAP users have no home directory provisioned by this configuration.
  security.pam.services."login".makeHomeDir = true;
  security.pam.services."sshd".makeHomeDir = true;
  security.pam.services."systemd-user".makeHomeDir = true;

  # Secret "ldap/login/password" is filled from the entry "ldap/root/password"
  # in the sops file and is owned by the nslcd user so the daemon can read it.
  sops.secrets."ldap/login/password" = {
    owner = "nslcd";
    key = "ldap/root/password";
  };
}