{ pkgs, lib, config, ... }:

let
  inherit (config.networking) domain;

  # "example.org" -> "dc=example,dc=org": the LDAP suffix derived from the
  # machine's domain, shared by the search base and the bind DN below.
  baseDN = lib.concatMapStringsSep "," (label: "dc=${label}") (lib.splitString "." domain);

  # PAM services that create a home directory on first login; LDAP users have
  # no local account that would have pre-created one.
  homeDirServices = [ "login" "sshd" "systemd-user" ];
in
{
  # Accounts are managed declaratively only; passwd/useradd changes made at
  # runtime do not survive a rebuild.
  users.mutableUsers = false;

  users.users.root = {
    # yescrypt hash ($y$ prefix) of the local root password.
    hashedPassword = "$y$j9T$tz8ojZ2gVOQ5AUp6GMhoj.$mAeE0eTGGsKNGddC7ebk/zFr5IMDyIpOpMP/6o.GI6D";
    # NOTE(review): whether this key or the password above is accepted over
    # SSH for root depends on the sshd configuration, which is not part of
    # this module; confirm it there.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
    ];
  };

  users.ldap = {
    enable = true;
    # TLS is required on both knobs: an ldaps:// server URL and useTLS, so
    # directory lookups and the bind never travel in the clear.
    useTLS = true;
    server = "ldaps://ldap.${domain}/";
    base = "ou=users,${baseDN}";
    # Go through nslcd instead of having every process talk to LDAP itself;
    # the bind password secret further down is owned by nslcd for that reason.
    daemon.enable = true;
    bind = {
      distinguishedName = "cn=login,${baseDN}";
      passwordFile = config.sops.secrets."ldap/login/password".path;
    };
  };

  users.groups.cluster = {
    # Fixed GID because LDAP users refer to this group by number.
    gid = 1000;
  };

  security.pam.services = lib.genAttrs homeDirServices (_: { makeHomeDir = true; });

  # Relaxes only the memlock limit, and only for members of the cluster group
  # ("-" sets the soft and hard limit together).
  security.pam.loginLimits = [
    { domain = "@cluster"; item = "memlock"; type = "-"; value = "unlimited"; }
  ];

  sops.secrets."ldap/login/password" = {
    # Readable by the LDAP daemon (users.ldap.daemon) that performs the bind.
    owner = "nslcd";
    sopsFile = ./secrets.yaml;
  };
}