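{ lib, config, ... }:

let
  # Derive the LDAP base DN (e.g. "dc=example,dc=org") from this host's FQDN,
  # so the same module works unchanged on every machine of the domain.
  baseDN = lib.concatMapStringsSep "," (part: "dc=${part}")
    (lib.splitString "." config.networking.domain);

  # Common PAM settings for every service that must accept LDAP logins:
  # create the home directory on first login, let SSSD enforce its access
  # control, and keep local Unix auth on (mkForce) so the declarative root
  # account below still works when the directory is unreachable.
  sssdPamService = {
    makeHomeDir = true;
    sssdStrictAccess = true;
    unixAuth = lib.mkForce true;
  };
in
{
  # No imperative account changes; everything not listed here comes from LDAP.
  users.mutableUsers = false;

  users.users."root" = {
    hashedPassword = "$y$j9T$tz8ojZ2gVOQ5AUp6GMhoj.$mAeE0eTGGsKNGddC7ebk/zFr5IMDyIpOpMP/6o.GI6D";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK2nkarN0+uSuP5sGwDCb9KRu+FCjO/+da4VypGanPUZ fooker@k-2so"
    ];
  };

  # One definition for all four services instead of four identical copies.
  security.pam.services =
    lib.genAttrs [ "sshd" "login" "lightdm" "systemd-user" ] (_: sssdPamService);

  security.pam.loginLimits = [
    { domain = "@cluster"; item = "memlock"; type = "-"; value = "unlimited"; }
  ];

  services.sssd = {
    enable = true;

    # Provides SSSD_LDAP_DEFAULT_AUTHTOK (the bind account's password) from
    # sops. A bare `$NAME` is not interpolated by Nix, so the reference in the
    # config below reaches the service unit and is substituted there.
    environmentFile = config.sops.secrets."ldap/login/environment".path;

    # Notes on the [domain/hsfd] section (kept outside the string so the
    # generated sssd.conf stays unchanged):
    #  - ldap_access_order = filter with ldap_access_filter = (objectClass=*)
    #    admits every entry below ldap_search_base, i.e. every account in
    #    ou=users; narrow the filter if only a subset should be able to log in.
    #  - ldap_tls_reqcert = demand rejects unverifiable server certificates.
    #    No ldap_tls_cacert is set, so the system trust store must contain the
    #    CA for ldap.${config.networking.domain} -- TODO confirm.
    #  - debug_level = 8 is very verbose; lower it once debugging is done.
    #  - enumerate = true makes SSSD fetch the full user/group list; acceptable
    #    for a small directory, costly for a large one.
    #  - override_gid pins every LDAP user to the "cluster" group defined below.
    # The duplicated `cache_credentials = true` of the original was dropped;
    # the value is the same either way.
    config = ''
      [sssd]
      config_file_version = 2
      services = nss, pam, ssh, ifp
      domains = hsfd
      debug_level = 8

      [nss]
      override_homedir = /home/%u
      override_shell = /run/current-system/sw/bin/bash
      filter_users = root
      filter_groups = root
      reconnection_retries = 3

      [pam]

      [domain/hsfd]
      id_provider = ldap
      access_provider = ldap
      auth_provider = ldap
      cache_credentials = true
      ldap_uri = ldaps://ldap.${config.networking.domain}/
      ldap_search_base = ou=users,${baseDN}
      ldap_tls_reqcert = demand
      ldap_id_use_start_tls = true
      ldap_default_bind_dn = cn=login,${baseDN}
      ldap_default_authtok_type = password
      ldap_default_authtok = $SSSD_LDAP_DEFAULT_AUTHTOK
      ldap_access_order = filter
      ldap_access_filter = (objectClass=*)
      ldap_user_object_class = posixAccount
      ldap_user_name = cn
      ldap_search_timeout = 10
      ldap_network_timeout = 10
      ldap_deref_threshold = 0
      ignore_group_members = true
      subdomain_inherit = ignore_group_members
      entry_negative_timeout = 3
      override_gid = ${toString config.users.groups."cluster".gid}
      min_id = 1000
      enumerate = true
    '';
  };

  users.groups."cluster" = {
    # Fixed, because it is used as override_gid for every LDAP user above.
    gid = 1000;
  };

  sops.secrets."ldap/login/environment" = {
    sopsFile = ./secrets.yaml;
  };
}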