nixcfg/machines/manager/users.nix

{ pkgs, lib, config, ... }:

with lib;

{
  nixpkgs.overlays = [
    (self: super: {
      openssh = super.openssh.overrideAttrs (final: prev: {
        patches = prev.patches ++ [
          ../../patches/openssh-keysign-check-remove.patch
        ];
      });
    })
  ];

  programs.ssh = {
    extraConfig = ''
      EnableSSHKeysign yes

      Host node-*.${config.networking.domain} node-*
        HostbasedAuthentication yes
    '';
  };

  security.wrappers."ssh-keysign" = {
    source = "${pkgs.openssh}/libexec/ssh-keysign";
    setuid = true;
    owner = "root";
    group = "root";
  };

  users.users."root".packages = [
    pkgs.usermgr
  ];

  systemd.tmpfiles.rules = [
    ''L+ /opt/usermgr - - - - ${pkgs.usermgr}''
  ];
}