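# NixOS module: declares and creates the single administrative user of the host.
#
# The account authenticates with one of two credentials, selected below:
#   * `kropcloud.admin.password` (clear text) when it is non-null -- meant for
#     initial bootstrap only, see the caveat on the option;
#   * otherwise the agenix secret `mypassword`, which must contain a password
#     *hash* (e.g. the output of `mkpasswd`) because it feeds `hashedPasswordFile`.
{ config, lib, ... }:
let
  cfg = config.kropcloud.admin;
  # Single source of truth for the credential decision, so `password` and
  # `hashedPasswordFile` below cannot disagree.
  useClearTextPassword = cfg.password != null;
in
{
  options.kropcloud.admin = {
    user = lib.mkOption {
      type = lib.types.str;
      default = "krop";
      description = "Name of the admin user to be created.";
    };
    sshKeys = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [ ];
      description = "List of SSH public keys to authorize for the admin user.";
    };
    # Caveat: like every `users.users.<name>.password`, a non-null value is
    # written in clear text into the world-readable Nix store. Set it for the
    # first boot only, then leave it null so the agenix secret is used instead.
    password = lib.mkOption {
      type = lib.types.nullOr lib.types.str;
      default = null;
      description = "Password for the admin user. Should be used only for initial setup.";
    };
    # `false` means passwordless sudo for the `wheel` group: anyone holding one
    # of `sshKeys` then has root without a second credential. Relax it only for
    # initial setup.
    sudoRequirePassword = lib.mkOption {
      type = lib.types.bool;
      default = true;
      description = "Require password for sudo. Should be used only for initial setup.";
    };
  };

  config = {
    # Hashed admin password managed by agenix. It is declared unconditionally,
    # so the encrypted file must exist in the repo even while `password` is
    # used for bootstrap.
    age.secrets.mypassword.file = ../../secrets/mypassword.age;

    security.sudo.wheelNeedsPassword = cfg.sudoRequirePassword;

    # Define the admin user. With `mutableUsers = false` the user database is
    # regenerated from this configuration on activation: a password changed with
    # `passwd` does not persist, and the account is reachable only through the
    # credential selected here or through `sshKeys`.
    users = {
      mutableUsers = false;
      users.${cfg.user} = {
        # `cfg.password` is already null when unset; no conditional needed.
        password = cfg.password;
        # Use the hashed file only when no clear-text password was given, so
        # exactly one of the two password options is non-null.
        hashedPasswordFile =
          if useClearTextPassword then null else config.age.secrets.mypassword.path;
        isNormalUser = true;
        extraGroups = [ "wheel" ];
        openssh.authorizedKeys.keys = cfg.sshKeys;
      };
    };
  };
}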