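# NixOS module for the "blake" account: declares the login user, its primary
# group, the home-manager profile, and a set of passwordless sudo rules.
# Everything under `config` is applied only when `users.blake.enable` is true.
{ config, lib, pkgs, inputs, ... }:
let
  cfg = config.users.blake;
in
{
  options.users.blake = {
    enable = lib.mkEnableOption "enable blake user";

    # Login name of the account. It is used as an attribute name below, so it
    # must be a string; the home-manager entry and the sudo rule follow it.
    username = lib.mkOption {
      type = lib.types.str;
      default = "blake";
      description = ''
        username
      '';
    };
  };

  config = lib.mkIf cfg.enable {
    # create blake user
    users.users.${cfg.username} = {
      isNormalUser = true;
      # "wheel" enables sudo for the user. Membership in "docker" gives access
      # to the Docker daemon socket, which is effectively root-equivalent on
      # the host, so treat this account as privileged even without sudo.
      extraGroups = [
        "wheel"
        "networkmanager"
        "docker"
        "media"
      ];
      uid = 1000;
      shell = pkgs.zsh;
      group = "blake";
      # The password hash is read from a sops-managed secret instead of being
      # stored in the Nix store.
      # NOTE(review): the declaration of "blake_passwd" is not visible here;
      # sops-nix needs `neededForUsers = true` on secrets used for user
      # passwords so they are decrypted before users are created. Confirm.
      hashedPasswordFile = config.sops.secrets."blake_passwd".path;
      # Public keys allowed to log in over SSH. Every key listed here reaches
      # the passwordless sudo rules below, so remove keys for retired devices.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBK0AGJfZGyqW8/krvQV+PL7axcDW/EnKyHy9M8wryQx klefki"
        "ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBPdC9cCX8awvA19Ri65fvbYjZYe8X1Ef+nOZAIv92AS6u4SkJYqOvPYfqRHXORNDpbzjTV6nackyCKvV5EO4niv4MFIgdkEQwuVHcYX32/dOsWdDoeXBT/l2sFFM7JESwQ== blake@zygarde"
      ];
    };

    # define home-manager user
    home-manager = {
      useUserPackages = true;
      useGlobalPkgs = true;
      extraSpecialArgs = { inherit inputs; };
      users = {
        # Keyed on cfg.username so the profile stays attached to the account
        # created above when the option is overridden.
        # NOTE(review): ./home.nix is not visible here; if it hard-codes the
        # user name or home directory, keep it in sync with this option.
        ${cfg.username} = import ./home.nix;
      };
    };

    # define blake group
    users.groups.blake = {
      gid = 1000;
    };

    # passwordless rebuild
    # None of these rules restricts arguments. nixos-rebuild and systemctl can
    # change what runs as root, so this grant amounts to passwordless root for
    # the account and for anything running as it. If that is broader than
    # intended, narrow each command to the exact argument lists needed or drop
    # NOPASSWD and keep the password prompt.
    security.sudo.extraRules = [
      {
        # Follows cfg.username so the rule is never left pointing at a
        # different (or later-created) account named "blake".
        users = [ cfg.username ];
        commands = [
          {
            command = "/run/current-system/sw/bin/nixos-rebuild";
            options = [ "NOPASSWD" ];
          }
          {
            command = "/run/current-system/sw/bin/systemctl";
            options = [ "NOPASSWD" ];
          }
          {
            command = "/run/current-system/sw/bin/journalctl";
            options = [ "NOPASSWD" ];
          }
          {
            command = "/run/current-system/sw/bin/tailscale";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };
}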