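# Admin User Configuration - sma
# Named after Diziet Sma, pragmatic Special Circumstances agent
# Role: System administration, security oversight, maintenance
#
# NixOS module declaring the `sma` administrator account, its primary
# group, the host-wide zsh setup with admin aliases, the sudo rule for the
# account and the tmpfiles rules for its home directory. `config` is part
# of the module signature but is not read here.
{ config, pkgs, ... }:

{
  users.users.sma = {
    description = "Diziet Sma - System Administrator";
    isNormalUser = true;
    uid = 1001; # Fixed UID for consistency across machines
    group = "sma"; # Primary group, declared in users.groups.sma below

    # Admin privileges. Every group below except "networkmanager" grants
    # root-equivalent access (sudo via "wheel", or socket access to the
    # container/VM daemons), so this is one full-trust grant rather than a
    # set of independent least-privilege scopes.
    extraGroups = [
      "wheel" # sudo access
      "networkmanager" # network management
      "libvirt" # virtualization management
      "incus-admin" # container management
      "podman" # container runtime
      "docker" # docker compatibility (if needed) -- root-equivalent; remove once unused
    ];

    # Security-focused shell setup
    shell = pkgs.zsh;

    # SSH key-based authentication for this account. No password is set in
    # this module; whether password logins over SSH are actually refused
    # depends on the services.openssh settings configured elsewhere.
    openssh.authorizedKeys.keys = [
      # Admin key for server administration
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPgzKS1N7+7+N1/8U8++1pl4hapDm6TOy0QhrfrYA8mz geir@geokkjer.eu-admin"
    ];

    # Essential admin packages
    packages = with pkgs; [
      # System monitoring and diagnostics
      htop
      iotop
      nethogs
      lsof
      strace

      # Network tools
      nmap
      tcpdump
      wireshark-cli
      curl
      wget

      # File and disk utilities
      tree
      fd
      ripgrep
      fzf
      ncdu

      # Text processing
      jq
      yq

      # Version control (for system configs)
      git

      # Container management
      podman-compose

      # Backup and sync
      rsync
      rclone

      # Security tools
      age
      sops

      # NixOS specific tools
      nixos-rebuild
      nix-tree
      nix-diff
    ];
  };

  # Shell configuration.
  # NOTE(review): programs.zsh is the system-wide zsh module, so this block
  # (aliases included) applies to every zsh user on the host, not only sma.
  programs.zsh = {
    enable = true;
    autosuggestions.enable = true;
    syntaxHighlighting.enable = true;

    # Admin-focused aliases
    shellAliases = {
      # System management (use current system configuration)
      "rebuild" = "sudo nixos-rebuild switch";
      "rebuild-test" = "sudo nixos-rebuild test";
      "rebuild-boot" = "sudo nixos-rebuild boot";

      # Flake-based rebuilds. The flake path is passed to --flake directly
      # instead of `cd`-ing into it: an alias runs in the interactive
      # shell, so the previous `cd ... && ...` form left the user's shell
      # parked in the flake directory after every rebuild.
      # NOTE(review): /tmp is world-writable (and on many NixOS hosts a
      # tmpfs or cleared at boot), so a checkout there can be replaced by
      # any local user before the privileged rebuild reads it; prefer a
      # root-owned location such as /etc/nixos or a path under the
      # admin's home.
      "rebuild-flake" = "sudo nixos-rebuild switch --flake /tmp/home-lab-config";
      "rebuild-flake-test" = "sudo nixos-rebuild test --flake /tmp/home-lab-config";
      "rebuild-flake-boot" = "sudo nixos-rebuild boot --flake /tmp/home-lab-config";

      # Container management
      "pods" = "podman ps -a";
      "images" = "podman images";
      "logs" = "podman logs";

      # System monitoring
      "disk-usage" = "df -h";
      "mem-usage" = "free -h";
      "processes" = "ps aux | head -20";

      # Network
      "ports" = "ss -tulpn";
      "connections" = "ss -tuln";

      # Security
      # Accounts with an interactive login shell; anchored so only the
      # shell field at the end of the passwd line matches.
      "audit-users" = "grep -E '/bin/(bash|zsh|fish)$' /etc/passwd";
      # security.sudo renders its rules (including extraRules below) into
      # /etc/sudoers and does not populate /etc/sudoers.d, so the previous
      # `cat /etc/sudoers.d/*` matched nothing -- and under zsh's default
      # nomatch handling the unmatched glob aborted the command entirely.
      # `sudo -l` is an alternative that shows only the caller's rules.
      "audit-sudo" = "sudo cat /etc/sudoers";
    };
  };

  # Sudo configuration for admin user
  security.sudo.extraRules = [
    {
      users = [ "sma" ];
      commands = [
        {
          command = "ALL";
          # Passwordless sudo for admin tasks.
          # NOTE(review): together with key-only login this makes the SSH
          # private key (or any forwarded agent session) a direct root
          # credential. Drop NOPASSWD, or scope it to specific commands,
          # if privilege escalation should require a second factor.
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # Admin user home directory permissions. The home is 0700 rather than
  # 0755: an administrator's working files, shell history and tooling
  # state should not be readable by every other local account.
  systemd.tmpfiles.rules = [
    "d /home/sma 0700 sma sma -"
    "d /home/sma/.ssh 0700 sma sma -"
  ];

  # Create the sma group
  users.groups.sma = {
    # Fixed GID for consistency across machines.
    # NOTE(review): 992 is below 1000, the range NixOS uses for
    # auto-allocated system groups, while the uid (1001) is in the
    # normal-user range -- confirm it cannot collide with a dynamically
    # assigned gid on any host this module is deployed to.
    gid = 992;
  };
}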