# Configuration for the pwdutils suite of tools: passwd, useradd, etc.
{ config, lib, utils, pkgs, ... }:
let
  cfg = config.security.loginDefs;
in
{
  options = {

    security.shadow.enable = lib.mkEnableOption "" // {
      default = true;
      description = ''
        Enable the shadow authentication suite, which provides critical programs such as su, login, passwd.

        Note: This is currently experimental. Only disable this if you're
        confident that you can recover your system if it breaks.
      '';
    };

    security.loginDefs = {
      package = lib.mkPackageOption pkgs "shadow" { };

      chfnRestrict = lib.mkOption {
        description = ''
          Use chfn SUID to allow non-root users to change their account GECOS information.
        '';
        type = lib.types.nullOr lib.types.str;
        default = null;
      };

      settings = lib.mkOption {
        description = ''
          Config options for the /etc/login.defs file, that defines
          the site-specific configuration for the shadow password suite.
          See login.defs(5) man page for available options.
        '';
        type = lib.types.submodule {
          freeformType = (pkgs.formats.keyValue { }).type;
          /* There are three different sources for user/group id ranges, each of which gets
             used by different programs:
             - The login.defs file, used by the useradd, groupadd and newusers commands
             - The update-users-groups.pl file, used by NixOS in the activation phase to
               decide on which ids to use for declaratively defined users without a static
               id
             - Systemd compile time options -Dsystem-uid-max= and -Dsystem-gid-max=, used
               by systemd for features like ConditionUser=@system and systemd-sysusers
              */
          options = {
            DEFAULT_HOME = lib.mkOption {
              description = "Indicate if login is allowed if we can't cd to the home directory.";
              default = "yes";
              type = lib.types.enum [ "yes" "no" ];
            };

            ENCRYPT_METHOD = lib.mkOption {
              description = "This defines the system default encryption algorithm for encrypting passwords.";
              # The default crypt() method, keep in sync with the PAM default
              default = "YESCRYPT";
              type = lib.types.enum [ "YESCRYPT" "SHA512" "SHA256" "MD5" "DES"];
            };

            SYS_UID_MIN = lib.mkOption {
              description = "Range of user IDs used for the creation of system users by useradd or newusers.";
              default = 400;
              type = lib.types.int;
            };

            SYS_UID_MAX = lib.mkOption {
              description = "Range of user IDs used for the creation of system users by useradd or newusers.";
              default = 999;
              type = lib.types.int;
            };

            UID_MIN = lib.mkOption {
              description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
              default = 1000;
              type = lib.types.int;
            };

            UID_MAX = lib.mkOption {
              description = "Range of user IDs used for the creation of regular users by useradd or newusers.";
              default = 29999;
              type = lib.types.int;
            };

            SYS_GID_MIN = lib.mkOption {
              description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
              default = 400;
              type = lib.types.int;
            };

            SYS_GID_MAX = lib.mkOption {
              description = "Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers";
              default = 999;
              type = lib.types.int;
            };

            GID_MIN = lib.mkOption {
              description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
              default = 1000;
              type = lib.types.int;
            };

            GID_MAX = lib.mkOption {
              description = "Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.";
              default = 29999;
              type = lib.types.int;
            };

            TTYGROUP = lib.mkOption {
              description = ''
                The terminal permissions: the login tty will be owned by the TTYGROUP group,
                and the permissions will be set to TTYPERM'';
              default = "tty";
              type = lib.types.str;
            };

            TTYPERM = lib.mkOption {
              description = ''
                The terminal permissions: the login tty will be owned by the TTYGROUP group,
                and the permissions will be set to TTYPERM'';
              default = "0620";
              type = lib.types.str;
            };

            # Ensure privacy for newly created home directories.
            UMASK = lib.mkOption {
              description = "The file mode creation mask is initialized to this value.";
              default = "077";
              type = lib.types.str;
            };
          };
        };
        default = { };
      };
    };

    users.defaultUserShell = lib.mkOption {
      description = ''
        This option defines the default shell assigned to user
        accounts. This can be either a full system path or a shell package.

        This must not be a store path, since the path is
        used outside the store (in particular in /etc/passwd).
      '';
      example = lib.literalExpression "pkgs.zsh";
      type = lib.types.either lib.types.path lib.types.shellPackage;
    };
  };

  ###### implementation

  config = lib.mkMerge [
    {
      assertions = [
        {
          assertion = config.security.shadow.enable || config.services.greetd.enable;
          message = "You must enable at least one VT login method, either security.shadow.enable or services.greetd.enable";
        }
      ];
    }
    (lib.mkIf config.security.shadow.enable {
      assertions = [
        {
          assertion = cfg.settings.SYS_UID_MIN <= cfg.settings.SYS_UID_MAX;
          message = "SYS_UID_MIN must be less than or equal to SYS_UID_MAX";
        }
        {
          assertion = cfg.settings.UID_MIN <= cfg.settings.UID_MAX;
          message = "UID_MIN must be less than or equal to UID_MAX";
        }
        {
          assertion = cfg.settings.SYS_GID_MIN <= cfg.settings.SYS_GID_MAX;
          message = "SYS_GID_MIN must be less than or equal to SYS_GID_MAX";
        }
        {
          assertion = cfg.settings.GID_MIN <= cfg.settings.GID_MAX;
          message = "GID_MIN must be less than or equal to GID_MAX";
        }
      ];

      security.loginDefs.settings.CHFN_RESTRICT = lib.mkIf (cfg.chfnRestrict != null) cfg.chfnRestrict;

      environment.systemPackages = lib.optional config.users.mutableUsers cfg.package
        ++ lib.optional (lib.types.shellPackage.check config.users.defaultUserShell) config.users.defaultUserShell
        ++ lib.optional (cfg.chfnRestrict != null) pkgs.util-linux;

      environment.etc =
        # Create custom toKeyValue generator
        # see https://man7.org/linux/man-pages/man5/login.defs.5.html for config specification
        let
          toKeyValue = lib.generators.toKeyValue {
            mkKeyValue = lib.generators.mkKeyValueDefault { } " ";
          };
        in {
          # /etc/login.defs: global configuration for pwdutils.
          # You cannot login without it!
          "login.defs".source = pkgs.writeText "login.defs" (toKeyValue cfg.settings);

          # /etc/default/useradd: configuration for useradd.
          "default/useradd".source = pkgs.writeText "useradd" ''
            GROUP=100
            HOME=/home
            SHELL=${utils.toShellPath config.users.defaultUserShell}
          '';
        };

      security.pam.services = {
        chsh.rootOK = true;
        chfn.rootOK = true;
        su = {
          rootOK = true;
          forwardXAuth = true;
          logFailures = true;
        };
        passwd = { };
        # Note: useradd, groupadd etc. aren't setuid root, so it
        # doesn't really matter what the PAM config says as long as it
        # lets root in.
        useradd.rootOK = true;
        usermod.rootOK = true;
        userdel.rootOK = true;
        groupadd.rootOK = true;
        groupmod.rootOK = true;
        groupmems.rootOK = true;
        groupdel.rootOK = true;
        login = {
          startSession = true;
          allowNullPassword = true;
          showMotd = true;
          updateWtmp = true;
        };
        chpasswd.rootOK = true;
      };

      security.wrappers =
        let
          mkSetuidRoot = source: {
            setuid = true;
            owner = "root";
            group = "root";
            inherit source;
          };
        in
          {
            su = mkSetuidRoot "${cfg.package.su}/bin/su";
            sg = mkSetuidRoot "${cfg.package.out}/bin/sg";
            newgrp = mkSetuidRoot "${cfg.package.out}/bin/newgrp";
            newuidmap = mkSetuidRoot "${cfg.package.out}/bin/newuidmap";
            newgidmap = mkSetuidRoot "${cfg.package.out}/bin/newgidmap";
          }
          // lib.optionalAttrs config.users.mutableUsers {
            chsh = mkSetuidRoot "${cfg.package.out}/bin/chsh";
            passwd = mkSetuidRoot "${cfg.package.out}/bin/passwd";
          };
    })
  ];
}