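# NixOS module: optional `builder` system account that accepts SSH logins
# with the public keys stored next to this file. Enabled through
# `eboskma.users.builder.enable`.
# NOTE(review): presumably the login used by Nix remote-build clients; confirm.
#
# Security: every key file under ./keys can log in as `builder`, and `builder`
# is a Nix trusted user (see the bottom of this file). The Nix manual describes
# trusted-users membership as essentially equivalent to root access on the
# machine, so a change to ./keys deserves the same review as a change to
# root's authorized_keys.
{ config, lib, ... }:
let
  cfg = config.eboskma.users.builder;

  # `builtins.readDir` maps each entry name to its type. Only regular files
  # and symlinks are kept: `builtins.readFile` cannot read a directory, so a
  # stray subdirectory would otherwise abort evaluation of the whole module.
  keyFileNames = builtins.attrNames (
    lib.filterAttrs (_name: type: type == "regular" || type == "symlink") (
      builtins.readDir ./keys
    )
  );

  # One list element per file, in `attrNames` (sorted) order.
  # NOTE(review): nothing checks the file name or its contents, so any other
  # file placed in ./keys (README, editor backup, ...) is also handed to
  # `authorizedKeys.keys`. Keep the directory limited to public keys, one per
  # file.
  authorizedKeys = map (name: builtins.readFile (./keys/${name})) keyFileNames;
in
{
  options.eboskma.users.builder = {
    enable = lib.mkEnableOption "builder";
  };

  config = lib.mkIf cfg.enable {
    users.users.builder = {
      isSystemUser = true;
      group = "builder";
      # Sets the shell to `users.defaultUserShell`, i.e. the account has a
      # working login shell for SSH sessions.
      useDefaultShell = true;
      home = "/var/lib/builder";
      createHome = true;
      openssh.authorizedKeys.keys = authorizedKeys;
    };

    users.groups.builder = { };

    # Trusted users may override restricted Nix settings and import unsigned
    # store paths; treat this as granting root-equivalent control of the Nix
    # daemon to every holder of a key in ./keys.
    # NOTE(review): if clients only need to submit builds whose inputs are
    # signed by a key this host already trusts, check whether this entry can
    # be dropped.
    nix.settings.trusted-users = [ "builder" ];
  };
}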