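# Navi / remote-deploy identity: push closures + activate system profiles over SSH.
#
# Exposes `flake.nixosModules.systemDeployBuilder`. When enabled it:
#   * registers `builder` in the catalog (`chiasson.users.enabled`),
#   * marks it a Nix-daemon trusted user so `nix copy` can push closures,
#   * grants it unrestricted passwordless sudo for non-interactive activation.
# It does NOT install SSH keys itself; inbound access is expected to be limited
# by the catalog entry `builder.ssh`, which is defined elsewhere.
{ ... }:
{
  flake.nixosModules.systemDeployBuilder =
    { config, lib, pkgs, ... }:
    let
      cfg = config.chiasson.system.deploy.builder;
    in
    {
      options.chiasson.system.deploy.builder = {
        enable = lib.mkEnableOption ''
          Fleet deploy user for Navi (and similar tools). Creates the `builder`
          catalog user, trusts it with the Nix daemon for `nix copy`, and grants
          passwordless sudo for non-interactive activation. SSH inbound is limited
          to the deploy machine key (see catalog `builder.ssh`).
        '';
      };

      config = lib.mkIf cfg.enable {
        chiasson.users.enabled = lib.mkAfter [ "builder" ];

        users.users.builder = {
          # `users.users.<name>.password` is a *cleartext* password that NixOS
          # hashes at activation, so `password = "!"` would have set the login
          # password to the literal string "!" rather than locking the account.
          # `hashedPassword = "!"` is not a valid crypt(3) hash, which is what
          # locks password login in /etc/shadow; key-based SSH is unaffected.
          hashedPassword = "!";
          # nix copy / navi push opens an SSH session; nologin breaks the store protocol.
          shell = pkgs.bash;
        };

        # Required for `nix copy` to the remote daemon. A trusted user can push
        # store paths and override daemon settings, so this is a privileged role.
        nix.settings.trusted-users = lib.mkAfter [ "builder" ];

        # Navi wraps remote steps in `sudo -H --` (nix-env, switch-to-configuration,
        # provenance under /etc/navi, readlink, …). Scoped store-path rules are fragile;
        # this account has no wheel; SSH/key-only in practice (password locked).
        # NOTE: `ALL` + `NOPASSWD` + `SETENV` makes `builder` root-equivalent and
        # lets the caller pass environment through sudo; the SSH key that guards
        # this account therefore deserves the same handling as a root key.
        security.sudo.extraRules = [
          {
            users = [ "builder" ];
            commands = [
              {
                command = "ALL";
                options = [ "NOPASSWD" "SETENV" ];
              }
            ];
          }
        ];
      };
    };
}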