{ lib, pkgs, ... }:

let
  agentcmd = "${ (pkgs.callPackage ./checkmk-agent/default.nix { }) }/bin/check_mk_agent.sshwrapper";
in
{
  users.users.mon = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      ''restrict,command="${ agentcmd }" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHkivi9Ye/Uj4ZQxrEfarSaz0iLF/XXhY/crNsLoDMu checkmk''
    ];
  };
  security.sudo.extraConfig = ''
    ## Allow the monitor user to run commands as root
    mon       ALL=(ALL)       NOPASSWD: ALL
    '';
}