{
  config,
  inputs,
  lib,
  pkgs,
  ...
}:

with lib;

let
  cfg = config.custom.settings.users;
in
{
  options.custom.settings.users = {
    enable = mkOption { default = false; };
    shell = mkOption { default = pkgs.fish; };

    ${config.custom.username} = {
      groups = mkOption {
        default =
          if config.custom.full then
            [
              "input"
              "video"
            ]
          else
            [ ];
      };
      linger = mkOption { default = false; };
      packages = mkOption { default = [ ]; };
    };
  };

  config = mkIf cfg.enable {
    age.secrets =
      let
        secret = filename: {
          file = "${inputs.self}/secrets/${filename}";
        };
      in
      {
        "${config.custom.profile}/users/${config.custom.username}.pass" = secret "${config.custom.profile}/users/${config.custom.username}.pass";
        "${config.custom.profile}/users/root.pass" = secret "${config.custom.profile}/users/root.pass";
      };

    users = {
      defaultUserShell = cfg.shell;
      mutableUsers = false; # !! Immutable users

      users = {
        #!! secrets/PROFILE/users/USERNAME.pass hashedPasswordFile is required

        root.hashedPasswordFile = config.age.secrets."${config.custom.profile}/users/root.pass".path;

        ${config.custom.username} = {
          isNormalUser = true;
          extraGroups = [ "wheel" ] ++ cfg.${config.custom.username}.groups;
          hashedPasswordFile =
            config.age.secrets."${config.custom.profile}/users/${config.custom.username}.pass".path;
          linger = cfg.${config.custom.username}.linger;
          packages = cfg.${config.custom.username}.packages;
        };
      };
    };
  };
}