{
  conf,
  config,
  ...
}: {
  users.mutableUsers = false;
  users.users = {
    ${conf.user} = {
      isNormalUser = true;
      uid = conf.uid;
      extraGroups = ["wheel" "networkmanager"];
      hashedPasswordFile = config.sops.secrets."user/hashedPassword".path;
    };
  };

  home-manager.users = let
    hm = import ../home;
  in {
    ${conf.user} = {
      imports = hm.user;
      home.username = conf.user;
      home.homeDirectory = conf.home;
    };
  };

  sops.secrets."user/password" = {
    sopsFile = ../hosts/${conf.hostname}/secrets/default.yml;
    neededForUsers = true;
  };
}