{
  conf,
  config,
  ...
}: {
  users.mutableUsers = false;
  users.users = {
    ${conf.user} = {
      isNormalUser = true;
      uid = conf.uid;
      extraGroups = ["wheel" "networkmanager"];
      hashedPasswordFile = config.sops.secrets."user/password".path;
    };
  };

  home-manager.users = let
    hm = import ../home;
  in {
    ${conf.user} = {
      imports = hm.user;
      home.username = conf.user;
      home.stateVersion = "24.11";
    };
  };

  sops.secrets."user/password" = {
    sopsFile = ../hosts/${conf.hostname}/secrets/default.yaml;
    neededForUsers = true;
  };

  sops.secrets."user/ssh/private" = {
    sopsFile = ../hosts/${conf.hostname}/secrets/default.yaml;
    path = "/home/lilith/.ssh/id_ed25519";
    owner = "lilith";
  };
  sops.secrets."user/ssh/public" = {
    sopsFile = ../hosts/${conf.hostname}/secrets/default.yaml;
    path = "/home/lilith/.ssh/id_ed25519.pub";
    owner = "lilith";
  };
}