{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
with lib;
let
  inherit (lib.${namespace}) mkOpt mkBoolOpt;
  cfg = config.${namespace}.user;

  # Reference the sops-managed password file only when the secret has been
  # declared somewhere in the configuration.  Checking the attrset with ?
  # avoids forcing evaluation of the secret path on hosts that don't use sops.
  sopsMattPassword =
    let
      secretName = cfg.sopsPasswordSecret;
    in
    if secretName != null && builtins.hasAttr secretName config.sops.secrets then
      config.sops.secrets.${secretName}.path
    else
      null;

  # Fall back to the sops-managed password file only when no explicit password
  # method has been set by the caller.
  resolvedPasswordFile =
    if cfg.hashedPassword == null && cfg.hashedPasswordFile == null && cfg.password == null then
      sopsMattPassword
    else
      cfg.hashedPasswordFile;

  # Common SSH keys used across systems
  commonSshKeys = [
    # MacBook
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
    # MacBook NixOS
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBOhX3ds1QBC5qqqtPJDZgyGr8gfGjCGnGCiIhWZNNi4 matt@macbook-pro-nixos"
    # Desktop Windows
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
    # Desktop NixOS
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDSbGJHZKrraJYwF4hehqmSd/cFOPyLUuWUECEA7qH2Rv5zrL50Pey3o1L0pKlypxjrrNgkCsn53lP6jgF7GHDo0TICsE1jgVAUKhVL+h6+o/8A509ZVb/ZhItZmbc7mtif59FTF+RiIS11f6RFNdKy6XoosdIXPhxHRqKb40GoVdEmgqSqb77nePQPZQiBhosI0KmJ8UsCn+z6lLAX+hQ9CT7rQDuW18MbAYcc2DI4aug35npngys4m3RMA2IlzF5SRMxmPLpN8HHXkLlliDGjvFHxJbAAlkDvjFETrPjgKQqKcVOhEP42Qg/ywcGfqKQTig2r13AgJE2NSON7VtHu554RiQ+Ob52aN7PvxzsEWwXO01ot7PHB1nnKeFGkRAGQfm6nAZ/So0JOraWL35MKmBmlbIXR3uT8WMJrbCq1YYJ88PbAE8l1LOJSshHRcXFgnrllywO5+6S7cLpKKXu9L4xTisJMbGlq3yVSTfXiysXRa+tfgQy6GdSIyEeQHJs= matt@matt-nixos"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
    # Yubikey
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuzZfywCSde/3J1zRWH0s7OMEhHIwZeNWdKHUxMAYE/5hzFRtl5LYuNU68zxj7Aj67VF8VGwBbMEU6X/ebiNAxahmjf4mtioby5b4TIy+0Xvdbayoch938bP7UhskzobaJF6epg3vyATnJGr6i0EOXiDSkJU8vL1oeue0HN7WmwzIqxw0BTaSh6HJvjhhFhs20dBHc2x9behIfSmKFe9gBlPcIriUtpXNgasm14QCMk537dlSgGUFxPGIzZRAUSn5wqFjbiNK0rP/1MJzhGtXhHFJ8irI4TiVEk3cOm5nMoJxTP4KScfmHU+niU1Al+d0KOBsHb71AWutazRudKvsqrPsbG6vT4gGMVjOCTN9e89jcapz5GEQsVQR6s1HUjh4G+2PFbHOFmR8Mks+TIumqHIWsXgQnFBadblDRGPwrSH3zulvRzghyfTyU/bX28iGvpli2ckso5nJmG8D1LO7Y/E8U8ZGW4hC75+iP90cu9G1Ff1hETkrv6xpbNTGL61U= cardno:33_720_987"
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGdwsYDOkjd17rKdpjKN+3Yx1rRHT/Fiv2erc2JdE6ibHKBxLSEZ4kCOFCyGyc5ZO6Cmb09GfAe9FugkD4titns= cardno:33_720_987"
  ];

in
{
  options.${namespace}.user = with types; {
    email = mkOpt str "jalle008@proton.me" "The email of the user.";

    extraGroups = mkOpt (listOf str) [ ] "Groups for the user to be assigned.";

    extraOptions = mkOpt attrs { } "Extra options passed to <option>users.users.<name></option>.";

    fullName = mkOpt str "Matt Jallen" "The full name of the user.";

    name = mkOpt str "matt" "The name to use for the user account.";

    sshKeys = mkOpt (listOf str) [ ] "List of SSH public keys for the user.";

    enableCommonSshKeys = mkBoolOpt true "Whether to include common SSH keys used across systems.";

    uid = mkOpt int 1000 "The user ID for the user account.";

    group = mkOpt str "wheel" "Group of the user";

    gid = mkOpt int 1000 "gid of the group";

    packages = mkOpt (listOf package) [ ] "List of packages to install for this user.";

    linger = mkBoolOpt false "Whether to enable systemd user service persistence.";

    password = mkOpt (nullOr str) null "Plain text password for the user (development only).";

    hashedPassword = mkOpt (nullOr str) null "Hashed password for the user.";

    hashedPasswordFile = mkOpt (nullOr path) null "Path to the password file for this user account";

    sopsPasswordSecret =
      mkOpt (nullOr str) "matt_password"
        "Name of the sops secret to use as the hashed password file when no explicit password method is set. Set to null to disable the sops fallback.";

    mutableUsers = mkBoolOpt false "Whether users are mutable (can be modified after modification).";
  };

  config = {
    users = {
      inherit (cfg) mutableUsers;
      groups.${cfg.group}.gid = lib.mkForce (if cfg.group != "wheel" then cfg.gid else 1);
      users = {
        root = {
          isSystemUser = true;
          isNormalUser = false;
          shell = lib.mkForce pkgs.zsh;
        };
        ${cfg.name} = {
          inherit (cfg)
            name
            group
            uid
            linger
            packages
            password
            hashedPassword
            ;
          hashedPasswordFile = resolvedPasswordFile;

          extraGroups = [
            "dialout"
            "uucp"
            "wheel"
            "keys"
            "networkmanager"
            "ratbagd"
            "scanner"
            "systemd-journal"
            "mpd"
            "audio"
            "video"
            "input"
            "plugdev"
            "lp"
            "tss"
            "power"
            "nix"
            "i2c"
            "media"
            "nscd"
            "avahi"
            "podman"
            "libvirtd"
            "fuse"
          ]
          ++ cfg.extraGroups;

          home = "/home/${cfg.name}";
          isNormalUser = true;
          shell = lib.mkForce pkgs.zsh;
          description = cfg.fullName;

          # SSH keys - combine user-specific and common keys
          openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys);
        }
        // cfg.extraOptions;
      };
    };
    assertions = [
      {
        assertion =
          (cfg.password != null) || (cfg.hashedPassword != null) || (resolvedPasswordFile != null);
        message = "User '${cfg.name}' requires at least one password method (password, hashedPassword, hashedPasswordFile, or a sops 'matt_password' secret).";
      }
      {
        assertion =
          let
            passwordMethods = lib.count (x: x != null) [
              cfg.password
              cfg.hashedPassword
              resolvedPasswordFile
            ];
          in
          passwordMethods <= 1;
        message = "User '${cfg.name}' can only use one password method at a time.";
      }
    ];
  };
}