{ pkgs, config, ... }:

let
  # Path (at activation time) of the sops-managed hash used as the NAS admin
  # password. Every account below that sets hashedPasswordFile points at this
  # same file, so those accounts share ONE credential: whoever knows the admin
  # password can log in as each of them.
  # NOTE(review): service accounts (isSystemUser) normally need no password at
  # all — NixOS leaves an account with no password locked. Consider dropping the
  # hash from nix-apps and upsuser and keeping it on at most one interactive
  # account; confirm nothing relies on `su` into these users first.
  adminPasswordHashFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
  # Groups are declared here; the name is set explicitly so the attribute name
  # and the system group name cannot drift apart.
  users.groups = {
    nut.name = "nut";
    "jallen-nas".name = "jallen-nas";
    # Primary group of the exporter's service account; an empty definition is
    # enough, the group name is the attribute name.
    nextcloud-exporter = { };
  };

  users.users = {
    # Account the containerised apps run as. The uid is pinned (presumably so
    # file ownership stays stable across container volumes — confirm).
    # NOTE(review): membership in `docker` (and usually the podman socket
    # group) lets the account drive the container daemon, which is generally
    # root-equivalent on the host — treat this account as root-sensitive.
    # `keys` only helps if the sops secrets it needs allow group read; sops-nix
    # defaults are root:keys mode 0400, which ignores group membership (verify
    # the secret definitions).
    nix-apps = {
      isSystemUser = true;
      uid = 911;
      group = "jallen-nas";
      extraGroups = [ "jallen-nas" "docker" "podman" "keys" ];
      hashedPasswordFile = adminPasswordHashFile;
    };

    # Interactive user that shares the NAS admin password hash.
    # NOTE(review): this is declared as a normal user, while the NixOS
    # services.nextcloud module declares the same user as a system user; NixOS
    # requires exactly one of isNormalUser/isSystemUser, so if that module is
    # enabled elsewhere evaluation will fail. The `nix-apps` group referenced
    # here is not defined in this file (the nix-apps user's primary group is
    # jallen-nas) — confirm it exists elsewhere or drop it.
    nextcloud = {
      isNormalUser = true;
      extraGroups = [ "jallen-nas" "nix-apps" ];
      hashedPasswordFile = adminPasswordHashFile;
    };

    # UPS monitoring (NUT) service account. Its state directory is created at
    # /var/lib/nut with mode 750, i.e. readable only by the account and the
    # `nut` group.
    upsuser = {
      group = "nut";
      isNormalUser = false;
      isSystemUser = true;
      createHome = true;
      home = "/var/lib/nut";
      homeMode = "750";
      hashedPasswordFile = adminPasswordHashFile;
    };

    # NOTE(review): NixOS expects programs.zsh.enable when zsh is a login
    # shell — confirm it is set elsewhere.
    root.shell = pkgs.zsh;

    # Service account the NixOS nextcloud exporter runs as (the default name
    # generated by the exporter base module). `keys` is added so it can read
    # the sops-managed adminpassword secret — this only works if that secret's
    # mode permits group read (sops-nix defaults to 0400; set 0440 or give the
    # secret an explicit owner/group — verify).
    nextcloud-exporter = {
      isSystemUser = true;
      group = "nextcloud-exporter";
      extraGroups = [ "keys" ];
    };

    # Prometheus reads bearer_token_file for the Gitea scrape job at runtime,
    # so it too needs group access to the sops secret (same 0400-vs-0440
    # caveat as above).
    prometheus = {
      extraGroups = [ "keys" ];
    };
  };
}