{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
with lib;
let
  cfg = config.${namespace}.user;

  isRoot = (cfg.name == "root");

  # Common SSH keys used across systems
  commonSshKeys = [
    # MacBook
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
    # Desktop Windows
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
    # Desktop NixOS
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
    # Yubikey
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCuzZfywCSde/3J1zRWH0s7OMEhHIwZeNWdKHUxMAYE/5hzFRtl5LYuNU68zxj7Aj67VF8VGwBbMEU6X/ebiNAxahmjf4mtioby5b4TIy+0Xvdbayoch938bP7UhskzobaJF6epg3vyATnJGr6i0EOXiDSkJU8vL1oeue0HN7WmwzIqxw0BTaSh6HJvjhhFhs20dBHc2x9behIfSmKFe9gBlPcIriUtpXNgasm14QCMk537dlSgGUFxPGIzZRAUSn5wqFjbiNK0rP/1MJzhGtXhHFJ8irI4TiVEk3cOm5nMoJxTP4KScfmHU+niU1Al+d0KOBsHb71AWutazRudKvsqrPsbG6vT4gGMVjOCTN9e89jcapz5GEQsVQR6s1HUjh4G+2PFbHOFmR8Mks+TIumqHIWsXgQnFBadblDRGPwrSH3zulvRzghyfTyU/bX28iGvpli2ckso5nJmG8D1LO7Y/E8U8ZGW4hC75+iP90cu9G1Ff1hETkrv6xpbNTGL61U= cardno:33_720_987"
  ];
in
{
  options.${namespace}.user = with types; {
    email = lib.mkOption {
      type = str;
      default = "jalle008@proton.me";
      description = "The email of the user.";
    };
    extraGroups = lib.mkOption {
      type = (listOf str);
      default = [ ];
      description = "Groups for the user to be assigned.";
    };
    extraOptions = lib.mkOption {
      type = attrs;
      default = { };
      description = "Extra options passed to <option>users.users.<name></option>.";
    };
    fullName = lib.mkOption {
      type = str;
      default = "Matt Jallen";
      description = "The full name of the user.";
    };
    name = lib.mkOption {
      type = str;
      default = "matt";
      description = "The name to use for the user account.";
    };
    passwordFile = lib.mkOption {
      type = nullOr path;
      default = null;
      description = "Path to the password file for this user account";
    };
    sshKeys = lib.mkOption {
      type = listOf str;
      default = [ ];
      description = "List of SSH public keys for the user.";
    };
    enableCommonSshKeys = lib.mkOption {
      type = bool;
      default = true;
      description = "Whether to include common SSH keys used across systems.";
    };
    uid = lib.mkOption {
      type = int;
      default = if isRoot then ids.uids.root else 1000;
      description = "The user ID for the user account.";
    };
    packages = lib.mkOption {
      type = listOf package;
      default = [ ];
      description = "List of packages to install for this user.";
    };
    linger = lib.mkOption {
      type = bool;
      default = false;
      description = "Whether to enable systemd user service persistence.";
    };
    password = lib.mkOption {
      type = nullOr str;
      default = null;
      description = "Plain text password for the user (development only).";
    };
    hashedPassword = lib.mkOption {
      type = nullOr str;
      default = null;
      description = "Hashed password for the user.";
    };
    mutableUsers = lib.mkOption {
      type = bool;
      default = false;
      description = "Whether users are mutable (can be modified after creation).";
    };
  };

  config = {
    users.mutableUsers = cfg.mutableUsers;

    users.users.${cfg.name} = {
      inherit (cfg)
        name
        uid
        linger
        packages
        ;

      extraGroups = [
        "wheel"
        "keys"
        "networkmanager"
        "ratbagd"
        "scanner"
        "systemd-journal"
        "mpd"
        "audio"
        "video"
        "input"
        "plugdev"
        "lp"
        "tss"
        "power"
        "nix"
        "i2c"
      ]
      ++ cfg.extraGroups;

      group = "users";
      home = "/home/${cfg.name}";
      isNormalUser = (!isRoot);
      isSystemUser = isRoot;
      shell = lib.mkForce pkgs.zsh;

      # SSH keys - combine user-specific and common keys
      openssh.authorizedKeys.keys = cfg.sshKeys ++ (lib.optionals cfg.enableCommonSshKeys commonSshKeys);

      # Authentication - priority: passwordFile > hashedPassword > password
      hashedPasswordFile = lib.mkIf (cfg.passwordFile != null) cfg.passwordFile;
      hashedPassword = lib.mkIf (
        cfg.passwordFile == null && cfg.hashedPassword != null
      ) cfg.hashedPassword;
      password = lib.mkIf (
        cfg.passwordFile == null && cfg.hashedPassword == null && cfg.password != null
      ) cfg.password;
    }
    // cfg.extraOptions;
  };
}