{ lib, config, ... }:
let
  types = lib.types;
in
{
  options.maid.masters.nero = {
    enable = lib.mkEnableOption "Nero user";
    groups = lib.mkOption {
      type = types.listOf types.str;
      default = [ "wheel" "docker" "networkmanager" ];
    };
    uid = lib.mkOption {
      type = types.int;
      default = 1337;
    };
    authorizedKeys = lib.mkOption {
      type = types.listOf types.str;
      default = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBaWnT7mpLERhm3zIWglNy094a7F7d7cpEImLZYwwWoS nero@lil-maid"
      ];
    };
  };

  config = lib.mkIf config.maid.masters.nero.enable (
    let
      nero = config.maid.masters.nero;
    in
    {
      sops.secrets."users/nero/password".neededForUsers = true;
      users.users.nero = {
        isNormalUser = true;
        uid = nero.uid;
        openssh.authorizedKeys.keys = nero.authorizedKeys;

        hashedPasswordFile = config.sops.secrets."users/nero/password".path;
      };
    }
  );
}