{ config, lib, pkgs, ... }:

with lib;

let
  # Turn one entry of config.machine.administrators (an attrset providing
  # `name` and `id`) into the { name, value } pair that listToAttrs expects,
  # where `value` is the users.users.<name> definition for that account.
  administrators = user:
    let
      inherit (config) services;

      # Per-user secret file, <secretPath>/<name>.
      # NOTE(review): assumes config.machine.secretPath is a *string*. If the
      # option yields a Nix path value, this interpolation would copy the
      # secret directory into the world-readable Nix store. Confirm the
      # option's type where it is declared.
      secretFile = "${config.machine.secretPath}/${user.name}";
      publicKeyFile = "${secretFile}.pub";

      # builtins.pathExists runs at evaluation time on the evaluating host.
      # If the .pub file is absent there, the account silently gets no
      # authorized key and the password file is the only credential left.
      installKey = services.openssh.enable && (builtins.pathExists publicKeyFile);

      # "wheel" is the group NixOS sudo rules grant to by default.
      baseGroups = [ "audio" "wheel" "network" ];
      desktopGroups = optionals services.xserver.enable [ "input" "video" ];
      printerGroups = optionals services.printing.enable [ "cups" "lp" ];
      # Membership in "docker" allows driving the Docker daemon, which is
      # effectively root on the host. It is added only when Docker is enabled.
      containerGroups = optional config.virtualisation.docker.enable "docker";
    in {
      inherit (user) name;
      value = {
        inherit (user) name;
        isNormalUser = true;
        description = "Administrative user ${user.name}.";
        uid = user.id;
        # Primary group is a per-user group of the same name (see mkusergroup).
        group = user.name;
        extraGroups = baseGroups ++ desktopGroups ++ printerGroups ++ containerGroups;
        home = builtins.toPath "/home/${user.name}";
        createHome = true;
        shell = "${pkgs.zsh}/bin/zsh";
        # NixOS reads a *hashed* password from this file at activation time.
        # NOTE(review): the file should be readable by root only and live
        # outside the Nix store. Recent NixOS releases name this option
        # hashedPasswordFile; check against the release being targeted.
        passwordFile = secretFile;
        openssh.authorizedKeys.keyFiles = optional installKey publicKeyFile;
      };
    };

   # Build the { name, value } pair for a user's private group: the group is
   # named after the user, reuses user.id as its gid (the administrators
   # helper uses the same id as the uid), and has that user as sole member.
   mkusergroup = user:
     let
       inherit (user) name;
     in {
       inherit name;
       value = {
         inherit name;
         gid = user.id;
         members = [ name ];
       };
     };

in {
  # Accounts are fully declarative: with mutableUsers = false NixOS resets
  # users and groups to exactly what is declared here on every activation,
  # so credentials changed at runtime (e.g. via passwd) do not persist.
  users.mutableUsers = false;
  # One account and one same-named private group per configured administrator.
  users.users = listToAttrs (map administrators config.machine.administrators);
  users.groups = listToAttrs (map mkusergroup config.machine.administrators);
}