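# Declarative administrator accounts.  Each entry in
# `config.machine.administrators` (assumed shape: { name, id, ... } — confirm
# against the option's definition) becomes a normal user with sudo via
# `wheel`, a same-named primary group, and a password hash supplied by sops.
{ config, lib, fn, pkgs, ... }:

with lib;

let
  withDocker = config.virtualisation.docker.enable;
  withPodman = config.virtualisation.podman.enable;

  # Subordinate uid/gid range handed to each user for rootless podman.
  # Every user must get a *disjoint* range: if two users share one, a
  # container process running as uid N in user A's namespace is the same
  # host uid as uid N in user B's namespace, so the users are no longer
  # isolated from each other on the host.
  subIdBase = 100000;
  subIdCount = 65536;

  # Build the `users.users.<name>` entry for one administrator.
  # `index` is the user's position in the administrators list and selects a
  # distinct subordinate id range (index 0 keeps the original 100000 start,
  # so a single-administrator machine is unchanged).
  administrators = index: user: {
    name = user.name;
    value =
      let
        cfg = config.services;
        passPath = config.sops.secrets."users/${user.name}/password".path;
        subIdStart = subIdBase + index * subIdCount;
      in
      {
        isNormalUser = true;
        name = user.name;
        uid = user.id;
        subUidRanges = optional withPodman { startUid = subIdStart; count = subIdCount; };
        subGidRanges = optional withPodman { startGid = subIdStart; count = subIdCount; };
        # Plain string: `builtins.toPath` is deprecated, and a path value can
        # end up copied into the store if it is ever interpolated downstream.
        home = "/home/${user.name}";
        createHome = true;
        description = "Administrative user ${user.name}.";
        group = user.name;
        # `wheel` grants sudo.  Membership in `docker` is root-equivalent on
        # the host (the daemon runs as root), so it is only granted when the
        # docker daemon is enabled and podman is not the chosen runtime.
        extraGroups =
          [ "audio" "wheel" "network" ]
          ++ optionals cfg.xserver.enable [ "input" "video" ]
          ++ optionals cfg.printing.enable [ "cups" "lp" ]
          ++ optional (withDocker && !withPodman) "docker"
          ++ optional withPodman "podman";
        shell = "${pkgs.zsh}/bin/zsh";
        # The hash is read from the sops-managed file declared below, so it is
        # never written into the Nix store.  NOTE(review): newer NixOS
        # releases call this option `hashedPasswordFile`; confirm against the
        # pinned nixpkgs before renaming.
        passwordFile = passPath;
      };
  };

  # Build the `users.groups.<name>` entry: one primary group per
  # administrator, gid equal to the uid, containing only that user.
  mkusergroup = user: {
    name = user.name;
    value = {
      name = user.name;
      gid = user.id;
      members = [ user.name ];
    };
  };
in
{
  # One sops secret per administrator holding the password hash; it must be
  # available before user creation, hence `neededForUsers`.
  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password")
    config.machine.administrators { neededForUsers = true; };

  users = {
    # Accounts are fully declarative; no imperative useradd/passwd changes
    # survive a rebuild.
    mutableUsers = false;
    users = listToAttrs (imap0 administrators config.machine.administrators);
    groups = listToAttrs (map mkusergroup config.machine.administrators);
  };
}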