{
  config,
  lib,
  fn,
  pkgs,
  ...
}:
with lib;
let
  # Which container runtime(s) this machine enables. These decide the runtime
  # group an administrator joins (docker vs podman, never both) and whether
  # rootless-podman sub-id ranges are declared for the account.
  withDocker = config.virtualisation.docker.enable;
  withPodman = config.virtualisation.podman.enable;
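  # Builds one `users.users` entry (as a `listToAttrs` name/value pair) for an
  # administrator record `user`, which must carry `name` and `id`.
  # Each administrator is a declarative normal user in `wheel`, owns a private
  # primary group of the same name (see `mkusergroup`) and gets the login
  # password hash from the sops secret `users/<name>/password`.
  administrators = user: {
    inherit (user) name;
    value = {
      isNormalUser = true;
      inherit (user) name;
      # uid and the private group's gid (see `mkusergroup`) both mirror `user.id`.
      uid = user.id;
      # Rootless podman needs a sub-id range to map container users onto.
      # NOTE(review): every administrator receives the identical range
      # 100000..165535; with more than one administrator the ranges overlap,
      # so their rootless containers map to the same host uids/gids and lose
      # user-to-user isolation. Consider a per-user offset if several
      # administrators run containers on the same machine.
      subUidRanges = optional withPodman {
        startUid = 100000;
        count = 65536;
      };
      subGidRanges = optional withPodman {
        startGid = 100000;
        count = 65536;
      };
      # A plain string: the option accepts any absolute-path string, and this
      # avoids the deprecated `builtins.toPath`, whose path value Nix may try
      # to copy into the store when the user spec is serialised.
      home = "/home/${user.name}";
      createHome = true;
      description = "Administrative user ${user.name}.";
      group = user.name;
      extraGroups =
        [
          "audio"
          # wheel is the sudo group under NixOS's default sudo rules.
          "wheel"
          "network"
        ]
        ++ optionals (lib.elem "desktop" config.machine.services) [
          "input"
          "video"
        ]
        ++ optionals config.services.printing.enable [
          "cups"
          "lp"
        ]
        # Membership in `docker` is effectively root-equivalent (socket
        # access); podman takes precedence when both runtimes are enabled so
        # an administrator is never granted both groups.
        ++ optional (withDocker && !withPodman) "docker"
        ++ optional withPodman "podman";
      shell = "${pkgs.zsh}/bin/zsh";
      # Path of the sops-managed secret declared for this user in `sops.secrets`;
      # it must be decrypted before user creation (`neededForUsers`).
      hashedPasswordFile = config.sops.secrets."users/${user.name}/password".path;
    };
  };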

  # One `users.groups` entry per administrator: a private primary group whose
  # gid mirrors the account's uid and whose sole member is the user itself.
  # Returned as a name/value pair for `listToAttrs`.
  mkusergroup =
    user:
    let
      inherit (user) name;
      gid = user.id;
    in
    {
      inherit name;
      value = {
        inherit name gid;
        members = [ name ];
      };
    };
in
let
  admins = config.machine.administrators;
  # Turn a per-administrator name/value builder into a `users.*` attribute set.
  perAdmin = build: listToAttrs (map build admins);
in
{
  # One sops secret per administrator holding the password hash; `neededForUsers`
  # makes it available early in activation, before the account is created.
  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password") admins {
    neededForUsers = true;
  };
  users = {
    # Fully declarative accounts: imperative useradd/passwd changes do not persist.
    mutableUsers = false;
    users = perAdmin administrators;
    groups = perAdmin mkusergroup;
  };
}