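# Declarative administrator accounts.
#
# Every entry of `config.machine.administrators` (an attrset with at least
# `name` and `id`) becomes a normal user with a private primary group of the
# same name/id, a sops-managed password hash, and the group memberships an
# administrator needs for the services enabled on this host. `mutableUsers` is
# off, so this module is the only source of truth for these accounts.
{ config, lib, fn, pkgs, ... }:

with lib;

let
  withDocker = config.virtualisation.docker.enable;
  withPodman = config.virtualisation.podman.enable;

  # Sub-UID/GID layout for rootless podman. Each administrator gets its own
  # `subIdCount`-sized range starting at `subIdBase + index * subIdCount`.
  # The ranges are deliberately disjoint: handing every user the same
  # 100000..165535 range (as before) would map containers of different
  # administrators onto the same host IDs, so files and processes created by
  # one user's containers would be owned by IDs also granted to another user.
  subIdBase = 100000;
  subIdCount = 65536;

  # Build the `users.users.<name>` entry for administrator `user`.
  # `idx` is the position of `user` in `config.machine.administrators`; it is
  # used only to place the sub-ID range and is not otherwise part of the account.
  mkAdministrator = idx: user: {
    inherit (user) name;
    value =
      let
        cfg = config.services;
        # Hashed password provisioned by sops-nix; declared below with
        # `neededForUsers` so it exists before the user is created.
        passPath = config.sops.secrets."users/${user.name}/password".path;
        subIdStart = subIdBase + idx * subIdCount;
      in {
        isNormalUser = true;
        inherit (user) name;
        uid = user.id;
        # Only podman gets a sub-ID range here; docker is not configured with one.
        subUidRanges = optional withPodman { startUid = subIdStart; count = subIdCount; };
        subGidRanges = optional withPodman { startGid = subIdStart; count = subIdCount; };
        # Plain string instead of the deprecated `builtins.toPath`; `home` is
        # `types.path` and accepts either, with the same resulting value.
        home = "/home/${user.name}";
        createHome = true;
        description = "Administrative user ${user.name}.";
        # Primary group is the per-user group built by `mkUserGroup` below.
        group = user.name;
        extraGroups =
          [ "audio" "wheel" "network" ]
          ++ optionals cfg.xserver.enable [ "input" "video" ]
          ++ optionals cfg.printing.enable [ "cups" "lp" ]
          # Membership in "docker" grants access to the daemon socket and is
          # commonly treated as root-equivalent; acceptable only because these
          # users already hold "wheel". When both runtimes are enabled the
          # user is placed in "podman" instead.
          ++ optional (withDocker && !withPodman) "docker"
          ++ optional withPodman "podman";
        shell = "${pkgs.zsh}/bin/zsh";
        # NOTE(review): `passwordFile` was renamed `hashedPasswordFile` in
        # newer NixOS releases; the old name still evaluates with a warning.
        # Confirm the target release before switching the option name.
        passwordFile = passPath;
      };
  };

  # Build the `users.groups.<name>` entry: one private group per
  # administrator, with gid equal to the user's uid and the user as sole member.
  mkUserGroup = user: {
    inherit (user) name;
    value = {
      inherit (user) name;
      gid = user.id;
      members = [ user.name ];
    };
  };
in {
  # One sops secret per administrator holding the password hash.
  # `neededForUsers = true` makes it available early enough for user creation.
  sops.secrets = fn.sopsHelper (user: "users/${user.name}/password")
    config.machine.administrators { neededForUsers = true; };

  users = {
    # Accounts are fully declarative; nothing here may be changed at runtime.
    mutableUsers = false;
    # `imap0` supplies the index used to keep sub-ID ranges disjoint.
    users = listToAttrs (imap0 mkAdministrator config.machine.administrators);
    groups = listToAttrs (map mkUserGroup config.machine.administrators);
  };
}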