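# NixOS module declaring the shared accounts for this host set.
# Accounts are fully declarative (mutableUsers is forced off) and the password
# hashes come from sops-managed secrets decrypted before user creation
# (neededForUsers), so no hash ever lives in the Nix store.
{ config, pkgs, lib, ... }:
let
  # Provides keys.users.steveej.openssh, the public keys consumed below.
  keys = import ../../../variables/keys.nix;

  # Project helper building a normal-user attribute set from a uid and a
  # password file; its exact output is defined in ../../lib/default.nix.
  inherit (import ../../lib/default.nix { inherit (pkgs) lib; inherit config; }) mkUser;
  inherit (lib) types;

  cfg = config.users.commonUsers;
in
{
  options.users.commonUsers = {
    enable = lib.mkOption {
      default = true;
      type = types.bool;
      description = "Whether to declare the shared root account and its sops-managed password hash.";
    };

    enableNonRoot = lib.mkOption {
      default = true;
      type = types.bool;
      description = "Whether to also declare the non-root account steveej and its secrets.";
    };

    rootPasswordFile = lib.mkOption {
      # Defaults to the sops secret declared below; Nix evaluates this lazily,
      # so disabling the module does not force the secret to exist.
      default = config.sops.secrets.sharedUsers-root.path;
      type = types.path;
      description = "Path to the file holding root's hashed password.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Root's password hash. neededForUsers makes sops decrypt it early enough
    # for the user-creation step to read it.
    sops.secrets.sharedUsers-root = {
      sopsFile = ../../../../secrets/shared-users.yaml;
      neededForUsers = true;
      format = "yaml";
    };

    # steveej's password hash, provisioned the same way as root's.
    sops.secrets.sharedUsers-steveej = lib.mkIf cfg.enableNonRoot {
      sopsFile = ../../../../secrets/shared-users.yaml;
      neededForUsers = true;
      format = "yaml";
    };

    # steveej's SSH public keys kept in sops. Declared but currently not
    # consumed anywhere (see the TODO on root's authorizedKeys below).
    sops.secrets.sharedSshKeys-steveej = lib.mkIf cfg.enableNonRoot {
      sopsFile = ../../../../secrets/shared-users.yaml;
      # neededForUsers = true;
      format = "yaml";
    };

    # Accounts exist only as declared here; imperative changes (passwd, useradd)
    # are discarded on activation.
    users.mutableUsers = lib.mkForce false;

    users.extraUsers.root = {
      # NOTE(review): newer NixOS releases renamed this option to
      # hashedPasswordFile and keep passwordFile as an alias — confirm for
      # the release this configuration targets.
      passwordFile = cfg.rootPasswordFile;
      # Root accepts steveej's keys; whether sshd actually allows root key
      # logins is decided by PermitRootLogin, configured elsewhere.
      openssh.authorizedKeys.keys = keys.users.steveej.openssh;
      # TODO: investigate why this secret cannot be found
      # NOTE(review): keyFiles entries are read at evaluation time into a
      # store file, so a path that only exists at runtime (the sops secret
      # path) cannot be resolved here — likely the cause of the TODO; confirm
      # against the sshd module before re-enabling.
      # openssh.authorizedKeys.keyFiles = [
      #   config.sops.secrets.sharedSshKeys-steveej.path
      # ];
    };

    users.extraUsers.steveej = lib.mkIf cfg.enableNonRoot (mkUser {
      uid = 1000;
      passwordFile = config.sops.secrets.sharedUsers-steveej.path;
    });
  };
}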