# NixOS module: declarative accounts for root and steveej. Password files come
# from sops-nix secrets, root accepts steveej's SSH keys, and U2F is enabled
# in PAM.
{ config, pkgs, ... }:
let
  # Key material shared across the repository (only `users.steveej.openssh`
  # is read in this module).
  keys = import ../../../variables/keys.nix;

  # Project helper that builds a user definition; its body is not shown here.
  inherit (import ../../lib/default.nix { inherit (pkgs) lib; }) mkUser;

  # Both account secrets are read from the same sops-encrypted file.
  sharedUsersSecrets = ../../../../secrets/shared-users.yaml;
in
{
  sops.secrets = {
    # neededForUsers makes sops-nix decrypt the secret before accounts are
    # created, so it can be referenced as a password file below.
    sharedUsers-root = {
      sopsFile = sharedUsersSecrets;
      neededForUsers = true;
    };

    sharedUsers-steveej = {
      sopsFile = sharedUsersSecrets;
      neededForUsers = true;
      format = "yaml";
    };
  };

  users = {
    # Accounts and passwords are defined only by this configuration; changes
    # made at runtime with passwd/useradd do not persist.
    mutableUsers = false;

    extraUsers = {
      root = {
        # NOTE(review): NixOS expects this file to hold a password hash, not a
        # plaintext password. Newer releases call the option
        # hashedPasswordFile; confirm against the pinned nixpkgs.
        passwordFile = config.sops.secrets.sharedUsers-root.path;

        # NOTE(review): steveej's SSH keys log in directly as root, so
        # compromise of any one of them is a full-host compromise with no sudo
        # step in the audit trail. Whether sshd accepts the login depends on
        # PermitRootLogin, which is not set in this file.
        openssh.authorizedKeys.keys = keys.users.steveej.openssh;
      };

      steveej = mkUser {
        uid = 1000;
        passwordFile = config.sops.secrets.sharedUsers-steveej.path;
      };
    };
  };

  security.pam = {
    # NOTE(review): with the NixOS default `security.pam.u2f.control =
    # "sufficient"`, a registered token replaces the password instead of
    # acting as a second factor. Set control to "required" if two-factor
    # authentication is the intent; verify the default on the release in use.
    u2f.enable = true;

    # NOTE(review): attribute names under security.pam.services are PAM
    # service names (files in /etc/pam.d), not user names. This looks like it
    # defines a service called "steveej" rather than scoping U2F to that user;
    # confirm which service (e.g. login, sudo) was meant.
    services.steveej.u2fAuth = true;
  };
}