# NixOS module for the `jawz` account: declares the sops-nix secrets that
# back the account (login password hash and SSH key files) and the account
# itself (groups and SSH authorized keys).
{ config, ... }:
let
  account = config.users.users.jawz;
  host = config.networking.hostName;

  # Build a sops-nix secret entry that is owned by the jawz user/group and
  # exposed under the user's ~/.ssh directory as `fileName`.
  # No `mode` is set here, so the sops-nix default applies.
  # NOTE(review): confirm that default is owner-read-only (0400) in the
  # pinned sops-nix version, since these entries include private keys.
  # The directory is hard-coded to /home/jawz rather than derived from the
  # account's `home` attribute.
  sshKeyAt = fileName: {
    owner = account.name;
    group = account.group;
    path = "/home/jawz/.ssh/${fileName}";
  };
in
{
  sops.secrets = {
    # Must be decrypted before user creation, because the account's
    # hashedPasswordFile below points at this secret.
    jawz-password.neededForUsers = true;

    # age key pair.
    "private_keys/age" = sshKeyAt "ed25519_age";
    "public_keys/age" = sshKeyAt "ed25519_age.pub";

    # Per-host keys: the secret name is looked up by this machine's
    # hostname, so each host needs a matching entry in the sops file.
    "private_keys/${host}" = sshKeyAt "ed25519_${host}";
    "git_private_keys/${host}" = sshKeyAt "ed25519_git";
  };

  users.users.jawz = {
    isNormalUser = true;

    # The password hash is read from the decrypted sops secret instead of
    # being written into the configuration.
    hashedPasswordFile = config.sops.secrets.jawz-password.path;

    # `wheel` grants sudo, and `docker` membership gives access to the Docker
    # socket, which is effectively root on the host. Anyone who can log in as
    # this user should be treated as a host administrator.
    # NOTE(review): the NixOS libvirtd module names its group `libvirtd`;
    # confirm that `libvirt` is defined elsewhere in this configuration.
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "piracy"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
    ];

    # Every key below can open a session as this user, so together with the
    # groups above this list defines who administers the machine. Keep it
    # limited to machines still in use.
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacerocdreyes@100CDREYES"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkpeIV9G26W2/e9PsjBx3sNwPGoicJ807ExRGh4KjhW jawz@server"
      # Read in plain text at evaluation time (not via sops).
      # NOTE(review): confirm ./secrets/ssh holds only public key files in
      # the clear.
      (builtins.readFile ./secrets/ssh/ed25519_workstation.pub)
      (builtins.readFile ./secrets/ssh/ed25519_miniserver.pub)
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBEblxSDhWPEo33crSjooeUg4W02ruENxHLmmBqCuIo jawz@galaxy"
    ];
  };
}