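# User "jawz" on this host: key material decrypted by sops-nix into the
# account's ~/.ssh, plus the account definition that consumes it.
{ config, ... }:
let
  jawz = config.users.users.jawz;
in
{
  sops.secrets =
    let
      # Decrypt one entry of secrets/keys.yaml into the user's ~/.ssh, owned
      # by the user (sops-nix's default file mode applies to these paths).
      keyConfig = file: {
        sopsFile = ./secrets/keys.yaml;
        owner = jawz.name;
        inherit (jawz) group;
        # Taken from the account's configured home rather than a hard-coded
        # "/home/jawz" so the two cannot silently drift apart.
        path = "${jawz.home}/.ssh/${file}";
      };
    in
    {
      # Decrypted before user creation: hashedPasswordFile below reads it.
      jawz-password.neededForUsers = true;
      "private_keys/age" = keyConfig "ed25519_age";
      "public_keys/age" = keyConfig "ed25519_age.pub";
      # Per-host key: both the secret name and the target file carry the hostname.
      "private_keys/${config.networking.hostName}" =
        keyConfig "ed25519_${config.networking.hostName}";
      "git_private_keys/${config.networking.hostName}" = keyConfig "ed25519_git";
    };

  users.users.jawz = {
    linger = true;
    isNormalUser = true;
    hashedPasswordFile = config.sops.secrets.jawz-password.path;
    # NOTE(review): "wheel" and "docker" membership are effectively
    # root-equivalent on this host; keep the list to what the account needs.
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "piracy"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
    ];
    # Public halves only (.pub files committed in the repo); nothing secret
    # is read here.
    openssh.authorizedKeys.keys = map (f: builtins.readFile (./secrets/ssh + "/${f}")) [
      "ed25519_deacero.pub"
      "ed25519_workstation.pub"
      "ed25519_server.pub"
      "ed25519_miniserver.pub"
      "ed25519_galaxy.pub"
    ];
  };
}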