{
  inputs,
  config,
  pkgs,
  ...
}: let
  sopSec = config.sops.secrets;
  secrets = inputs.mysecrets;
in {
  nix.settings.trusted-users = [
    "user"
    "remotebuild"
  ];
  users.mutableUsers = false;
  users.users = {
    user = {
      hashedPasswordFile = sopSec."user-password-hashed".path;
      isNormalUser = true;
      extraGroups = ["wheel" "video" "libvirtd" "dialout"];
      shell = pkgs.fish;
      openssh.authorizedKeys.keyFiles = [
        "${secrets}/ssh/id_ed25519_sarien_user.pub"
        "${secrets}/ssh/id_ed25519_eldrid_user.pub"
      ];
    };
    remotebuild = {
      isNormalUser = true;
      createHome = false;
      group = "remotebuild";
      openssh.authorizedKeys.keyFiles = [
        "${secrets}/ssh/id_ed25519_sarien_user.pub"
        "${secrets}/ssh/id_ed25519_eldrid_user.pub"
        "${secrets}/ssh/id_ed25519_eldrid_rmbuild.pub"
      ];
    };
  };
  users.groups.remotebuild = {};
}