{
  config,
  pkgs,
  ...
}:
{
  sops.secrets."user/password" = {
    neededForUsers = true;
    sopsFile = ./secrets/home.yaml;
  };
  sops.secrets."root/password" = {
    neededForUsers = true;
    sopsFile = ./secrets/home.yaml;
  };
  users = {
    mutableUsers = false;

    users = {
      root = {
        homeMode = "700";
        hashedPasswordFile = config.sops.secrets."root/password".path;
      };
      user = {
        uid = 1000;
        homeMode = "700";
        shell = pkgs.fish;
        isNormalUser = true;
        group = "user";
        extraGroups = [ "libvirt" ];
        hashedPasswordFile = config.sops.secrets."user/password".path;
      };
    };
    groups = {
      user.gid = 1000;
    };
  };
}