# Local account layout for this host: declares the users and groups and wires
# the password hashes of `root` and `user` to sops-nix secrets.
{ config, pkgs, ... }:

let
  # Both password secrets come from the same encrypted file. neededForUsers
  # asks sops-nix to decrypt them early enough for account creation.
  passwordSecret = {
    neededForUsers = true;
    sopsFile = ./secrets/home.yaml;
  };

  # Path of a declared sops secret, e.g. secretPath "root/password".
  secretPath = name: config.sops.secrets.${name}.path;
in
{
  imports = [
    ./home/user.nix
    ./home/root.nix
    ./home/agents.nix
  ];

  sops.secrets = {
    "user/password" = passwordSecret;
    "root/password" = passwordSecret;
  };

  # NOTE(review): with mutableUsers = true NixOS applies hashedPasswordFile only
  # when an account is first created. Rotating the sops secret later does not
  # change an existing password, and a password changed with `passwd` persists
  # across rebuilds. Set this to false if the sops file is meant to be the
  # single source of truth for these passwords.
  users.mutableUsers = true;

  users.users.root = {
    homeMode = "700"; # owner-only home directory
    hashedPasswordFile = secretPath "root/password";
  };

  # users.users.microvm = {
  #   uid = 999;
  #   isSystemUser = true;
  # };

  # users.users.work = {
  #   uid = 1001;
  #   homeMode = "770";
  #   home = "/home/work";
  #   isNormalUser = true;
  #   shell = pkgs.fish;
  #   group = "work";
  #   extraGroups = [
  #     "public"
  #   ];
  #   linger = true;
  # };

  # Secondary account. No password option is set for it in this file.
  # NOTE(review): homeMode "770" makes /home/agent group-writable, and `user`
  # is a member of group `agent` below, so `user` can presumably read and
  # write everything in this home while /home/user (700) stays closed to
  # `agent`. Confirm that one-way trust is intended. A group-writable home
  # also fails sshd's StrictModes check if key-based SSH login to this account
  # is ever needed.
  users.users.agent = {
    isNormalUser = true;
    uid = 1002;
    group = "agent";
    extraGroups = [ "public" ];
    home = "/home/agent";
    homeMode = "770";
    shell = pkgs.fish;
    # Keeps this user's systemd user services running without a login session.
    linger = true;
  };

  # users.users.sandbox = {
  #   uid = 1003;
  #   homeMode = "770";
  #   home = "/home/sandbox";
  #   shell = pkgs.fish;
  #   isNormalUser = true;
  #   group = "sandbox";
  #   extraGroups = [ "public" ];
  #   linger = true;
  # };

  # Primary interactive account; its password hash is read from sops.
  users.users.user = {
    isNormalUser = true;
    uid = 1000;
    group = "user";
    # NOTE(review): `libvirt` and `sandbox` are not declared under users.groups
    # in this file (the sandbox gid is commented out below). Confirm another
    # module defines them, otherwise these two memberships likely have no
    # effect. The stock NixOS libvirtd module names its group `libvirtd`.
    extraGroups = [
      "libvirt"
      "systemd-journal"
      "kvm"
      "public"
      "agent"
      "sandbox"
      # "work"
    ];
    home = "/home/user";
    homeMode = "700"; # owner-only home directory
    shell = pkgs.fish;
    hashedPasswordFile = secretPath "user/password";
    linger = true;
  };

  # Fixed gids for the groups this file owns.
  users.groups = {
    user = { gid = 1000; };
    agent = { gid = 1002; };
    public = { gid = 777; };
    # sandbox = { gid = 1003; };
  };
}