{ lib, self, ... }:
let
  users = [
    {
      name = "error";
      options.admin = true;
    }
    {
      name = "javalsai";
      options.admin = true;
    }
    {
      name = "max";
      options.admin = true;
    }
    {
      name = "vectorum";
    }
  ];

  adminGroups = [
    "adm"
    "named"
    "networkmanager"
    "nginx"
    "tuxcord"
    "wheel"
  ];

  mkUser = name: uid: options: {
    users.users.${name} = {
      isNormalUser = true;
      extraGroups = lib.optionals (options.admin or false) adminGroups;
      inherit uid;

      openssh.authorizedKeys.keys =
        let
          keys = import "${self}/lib/ssh/keys.nix";
        in
        if (builtins.hasAttr name keys) then
          [ keys.${name} ]
        else
          lib.warn "user ${name} declared without ssh key" [ ];
    };

    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
      CPUQuota = "50%";
      CPUWeight = "10";
      IOAccounting = true;
      IOWeight = "10";
      MemoryMax = "2G";
      MemorySwapMax = "1G";
      TasksMax = "100";
    };
  };
in
lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
      options = lib.recursiveUpdate attrs.options (mkUser user.name attrs.uid (user.options or { }));
      uid = attrs.uid + 1;
    })
    {
      options = { };
      uid = 1000;
    }
    users
  ).options
  {
    users.users.root.initialPassword = "tuxcord";
  }