{ lib, self, ... }:
let
  inherit (self.lib) users;

  adminGroups = [
    "adm"
    "named"
    "networkmanager"
    "nginx"
    "tuxcord"
    "wheel"
  ];

  mkUser =
    name: uid: options:
    let
      admin = options.admin or false;
    in
    {
      users.users.${name} = {
        inherit uid;
        isNormalUser = true;
        extraGroups = lib.optionals admin adminGroups;
        openssh.authorizedKeys.keys = self.lib.getSSHKeys name;
      };

      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
        CPUQuota = "50%";
        CPUWeight = "10";
        IOAccounting = true;
        IOWeight = "10";
        MemoryMax = "2G";
        MemorySwapMax = "1G";
        TasksMax = "100";
      };
    };
in
lib.recursiveUpdate
  (builtins.foldl'
    (attrs: user: {
      options = lib.recursiveUpdate attrs.options (
        mkUser user.name attrs.uid (user.value.options or { })
      );
      uid = attrs.uid + 1;
    })
    {
      options = { };
      uid = 1000;
    }
    (lib.attrsToList users)
  ).options
  {
    users.users.root = {
      initialPassword = "tuxcord";
      openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
    };
  }