# NixOS module fragment: declares the login accounts, a per-user systemd
# resource slice for each of them, and root's credentials.
#
# Arguments:
#   lib  - list/attrset helpers and lib.warn
#   self - interpolated into the path of lib/ssh/keys.nix
#
# Result: a single attribute set holding users.users.<name>,
# systemd.slices."user-<uid>" for every listed account, and users.users.root.
{ lib, self, ... }:
let
  # Declared accounts. Order is significant: uids are assigned by list
  # position starting at firstUid, so inserting or removing an entry shifts
  # the uid (and the slice name) of every later account. Files already owned
  # by the old uid then belong to a different person; append new accounts at
  # the end.
  accounts = [
    { name = "error"; options.admin = true; }
    { name = "javalsai"; options.admin = true; }
    { name = "max"; options.admin = true; }
    { name = "vectorum"; }
    { name = "pickzelle"; }
  ];

  firstUid = 1000;

  # Supplementary groups granted to accounts with options.admin = true.
  # NOTE(review): "wheel" is conventionally the sudo group; whether it grants
  # root here depends on sudo/polkit configuration outside this file.
  privilegedGroups = [
    "adm"
    "named"
    "networkmanager"
    "nginx"
    "tuxcord"
    "wheel"
  ];

  # Key table loaded from the flake source; looked up by user name.
  authorizedKeys = import "${self}/lib/ssh/keys.nix";

  # Public keys for `username`, always as a list. An account without an
  # entry yields an empty list and an evaluation-time warning; no password is
  # set for normal users in this file, so that account gets no login
  # credential from this module.
  keysFor =
    username:
    if builtins.hasAttr username authorizedKeys then
      lib.lists.toList authorizedKeys.${username}
    else
      lib.warn "user ${username} declared without ssh key" [ ];

  # Build the account definition plus its resource slice for one user.
  mkAccount = name: uid: options: {
    users.users.${name} = {
      inherit uid;
      isNormalUser = true;
      extraGroups = lib.optionals (options.admin or false) privilegedGroups;
      openssh.authorizedKeys.keys = keysFor name;
    };

    # Limits are keyed on the numeric uid and apply to every listed account,
    # admins included. Root gets no slice from this file.
    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
      CPUQuota = "50%";
      CPUWeight = "10";
      IOAccounting = true;
      IOWeight = "10";
      MemoryMax = "2G";
      MemorySwapMax = "1G";
      TasksMax = "100";
    };
  };

  # One fragment per account; the uid is firstUid plus the list index.
  perAccount = lib.imap0 (
    index: account: mkAccount account.name (firstUid + index) (account.options or { })
  ) accounts;

  # All per-account fragments merged into one attribute set.
  mergedAccounts = builtins.foldl' lib.recursiveUpdate { } perAccount;
in
lib.recursiveUpdate mergedAccounts {
  users.users.root = {
    # NOTE(review): this password is a plaintext literal in the source, so
    # it is readable by anyone with access to the repository. NixOS documents
    # initialPassword as world-readable in the Nix store and intended only
    # for passwords that are changed promptly. Consider hashedPasswordFile
    # fed from a secrets mechanism, or leaving root without a password and
    # relying on keys plus sudo.
    initialPassword = "tuxcord";

    # Root accepts the SSH keys of every admin account.
    # NOTE(review): if sshd permits root login, sessions authenticated this
    # way all appear as "root", so per-person attribution has to come from
    # the key fingerprint in the sshd log. Confirm PermitRootLogin is set as
    # intended elsewhere.
    openssh.authorizedKeys.keys = lib.concatMap (account: keysFor account.name) (
      builtins.filter (account: account.options.admin or false) accounts
    );
  };
}