{
  config,
  pkgs,
  lib,
  ...
}:
with lib;
{
  options.features.users = {
    enable = mkEnableOption "enable default users";
    name = mkOption {
      type = types.str;
      default = "fw";
      description = "Primary user account name.";
    };
    fullName = mkOption {
      type = types.str;
      default = "Fredrik Wastring";
      description = "Primary user full name.";
    };
    initialPassword = mkOption {
      type = types.str;
      default = "password";
      description = "Initial password for the primary user.";
    };
    extraGroups = mkOption {
      type = types.listOf types.str;
      default = [
        "networkmanager"
        "wheel"
        "audio"
        "docker"
        "input"
      ];
      description = "Additional groups for the primary user.";
    };
    sshAuthorizedKeys = mkOption {
      type = types.listOf types.str;
      default = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFpJBGPIfPB1BwSG7aoKqwfccyZSaU7J3xpJ8behMp9N fw@core"
      ];
      description = "SSH authorized keys for the primary user.";
    };
  };

  config = mkIf config.features.users.enable {
    users = {
      defaultUserShell = pkgs.bash;
      users = {
        ${config.features.users.name} = {
          initialPassword = config.features.users.initialPassword;
          isNormalUser = true;
          description = config.features.users.fullName;
          extraGroups = config.features.users.extraGroups;
          openssh.authorizedKeys = {
            keys = config.features.users.sshAuthorizedKeys;
          };
        };
      };
    };
  };
}