{
  config,
  pkgs,
  lib,
  ...
}: let
  cfg = config.soispha.users;
in {
  options.soispha.users = {
    enable = lib.mkEnableOption "user set-up for soispha";
    hashedPassword = lib.mkOption {
      type = lib.types.str;
      example = lib.literalExpression "$y$jFT$ONrCqZIJKB7engmfA4orD/$0GO58/wV5wrYWj0cyONhyujZPjFmbT0XKtx2AvXLG0B";
      description = "The hashed password of the user";
    };
    groups = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = ["wheel"];
      description = "The groups the soispha user should be part of";
    };

    # Although deprecated, this helps with old udev rules, that still use this group.
    # TODO: Try to find a way to remove this option (i.e. set it always to false).
    enableDeprecatedPlugdev = lib.mkEnableOption "the deprecated plugdev group for the user";
  };

  config = lib.mkIf cfg.enable {
    # Ensure that the default shell of the user is actually enabled.
    programs.zsh.enable = true;

    users = {
      mutableUsers = false;

      users.soispha = {
        isNormalUser = true;
        home = "/home/soispha";
        createHome = true;
        shell = pkgs.zsh;
        initialHashedPassword = cfg.hashedPassword;
        extraGroups = cfg.groups ++ lib.optional cfg.enableDeprecatedPlugdev "plugdev";

        uid = 1000;
        openssh.authorizedKeys.keys = [
          # TODO: This should be parameterized. <2024-05-16>
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIME4ZVa+IoZf6T3U08JG93i6QIAJ4amm7mkBzO14JSkz"
        ];
      };
    };
  };
}