{
  config,
  lib,
  pkgs,
  inputs,
  ...
}:
let
  inherit (lib) types;
  cfg = config.mtxyz.user;
in {
  options.mtxyz.user = {
    extraGroups = lib.mkOption {
      type = (types.listOf types.str);
      default = [ ];
    };
    extraOptions = lib.mkOption {
      type = types.attrs;
      default = { };
    };
    name = lib.mkOption {
      type = types.str;
      default = "mtxyz";
    };
  };

  config = {
    users.users.${cfg.name} = {
      openssh.authorizedKeys.keyFiles = [
        "${inputs.self}/secrets/authorized_keys"
      ];
      isNormalUser = true;
      extraGroups = [ "wheel" "dialout" ] ++ cfg.extraGroups;
      initialPassword = "";
      linger = true;
    } // cfg.extraOptions;

    users.defaultUserShell = pkgs.fish;
    programs.fish.enable = true;
  };
}