{
  lib,
  config,
  ...
}: {
  imports = with lib.nixosModules; [secrets];

  sops.secrets = {
    root-password = {
      sopsFile = lib.secrets.users;
      neededForUsers = true;
    };
    user-password = {
      sopsFile = lib.secrets.users;
      neededForUsers = true;
    };
  };

  users = {
    mutableUsers = false;
    users = {
      root = {
        isSystemUser = true;
        hashedPassword = null;
        hashedPasswordFile = config.sops.secrets.root-password.path;
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
      user = {
        isNormalUser = true;
        extraGroups = ["wheel"];
        hashedPassword = null;
        hashedPasswordFile = config.sops.secrets.user-password.path;
        openssh.authorizedKeys.keys = with lib.sshKeys; [
          lp1.user
          lp2.user
        ];
      };
    };
  };
}