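# NixOS module: declarative user accounts for server hosts.
#
# Enabled with `my.utils.serverNodeUsers.enable = true`. When enabled it makes
# the user database immutable, locks root's password, creates the `pazpi`
# account in `wheel`, and authorises one shared SSH key list for both accounts.
{ lib, config, pkgs, ... }:
let
  cfg = config.my.utils.serverNodeUsers;

  gitlabUsername = "pazpi";

  # Keys maintained by hand in this repository.
  localKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDhiGLc/whCY3lCmDiRlYnMJOLiO/gvcRj/sKVEFVAhQ pazpi@deadbeef"
    # Add more local keys as needed
  ];

  # Public keys published on the GitLab profile. The fetch is pinned by
  # `sha256`, so the authorised key set is whatever matched that hash when it
  # was recorded: adding or removing a key on GitLab makes the fetch fail with
  # a hash mismatch until the hash is reviewed and updated here, rather than
  # silently changing who can log in.
  gitlabKeysFile = pkgs.fetchurl {
    url = "https://gitlab.com/${gitlabUsername}.keys";
    sha256 = "tHC4DBRO8mXBLFBqGiZlgyY5Pzpl4AMeURCni6H7IjI=";
  };

  # Reading a derivation output at evaluation time is import-from-derivation:
  # the file has to be fetched before the configuration can be evaluated.
  # Splitting on "\n" yields an empty string for a trailing newline or a blank
  # line, so empty entries are dropped instead of being passed on as keys.
  gitlabKeys = builtins.filter (key: key != "") (
    lib.splitString "\n" (builtins.readFile gitlabKeysFile)
  );

  # Every key in this list is authorised for BOTH root and pazpi below.
  sshKeys = localKeys ++ gitlabKeys;
in
{
  options.my.utils.serverNodeUsers = {
    enable = lib.mkEnableOption "Set users for server hosts";
  };

  config = lib.mkIf cfg.enable {
    users = {
      # With mutableUsers = false the contents of the user and group files are
      # simply replaced on system activation. This also holds for passwords:
      # any password changed at runtime is reset to what `users.users`
      # declares on the next activation.
      mutableUsers = false;

      users.root = {
        # "!" is not a valid password hash, so password login for root is
        # locked. Key-based access still depends on the sshd configuration,
        # which is not set in this module.
        hashedPassword = "!";
        # NOTE(review): the same keys as the admin user are accepted for root;
        # confirm direct root SSH login is intended, since `pazpi` is already
        # in `wheel`.
        openssh.authorizedKeys.keys = sshKeys;
      };

      users.pazpi = {
        isNormalUser = true;
        # NOTE(review): this hash is committed with the configuration and is
        # copied into the world-readable Nix store, where it is exposed to
        # offline guessing by anyone who can read either. Consider
        # `hashedPasswordFile` pointing at a secret provisioned outside the
        # store.
        hashedPassword = "$y$j9T$oWLCV1hnGPyOGabMfAS3p1$/iwouRZGwQXcv6IHnLuT3I9.pmeXNpcHxq.b8xfitr1";
        shell = pkgs.bash;
        # Membership in `wheel` is the usual route to sudo on NixOS.
        extraGroups = [ "wheel" ];
        openssh.authorizedKeys.keys = sshKeys;
      };
    };
  };
}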