{ lib, config, ... }:

let
  inherit (lib) mkIf mkOption types;

  # The admin account is deliberately not called "admin"/"root": a less
  # guessable login name reduces the attack surface of my servers.
  adminUser = "crown";
  # sops secret holding the password hash for that account.
  secretName = "users/crown";
in
{
  imports = [ ../ssh.nix ];

  # Opt-out switch; the account is created unless this is set to true.
  options.admin.disable = mkOption {
    type = types.bool;
    default = false;
    description = "disable admin user";
  };

  config = mkIf (!config.admin.disable) {
    # Make the secret available early enough for user creation (sops-nix
    # provisions neededForUsers secrets before the users are set up).
    sops.secrets.${secretName}.neededForUsers = true;

    # required for sops to touch the password: with immutable users the
    # account state (including the hash) comes only from this config
    users.mutableUsers = false;

    users.groups.${adminUser} = { };

    users.users.${adminUser} = {
      isNormalUser = true;
      description = "wikipedia.org/wiki/Root_crown";
      home = "/home/crown";
      createHome = true;
      useDefaultShell = true;
      group = adminUser;
      # wheel membership is what grants administrative (sudo) rights under
      # the default NixOS sudo configuration -- this is the privileged account
      extraGroups = [ "wheel" ];
      # Password hash is read from the sops-managed file, never stored in the
      # Nix store / this repository.
      hashedPasswordFile = config.sops.secrets.${secretName}.path;
      # SSH keys are shared with the rest of the machine via ../ssh.nix
      openssh.authorizedKeys.keys = config.ssh.keys;
    };
  };
}