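# NixOS module for the "media" user: account definition, persisted home
# directories, sops-nix secrets (login password hash and SSH key pair), an
# activation script that repairs ~/.ssh ownership, and the home-manager entry.
{
  pkgs,
  inputs,
  config,
  lib,
  ...
}: let
  username = "media";
  # Every file found under ../keys (recursively) is treated as a public key.
  pubKeys = lib.filesystem.listFilesRecursive ../keys;
  hostname = config.networking.hostName;
  # Use null (the option's "unset" value) rather than an empty string when
  # sops-nix is not among the flake inputs, so the account is never configured
  # with a password file path of "".
  # NOTE(review): sops.secrets is still set unconditionally further down, so
  # this module presumably only evaluates when sops-nix is imported; confirm.
  sopsHashedPasswordFile =
    if lib.hasAttr "sops-nix" inputs
    then config.sops.secrets."passwords/${username}".path
    else null;
  secretsDirectory = builtins.toString inputs.nix-secrets;
  secretsFile = "${secretsDirectory}/secrets.yaml";
in {
  users.users.${username} = {
    isNormalUser = true;
    shell = pkgs.zsh; # default shell
    hashedPasswordFile = sopsHashedPasswordFile;
    # Each file under ../keys becomes an authorized SSH key for this account,
    # so adding a file to that directory grants login as a "wheel" member.
    openssh.authorizedKeys.keys = map builtins.readFile pubKeys;

    extraGroups = [
      "scanner"
      "lp"
      # Administrative group. This account also runs Flatpak and Steam
      # software, so anything running as it can attempt privilege escalation.
      # NOTE(review): confirm this account really needs "wheel".
      "wheel"
    ];

    packages = with pkgs; [
      flatpak
      gnome.gnome-software
    ];
  };

  # Home directories kept across reboots under /persist.
  environment.persistence."/persist" = {
    hideMounts = true;
    users.${username} = {
      directories = [
        "Sync"
        "Keep"
        # Holds the SSH key paths declared in sops.secrets below.
        ".ssh"
        ".config"
        ".mozilla"
        ".local"
        ".zotero"
        ".var"
        ".steam"
      ];
      files = [
      ];
    };
  };

  sops.secrets = {
    # Password hash referenced by hashedPasswordFile above; neededForUsers
    # makes it available before user accounts are created.
    "passwords/${username}" = {
      sopsFile = secretsFile;
      neededForUsers = true;
    };
    # Private key: readable by the owner only. No sopsFile is given for the two
    # key entries, so they come from the sops-nix default file rather than
    # secretsFile.
    "ssh_keys/${username}/id_ed25519" = {
      path = "/home/${username}/.ssh/id_ed25519";
      mode = "0600";
      owner = username;
    };
    "ssh_keys/${username}/id_ed25519.pub" = {
      path = "/home/${username}/.ssh/id_ed25519.pub";
      mode = "0644";
      owner = username;
    };
  };

  # The containing ssh folders are created as root and if this is the first ~/.ssh/ entry when writing keys,
  # the ownership is busted and home-manager can't target because it can't write into .ssh...
  # FIXME: We might not need this depending on how https://github.com/Mic92/sops-nix/issues/381 is fixed
  #
  # The attribute name keeps its original spelling ("Ownwership") because other
  # modules may refer to it by name.
  # NOTE(review): no deps are declared, so the ordering relative to user
  # creation and secret installation is not pinned here; confirm it runs after
  # both. mkdir -p also leaves the directory mode to the script's umask;
  # confirm ~/.ssh ends up 0700.
  system.activationScripts.sopsSetSshOwnwership = let
    sshFolder = "/home/${username}/.ssh";
    user = config.users.users.${username}.name;
    group = config.users.users.${username}.group;
  in ''
    mkdir -p "${sshFolder}" || true
    chown -R "${user}:${group}" "${sshFolder}"
  '';

  services.flatpak.enable = true;

  programs.zsh.enable = true;
  # Lets non-root users pass allow_other to FUSE mounts, exposing such mounts
  # to other local users.
  programs.fuse.userAllowOther = true;

  home-manager = {
    extraSpecialArgs = {inherit inputs;};
    users = {
      ${username} = import ../../../../home/${hostname}.nix;
    };
  };
}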