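# Declares the `noah` account, its password secret, its SSH keys and the `nas` group.
#
# Arguments:
#   pkgs, lib, config - the usual package set, library and evaluated configuration.
#   extraGroups       - additional groups appended to the account's group list.
#
# NOTE(review): if this file is loaded through the NixOS module system, the
# `extraGroups ? [ ]` default is presumably never used, because the module
# system supplies every named argument itself. Confirm how the importing
# configuration passes it.
{ pkgs, lib, config, extraGroups ? [ ], ... }:
{
  # Declarative-only options.
  # I don't want to allow ad-hoc modification of users on the system.
  # Users must be declared either as part of a package or in this file.
  users.mutableUsers = false;

  # Age-encrypted file holding the hashed login password. It is readable by
  # root only; no other account needs access to the hash.
  age.secrets.noah-password = {
    file = ./secrets/noah-hashed-password.age;
    owner = "root";
    group = "root";
  };

  # Define the user account. Because users.mutableUsers is false, the password
  # comes only from hashedPasswordFile below; one set with `passwd` would be
  # replaced on the next system activation.
  users.users.noah = {
    isNormalUser = true;
    shell = pkgs.fish;
    # "wheel" enables `sudo` for the user.
    extraGroups = [ "wheel" "video" "nas" ] ++ extraGroups;
    hashedPasswordFile = config.age.secrets.noah-password.path;

    # SSH public keys are fetched from a remote key list, one key per line.
    # The file normally ends with a newline, so splitting on "\n" leaves an
    # empty final element; the filter drops it (and any blank lines) so that
    # only real key entries are installed.
    openssh.authorizedKeys.keys = builtins.filter (key: key != "") (
      lib.strings.splitString "\n" (
        builtins.readFile (
          builtins.fetchurl {
            url = "https://meta.sr.ht/~chiefnoah.keys";
            name = "chiefnoah.keys";
            # The pinned hash is what stops a changed remote key list from
            # silently changing who can log in: a mismatch fails evaluation.
            # Read the fetched key list and confirm every key is expected
            # before pinning a new hash.
            # Update this with:
            # `curl https://meta.sr.ht/~chiefnoah.keys | sha256sum`
            sha256 = "0wdnx25blqihbgaa0hzd39mjqwki92ambar097hjfmlrxg1s4lk7";
          }
        )
      )
    );
  };

  # Fixed gid for the `nas` group.
  # NOTE(review): presumably pinned so it matches ownership on shared storage; confirm.
  users.groups.nas.gid = 1001;
}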