{ ... }:

{
  users.users.ldx = {
    isNormalUser = true;
    extraGroups = [ "wheel" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKMNHFTC5HMO3IsggHpA+eVSCyhZSmDZz7aV62IFt7sj"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEFw6Bsat10YClOV0dQWXRUZlaAork5I1QVNBwkZebOM ldx@skydick"
    ];
  };

  security.sudo.wheelNeedsPassword = true;

  # deploy-rs needs passwordless sudo for system activation
  security.sudo.extraRules = [
    {
      users = [ "ldx" ];
      commands = [
        { command = "/nix/store/*/activate"; options = [ "NOPASSWD" ]; }
        { command = "/nix/store/*/bin/switch-to-configuration"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/nix-env"; options = [ "NOPASSWD" ]; }
        { command = "/nix/store/*/bin/nix-env"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/systemctl"; options = [ "NOPASSWD" ]; }
        { command = "/nix/store/*/bin/systemctl"; options = [ "NOPASSWD" ]; }
        { command = "/run/current-system/sw/bin/reboot"; options = [ "NOPASSWD" ]; }
      ];
    }
  ];
}