# NixOS module: sets the login password of root, and of the primary user when
# that archetype is enabled, from one password hash managed by sops-nix.
#
# Both accounts read the SAME hash file, so they share one credential; anyone
# who learns or cracks it gains both accounts. Rotating it means re-encrypting
# ./resources/secrets/hashed-root-password.yaml.
{ lib, config, pkgs, userDetails, ... }:
let
  moduleCfg = config._archetypes.tjkeller.setPasswords;

  # Path of the decrypted secret as exposed by sops-nix; only this path, not
  # the hash itself, is referenced from the configuration.
  rootHashPath = config.sops.secrets.hashed-root-password.path;
in
{
  options._archetypes.tjkeller.setPasswords.enable =
    lib.mkEnableOption "set users password. requires hashed root password from sops";

  config = lib.mkIf moduleCfg.enable {
    # Declare the sops secret holding the hash. neededForUsers asks sops-nix to
    # decrypt it early enough to be readable when NixOS sets up user accounts.
    sops.secrets.hashed-root-password = {
      neededForUsers = true;
      sopsFile = ./resources/secrets/hashed-root-password.yaml;
    };

    # Point the accounts at the decrypted hash file.
    # NOTE(review): this module does not set users.mutableUsers. When that
    # option is left enabled, NixOS only applies password options to accounts
    # it creates and does not overwrite an existing password -- confirm the
    # host's setting if the hash is expected to be enforced on every rebuild.
    users.users = {
      root.hashedPasswordFile = rootHashPath;

      # The primary user gets the same hash, but only if that archetype is on.
      ${userDetails.username} = lib.mkIf config._archetypes.users.primary.enable {
        hashedPasswordFile = rootHashPath;
      };
    };
  };
}