{
  config,
  lib,
  ...
}:
let
  homeModules = config.flake.modules.homeManager;

  kiri = {
    name = "kiri";
    realName = "Jelle Spreeuwenberg";
    homeDirectory = "/home/kiri";
    emails = {
      main = {
        address = "mail@jelles.net";
        primary = true;
        type = "mxrouting";
      };
      old = {
        address = "mail@jellespreeuwenberg.nl";
        primary = false;
        type = "mxrouting";
      };
      uni = {
        address = "j.spreeuwenberg@student.tue.nl";
        primary = false;
        type = "office365";
      };
      work = {
        address = "jelle.spreeuwenberg@yookr.org";
        primary = false;
        type = "office365";
      };
    };
  };

  ergon = {
    name = "ergon";
    realName = "Jelle Spreeuwenberg";
    homeDirectory = "/home/ergon";
    emails = {
      work = {
        address = "jelle.spreeuwenberg@yookr.org";
        primary = true;
        type = "office365";
      };
    };
  };

  mkUserModules =
    {
      name,
      extraHomeImports ? [ ],
    }:
    let
      userModuleName = "user-${name}";
      workstationModuleName = "${name}-workstation";
    in
    {
      nixos =
        {
          config,
          pkgs,
          ...
        }:
        let
          account = config.meta.host.users.${name};
          primaryEmails = lib.filter (email: email.primary) (builtins.attrValues account.emails);
          isWorkstation = config.meta.host.kind == "workstation";
          hasWorkstationModule = builtins.hasAttr workstationModuleName homeModules;
        in
        {
          assertions = [
            {
              assertion = builtins.length primaryEmails == 1;
              message = "User ${name} must define exactly one primary email entry.";
            }
          ];

          programs.zsh.enable = true;

          sops.secrets = lib.optionalAttrs isWorkstation {
            "hashed-password-${name}".neededForUsers = true;
          };

          users.users.${name} = {
            name = account.name;
            home = account.homeDirectory;
            isNormalUser = true;
            shell = pkgs.zsh;
            extraGroups = [
              "wheel"
              "networkmanager"
            ];
          }
          // lib.optionalAttrs isWorkstation {
            hashedPasswordFile = config.sops.secrets."hashed-password-${name}".path;
          };

          home-manager.users.${name} = {
            imports = [
              homeModules.${userModuleName}
            ]
            ++ lib.optionals (isWorkstation && hasWorkstationModule) [
              homeModules.${workstationModuleName}
            ];
            meta = {
              host = config.meta.host;
              user = account;
            };
          };
        };

      homeManager =
        { config, ... }:
        let
          account = config.meta.user;
        in
        {
          home = {
            username = account.name;
            homeDirectory = account.homeDirectory;
            stateVersion = "24.05";
          };

          imports = [
            homeModules."user-base"
          ]
          ++ extraHomeImports;
        };
    };

  kiriModules = mkUserModules {
    name = "kiri";
    extraHomeImports = [
      homeModules.syncthing
    ];
  };

  ergonModules = mkUserModules {
    name = "ergon";
  };
in
{
  meta.lib.users = {
    inherit
      ergon
      kiri
      ;
  };

  flake.modules.nixos."user-kiri" = kiriModules.nixos;
  flake.modules.nixos."user-ergon" = ergonModules.nixos;

  flake.modules.homeManager."user-kiri" = kiriModules.homeManager;
  flake.modules.homeManager."user-ergon" = ergonModules.homeManager;
}