# NixOS module: declares fixed-UID service accounts and a same-named primary
# group for each of them.
{ pkgs, ... }:
let
  # Account table. An entry is either a bare integer (used as both UID and
  # GID) or an attribute set with `uid` plus optional `gid`, `shell`,
  # `extraGroups`, `authorizedKeys` and `home`.
  systemUsers = {
    gitea = {
      uid = 2001;
      extraGroups = [ "git" ];
    };
    # timetagger = 2002;  (disabled entry; 2002 is not assigned in this table)
    pocket-id = 2003;
    bookstack = 2004;
    mariadb = 2005;
    focalboard = 2006;
    offen = 2007;

    # The only account here that accepts SSH logins. git-shell confines the
    # session to git's server-side commands (plus anything placed in
    # ~/git-shell-commands).
    # NOTE(review): the key below carries no options, so port/agent forwarding
    # is limited only by the sshd configuration, which is not visible in this
    # file. Confirm that is intended, or prefix the key with `restrict`.
    public-html = {
      uid = 2008;
      shell = "${pkgs.git}/bin/git-shell";
      authorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPiqbLAXpBkjXnHLvz3VCd5i+VmYdd9dAcRt+8E1OQX drew@vega"
      ];
      home = "/tank/web";
    };
  };

  # Values used for any field an entry leaves unset: no shell override, no
  # supplementary groups, no SSH keys, and an empty home directory.
  userDefaults = {
    shell = null;
    extraGroups = [ ];
    authorizedKeys = [ ];
    home = "/var/empty";
  };

  # Build the users.users.<name> definition for one table entry.
  mkUser = name: value:
    let
      # Integer entries contribute no overrides of their own.
      given = if builtins.isAttrs value then value else { };
      cfg = userDefaults // given;
    in
    {
      # Explicit `uid` when given, otherwise the entry itself is the UID.
      uid = given.uid or value;
      # Required by NixOS; with a pinned UID it only affects UID allocation.
      isSystemUser = true;
      description = "System User for ${name}";
      # Primary group carries the account's own name (created by mkGroup).
      group = name;
      shell = cfg.shell;
      extraGroups = cfg.extraGroups;
      openssh.authorizedKeys.keys = cfg.authorizedKeys;
      home = cfg.home;
    };

  # Build the users.groups.<name> definition for one table entry.
  # GID precedence: the integer entry itself, then `gid`, then `uid`.
  mkGroup = name: value: {
    gid = if builtins.isInt value then value else value.gid or value.uid;
  };
in
{
  users = {
    users = builtins.mapAttrs mkUser systemUsers;

    # `//` prefers its right-hand side, so the entries below would replace a
    # generated group of the same name.
    groups = builtins.mapAttrs mkGroup systemUsers // {
      # Legacy groups.
      git.gid = 992;
    };
  };
}