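# NixOS module: declares the primary user account, marks it as a trusted Nix
# user, and grants that account passwordless sudo for a short list of commands.
#
# Arguments:
#   pkgs     - package set; only `pkgs.nix` is read (to locate `nix-store`).
#   username - login name of the account to create.
{ pkgs, username, ... }:
let
  # Directory holding the Nix CLI tools (`nix-store`, ...).
  binPath = "${pkgs.nix}/bin";

  # Stable path of the system profile's binaries. `reboot` and `poweroff` are
  # not shipped in `pkgs.nix`, so rules pointing at `${binPath}` never matched.
  systemBin = "/run/current-system/sw/bin";
in
{
  # Trusted users may override Nix settings and import unsigned store paths;
  # the Nix manual treats this as essentially equivalent to root access.
  nix.settings.trusted-users = [ username ];

  # Define a user account.
  users = {
    users."${username}" = {
      # Salted password hash, generated by running `mkpasswd`.
      # NOTE(review): a hash written here is evaluated into the world-readable
      # Nix store (and usually into version control); consider
      # `hashedPasswordFile` pointing at a root-only file instead.
      hashedPassword = "$y$j9T$inkrp6FuM46uoPFVrOlbz1$igJed6pECf4AENVaLT4mk.Q4z02MmxjWnGo.OVvCyC.";
      home = "/home/${username}";
      isNormalUser = true;
      description = username;
      # NOTE(review): `nixbld` is the group the Nix daemon draws its build
      # users from; a login account normally should not be a member - confirm
      # this is intentional.
      extraGroups = [
        "users"
        "wheel"
        "networkmanager"
        "audio"
        "nixbld"
      ];
      openssh.authorizedKeys.keys = [ ];
    };
  };

  # Do NOT prompt the specified user for a password when running `nix-store`,
  # `nixos-rebuild`, `reboot` or `poweroff` through sudo.
  #
  # NOPASSWD on `nix-store` and on `nixos-rebuild` (with SETENV) lets this
  # account reach root without re-authenticating, so the account's own login
  # credentials become the effective privilege boundary.
  security.sudo = {
    # wheelNeedsPassword = false;
    extraRules = [
      {
        users = [ username ];
        commands = [
          {
            command = "${binPath}/nix-store";
            options = [ "NOPASSWD" ];
          }
          {
            command = "${systemBin}/nixos-rebuild";
            options = [
              "NOPASSWD"
              "SETENV"
            ];
          }
          {
            # Fixed: previously "${binPath}/reboot", a path that does not exist.
            command = "${systemBin}/reboot";
            options = [ "NOPASSWD" ];
          }
          {
            # Fixed: previously "${binPath}/poweroff", a path that does not exist.
            command = "${systemBin}/poweroff";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };
}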