{ config, lib, pkgs, ...}:

{
  users.users.deploy = {
    isNormalUser = true;
    home = "/var/empty";
    group = "deploy";
  };

  users.groups.deploy = {};

  users.users.deploy.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILXwl+UyfeN/9M/z21mlVS3guYEqIjtgAf5pCPkjXhR0"
  ];

  security.sudo.extraRules = [
    {
      users = [ "deploy" ];
      runAs = "root";
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
}