# "secret" consumer
#
# Extends every `users.users.<name>` entry with a `passwordSecret` option typed
# by the "secret" contract's consumer type. When a provider is set on that
# option, the path the provider reports becomes the user's `hashedPasswordFile`.
{ config, lib, ... }:
let
  # The submodule below takes its own `config` argument, which shadows this
  # one; keep a handle on the top-level configuration to reach `contracts`.
  outerConfig = config;
  inherit (lib) mkIf mkOption types;
in
{
  options.users.users = mkOption {
    type = types.attrsOf (types.submodule ({ config, ... }:
      let
        # `config` here is the per-user submodule configuration.
        secret = config.passwordSecret;
        # Both definitions below are gated on a provider being selected.
        hasProvider = secret.provider != null;
      in
      {
        # NOTE(review): the type is `nullOr`, yet `.provider` is read from the
        # value without a null check on `passwordSecret` itself, and no
        # `default` is declared here. Confirm against the contract's consumer
        # type that a user without a secret still evaluates.
        options.passwordSecret = mkOption {
          type = types.nullOr outerConfig.contracts.secret.consumer;
        };

        config = {
          # The password hash is referenced by path only; this module never
          # handles the secret's content.
          hashedPasswordFile = mkIf hasProvider secret.output.path;

          # Request made to the provider: root owner and group, mode 0400
          # (read-only for the owner, no access for group or others).
          # Presumably the provider creates the file with exactly these
          # attributes - verify in the provider implementation.
          passwordSecret.input = mkIf hasProvider {
            owner = "root";
            group = "root";
            mode = "0400";
          };
        };
      }));
  };
}