{
  pkgs,
  lib,
  config,
  ...
}: let
  cfg = config.services.power;
in {
  options.services.power = {
    target.enable = lib.mkEnableOption "power management through some controller";
  };

  config = lib.mkIf cfg.target.enable {
    users.users.power-target = {
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [../secrets/pub/yubikey.pub ../secrets/pub/power-management-key.pub];
      group = "power-target";
      packages = [pkgs.pmutils];
    };
    users.groups.power-target = {};

    security.sudo.extraRules = lib.mkAfter [
      {
        users = [config.users.users.power-target.name];
        commands = lib.singleton {
          command = "/etc/profiles/per-user/${config.users.users.power-target.name}/bin/pm-suspend";
          options = lib.singleton "NOPASSWD";
        };
      }
    ];
  };
}