{
  pkgs,
  lib,
  config,
  ...
}:
let
  allowManageGroups = [
    "root"
    "wheel"
    "lpadmin"
  ];
  polkitAllowGroups = builtins.concatStringsSep "||" (
    builtins.map (group: ''subject.isInGroup("${group}")'') allowManageGroups
  );
in
{
  services.printing = {
    enable = true;
    drivers = [
      pkgs.brlaser
      pkgs.gutenprint
    ];

    extraFilesConf = ''
      SystemGroup ${builtins.concatStringsSep " " allowManageGroups}
    '';
  };

  security.polkit = {
    enable = true;

    extraConfig = ''
      polkit.addRule(function(action, subject) {
        var actionMatchs = (
          action.id.indexOf('org.opensuse.cupspkhelper.mechanism.') === 0
        );
        if (actionMatchs) {
          if (${polkitAllowGroups}) {
            return polkit.Result.YES
          }
        }
      });
    '';
  };

  hardware.sane = {
    enable = true;
  };

  users.groups.lpadmin.members = lib.pipe config.users.users [
    (lib.attrsets.filterAttrs (name: value: value.isNormalUser))
    (lib.attrsets.attrsToList)
    (lib.map (user: user.name))
  ];

  users.groups.lp.members = lib.pipe config.users.users [
    (lib.attrsets.filterAttrs (name: value: value.isNormalUser))
    (lib.attrsets.attrsToList)
    (lib.map (user: user.name))
  ];

  users.groups.scanner.members = lib.map (user: user.name) (
    lib.attrsets.attrsToList (
      lib.attrsets.filterAttrs (name: value: value.isNormalUser) config.users.users
    )
  );

}