{
  pkgs,
  lib,
  primaryUser,
  ...
}:
{
  imports = [
    ./common.nix
  ];

  home.homeDirectory = lib.mkDefault "/Users/${primaryUser}";

  home.packages = with pkgs; [
    secretive
    vlc-bin

    # Faster and more feature-rich than Terminal.
    # TODO: https://iterm2.com/shell_integration/zsh
    iterm2

    # Newer OpenSSH client to support FIDO2 keys.
    openssh
    libfido2
  ];

  targets.darwin.defaults."com.googlecode.iterm2" = {
    # $ defaults read ~/Library/Preferences/com.googlecode.iterm2.plist

    # Allow tmux (and others) to use OSC 52 to set clipboard.
    AllowClipboardAccess = true;
    # Allow programs to clear scrollback.
    PreventEscapeSequenceFromClearingHistory = false;

    TripleClickSelectsFullWrappedLines = true;
    WordChars = "/-._~";
    PromptOnQuit = false;

    # Use system browser to open links.
    NoSyncBrowserUpsell = 1;
    NoSyncBrowserUpsell_selection = 1;
  };
  home.file."Library/Application Support/iTerm2/DynamicProfiles/nix-profile.json".text =
    builtins.toJSON
      {
        Profiles = [
          {
            Name = "Nix-Managed";
            Guid = "17DF2CCB-C7CD-4BCC-AC28-666DD6C8AF4A";
            "Normal Font" = "Menlo-Regular 13";

            Columns = 160;
            Rows = 45;
            "Scrollback Lines" = 1000000;

            # For tmux selection and moving borders.
            "Mouse Reporting" = true;
          }
        ];
      };

  programs.zsh.envExtra = ''
    # Can't use ssh-agent-mux to mux Secretive and yubikey-agent:
    # https://github.com/overhacked/ssh-agent-mux/issues/56
    # export SSH_AUTH_SOCK=~/.ssh/ssh-agent-mux.sock

    # Can't use Secretive to SSH using PIV from Yubikey:
    # https://github.com/maxgoedjen/secretive/issues/330
    #
    # If PIV entry was generated by yubikey-agent, Secretive may not see it at
    # all. Running 'ykman piv objects generate chuid' should fix that.
    # https://github.com/maxgoedjen/secretive/issues/333

    # See README.md "Security" section to learn how we create keys.

    # Setting IdentityAgent in SSH config achieves a similar result, but doesn't
    # work with commit signing.
    export SSH_AUTH_SOCK=~/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh
  '';

  # TODO: defaults read NSGlobalDomain
  #       https://nix-darwin.github.io/nix-darwin/manual/index.html
  #       -> set system.defaults.NSGlobalDomain
  #          or  system.defaults.CustomSystemPreferences

  programs.vscode.enable = true;
}