diff --git a/nix/modules/shell.nix b/nix/modules/shell.nix
new file mode 100644
index 0000000..0345c08
--- /dev/null
+++ b/nix/modules/shell.nix
@@ -0,0 +1,17 @@
+{ config, lib, ... }:
+let
+  cfg = config.flake;
+  inherit (cfg.lib) forAllUsers';
+  inherit (lib.attrsets) mapAttrs';
+in
+{
+  flake.modules.nixos.default =
+    { pkgs, ... }:
+    {
+      programs = mapAttrs' (name: value: {
+        name = value.shell;
+        value.enable = true;
+      }) cfg.manifest.users;
+      users.users = forAllUsers' (_: value: { shell = pkgs.${value.shell}; });
+    };
+}
diff --git a/nix/modules/users.nix b/nix/modules/users.nix
index 6dd5d4e..471dd15 100644
--- a/nix/modules/users.nix
+++ b/nix/modules/users.nix
@@ -6,13 +6,11 @@ let
 in
 {
   flake.modules.nixos.default =
-    { pkgs, config, ... }:
+    { config, ... }:
     {
       #TODO: move sudo/security options elsewhere
       # security.sudo.wheelNeedsPassword = false;
       # nix.settings.trusted-users = [ "@wheel" ];
-      #TODO: move to shell config
-      # programs.${owner.shell}.enable = true;
       #TODO: move ssh key settings elsewhere
       # users.users.root.openssh.authorizedKeys.keys = [ owner.pubkey ];
       users = {
@@ -22,14 +20,10 @@ in
           _: value: {
             isNormalUser = true;
             extraGroups = optional (value.primary or false) "wheel";
-            # FIXME: remove when we make the shell module
-            ignoreShellProgramCheck = true;
-            shell = pkgs.${value.shell};
             openssh.authorizedKeys.keys = [ value.pubkey ];
           }
         );
       };
-
       home-manager.users = forAllUsers' (
         name: _: {
           home.username = name;