diff --git a/flake.nix b/flake.nix
index 63807038..050b1a39 100644
--- a/flake.nix
+++ b/flake.nix
@@ -87,8 +87,9 @@
 
       # We're considering this as the variant since we'll export the custom
       # library as `lib` in the output attribute.
-      lib' =
-        nixpkgs.lib.extend (final: prev: import ./lib { lib = nixpkgs.lib; });
+      lib' = nixpkgs.lib.extend (final: prev:
+        import ./lib { lib = prev; }
+        // import ./lib/private.nix { lib = final; });
 
       mkHost = { system ? defaultSystem, extraModules ? [ ] }:
         (lib'.makeOverridable inputs.nixpkgs.lib.nixosSystem) {
diff --git a/lib/default.nix b/lib/default.nix
index 76953eaa..ec03d2eb 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -60,33 +60,6 @@ rec {
     let paths = lib.collect builtins.isPath attrs;
     in builtins.map (path: import path) paths;
 
-  /* Return an attribute set of valid users from a given list of users.
-     This is a convenience function for getting users from the `./users` directory.
-
-     Signature:
-       list -> attrset
-     Where:
-       - `list` is a list of usernames as strings
-       - `attrset` is a set of valid users with the name as the key and the path as the value.
-     Example:
-       # Assuming only 'foo-dogsquared' is the existing user for 'home-manager'.
-       getUsers "home-manager" [ "foo-dogsquared" "archie" "brad" ]
-       => { foo-dogsquared = /home/foo-dogsquared/projects/nixos-config/users/foo-dogsquared; }
-  */
-  getUsers = type: users:
-    let
-      userModules = filesToAttr ../users/${type};
-      invalidUsernames = [ "config" "modules" ];
-    in lib.filterAttrs (n: _: !lib.elem n invalidUsernames && lib.elem n users) userModules;
-
-
-  # Return the path of `user` from `type`.
-  getUser = type: user:
-    lib.getAttr user (getUsers type [ user ]);
-
-  # Return the path of `secrets` from `../secrets`.
-  getSecret = path: ../secrets/${path};
-
   /* Count the attributes with the given predicate.
 
      Examples:
diff --git a/lib/private.nix b/lib/private.nix
new file mode 100644
index 00000000..85f28159
--- /dev/null
+++ b/lib/private.nix
@@ -0,0 +1,23 @@
+# This is just a library intended solely for this flake.
+# It is expected to use the nixpkgs library with `lib/default.nix`.
+{ lib }:
+
+rec {
+  getSecret = path: ../secrets/${path};
+
+  getUsers = type: users:
+    let
+      userModules = lib.filesToAttr ../users/${type};
+      invalidUsernames = [ "config" "modules" ];
+
+      users' = lib.filterAttrs (n: _: !lib.elem n invalidUsernames && lib.elem n users) userModules;
+      userList = lib.attrNames users';
+
+      nonExistentUsers = lib.filter (name: !lib.elem name userList) users;
+    in lib.trivial.throwIfNot ((lib.length nonExistentUsers) == 0)
+      "there are no users ${lib.concatMapStringsSep ", " (u: "'${u}'") nonExistentUsers} from ${type}"
+      (r: r) users';
+
+  getUser = type: user:
+    lib.getAttr user (getUsers type [ user ]);
+}