{ config, lib, inputs, ... }: 
let
  allUsers = lib.concatMap (peer: if peer ? users then peer.users else []) config.syscfg.peers;
  groupedUsers = lib.groupBy (u: u.username) allUsers;
  allowedUsernames = map (u: u.username) config.syscfg.users;
  activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
  userConfigs = lib.mapAttrs (name: userList: {
    isNormalUser = true;
    openssh.authorizedKeys.keys = lib.unique (map (u: u.pubssh) userList);
  }) groupedUsers;

in {
  imports = [ ./hardware.nix ];

  services.openssh.enable = true;
  users.users = lib.mapAttrs (name: userList: {
    openssh.authorizedKeys.keys = lib.unique (map (u: u.pubssh) userList);
  }) activeUsers // {
    root = {openssh.authorizedKeys.keys = [];};
  };
}