# NixOS host module: turns on OpenSSH and builds each local account's
# authorized keys from the user records declared by config.syscfg.peers.
#
# Trust note: a public key is authorised for a local account solely because
# some peer entry declares a user with the same username. Matching is by
# username only, so whoever can edit a peer's `syscfg.users` list can add a
# login key for any account listed in this host's config.syscfg.users.
{ config, lib, inputs, ... }:

let
  # Every user record declared by any peer. A peer whose syscfg has no
  # `users` attribute contributes an empty list.
  peerAccounts = lib.concatMap
    (peer: lib.optionals (peer.syscfg ? users) peer.syscfg.users)
    config.syscfg.peers;

  # username -> [ user records ]; one username may be declared by several
  # peers, each possibly with a different key.
  accountsByName = lib.groupBy (account: account.username) peerAccounts;

  # Usernames this host itself declares; only these may receive keys.
  localNames = map (account: account.username) config.syscfg.users;

  # Drop peer-declared usernames that this host does not list.
  permitted = lib.filterAttrs
    (username: _records: lib.elem username localNames)
    accountsByName;

  # Per-account key list, de-duplicated across peers. A record without a
  # `pubssh` attribute aborts evaluation instead of being skipped.
  keysFromPeers = lib.mapAttrs
    (_username: records: {
      openssh.authorizedKeys.keys =
        lib.unique (map (record: record.pubssh) records);
    })
    permitted;
in
{
  imports = [ ./hardware.nix ];

  # Port 422 only moves the listener. PasswordAuthentication and
  # PermitRootLogin are not set in this module, so the NixOS defaults (or
  # another module's values) apply.
  # NOTE(review): consider pinning both explicitly next to this block.
  services.openssh = {
    enable = true;
    ports = [ 422 ];
  };

  # `//` is a shallow merge and the right-hand side wins, so this replaces any
  # `root` entry in keysFromPeers: peer-declared keys never reach root, even
  # if `root` is listed in config.syscfg.users.
  # NOTE(review): the empty list is an ordinary-priority definition; a root
  # key defined by another module would still be merged in. Use
  # `lib.mkForce [ ]` if root must end up with no keys at all. Confirm intent.
  users.users = keysFromPeers // {
    root = { openssh.authorizedKeys.keys = [ ]; };
  };
}