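# NixOS host module: runs an SSH daemon restricted to public-key logins and
# builds each allowed user's authorized_keys from the peer definitions found
# under config.syscfg.
{ config, lib, inputs, ... }:
let
  # Every user record declared by any peer; a peer whose syscfg has no `users`
  # attribute contributes nothing.
  allUsers = lib.concatMap
    (peer: lib.optionals (peer.syscfg ? users) peer.syscfg.users)
    config.syscfg.peers;

  # username -> list of all records that carry that username, across peers.
  groupedUsers = lib.groupBy (u: u.username) allUsers;

  # Usernames declared in this configuration's own syscfg.users.
  allowedUsernames = map (u: u.username) config.syscfg.users;

  # Keep only the groups whose username is allowed here.
  # Matching is by username alone, so a key listed under the same username on
  # any peer ends up authorized on this host.
  # NOTE(review): confirm every entry in config.syscfg.peers is trusted to that extent.
  activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
in
{
  imports = [ ./hardware.nix ];

  services.openssh = {
    enable = true;
    ports = [ 422 ];
    banner = "";
    settings = {
      PasswordAuthentication = false;
      # Keyboard-interactive is a separate sshd method that can still prompt for
      # a PAM password when PasswordAuthentication is off; disable it as well so
      # the daemon is key-only.
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password";
    };
  };

  users.users =
    # One entry per allowed username: the de-duplicated set of `pubssh` values
    # from all of that user's records (records without `pubssh` are skipped).
    (lib.mapAttrs
      (name: userList: {
        openssh.authorizedKeys.keys = lib.unique (
          lib.concatMap (u: lib.optional (u ? pubssh) u.pubssh) userList
        );
      })
      activeUsers)
    # `//` is applied after the mapAttrs result, so a peer-declared user named
    # "root" is replaced by this entry and contributes no keys from this module.
    # NOTE(review): an empty list merges with definitions from other modules
    # rather than clearing them; if root must never accept keys, consider
    # lib.mkForce [ ] here or PermitRootLogin = "no".
    // {
      root = {
        openssh.authorizedKeys.keys = [ ];
      };
    };
}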