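{ config, lib, ... }:
let
  # Every user record published by any peer; a peer whose `syscfg` has
  # no `users` list contributes nothing.
  allUsers = lib.concatMap
    (peer: if peer.syscfg ? users then peer.syscfg.users else [])
    config.syscfg.peers;

  # Peer-provided records keyed by username, so a user that appears on
  # several peers collapses into a single attribute holding all records.
  groupedUsers = lib.groupBy (u: u.username) allUsers;

  # Only usernames this host itself declares in `syscfg.users` may
  # receive keys; peer data cannot introduce authorized_keys entries for
  # names that are not declared here.
  allowedUsernames = map (u: u.username) config.syscfg.users;
  activeUsers = lib.filterAttrs (name: _: lib.elem name allowedUsernames) groupedUsers;
in
{
  # NOTE(review): `?` tests that the attribute path `nftables.enable`
  # exists under `config.syscfg.server`, not that it evaluates to true.
  # Kept as in the original; confirm a value-based gate was not intended.
  config = lib.mkIf (config.syscfg.server ? nftables.enable) {
    services.openssh = {
      enable = true;
      ports = [ 422 ];
      banner = "";
      settings = {
        # Key-only login.  PasswordAuthentication alone is not sufficient
        # on NixOS: the keyboard-interactive (PAM) method still accepts a
        # password unless it is disabled as well.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
        # Probe idle clients every 60 s and drop the session after three
        # unanswered probes (~3 minutes).
        ClientAliveInterval = 60;
        ClientAliveCountMax = 3;
        TCPKeepAlive = true;
      };
    };

    # Install, for each active user, the de-duplicated public keys that
    # user advertises across peers.  Records lacking `pubssh` add no key.
    users.users = lib.mapAttrs (name: userList: {
      openssh.authorizedKeys.keys = lib.unique (
        lib.concatMap (u: if u ? pubssh then [ u.pubssh ] else []) userList
      );
    }) activeUsers;
  };
}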