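# flake-parts module that exports the `sshInbound` NixOS module.
#
# The NixOS module installs the flake's SSH inventory public keys into the
# `authorized_keys` of every user named in
# `chiasson.ssh.inbound.userAuthorizedHosts`.
{ self, ... }:
{
  flake.nixosModules.sshInbound =
    { config, lib, ... }:
    let
      cfg = config.chiasson.ssh.inbound;

      # Flake-level SSH inventory; this module reads only `authorizedKeys`.
      inventory = self.lib.sshInventory;

      # Users configured with an explicit host list instead of "all".
      # The list is accepted by the option type but is not applied below, so
      # these users are authorized for more keys than their configuration
      # suggests.
      restrictedUsers = lib.attrNames (
        lib.filterAttrs (_user: selection: selection != "all") cfg.userAuthorizedHosts
      );
    in
    {
      options.chiasson.ssh.inbound = {
        enable = lib.mkEnableOption "Apply SSH inventory public keys to `authorized_keys`.";

        # Maps a user name to either the literal "all" or a list of host names.
        userAuthorizedHosts = lib.mkOption {
          type = lib.types.attrsOf (
            lib.types.either (lib.types.enum [ "all" ]) (lib.types.listOf lib.types.str)
          );
          default = { };
          example = {
            olivier = "all";
            admin = [
              "14900k"
              "t2mbp"
            ];
          };
          description = ''
            Catalog users that receive the SSH inventory public keys in `authorized_keys`.
          '';
        };
      };

      config = lib.mkIf cfg.enable {
        # Surface the over-grant at evaluation time rather than leaving a host
        # list that silently behaves like "all".
        warnings = lib.optional (restrictedUsers != [ ]) (
          "chiasson.ssh.inbound.userAuthorizedHosts: per-host selection is not applied; "
          + "users ${lib.concatStringsSep ", " restrictedUsers} receive every key in the SSH inventory."
        );

        # NOTE(review): the per-user selection is ignored here; every listed
        # user gets the full `inventory.authorizedKeys`. Filtering by host
        # needs a per-host view of the inventory, which is not visible from
        # this module. Confirm against `self.lib.sshInventory`.
        users.users = lib.mapAttrs (_user: _selection: {
          openssh.authorizedKeys.keys = inventory.authorizedKeys;
        }) cfg.userAuthorizedHosts;
      };
    };
}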