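{ self, ... }:
{
  # NixOS module that fills `users.users.<name>.openssh.authorizedKeys.keys`
  # from the flake-level SSH inventory exposed as `self.lib.sshInventory`.
  flake.nixosModules.sshInbound =
    { config, lib, ... }:
    let
      cfg = config.chiasson.ssh.inbound;
      # Shape as read below: `inventory.hosts.<name>.publicKey` (may be null)
      # and `inventory.authorizedKeys` (the full key list used for "all").
      inventory = self.lib.sshInventory;

      # Resolve one user's selection to the list of public keys to install.
      #   "all"          -> every key in `inventory.authorizedKeys`
      #   [ "h1" "h2" ]  -> the `publicKey` of each named host, nulls dropped,
      #                     de-duplicated
      # An unknown host name is a hard error: a typo must never silently
      # shrink the set of trusted keys. A non-empty selection that resolves to
      # no keys at all (every selected host lacks a `publicKey`) is surfaced as
      # an evaluation warning instead of an empty, silent `authorized_keys`,
      # which would lock the user out of key-based login without a diagnostic.
      resolveSelection =
        selection:
        if selection == "all" then
          inventory.authorizedKeys
        else
          let
            missing = builtins.filter (name: !(builtins.hasAttr name inventory.hosts)) selection;
            # Evaluated lazily: only forced once `missing` is known to be empty.
            keys = lib.unique (
              builtins.filter (key: key != null) (
                builtins.map (hostName: inventory.hosts.${hostName}.publicKey) selection
              )
            );
          in
          if missing != [ ] then
            throw "ssh.inbound: unknown host keys: ${builtins.concatStringsSep ", " missing}"
          else
            lib.warnIf (selection != [ ] && keys == [ ])
              "ssh.inbound: selected hosts (${builtins.concatStringsSep ", " selection}) have no public key; authorized_keys will be empty"
              keys;
    in
    {
      options.chiasson.ssh.inbound = {
        enable = lib.mkEnableOption "Apply `authorizedKeys` from the SSH inventory.";

        # Maps a local user name to either the literal "all" or a list of
        # inventory host names. Each listed user gets a `users.users.<name>`
        # entry with `openssh.authorizedKeys.keys` set from the inventory.
        userAuthorizedHosts = lib.mkOption {
          type = lib.types.attrsOf (
            lib.types.either (lib.types.enum [ "all" ]) (lib.types.listOf lib.types.str)
          );
          default = { };
          example = {
            olivier = "all";
            admin = [ "14900k" "t2mbp" ];
          };
          description = ''
            Per user: `"all"` or a list of inventory host names whose keys land in `authorized_keys`.
          '';
        };
      };

      config = lib.mkIf cfg.enable {
        # One `users.users.<user>` fragment per configured user; the module
        # system merges it with the user's other definitions.
        users.users = lib.mapAttrs (_user: selection: {
          openssh.authorizedKeys.keys = resolveSelection selection;
        }) cfg.userAuthorizedHosts;
      };
    };
}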