{ lib, ... }:
{
  # SSH inventory for the flake: a catalog of LAN machines with their client
  # public keys, plus helpers that turn the catalog into `~/.ssh` identity
  # files and an ssh_config. Exported as `flake.lib.sshInventory`.
  flake.lib.sshInventory =
    let
      # Catalog of machines. `hostName` is what ssh connects to, `aliases` are
      # the names accepted on the command line, and `publicKey` is the
      # machine's *client* key (what the other hosts put in authorized_keys).
      # An entry with `publicKey = null` stays in `hosts` but is excluded from
      # every derived value below. Only public keys live here — nothing in
      # this file is secret. Host keys / known_hosts are not covered by this
      # inventory.
      hosts = {
        "14900k" = {
          hostName = "192.168.2.25";
          aliases = [ "14900k" "nixdesk" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILwUevBGnf+Y/sL1ZsB4bt0c50a89iqwPRoYUGP4UHsL 14900k";
        };
        ideapad = {
          hostName = "192.168.2.229";
          aliases = [ "ideapad" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQwaaI90xIMjZ46EcMyO8kBwGCxf7qVL75IYhw8Ssze ideapad";
        };
        t2mbp = {
          hostName = "192.168.2.15";
          aliases = [ "t2mbp" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMhVWB9YXl/FuQvufle4VWUas/QM8qCKoRd5a83Tt3S6 t2mbp";
        };
        uConsole = {
          hostName = "192.168.2.99";
          aliases = [ "uConsole" "uconsole" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAVPR0lRAcywPR7iTchM3+eO7NCdXAR6NPzYXxalr+dP uConsole";
        };
        # Placeholder entry with no key: never gets an identity file, is never
        # in authorizedKeys, and is never written into the ssh_config.
        test = {
          hostName = "test";
          aliases = [ "test" ];
          publicKey = null;
        };
        nix-server = {
          hostName = "192.168.2.238";
          aliases = [ "nix-server" ];
          publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3KDicMjtOFR6LfZrFzfAD1gdYUdwv6ZM4PSgtmIuzd nix-server";
        };
      };

      # `~/`-relative path of the public-key file for one catalog entry.
      # Only the `.pub` half is ever written out by this module; the ssh_config
      # below points `IdentityFile` at it while `IdentityAgent` supplies the
      # private half, so no private key material is managed here.
      identityFileFor = hostName: ".ssh/id_ed25519_${lib.strings.toLower hostName}.pub";

      # Catalog entries that actually carry a key.
      activeHosts = lib.filterAttrs (_: entry: entry.publicKey != null) hosts;

      # For a host set, build `{ "<identity file path>" = { text = "<key>\n"; }; }`.
      # Callers pass an already-filtered set (e.g. `activeHosts`); an entry
      # whose `publicKey` is null would fail to interpolate here.
      mkIdentityFiles = selectedHosts:
        lib.mapAttrs' (hostName: entry:
          lib.nameValuePair (identityFileFor hostName) {
            text = "${entry.publicKey}\n";
          }
        ) selectedHosts;

      # Must come before inventory `Host` blocks and before `Host *`: LAN Gitea SSH is not a catalog PC,
      # and `Host *` sets `IdentityAgent none` — without this, git@nix-server never sees rbw keys.
      # ssh_config is first-match-wins per option, so `nix-server` and `192.168.2.238` — which the
      # catalog's nix-server entry also lists — take this block's HostName/Port/User/IdentitiesOnly,
      # not the catalog block's. NOTE(review): confirm `ssh nix-server` is meant to land on
      # git@192.168.2.238:222 rather than on the catalog host.
      # `IdentitiesOnly no` here lets ssh offer every key the agent holds to this host, unlike the
      # catalog blocks, which are pinned to one IdentityFile.
      giteaBlock = identityAgent: ''
        Host git.chiasson.cloud gitea nix-server 192.168.2.238
          HostName 192.168.2.238
          Port 222
          User git
          IdentityAgent ${identityAgent}
          IdentitiesOnly no
      '';

      # Render an ssh_config from `selectedHosts`.
      #   user          — when non-null, emitted as `User` in every catalog block.
      #   identityAgent — substituted verbatim into `IdentityAgent`; the default
      #                   is a literal marker string, presumably replaced with the
      #                   rbw agent socket path by whatever consumes the template
      #                   (TODO confirm against the caller).
      # Output order: Gitea block, one block per catalog host (attrName order),
      # then the `Host *` fallback.
      mkSshConfigTemplate =
        { selectedHosts ? activeHosts
        , user ? null
        , identityAgent ? "__RBW_SSH_SOCK__"
        }:
        let
          # Does not depend on the host, so it is computed once.
          userLine = if user == null then "" else " User ${user}\n";

          # One `Host` block: every alias plus the literal hostName matches,
          # and the block is pinned to exactly this host's key (IdentitiesOnly yes).
          renderHost = hostName: entry: ''
            Host ${lib.concatStringsSep " " (entry.aliases ++ [ entry.hostName ])}
              HostName ${entry.hostName}
              ${userLine}
              IdentityFile ~/${identityFileFor hostName}
              IdentityAgent ${identityAgent}
              IdentitiesOnly yes
          '';

          # Catch-all, kept last so it only applies to hosts not named above:
          # no agent is consulted and no key guessing happens for unknown hosts.
          fallbackBlock = ''
            Host *
              IdentitiesOnly yes
              IdentityAgent none
          '';
        in
        lib.concatStringsSep "\n" (
          [ (giteaBlock identityAgent) ]
          ++ lib.mapAttrsToList renderHost selectedHosts
          ++ [ fallbackBlock ]
        );
    in
    {
      inherit hosts activeHosts mkIdentityFiles mkSshConfigTemplate;

      # Deduplicated list of every active entry's public key.
      authorizedKeys = lib.unique (
        builtins.map (entry: entry.publicKey) (lib.attrValues activeHosts)
      );

      # Convenience values for the common case: all keyed hosts, default settings.
      identityFiles = mkIdentityFiles activeHosts;
      sshConfigTemplate = mkSshConfigTemplate { };
    };
}