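{ self, ... }:
{
  # Home Manager module: writes an inventory-driven `~/.ssh/config` and points
  # SSH_AUTH_SOCK at the rbw SSH agent socket. Host data comes from
  # `self.lib.sshInventory`, which lives outside this file.
  flake.homeManagerModules.sshOutboundRbw =
    { config, lib, pkgs, ... }:
    let
      cfg = config.chiasson.ssh.outbound.rbw;
      inventory = self.lib.sshInventory;

      # `[ "all" ]` selects every name in `inventory.activeHosts`; any other
      # list is taken verbatim and validated against `inventory.hosts` below.
      selectedHostNames =
        if cfg.hosts == [ "all" ]
        then builtins.attrNames inventory.activeHosts
        else cfg.hosts;

      # Names absent from the inventory; reported through an assertion so the
      # user sees the offending keys instead of a bare "attribute missing" error.
      missing = builtins.filter (name: !(builtins.hasAttr name inventory.hosts)) selectedHostNames;

      # Only known names are dereferenced: a typo in `cfg.hosts` must reach the
      # assertion message rather than fail inside `inventory.hosts.${name}`.
      knownHostNames = builtins.filter (name: builtins.hasAttr name inventory.hosts) selectedHostNames;

      selectedHosts = builtins.listToAttrs (
        builtins.map (name: { inherit name; value = inventory.hosts.${name}; }) knownHostNames
      );

      # Text of the generated config; `__RBW_SSH_SOCK__` is substituted at
      # activation time (see `rbwSshConfig` below).
      sshConfigTemplate = inventory.mkSshConfigTemplate {
        selectedHosts = selectedHosts;
        user = cfg.user;
      };
    in
    {
      options.chiasson.ssh.outbound.rbw = {
        enable = lib.mkEnableOption "Generated `~/.ssh/config` + rbw agent socket.";

        user = lib.mkOption {
          type = lib.types.str;
          default = config.home.username;
          description = "`User` in generated `Host` blocks.";
        };

        hosts = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          default = [ "all" ];
          description = "Inventory hosts to emit (or `[ \"all\" ]`).";
        };

        manageSshConfig = lib.mkOption {
          type = lib.types.bool;
          default = true;
          description = "Write `~/.ssh/config` from the template.";
        };
      };

      config = lib.mkIf cfg.enable (lib.mkMerge [
        {
          assertions = [
            {
              assertion = missing == [ ];
              message = "ssh.outbound.rbw: unknown host keys: ${builtins.concatStringsSep ", " missing}";
            }
          ];
        }
        {
          home.packages = [ pkgs.rbw pkgs.pinentry-qt ];

          # Must agree with RBW_SSH_SOCK in the activation script below.
          home.sessionVariables.SSH_AUTH_SOCK = "$XDG_RUNTIME_DIR/rbw/ssh-agent-socket";

          home.file = inventory.mkIdentityFiles selectedHosts;

          # The config is written by hand below, so keep Home Manager's own
          # `programs.ssh` from also claiming `~/.ssh/config`.
          programs.ssh.enable = lib.mkIf cfg.manageSshConfig false;

          # NOTE(review): this script does not honour Home Manager's dry-run
          # mode; confirm whether that matters for this setup.
          home.activation.rbwSshConfig = lib.mkIf cfg.manageSshConfig (
            lib.hm.dag.entryAfter [ "writeBoundary" ] ''
              # Restrictive umask so the config is never momentarily readable by
              # others between creation and the final chmod.
              umask 077
              mkdir -p "$HOME/.ssh"
              chmod 700 "$HOME/.ssh"
              # Same path SSH_AUTH_SOCK resolves to; fall back to /run/user/<uid>
              # if XDG_RUNTIME_DIR is unset in the activation environment.
              RBW_SSH_SOCK="''${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/rbw/ssh-agent-socket"
              # Write to a temp file (mktemp creates it mode 0600) and move it into
              # place, so a half-written config is never observed and a stale
              # symlink at ~/.ssh/config is replaced rather than written through.
              tmp="$(mktemp "$HOME/.ssh/config.XXXXXX")"
              cat > "$tmp" <<'EOF'
              ${sshConfigTemplate}
              EOF
              sed -i "s|__RBW_SSH_SOCK__|$RBW_SSH_SOCK|g" "$tmp"
              chmod 600 "$tmp"
              mv -f "$tmp" "$HOME/.ssh/config"
            ''
          );

          # Runs `rbw unlocked` once per graphical session; the exit status is
          # ignored, so this is purely best effort.
          systemd.user.services.rbw-agent-bootstrap = {
            Unit = {
              Description = "Bootstrap rbw SSH agent";
              PartOf = [ "graphical-session.target" ];
              After = [ "graphical-session.target" ];
            };
            Service = {
              Type = "oneshot";
              ExecStart = "${pkgs.bash}/bin/bash -lc '${pkgs.rbw}/bin/rbw unlocked >/dev/null 2>&1 || true'";
              RemainAfterExit = true;
            };
            Install = {
              WantedBy = [ "graphical-session.target" ];
            };
          };

          # Point rbw at the packaged Qt pinentry; best effort (`|| true`).
          home.activation.rbwPinentryConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
            ${pkgs.rbw}/bin/rbw config set pinentry "${pkgs.pinentry-qt}/bin/pinentry-qt" >/dev/null 2>&1 || true
          '';
        }
      ]);
    };
}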