{ ... }: {
  flake.nixosModules.usersHomeIntegration =
    { config, options, lib, self, usersLib, selectUsers, ... }:
    let
      cfg = config.chiasson.users;
      selected = selectUsers config;
      missing = usersLib.missingEnabledNames cfg.catalog cfg.enabled;
      stray = usersLib.strayHomeUserKeys cfg.extraModules cfg.enabled;
      names = usersLib.hmWiredNames selected;
      hmAvailable = lib.hasAttrByPath [ "home-manager" "users" ] options;
      hmUsersAttr = lib.listToAttrs (
        map (name: {
          inherit name;
          value = usersLib.mkHmUserModule {
            inherit name;
            user = selected.${name};
            hostExtraModules = cfg.extraModules.${name} or [ ];
          };
        }) names
      );
      inboundUsersAttr = usersLib.inboundHostsAttr selected;
    in
    {
      config = lib.mkMerge [
        {
          assertions = [
            {
              assertion = missing == [ ];
              message = "chiasson.users.enabled references unknown catalog users: ${builtins.concatStringsSep ", " missing}";
            }
            {
              assertion = stray == [ ];
              message = "chiasson.users.extraModules has keys not in chiasson.users.enabled: ${builtins.concatStringsSep ", " stray}";
            }
          ];
        }
        {
          users.users = lib.mapAttrs (name: user: usersLib.mkNixosUser name user) selected;
        }
        (lib.optionalAttrs hmAvailable {
          "home-manager".useGlobalPkgs = lib.mkIf (cfg.homeManager.autoWire && names != [ ]) true;
          "home-manager".sharedModules = lib.mkIf (cfg.homeManager.autoWire && names != [ ]) [ self.homeManagerModules.sshOutboundRbw ];
          "home-manager".users = lib.mkIf (cfg.homeManager.autoWire && names != [ ]) hmUsersAttr;
        })
        (lib.mkIf (inboundUsersAttr != { }) {
          chiasson.ssh.inbound.enable = true;
          chiasson.ssh.inbound.userAuthorizedHosts = inboundUsersAttr;
        })
      ];
    };
}