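{ config, pkgs, lib, ... }:
let
  # Admin accounts managed by this module.
  #   name        -> Unix user name
  #   github      -> GitHub handle whose public keys are fetched at eval time (optional)
  #   description -> GECOS field
  #   extraKeys   -> literal public keys for people without (or in addition to) a GitHub handle
  admins = [
    { name = "superq"; github = "SuperQ"; description = "Ben Kochie"; }
    {
      name = "rizend";
      description = "rizend";
      # Both keys decode as RSA with a 256-byte modulus (2048-bit) — TODO confirm;
      # if so, consider rotating to ed25519 keys when convenient.
      extraKeys = [
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDWvlc3+qDxhKE3jCCxKKU1h9QJyhCqLgHAwkiokvSPig6dXZW9f8uS/1CNMEmB5avrZhT6S3V00NExqZMldJechROhQoZb6YrUzakaeJCHrbThotQ/TlDuRWCCEh+y/qowk261X4Rbdx/KMwPuROP0p+pw2u3CVoLC7ejnsCwzTMZJ450QtZau0nvP7PY1vnehg2npA4HOqtwjOABJlMMpSZfaQdddwQJ7YE01GLpXF73Lwcnyue51fWFdjsQwIeQM2feO0yf1r1fjoLyMfWCVLK2GI0ONXVFWKQ52kfzr4QQ7Tq+Xi12qr7KGlHZ8yl7tw3MUoyU7k0HrUea1F8WF"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCvHlZKV8yBsJOkeu2FkWZ1UDY/uTS8bBUbqh1W0pJ3BMec55uvRLNv1AT5Z7RHKbwdjiZTBm6sP0CRVjsOxeGRCVeddHx1SxsXeihZIRQLHX+Z7M1YwYdzmzRDIEhuZhp+RnGH71ESVEHlmUhNPYsNmlgE3nyNbbDatYRZQqC204pal6cz4CHRUWYIozAQvpO8BF+cNDbNgT1yR5DWflwHErlv8yltmxNjh+gQQgp7RzI+05uzpRgumLCIqdHIKUflDJGvZXnUNAr5nv8Xe3W77AZz348nK2SYoD7dOBw23LpEzmy0mENL+/d3ZCuricslc1eBqCpVxJiF7s/RCtix"
      ];
    }
    { name = "bfb"; github = "kevinjos"; description = "bfb"; }
    { name = "jof"; github = "jof"; description = "Jonathan Lassoff"; }
    { name = "mcint"; github = "mcint"; description = "Loren McIntyre"; }
  ];

  # Key files for one GitHub handle; empty list when the handle is null.
  # Shared by mkAdmin and the root key collection below so the two cannot drift.
  #
  # NOTE(review): this fetch carries no hash, so the authorized key set is
  # whatever GitHub serves at evaluation time. Adding a key to the GitHub
  # account grants login here with no change to this repository, and nothing
  # verifies the download beyond TLS. If that trust in GitHub account security
  # is not acceptable, pin each file with `sha256 = "<hash-placeholder>";` or
  # paste the keys into `extraKeys`. Hashless fetchurl is also rejected in
  # pure evaluation mode (e.g. flakes) — TODO confirm for this deployment.
  githubKeyFiles = github:
    lib.optionals (github != null) [
      (builtins.fetchurl { url = "https://github.com/${github}.keys"; })
    ];

  # Build one { name, value } pair for builtins.listToAttrs from an admin entry.
  mkAdmin = { name, github ? null, description, extraKeys ? [] }: {
    inherit name;
    value = {
      isNormalUser = true;
      inherit description;
      extraGroups = [ "wheel" ];
      openssh.authorizedKeys.keys = extraKeys;
      openssh.authorizedKeys.keyFiles = githubKeyFiles github;
    };
  };

  # Collect all GitHub key files for root access (deploy-rs needs root SSH)
  adminKeyFiles = lib.concatMap ({ github ? null, ... }: githubKeyFiles github) admins;
  adminExtraKeys = lib.concatMap ({ extraKeys ? [], ... }: extraKeys) admins;
in
{
  # Declarative users only: anything not listed here is removed on activation.
  users.mutableUsers = false;
  users.users = builtins.listToAttrs (map mkAdmin admins);

  # Root gets all admin keys so deploy-rs can SSH in
  # (the sshd PermitRootLogin setting that allows this is configured elsewhere — TODO confirm)
  users.users.root.openssh.authorizedKeys = {
    keyFiles = adminKeyFiles;
    keys = adminExtraKeys;
  };

  # Every admin above can already log in as root by key, so this only drops
  # the password prompt for interactive sudo; a stolen admin key is therefore
  # root with no second check.
  security.sudo.wheelNeedsPassword = false;
}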