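{ lib, pkgs, ... }:

let
  # Directory under /etc that holds both the key file and the lookup script.
  # Every path below is derived from this one value so that environment.etc,
  # the script and the sshd Match block cannot drift apart (the previous
  # revision installed the script under /etc/ssh/ but pointed
  # AuthorizedKeysCommand at /etc/cloonar_assistant_ssh/, so no key was ever
  # returned).
  keyDir = "cloonar_assistant_ssh";
  keyFile = "/etc/${keyDir}/sftp_users_keys";
  fetchScript = "/etc/${keyDir}/sftp-fetch-key.sh";

  # SFTP-only accounts handled by this module: username -> authorized key.
  # NOTE(review): the accounts themselves are not declared here (no
  # users.users.<name>); presumably that happens in another module — confirm.
  users = [
    {
      username = "ca-test";
      key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDglSLU9AUtbU0fCN0eByi/EHyo1QiPPLiscN5RAR+wq";
    }
  ];

  # Comma-separated usernames, the form `Match User` expects.
  userList = lib.concatStringsSep "," (map (u: u.username) users);
in
{
  environment.etc = {
    # Single "username key" file, one account per line.
    # 0600 root:root because the lookup below runs as root and nothing else
    # needs to read it.
    "${keyDir}/sftp_users_keys" = {
      text = lib.concatStringsSep "\n" (map (u: "${u.username} ${u.key}") users);
      mode = "0600";
      user = "root";
      group = "root";
    };

    # Lookup script: prints the key whose first field equals $1.
    # Uses store paths for the interpreter and awk so it does not depend on
    # whatever PATH sshd happens to run AuthorizedKeysCommand with.
    "${keyDir}/sftp-fetch-key.sh" = {
      text = ''
        #!${pkgs.bash}/bin/bash
        # Exact match on the username field; blank it, strip the separator,
        # print the rest of the line (the key). Prints nothing on no match.
        ${pkgs.gawk}/bin/awk -v u="$1" '$1==u { $1=""; sub(/^ +/, ""); print }' ${keyFile}
      '';
      mode = "0700";
      user = "root";
      group = "root";
    };
  };

  # One chroot root per user. sshd requires ChrootDirectory and all of its
  # parents to be root-owned and not group/world-writable, which
  # 0755 root:root satisfies; the user therefore cannot write into the
  # chroot root itself, only into a subdirectory created for that purpose.
  systemd.tmpfiles.rules = map (u:
    "d /home/cloonar-assistant-configs/${u.username} 0755 root root -"
  ) users;

  # Match blocks must come last in sshd_config; extraConfig is appended at
  # the end, so this is safe.
  services.openssh.extraConfig = ''
    Match User ${userList}
      # Confine the matched accounts to SFTP inside their own chroot.
      ChrootDirectory /home/cloonar-assistant-configs/%u
      ForceCommand internal-sftp
      # No forwarding, tunnelling or TTY for SFTP-only accounts.
      X11Forwarding no
      AllowTcpForwarding no
      AllowAgentForwarding no
      PermitTunnel no
      PermitTTY no
      # Keys come from the managed file, not from ~/.ssh inside the chroot.
      # Runs as root because the key file is 0600 root; a dedicated
      # unprivileged AuthorizedKeysCommandUser with a group-readable key file
      # would narrow this further.
      AuthorizedKeysCommand ${fetchScript} %u
      AuthorizedKeysCommandUser root
  '';
}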