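{ lib, pkgs, ... }:
let
  # SFTP-only accounts. Each entry becomes one NixOS user (via create_users)
  # and one "<username> <key>" line in the managed keys file that sshd's
  # AuthorizedKeysCommand reads. The key is a PUBLIC key, so the keys file is
  # not secret and may be world-readable.
  users = [
    {
      username = "ca-test";
      key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzJRWe8hsqAVnGSjPrcheloteWMzORoQ5Gj4IfhCROF";
    }
  ];

  # Single source of truth for both paths; the original config installed the
  # script under /etc/ssh/ but pointed AuthorizedKeysCommand at
  # /etc/cloonar_assistant_ssh/, so key lookup could never succeed.
  keysDir = "cloonar_assistant_ssh";
  keysFile = "/etc/${keysDir}/sftp_users_keys";
  fetchKeyScript = "/etc/${keysDir}/sftp-fetch-key.sh";

  # `create_users` was referenced by `imports` but never defined, which makes
  # the module fail to evaluate. Turn one entry into a NixOS module.
  #
  # sshd refuses `ChrootDirectory %h` unless every path component, including
  # the home directory itself, is owned by root and not group/world-writable.
  # So the home is created root:root 0755 by tmpfiles (not by createHome, which
  # would chown it back to the user on every activation) and the user gets a
  # writable `upload` subdirectory inside the chroot.
  create_users = u: {
    users.users.${u.username} = {
      isNormalUser = true;      # NixOS default shell is nologin; internal-sftp needs none
      home = "/home/${u.username}";
      createHome = false;       # ownership is managed by the tmpfiles rules below
    };
    systemd.tmpfiles.rules = [
      "d /home/${u.username} 0755 root root -"
      "d /home/${u.username}/upload 0700 ${u.username} users -"
    ];
  };

  matchedUsers = lib.concatMapStringsSep "," (u: u.username) users;
in {
  imports = builtins.map create_users users;

  environment.etc = {
    # One "username key" line per account. Public keys only -> 0644 so the
    # unprivileged AuthorizedKeysCommandUser can read it.
    "${keysDir}/sftp_users_keys" = {
      text = lib.concatStringsSep "\n" (map (u: "${u.username} ${u.key}") users) + "\n";
      mode = "0644";
      owner = "root";
      group = "root";
    };

    # AuthorizedKeysCommand helper: prints the key(s) registered for the user
    # named in $1, one per line. sshd requires the script to be root-owned and
    # not group/world-writable; 0755 lets the non-root command user run it.
    # Interpreter and awk are pinned to store paths: sshd spawns this with a
    # minimal environment and NixOS has no /bin/grep, /bin/awk or global bash.
    # The username is handed to awk via ENVIRON rather than `-v` so awk does
    # not apply backslash-escape processing to it.
    "${keysDir}/sftp-fetch-key.sh" = {
      text = ''
        #!${pkgs.runtimeShell}
        # Usage: sftp-fetch-key.sh <username>
        # Emits the public key(s) for <username> from ${keysFile}.
        set -eu
        export SFTP_USER="$1"
        exec ${pkgs.gawk}/bin/awk \
          '$1 == ENVIRON["SFTP_USER"] { $1 = ""; sub(/^ +/, ""); print }' \
          ${keysFile}
      '';
      mode = "0755";
      owner = "root";
      group = "root";
    };
  };

  # The account list is known at evaluation time, so match on it directly.
  # The previous `Match Exec "/bin/grep -qE '^%u[[:space:]]' ..."` both failed
  # on NixOS (no /bin/grep) and interpolated the client-supplied login name
  # into a shell command line and an extended regex; `Match User` needs
  # neither. The Match block is only emitted when there is at least one user,
  # because `Match User` with an empty pattern list is a config error.
  services.openssh.extraConfig = lib.optionalString (users != [ ]) ''
    Match User ${matchedUsers}
      # SFTP only, confined to the (root-owned) home; all escape hatches off.
      ChrootDirectory %h
      ForceCommand internal-sftp
      X11Forwarding no
      AllowTcpForwarding no
      AllowAgentForwarding no
      PermitTunnel no
      PermitTTY no
      # Keys come exclusively from the managed file. Disabling the per-user
      # authorized_keys file means a chrooted account can never enrol extra
      # keys from inside its own home.
      AuthorizedKeysFile none
      AuthorizedKeysCommand ${fetchKeyScript} %u
      # Run the lookup unprivileged; sshd recommends a user with no other role
      # on the host. `nobody` is always present on NixOS; swap in a dedicated
      # account if one is available.
      AuthorizedKeysCommandUser nobody
  '';
}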