diff --git a/src/ssh.nix b/src/ssh.nix
index 8d5d5766ae3b30c4801b6ce200fa58c1460f6ca7..da4579b0334e867430191c6bebbc80f61f821ca6 100644
--- a/src/ssh.nix
+++ b/src/ssh.nix
@@ -1,27 +1,34 @@
 # A NixOS module which configures SSH access to a system.
+# Inspired from some previous commits from Jean-Paul in PrivateStorageio
+# https://whetstone.private.storage/privatestorage/PrivateStorageio/-/commit/cb3c46694e693ca658920746418418efd208ca45
+# https://whetstone.private.storage/privatestorage/PrivateStorageio/-/commit/ba7502bb616095586a9b68dddbc3195346b22e42
+{ config, lib, ... }:
 {
-  lib,
-  config,
-  ...
-}: {
+  # An attempt at a properly secure SSH configuration.  This is informed by
+  # personal experience as well as various web resources:
+  #
+  # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
+
+  # Declare our ssh options
   options = {
-    services.private-storage.sshUsers = lib.mkOption {
+    # To configure the users, starting with their public keys
+    ssh.users = lib.mkOption {
       type = lib.types.attrsOf (lib.types.listOf lib.types.str);
-      example = { root = "ssh-ed25519 AAA..."; };
-      description = ''
-        Users to configure on the issuer server and the storage servers and
+      example = { root = [ "ssh-ed25519 AAA..." "ssh-ed25519 BBB..." ]; };
+      description = lib.mdDoc ''
+        Users to configure on the servers and
         the SSH public keys to use to authenticate them.
       '';
     };
   };
+
+  # Define our ssh configuration
   config =
   let
-     cfg = config.services."private-storage";
+    # Alias our options for convenience
+    cnf = config.ssh;
   in {
-    # An attempt at a properly secure SSH configuration.  This is informed by
-    # personal experience as well as various web resources:
-    #
-    # https://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
+    # Configure the server
     services.openssh = {
       enable = true;
 
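Review bot: The `ssh.users` description does not say that the attribute name decides the account type, which matters because a `root` entry authorizes direct root login by key. The second hunk sets `isNormalUser = username != "root"` and installs every listed key, so any other name is created as a normal account. I would extend the description with a sentence such as `Keys listed under root allow direct root login; every other name is created as a normal user.` The `config` block opened in this hunk continues past its end.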
@@ -33,21 +40,24 @@
       passwordAuthentication = false;
 
       extraConfig = ''
-        # Possibly this is superfluous considering we don't allow
-        # password-based authentication at all.
-        PermitEmptyPasswords no
-
-        # Agent forwarding is fraught.  It can be used by an attacker to
-        # leverage one compromised system into more.  Discourage its use.
+        # Agent forwarding is fraught. It can be used by an attacker to
+        # leverage one compromised system into more. Discourage its use.
+        # From man page: Note that disabling agent forwarding does NOT
+        # improve security unless users are also denied shell access,
+        # as they can always install their own forwarders.
         AllowAgentForwarding no
       '';
     };
 
-    users.users =
-      let makeUserConfig = username: sshPublicKeys: {
+    # Configure the users
+    # Iterate through the attribute set option,
+    # and authorized each user with its keys
+    users.users = builtins.mapAttrs (
+      username: keys: {
+        openssh.authorizedKeys.keys = keys;
+        # This is required for regular users
         isNormalUser = username != "root";
-        openssh.authorizedKeys.keys = sshPublicKeys;
-      };
-      in builtins.mapAttrs makeUserConfig cfg.sshUsers;
+      }
+    ) cnf.users;
   };
 }
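Review bot: Dropping `PermitEmptyPasswords no` from `extraConfig` assumes password-style login is fully off, but only `passwordAuthentication = false;` is visible here, and keyboard-interactive (PAM) authentication is a separate switch. The `services.openssh` settings between the two hunks are not shown, so this may already be handled; if it is not, add `kbdInteractiveAuthentication = false;` next to `passwordAuthentication`. Keeping the explicit `PermitEmptyPasswords no` would cost nothing, since it matches the OpenSSH default and keeps the module's intent from depending on that default. A wording nit in the new comment above `users.users`: `authorized each user` should read `authorize each user`.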