diff --git a/modules/default.nix b/modules/default.nix
new file mode 100644
index 0000000..596ea40
--- /dev/null
+++ b/modules/default.nix
@@ -0,0 +1,7 @@
+{ dgn-lib, ... }:
+
+{
+ imports = dgn-lib.mkImports ./. [
+ "dgn-access-control"
+ ];
+}
diff --git a/modules/dgn-access-control.nix b/modules/dgn-access-control.nix
new file mode 100644
index 0000000..f04e71d
--- /dev/null
+++ b/modules/dgn-access-control.nix
@@ -0,0 +1,35 @@
+{ config, lib, dgn-lib, meta, name, ... }:
+
+let
+ nodeMeta = meta.nodes.${name};
+ admins = meta.members.groups.root ++ nodeMeta.admins
+ ++ (builtins.concatMap (g: meta.members.groups.${g}) nodeMeta.adminGroups);
+
+ cfg = config.dgn-access-control;
+in
+
+with lib;
+
+{
+ options.dgn-access-control = {
+ enable = mkEnableOption "DGNum access control." // { default = true; };
+
+ users = mkOption {
+ type = with types; attrsOf (listOf str);
+ default = { };
+ description = ''
+ Attribute set describing which member has access to which user on the node.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # Admins have root access to the node
+ dgn-access-control.users.root = mkDefault admins;
+
+ users.users = builtins.mapAttrs
+ (u: members: { openssh.authorizedKeys.keys = dgn-lib.getKeyFiles members; })
+ cfg.users;
+
+ };
+}
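Review bot: Wrapping the computed admin list in `mkDefault` on the `dgn-access-control.users.root = mkDefault admins;` line means any other definition of `users.root` (for example a node config adding one extra person) silently replaces the whole list, including `meta.members.groups.root` and the node's `adminGroups`, rather than extending it; because the option type is `attrsOf (listOf str)`, definitions of the same key would otherwise merge by concatenation, so a plain `dgn-access-control.users.root = admins;` keeps the organisation-wide root group's access additive and removes the lockout/override foot-gun. If replacing the list is the intended escape hatch, say so in the option description, e.g. `Setting "root" replaces the computed admin list (root group + node admins + adminGroups).`. Separately, `users.users` is defined for every key of `cfg.users`, so a misspelled user name yields a new partial account definition rather than a clear error; whether NixOS rejects it depends on its `isNormalUser`/`isSystemUser` assertion, so it is worth confirming or adding an explicit assertion that each key is an already-declared user. The behaviour of `dgn-lib.getKeyFiles` on an unknown member name is not visible here and should fail evaluation rather than yield an empty key list.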