diff --git a/.github/workflows/flake.yaml b/.github/workflows/flake.yaml
index 7e4bdc9..4cba552 100644
--- a/.github/workflows/flake.yaml
+++ b/.github/workflows/flake.yaml
@@ -14,4 +14,4 @@ jobs:
 - uses: DeterminateSystems/nix-installer-action@v4
 - uses: DeterminateSystems/magic-nix-cache-action@v2
 - run: nix flake check
- - run: nix build --json --no-link --print-build-logs
+ - run: nix develop -c just check
diff --git a/README.md b/README.md
index 9d6e274..7879440 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ No modules.
 | [name](#input\_name) | The name of the repository | `string` | n/a | yes |
 | [owner](#input\_owner) | The name of the repository | `string` | n/a | yes |
 | [required\_status\_checks\_contexts](#input\_required\_status\_checks\_contexts) | The list of status checks to require in order to merge into this branch | `list(string)` | `[]` | no |
-| [team\_slug](#input\_team\_slug) | The slug of the team to grant access to | `string` | `null` | no |
+| [teams](#input\_teams) | The teams to grant access to, and their permission levels | `map(string)` | `{}` | no |
 | [topics](#input\_topics) | The topics of the repository | `list(string)` | `[]` | no |
 | [visibility](#input\_visibility) | The visibility of the repository | `string` | `"private"` | no |
 | [vulnerability\_alerts](#input\_vulnerability\_alerts) | Whether the repository has vulnerability alerts enabled | `bool` | `false` | no |
@@ -63,4 +63,4 @@ No modules.
 | [repo\_id](#output\_repo\_id) | The ID of the repository. |
 | [ssh\_clone\_url](#output\_ssh\_clone\_url) | The SSH URL of the repository. |
 | [svn\_url](#output\_svn\_url) | The SVN URL of the repository. |
-
\ No newline at end of file
+
diff --git a/data.tf b/data.tf
index 522c72a..5de98fb 100644
--- a/data.tf
+++ b/data.tf
@@ -1,5 +1,5 @@
 data "github_team" "self" {
- count = var.team_slug != null ? 1 : 0
+ count = length(keys(var.teams))
- slug = var.team_slug
+ slug = keys(var.teams)[count.index]
 }
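Review bot: In the data.tf hunk, `count = length(keys(var.teams))` with `slug = keys(var.teams)[count.index]` identifies each team by its position in the sorted key list, so adding or removing one team renumbers every instance after it. The main.tf hunk indexes `github_team_repository.self` the same way, so a renumbering would presumably make Terraform replace access grants for teams whose entry did not change. Keying by slug avoids that: `for_each = var.teams` and `slug = each.key` here, with main.tf switched to `each.value` for the permission and a lookup of the data source by `each.key`. Existing state addressed by index would need a `moved` block or a state move when making that switch.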
diff --git a/flake.nix b/flake.nix
index af0b13b..dabebeb 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,6 +8,7 @@
 systems = [ "x86_64-linux" "aarch64-darwin" "x86_64-darwin" ];
 perSystem = { config, self', inputs', pkgs, system, ... }:
 let
+ inherit (pkgs) just terraform terraform-docs;
 terraform-github = pkgs.terraform-providers.mkProvider {
 homepage = "https://registry.terraform.io/providers/integrations/github";
 owner = "integrations";
@@ -42,7 +43,8 @@
 devShells = {
 default = pkgs.mkShell {
- buildInputs = with pkgs; [
+ buildInputs = [
+ just
 terraform
 terraform-docs
 ];
diff --git a/makefile b/justfile
similarity index 62%
rename from makefile
rename to justfile
index 2d6ad33..e3647b0 100644
--- a/makefile
+++ b/justfile
@@ -1,3 +1,6 @@
+check:
+ nix build --json --no-link --print-build-logs
+
 docs:
 terraform-docs markdown table \
 --output-file README.md \
diff --git a/main.tf b/main.tf
index 4f4a614..969118b 100644
--- a/main.tf
+++ b/main.tf
@@ -1,9 +1,9 @@
 resource "github_team_repository" "self" {
- count = var.team_slug != null ? 1 : 0
+ count = length(keys(var.teams))
- permission = "admin"
+ permission = var.teams[keys(var.teams)[count.index]]
 repository = github_repository.self.name
- team_id = data.github_team.self[0].id
+ team_id = data.github_team.self[count.index].id
 }
 resource "github_repository" "self" {
diff --git a/variables.tf b/variables.tf
index 967d380..703eeac 100644
--- a/variables.tf
+++ b/variables.tf
@@ -85,10 +85,28 @@ variable "required_status_checks_contexts" {
 type = list(string)
 }
-variable "team_slug" {
- default = null
- description = "The slug of the team to grant access to"
- type = string
+variable "teams" {
+ default = {}
+ description = "The teams to grant access to, and their permission levels"
+ type = map(string)
+
+ validation {
+ condition = alltrue([
+ for value in var.teams : contains(
+ [
+ // https://registry.terraform.io/providers/integrations/github/latest/docs/resources/team_repository#permission
+ "pull",
+ "triage",
+ "push",
+ "maintain",
+ "admin"
+ ],
+ value
+ )
+ ])
+
+ error_message = "Team permissions must be one of 'pull', 'triage', 'push', 'maintain', 'admin'."
+ }
 }
 variable "topics" {
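Review bot: The `description` of `teams` does not say what the map's keys and values are, although data.tf looks each key up as a team slug and main.tf passes each value as `permission`. Since the permission is no longer fixed at `"admin"`, this text is where a caller learns that the value decides how much access a team receives; I would write `description = "Map of team slug to repository permission (pull, triage, push, maintain or admin)"`. The README table row is generated from this string, so it would need regenerating with the `docs` recipe after the change.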