diff --git a/modules/features/git.nix b/modules/features/git.nix index a79200a..43fab0c 100644 --- a/modules/features/git.nix +++ b/modules/features/git.nix @@ -17,8 +17,8 @@ in scope: let email = account.emails.${scope}.address; - key = machine.sourceControl.${scope}; - hasSigningKey = key != null && key.publicKey != null; + key = lib.attrByPath [ scope ] null machine.sshKeys; + hasSigningKey = key != null; in { allowedSigners = lib.optional hasSigningKey "${email} ${key.publicKey}"; diff --git a/modules/features/services/openssh.nix b/modules/features/services/openssh.nix index 0dee956..21fdb27 100644 --- a/modules/features/services/openssh.nix +++ b/modules/features/services/openssh.nix @@ -1,6 +1,11 @@ -{ config, ... }: +{ config, lib, ... }: let account = config.repo.account; + personalPublicKeys = + machines: + map (machine: machine.sshKeys.personal.publicKey) ( + lib.filter (machine: machine.sshKeys ? personal) (builtins.attrValues machines) + ); in { flake.modules.nixos.ssh-agent-auth = { @@ -23,5 +28,7 @@ in AllowUsers = [ account.name ]; }; }; + + users.users.${account.name}.openssh.authorizedKeys.keys = personalPublicKeys config.repo.machines; }; } diff --git a/modules/hosts/orion/default.nix b/modules/hosts/orion/default.nix index ef81da6..7e13883 100644 --- a/modules/hosts/orion/default.nix +++ b/modules/hosts/orion/default.nix @@ -34,11 +34,6 @@ in ./_disk.nix ]; - users.users.${account.name} = { - linger = true; - openssh.authorizedKeys.keys = [ - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAU2LydkXRTtNFY7oyX8JQURwXLVhB71DeK8XzrXeFX1 openpgp:0xA490D93A" - ]; - }; + users.users.${account.name}.linger = true; }; } diff --git a/modules/hosts/polaris/default.nix b/modules/hosts/polaris/default.nix index ada4649..7ce912b 100644 --- a/modules/hosts/polaris/default.nix +++ b/modules/hosts/polaris/default.nix 
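Review bot: `lib.attrByPath [ scope ] null machine.sshKeys` does the same job as the plain `machine.sshKeys.${scope} or null`, which reads more directly for a single-level lookup; either is fine, but the shorter form matches how the rest of the hunk accesses `account.emails.${scope}`. Since `publicKey` is now a non-null `str` in the new schema, dropping the `key.publicKey != null` test is correct, and a one-line comment such as `# a scope without a key on this machine simply yields no allowedSigners entry` above `hasSigningKey` would make that intent explicit. The enclosing `scope:` function starts before this hunk.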
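Review bot: `personalPublicKeys` authorizes the personal key of every machine in `config.repo.machines` merely because that machine has a `sshKeys.personal` entry, so on every host importing `ssh-agent-auth` a key from a portable device (zenith is declared `portable = true` elsewhere in this diff) now grants the same login as a key from a fixed workstation, whereas orion previously pinned one explicit key. Authorization is better made an explicit per-machine decision than a side effect of defining a signing key, for example by filtering on a dedicated flag or, if `portable` is a schema option, on `machine.sshKeys ? personal && !(machine.portable or false)`; a comment above the helper, e.g. `# keys listed here may log in as ${account.name} on every host using this module`, would keep the trust scope visible. Note also that the same `personal.publicKey` feeds git `allowedSigners`, so one key now serves both commit signing and SSH login and must be revoked in both places when rotated.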
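Review bot: The `openpgp:0xA490D93A` key removed from orion's `authorizedKeys.keys` is not re-added as any machine's `sshKeys.personal.publicKey` in this diff, so unless `repo.machines.orion.sshKeys` is declared outside it, a key that its comment suggests is backed by an OpenPGP token is no longer authorized anywhere after this change. Worth confirming before deploying that the keys the generated list contains (polaris and zenith in this diff) are the ones you actually want on orion, since `AllowUsers` already limits logins to `${account.name}` and there is no longer a per-host entry to fall back on.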
@@ -8,8 +8,10 @@ let in { repo.machines.polaris = { - sourceControl.personal.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVORk45HKkX7gaGGp90KsVyUy6t+fKhbWN/grjkf3cQ kiri@polaris"; - sourceControl.work.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5DMV6EQzsscgEOE0912mNglUHTEl+LPnaWYjj0y57B kiri@polaris#work"; + sshKeys = { + personal.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEVORk45HKkX7gaGGp90KsVyUy6t+fKhbWN/grjkf3cQ kiri@polaris"; + work.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM5DMV6EQzsscgEOE0912mNglUHTEl+LPnaWYjj0y57B kiri@polaris#work"; + }; syncthingId = "6HBAKXB-DB3B4H2-BODCAXF-KD23H5W-6X5LGLC-ZJHZHLG-7U7YMGO-BB6IXQ3"; diff --git a/modules/hosts/zenith/default.nix b/modules/hosts/zenith/default.nix index 508ca74..6c2c334 100644 --- a/modules/hosts/zenith/default.nix +++ b/modules/hosts/zenith/default.nix @@ -10,7 +10,7 @@ in repo.machines.zenith = { portable = true; - sourceControl = { + sshKeys = { personal.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIQy4k04gU7UpjBgyUQ57kUwxOdt79LvMCiCekXZeZhd kiri@zenith"; work.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIHJz5uHKm0/TiMNh/cmzrODHNZ8NgEEZe+47XnJwQGk kiri@zenith#work"; }; diff --git a/modules/lib/schema.nix b/modules/lib/schema.nix index 2c6e688..8509de7 100644 --- a/modules/lib/schema.nix +++ b/modules/lib/schema.nix @@ -25,6 +25,22 @@ let } ); + sshKeyType = lib.types.submodule ( + { name, ... }: + { + options = { + publicKey = lib.mkOption { + type = lib.types.str; + }; + + privateKeyPath = lib.mkOption { + type = lib.types.str; + default = "~/.ssh/id_${name}"; + }; + }; + } + ); + accountType = lib.types.submodule ( { config, ... }: { 
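Review bot: `publicKey` is declared as a bare `lib.types.str` in `sshKeyType`, yet its value is interpolated verbatim into `authorized_keys` and into the git `allowedSigners` line, where a stray newline or a leading options field would silently change what is authorized; constraining it in the schema, at minimum `type = lib.types.singleLineStr;` or a `lib.types.strMatching` pattern for `<keytype> <base64> [comment]`, would reject a mispasted key at evaluation time instead of at login. The `privateKeyPath` default `~/.ssh/id_${name}` keeps a literal tilde, so whichever consumer reads it must expand it; neither option carries a `description`, and one sentence on each (that `publicKey` is used for both SSH authorization and commit-signature verification, and that the path is not expanded here) would document the trust role these values play.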
@@ -107,40 +123,6 @@ let } ); - sourceControlMachineKeyType = lib.types.submodule ( - { name, ... }: - { - options = { - publicKey = lib.mkOption { - type = lib.types.nullOr lib.types.str; - default = null; - }; - - privateKeyPath = lib.mkOption { - type = lib.types.str; - default = "~/.ssh/id_${name}"; - }; - }; - } - ); - - sourceControlMachineType = lib.types.submodule ( - { ... }: - { - options = { - personal = lib.mkOption { - type = lib.types.nullOr sourceControlMachineKeyType; - default = null; - }; - - work = lib.mkOption { - type = lib.types.nullOr sourceControlMachineKeyType; - default = null; - }; - }; - } - ); - machineType = lib.types.submodule ( { name, config, ... }: { @@ -164,8 +146,8 @@ let default = { }; }; - sourceControl = lib.mkOption { - type = sourceControlMachineType; + sshKeys = lib.mkOption { + type = lib.types.attrsOf sshKeyType; default = { }; };