Add ci deploy ssh key to all hosts

nixos-modules/system/default.nix

@@ -4,6 +4,14 @@
   pkgs,
   ...
 }:
+let
+  inherit (lib)
+    concatLists
+    elem
+    mapAttrsToList
+    mkForce
+    ;
+in
 {
   imports = [
     ./applications.nix
@@ -35,20 +43,26 @@
   };
 
   users.mutableUsers = false;
+
   users.users = {
     root.openssh.authorizedKeys.keys =
-      with lib;
-      concatLists (
-        mapAttrsToList (
-          name: user:
-          if elem "wheel" user.extraGroups && name != "root" then user.openssh.authorizedKeys.keys else [ ]
-        ) config.users.users
-      );
+      let
+        wheelUserKeys = concatLists (
+          mapAttrsToList (
+            name: user:
+            if elem "wheel" user.extraGroups && name != "root" then user.openssh.authorizedKeys.keys else [ ]
+          ) config.users.users
+        );
+      in
+      wheelUserKeys
+      ++ [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBS65v7n5ozOUjYGuO/dgLC9C5MUGL5kTnQnvWAYP5B3 ci@git.qo.is"
+      ];
   };
 
   # Disable dependency on xorg
   # TODO: Set environment.noXlibs on hosts that don't need any x libraries.
-  security.pam.services.su.forwardXAuth = lib.mkForce false;
+  security.pam.services.su.forwardXAuth = mkForce false;
 
   # Package management
   nix = {

nixos-modules/system/virtual-machine.nix

@@ -13,10 +13,6 @@ with lib;
 
   config = lib.mkIf cfg.enable {
 
-    users.users.root.openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBS65v7n5ozOUjYGuO/dgLC9C5MUGL5kTnQnvWAYP5B3 ci@git.qo.is"
-    ]; # TODO: Move this key to allow CI deployment for all machines.
-
     boot.loader.grub.enable = true;
 
     system.autoUpgrade.allowReboot = true;