feat(meta/checks): check only for required ssh keys

meta/options.nix

@@ -8,11 +8,14 @@
 
 let
   inherit (lib)
+    concatLists
+    mapAttrsToList
     mkEnableOption
     mkDefault
     mkIf
     mkOption
     optionalAttrs
+    unique
     ;
 
   inherit (lib.types)
@@ -382,6 +385,12 @@ in
       groupsExists = nameExists groups;
 
       extract = name: builtins.mapAttrs (_: builtins.getAttr name);
+
+      nodeAdmins =
+        _:
+        { admins, adminGroups, ... }:
+        (builtins.foldl' (members: group: members ++ org.groups.${group})) admins adminGroups;
+      all-admins = unique (org.groups.root ++ concatLists (mapAttrsToList nodeAdmins config.nodes));
     in
     {
       assertions = builtins.concatLists [
@@ -419,7 +428,7 @@ in
         (builtins.map (name: {
           assertion = ((import ../keys)._keys.${name} or [ ]) != [ ];
           message = "No ssh keys found for ${name}.";
-        }) members)
+        }) all-admins)
       ];
     };
 }