diff --git a/hive.nix b/hive.nix index a78c086..1dee3cb 100644 --- a/hive.nix +++ b/hive.nix @@ -2,7 +2,6 @@ let mods = import ./modules; users = import ./users; sources = import ./npins; - id_sylvain = "ssh-rsa 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 sylvain@idefix"; mkNixpkgsSrc = (import sources.nix-patches { patchFile = ./patches; }).mkNixpkgsSrc; in { @@ -31,8 +30,6 @@ in { imports = [ ./kat - "${sources.home-manager}/nixos" - "${sources.disko}/module.nix" ]; networking.hostName = name; }; @@ -75,7 +72,7 @@ in }; kat-virt = - { users, ... }: + { ssh-keys, ... }: { deployment = { targetHost = "virt.kat"; @@ -89,14 +86,11 @@ in imports = [ ./machines/kat-virt ]; - users.users.root.openssh.authorizedKeys.keys = [ - id_sylvain - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoQZ/77uiai4rBHYwL55IweUOdR9svxDxlP/o7sulRT gdesfrene@clipper.ens.fr" - ]; + users.users.root.openssh.authorizedKeys.keys = with ssh-keys; sylvain ++ gaby; }; kat-mail-test = - { users, ... }: + { ssh-keys, ... }: { deployment = { targetHost = "mail-test.kat"; @@ -110,7 +104,7 @@ in imports = [ ./machines/kat-mail-test ]; - users.users.root.openssh.authorizedKeys.keys = [ id_sylvain ]; + users.users.root.openssh.authorizedKeys.keys = ssh-keys.sylvain; }; kat-son = diff --git a/kat/default.nix b/kat/default.nix index 9ba55bd..1a74cee 100644 --- a/kat/default.nix +++ b/kat/default.nix @@ -2,6 +2,7 @@ lib, config, pkgs, + sources, ... }: with lib; @@ -10,6 +11,8 @@ with lib; ./users ./proxies ./root.nix + "${sources.home-manager}/nixos" + "${sources.disko}/module.nix" ]; options.kat = { wireguardPubKey = mkOption { 
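Review bot: In the kat-virt hunk of hive.nix, `with ssh-keys; sylvain ++ gaby` builds the root key list from names that `with` supplies only when nothing lexically bound has the same name, so a later `let` binding or function argument called `sylvain` or `gaby` would silently change who gets root. Writing `ssh-keys.sylvain ++ ssh-keys.gaby` keeps the origin explicit and matches the `ssh-keys.sylvain` form used for kat-mail-test in the next hunk. kat/root.nix assigns the same list option, so the effective root key set on this host is presumably the merge of both definitions. A short comment saying so, for example `# merged with the keys set in kat/root.nix`, would make audits easier.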
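Review bot: In kat/default.nix, `sources` becomes a module argument (first hunk) that is read inside `imports` (second hunk), and that only evaluates when the argument comes from `specialArgs`. An argument provided through `_module.args` cannot be used in `imports` without infinite recursion. The place where hive.nix passes `sources` to the modules is not visible in this diff, so confirm it comes from `specialArgs`. A comment next to the new entries would record the constraint, for example `# sources must come from specialArgs because it is used in imports`.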
@@ -18,18 +21,18 @@ with lib;
 fqdn = mkOption {
 type = types.str;
 };
- path = mkOption {
- readOnly = true;
- type = types.path;
- };
 anywhere = lib.mkOption {
 type = lib.types.package;
 readOnly = true;
 };
 };
 config = {
+ _module.args = {
+ ssh-keys = import ./ssh-keys { inherit lib; };
+ kat-path = ./.;
+ };
+
 kat = {
- path = ./.;
 anywhere = pkgs.writeShellApplication {
 name = "anywhere-deploy_${name}.sh";
 runtimeInputs = [ pkgs.nixos-anywhere ];
diff --git a/kat/root.nix b/kat/root.nix
index 8d960f0..f64b8e3 100644
--- a/kat/root.nix
+++ b/kat/root.nix
@@ -1,7 +1,5 @@
-{ ... }:
+{ ssh-keys, ... }:
 {
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor"
- ];
+ users.users.root.openssh.authorizedKeys.keys = ssh-keys.catvayor;
 home-manager.users.root = { };
 }
diff --git a/kat/ssh-keys/catvayor.keys b/kat/ssh-keys/catvayor.keys
new file mode 100644
index 0000000..901a99a
--- /dev/null
+++ b/kat/ssh-keys/catvayor.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAA16foz+XzwKwyIR4wFgNIAE3Y7AfXyEsUZFVVz8Rie catvayor@katvayor
diff --git a/kat/ssh-keys/default.nix b/kat/ssh-keys/default.nix
new file mode 100644
index 0000000..73e7aa8
--- /dev/null
+++ b/kat/ssh-keys/default.nix
@@ -0,0 +1,15 @@
+{ lib }:
+with lib;
+let
+ key-files = filterAttrs (name: _: name != "default.nix") (builtins.readDir ./.);
+ readKeys =
+ file:
+ let
+ lines = map trim (splitString "\n" (readFile file));
+ in
+ filter (line: line != "" && !hasPrefix "#" line) lines;
+in
+mapAttrs' (name: _: {
+ name = removeSuffix ".keys" name;
+ value = readKeys ./${name};
+}) key-files
diff --git a/kat/ssh-keys/gaby.keys b/kat/ssh-keys/gaby.keys
new file mode 100644
index 0000000..11c9764
--- /dev/null
+++ b/kat/ssh-keys/gaby.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoQZ/77uiai4rBHYwL55IweUOdR9svxDxlP/o7sulRT gdesfrene@clipper.ens.fr
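Review bot: In the kat/default.nix hunk that adds `_module.args`, removing the read-only `kat.path` option in favour of the `kat-path` argument breaks any module that still reads `config.kat.path`. No such reader is visible in this diff, so a repository-wide search is worth doing before merge. Both `ssh-keys` and `kat-path` are set through `_module.args`, so they can be used in `config` and `options` but not in `imports`. A comment above the block, for example `# _module.args: usable in config and options, never in imports`, would spare the next contributor an infinite-recursion error. The `config` block continues past the end of the hunk.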
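Review bot: In kat/ssh-keys/default.nix, `key-files` accepts every directory entry except `default.nix`, so a subdirectory, README or editor backup becomes an attribute of the key set. `removeSuffix ".keys"` leaves such a name unchanged, and `readFile` fails on a directory once the attribute is forced. Restricting the filter to real key files closes this: `key-files = filterAttrs (name: type: type == "regular" && hasSuffix ".keys" name) (builtins.readDir ./.);`. Separately, `readKeys` passes any non-comment line straight into root's `authorizedKeys.keys`, and an empty or comment-only file yields `[]` without an error. Because these lists decide root access, consider an assertion that each user's list is non-empty and that every line starts with an expected key type.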
diff --git a/kat/ssh-keys/sylvain.keys b/kat/ssh-keys/sylvain.keys
new file mode 100644
index 0000000..0ceea4c
--- /dev/null
+++ b/kat/ssh-keys/sylvain.keys
@@ -0,0 +1 @@
+ssh-rsa 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 sylvain@idefix