diff --git a/hosts/common/home/ssh.nix b/hosts/common/home/ssh.nix
index 4e19967c..c8b5c218 100644
--- a/hosts/common/home/ssh.nix
+++ b/hosts/common/home/ssh.nix
@@ -1,3 +1,4 @@
+# TODO: this should be moved to users/colin.nix
 { config, lib, sane-lib, ... }:
 with lib;
 
diff --git a/hosts/common/ssh.nix b/hosts/common/ssh.nix
index 52223926..e896f8fc 100644
--- a/hosts/common/ssh.nix
+++ b/hosts/common/ssh.nix
@@ -2,7 +2,6 @@
 
 let
   inherit (builtins) attrValues head map mapAttrs tail;
-  inherit (lib) concatStringsSep mkMerge reverseList;
 in
 {
   sane.ssh.pubkeys =
@@ -10,9 +9,9 @@ in
       # path is a DNS-style path like [ "org" "uninsane" "root" ]
       keyNameForPath = path:
         let
-          rev = reverseList path;
+          rev = lib.reverseList path;
           name = head rev;
-          host = concatStringsSep "." (tail rev);
+          host = lib.concatStringsSep "." (tail rev);
         in
           "${name}@${host}";
 
@@ -23,9 +22,10 @@ in
         (name: {
           inherit name;
           value = {
-            colin = hostCfg.ssh.user_pubkey;
             root = hostCfg.ssh.host_pubkey;
-          };
+          } // (lib.optionalAttrs hostCfg.ssh.authorized {
+            colin = hostCfg.ssh.user_pubkey;
+          });
         })
         hostCfg.names
       ;
@@ -34,7 +34,7 @@ in
           map keysForHost (builtins.attrValues config.sane.hosts.by-name)
         )
       );
-    in mkMerge (map
+    in lib.mkMerge (map
       ({ path, value }: {
         "${keyNameForPath path}" = lib.mkIf (value != null) value;
       })
diff --git a/hosts/modules/hosts.nix b/hosts/modules/hosts.nix
index bdb40b81..eaf0c27e 100644
--- a/hosts/modules/hosts.nix
+++ b/hosts/modules/hosts.nix
@@ -26,6 +26,11 @@ let
           e.g. "ssh-ed25519 AAAA".
         '';
       };
+      ssh.authorized = mkOption {
+        type = types.bool;
+        default = true;
+        description = "make this host's ssh key be an authorized_key for the system being deployed to";
+      };
       wg-home.pubkey = mkOption {
         type = types.nullOr types.str;
         default = null;
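Review bot: The new `lib.optionalAttrs hostCfg.ssh.authorized` guard in hosts/common/ssh.nix withholds only the `colin` entry (`ssh.user_pubkey`); the `root = hostCfg.ssh.host_pubkey` entry is still emitted unconditionally for every host, so if `sane.ssh.pubkeys` is what ends up in `authorized_keys` on the deployed system, a host with `ssh.authorized = false` would keep root-level access via its host key — this diff does not show the consumer, so that is an inference to confirm. Either way, the option description added in hosts/modules/hosts.nix (`"make this host's ssh key be an authorized_key ..."`) does not say which of the two keys it gates; a precise wording would be `description = "whether this host's ssh.user_pubkey is added to authorized_keys on the systems being deployed to";`. If the intent is that a non-authorized host cannot log in at all, the `root` entry needs the same guard. The enclosing keysForHost definition starts outside the hunk.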
@@ -92,6 +97,7 @@ in
   };
 
   sane.hosts.by-name."moby" = {
+    ssh.authorized = lib.mkDefault false;  # moby's too easy to hijack: don't let it ssh places
     ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICrR+gePnl0nV/vy7I5BzrGeyVL+9eOuXHU1yNE3uCwU";
     ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1N/IT3nQYUD+dBlU1sTEEVMxfOyMkrrDeyHcYgnJvw";
     wg-home.pubkey = "I7XIR1hm8bIzAtcAvbhWOwIAabGkuEvbWH/3kyIB1yA=";
@@ -100,6 +106,7 @@ in
   };
 
   sane.hosts.by-name."servo" = {
+    ssh.authorized = lib.mkDefault false;  # servo presents too many services to the internet: easy atack vector
     ssh.user_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPS1qFzKurAdB9blkWomq8gI1g0T3sTs9LsmFOj5VtqX";
     ssh.host_pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfdSmFkrVT6DhpgvFeQKm3Fh9VKZ9DbLYOPOJWYQ0E8";
     wg-home.pubkey = "roAw+IUFVtdpCcqa4khB385Qcv9l5JAB//730tyK4Wk=";
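Review bot: `ssh.authorized = lib.mkDefault false;` on both the moby and servo lines is the lowest-priority kind of definition, so any other module that sets `ssh.authorized = true` for either host overrides the deny silently instead of producing a conflict error; for a hardening decision made because these hosts are considered easy to compromise, that is the wrong failure mode. If the deny is meant to hold, write `ssh.authorized = false;` so a second definition is rejected at evaluation time, or `lib.mkForce false` if it must win over everything; keep `mkDefault` only if this file is intentionally a soft baseline. The trailing comment on the servo line has a typo: `easy atack vector` should read `easy attack vector`.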