make host details like host_pubkey, wg-home.ip be optional

hosts/common/ssh.nix

@@ -5,7 +5,10 @@ let
     (hostName: hostCfg:
       # generate `root@servo`, `colin@servo`, `root@servo-hn`, `colin@servo-hn`, ... as a single attrset:
       lib.foldl' (acc: alias: acc // {
-        "root@${alias}" = hostCfg.ssh.host_pubkey;
+        "root@${alias}" = lib.mkIf (hostCfg.ssh.host_pubkey != null) hostCfg.ssh.host_pubkey;
+        # XXX: ALL `colin@` keys we propagate here are added as authorized keys, in hosts/common/home/ssh.nix.
+        # so only propagate the ones we want to authorize, here!
+        # (this is a confusing footgun, should be changed)
         "colin@${alias}" = lib.mkIf (hostCfg.ssh.user_pubkey != null && hostCfg.ssh.authorized) hostCfg.ssh.user_pubkey;
       })
       {}

hosts/modules/hosts.nix

@@ -18,7 +18,8 @@ let
         '';
       };
       ssh.host_pubkey = mkOption {
-        type = types.str;
+        type = types.nullOr types.str;
+        default = null;
         description = ''
           ssh pubkey which this host will present to connections initiated against it.
           e.g. "ssh-ed25519 AAAA<base64>".

modules/programs/default.nix

@@ -44,7 +44,7 @@ let
         vpn = if sandbox.net == "vpn" then
           lib.findSingle (v: v.isDefault) null null (builtins.attrValues config.sane.vpn)
         else if sandbox.net == "vpn.wg-home" then
-          config.sane.vpn.wg-home
+          config.sane.vpn.wg-home or null
         else
           null
         ;