diff --git a/modules/base.nix b/modules/base.nix
index 9f1423af..a38ebeff 100644
--- a/modules/base.nix
+++ b/modules/base.nix
@@ -74,11 +74,7 @@
 # ```
 # 2. Never leave the device and never sent over the network.
 # 2. Or just use hardware security keys like Yubikey/CanoKey.
- openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
- ];
+ openssh.authorizedKeys.keys = myvars.sshAuthorizedKeys;
 };
 
 nix.settings = {
diff --git a/modules/nixos/base/user-group.nix b/modules/nixos/base/user-group.nix
index bc607b6c..216000df 100644
--- a/modules/nixos/base/user-group.nix
+++ b/modules/nixos/base/user-group.nix
@@ -22,7 +22,7 @@
 users.users."${myvars.username}" = {
 # generated by `mkpasswd -m scrypt`
 # we have to use initialHashedPassword here when using tmpfs for /
- initialHashedPassword = "$7$CU..../....KDvTIXqLTXpmCaoUy2yC9.$145eM358b7Q0sRXgEBvxctd5EAuEEdao57LmZjc05D.";
+ inherit (myvars) initialHashedPassword;
 home = "/home/${myvars.username}";
 isNormalUser = true;
 extraGroups = [
diff --git a/vars/default.nix b/vars/default.nix
index 966b26de..b3db89c5 100644
--- a/vars/default.nix
+++ b/vars/default.nix
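Review bot: The three comment lines kept as context above the new `openssh.authorizedKeys.keys = myvars.sshAuthorizedKeys;` line still describe how the listed keys must be generated, but the list itself now lives in vars/default.nix with the same comment block copied there, so this copy goes stale as soon as either is edited. I would shorten the block here to a one-line pointer such as `# Key list and its handling rules: see sshAuthorizedKeys in vars/default.nix.` and keep the full text next to the definition. The comment block and the enclosing user attribute set both begin before this hunk.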
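Review bot: The first context comment line (generated by mkpasswd -m scrypt) above `inherit (myvars) initialHashedPassword;` now describes a value that is defined in vars/default.nix, where the same comment is repeated, so only the second line about tmpfs still explains something local to this file. I would drop the first comment line here and keep it with the definition. Separately, if this repository is published, the scrypt hash remains readable from the tree; `users.users.<name>.hashedPasswordFile` pointing at a file delivered outside git is one option to evaluate, noting that the file must exist at activation time and so would need a persisted path when / is tmpfs. That is outside this commit's scope; the enclosing attribute set begins before this hunk and continues after it.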
@@ -3,4 +3,23 @@
 userfullname = "Ryan Yin";
 useremail = "xiaoyin_c@qq.com";
 networking = import ./networking.nix {inherit lib;};
+ # generated by `mkpasswd -m scrypt`
+ initialHashedPassword = "$7$CU..../....KDvTIXqLTXpmCaoUy2yC9.$145eM358b7Q0sRXgEBvxctd5EAuEEdao57LmZjc05D.";
+ # Public Keys that can be used to login to all my PCs, Macbooks, and servers.
+ #
+ # Since its authority is so large, we must strengthen its security:
+ # 1. The corresponding private key must be:
+ # 1. Generated locally on every trusted client via:
+ # ```bash
+ # # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
+ # # Passphrase: digits + letters + symbols, 12+ chars
+ # ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
+ # ```
+ # 2. Never leave the device and never sent over the network.
+ # 2. Or just use hardware security keys like Yubikey/CanoKey.
+ sshAuthorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIKlN+Q/GxvwxDX/OAjJHaNFEznEN4Tw4E4TwqQu/eD6 ryan@idols-ai"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPoa9uEI/gR5+klqTQwvCgD6CD5vT5iD9YCNx2xNrH3B ryan@fern"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPwZ9MdotnyhxIJrI4gmVshExHiZOx+FGFhcW7BaYkfR ryan@harmonica"
+ ];
 }
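Review bot: The ssh-keygen command in the new comment block ends with a stray backtick after `-f ~/.ssh/xxx`, and the KDF line above it has an unbalanced parenthesis (`takes 2s on Apple M2):`), so the snippet does not copy-paste cleanly. The nested list also numbers both sub-items and both top-level items as 1./2., which reads as four sequential steps rather than two alternatives, and "never sent over the network" should read "never be sent over the network". I would write the command as `ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`, close the parenthesis, and letter the inner items a./b. The hunk is complete; the enclosing attribute set begins before it.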