feat: security - gnupg & openssh's KDF

modules/base.nix

@@ -12,9 +12,20 @@
 
   users.users.${username} = {
     description = userfullname;
+    # Public Keys that can be used to login to all my PCs, Macbooks, and servers.
+    # 
+    # Since its authority is so large, we must strengthen its security:
+    # 1. The corresponding private key must be:
+    #    1. Generated locally on every trusted client via:
+    #      ```bash
+    #      # KDF: bcrypt with 256 rounds, takes 2s on Apple M2):
+    #      # Passphrase: digits + letters + symbols, 12+ chars
+    #      ssh-keygen -t ed25519 -a 256 -C "ryan@xxx" -f ~/.ssh/xxx`
+    #      ```
+    #    2. Never leave the device and never sent over the network.
+    # 2. Or just use hardware security keys like Yubikey/CanoKey.
     openssh.authorizedKeys.keys = [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDiipi59EnVbi6bK1bGrcbfEM263wgdNfbrt6VBC1rHx ryan@ai-idols"
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSfp/hvegbK04HykWvoY1EbDW+vXu1AlCjVivWE2ZeR ryan@shoukei"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE400EbKY1D9zfevk17AaPTtQ8dxJvCS5Zec+8aleLY4 ryan@fern"
     ];
   };