diff --git a/flake.nix b/flake.nix
index f7ace0712..4a4064ff1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -317,16 +317,14 @@
 catcolab = {
 hostname = "backend.catcolab.org";
 profiles.system = {
- sshUser = "catcolab";
- user = "root";
+ sshUser = "root";
 path = deploy-rs.lib.${linuxSystem}.activate.nixos self.nixosConfigurations.catcolab;
 };
 };
 catcolab-next = {
 hostname = "backend-next.catcolab.org";
 profiles.system = {
- sshUser = "catcolab";
- user = "root";
+ sshUser = "root";
 path = deploy-rs.lib.${linuxSystem}.activate.nixos self.nixosConfigurations.catcolab-next;
 };
 };
@@ -338,9 +336,8 @@
 "-p"
 "2221"
 ];
- sshUser = "catcolab";
+ sshUser = "root";
 path = deploy-rs.lib.${linuxSystem}.activate.nixos self.nixosConfigurations.catcolab-vm;
- user = "root";
 };
 };
 };
diff --git a/infrastructure/hosts/catcolab-next/default.nix b/infrastructure/hosts/catcolab-next/default.nix
index 4ba2d0ff1..c3939503f 100644
--- a/infrastructure/hosts/catcolab-next/default.nix
+++ b/infrastructure/hosts/catcolab-next/default.nix
@@ -5,11 +5,7 @@
 ...
 }:
 let
- owen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
- epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
- jmoggr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiaHaeJ5PQL0mka/lY1yGXIs/bDK85uY1O3mLySnwHd j@jmoggr.com";
- kasbah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1K/FB6dCjo1/xfddi9VoHEGchFo/bcz6v7SC7wAuFQ kaspar@topos";
- catcolab-next-deployuser = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7AYg1fZM0zMxb/BuZTSwK4O3ycUIHruApr1tKoO8nJ deployuser@next.catcolab.org";
+ keys = import ../../ssh-keys.nix;
 in
 {
 imports = [
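Review bot: Dropping `user = "root"` from the catcolab profile relies on deploy-rs defaulting `user` to `sshUser`, which the hunk leaves implicit; the catcolab-next profile in this hunk and catcolab-vm in the next one do the same. Because every deploy now opens an SSH session as root, and host.nix mirrors the per-person `userKeys` onto root, the root `authorizedKeys` list has become the effective deployment ACL and should be reviewed as such. I would state this once above the first profile: `# Deploys run as root so activation does not hit the sudo password prompt; deploy-rs's user defaults to sshUser.`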
@@ -41,13 +37,8 @@ in
 environmentFile = config.age.secrets.catcolabSecrets.path;
 host = {
 enable = true;
- userKeys = [
- owen
- epatters
- jmoggr
- catcolab-next-deployuser
- kasbah
- ];
+ userKeys = keys.hosts.catcolab-next.userKeys;
+ sudoPasswordHash = "$y$j9T$Gvhb3z8dNG2Gzk5STLY2q0$w8hilnb9bC2aNuH8Vx4FpgRzotKpFJeF2oFQ24MGMK8";
 backup = {
 enable = true;
 rcloneConfigFile = config.age.secrets.rcloneConf.path;
diff --git a/infrastructure/hosts/catcolab-vm/default.nix b/infrastructure/hosts/catcolab-vm/default.nix
index 2bf93c483..3466a1bc2 100644
--- a/infrastructure/hosts/catcolab-vm/default.nix
+++ b/infrastructure/hosts/catcolab-vm/default.nix
@@ -6,6 +6,9 @@
 self,
 ...
 }:
+let
+ keys = import ../../ssh-keys.nix;
+in
 {
 imports = [
 (modulesPath + "/profiles/qemu-guest.nix")
@@ -30,10 +33,8 @@
 environmentFile = /etc/catcolab/catcolab-secrets.env;
 host = {
 enable = true;
- userKeys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiaHaeJ5PQL0mka/lY1yGXIs/bDK85uY1O3mLySnwHd j@jmoggr.com"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1K/FB6dCjo1/xfddi9VoHEGchFo/bcz6v7SC7wAuFQ kaspar@topos"
- ];
+ sudoPasswordHash = "$y$j9T$Gvhb3z8dNG2Gzk5STLY2q0$w8hilnb9bC2aNuH8Vx4FpgRzotKpFJeF2oFQ24MGMK8";
+ userKeys = keys.allUserKeys;
 };
 };
diff --git a/infrastructure/hosts/catcolab/default.nix b/infrastructure/hosts/catcolab/default.nix
index 65a3ff107..e59f58484 100644
--- a/infrastructure/hosts/catcolab/default.nix
+++ b/infrastructure/hosts/catcolab/default.nix
@@ -5,10 +5,7 @@
 ...
 }:
 let
- owen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
- epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
- jmoggr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiaHaeJ5PQL0mka/lY1yGXIs/bDK85uY1O3mLySnwHd j@jmoggr.com";
- kasbah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1K/FB6dCjo1/xfddi9VoHEGchFo/bcz6v7SC7wAuFQ kaspar@topos";
+ keys = import ../../ssh-keys.nix;
 in
 {
 imports = [
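Review bot: The `sudoPasswordHash` added here is a password hash committed to the repository, and the identical hash is set for catcolab-vm later in this line and for catcolab in the next hunk, so one shared password now unlocks sudo on prod, next and the VM and is available for offline cracking to anyone with read access to the repo. The file already pulls secrets from agenix (`config.age.secrets.catcolabSecrets.path` two lines above), so the host.nix option would be safer as a path consumed by `users.users.catcolab.hashedPasswordFile` instead of `hashedPassword`, with a distinct hash per host, e.g. `sudoPasswordFile = config.age.secrets.catcolabSudoPassword.path;` (secret name illustrative). If the hash must stay in Nix, a per-host value and a comment on how to rotate it would at least limit blast radius.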
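Review bot: `userKeys = keys.allUserKeys` in the catcolab-vm hunk widens who may log in to the VM as catcolab and as root from the two keys removed here to every key in ssh-keys.nix, including the `catcolab-next-deployuser` automation key. If that is intended, say so on the line: `userKeys = keys.allUserKeys; # dev VM: every contributor key, including the next deploy key`; otherwise a `hosts.catcolab-vm.userKeys` entry in ssh-keys.nix listing the two previous keys keeps the scope unchanged.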
@@ -38,11 +35,8 @@ in
 environmentFile = config.age.secrets.catcolabSecrets.path;
 host = {
 enable = true;
- userKeys = [
- epatters
- jmoggr
- kasbah
- ];
+ userKeys = keys.hosts.catcolab.userKeys;
+ sudoPasswordHash = "$y$j9T$Gvhb3z8dNG2Gzk5STLY2q0$w8hilnb9bC2aNuH8Vx4FpgRzotKpFJeF2oFQ24MGMK8";
 backup = {
 enable = true;
 rcloneConfigFile = config.age.secrets.rcloneConf.path;
diff --git a/infrastructure/modules/catcolab/host.nix b/infrastructure/modules/catcolab/host.nix
index 64e6d927a..dfe03a359 100644
--- a/infrastructure/modules/catcolab/host.nix
+++ b/infrastructure/modules/catcolab/host.nix
@@ -17,6 +17,10 @@ with lib;
 description = "SSH public keys to access the catcolab user.";
 default = [ ];
 };
+ sudoPasswordHash = mkOption {
+ type = types.str;
+ description = "Hashed password for sudo authentication. Generate with: mkpasswd";
+ };
 };
 config = lib.mkIf config.catcolab.host.enable {
@@ -26,8 +30,11 @@ with lib;
 isNormalUser = true;
 extraGroups = [ "wheel" ];
 openssh.authorizedKeys.keys = config.catcolab.host.userKeys;
+ hashedPassword = config.catcolab.host.sudoPasswordHash;
 };
- # TODO: root access can be dropped after the next prod deploy
+
+ # Need to access root for deploying to bypass sudo password. The root user should not generally
+ # not be used directly.
 root.openssh.authorizedKeys.keys = config.catcolab.host.userKeys;
 };
@@ -35,11 +42,11 @@ with lib;
 mutableUsers = false;
 };
- security.sudo = {
- wheelNeedsPassword = false;
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
 };
- services.openssh.enable = true;
 nix = {
 settings.trusted-users = [
 "catcolab"
diff --git a/infrastructure/secrets/secrets.nix b/infrastructure/secrets/secrets.nix
index 0943f5f68..97cfa208e 100644
--- a/infrastructure/secrets/secrets.nix
+++ b/infrastructure/secrets/secrets.nix
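Review bot: In the host.nix hunk that adds `hashedPassword`, the sudo password gate it introduces is bypassed by the very next line, because `root.openssh.authorizedKeys.keys` is still the full `userKeys` set: every key that can log in as catcolab can also log in as root with no password at all. That was already true before the change, but once a sudo password is the stated control, the root path should be narrowed to a dedicated deploy key (the repository already has `catcolab-next-deployuser`) or documented as a deliberate bypass. The new comment also reads `should not generally not be used`, a double negative that inverts the meaning; suggest `# Root keeps the deploy keys so deploy-rs can activate without a sudo password prompt. Do not use root for interactive work.`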
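Review bot: `settings.PasswordAuthentication = false` in the last host.nix hunk closes the obvious path, but now that `catcolab` carries a `hashedPassword` and root accepts keys for deploys, the other password-bearing paths are worth pinning rather than left to NixOS defaults: `settings.KbdInteractiveAuthentication = false;` and `settings.PermitRootLogin = "prohibit-password";`. As far as I know both match the current NixOS defaults, so this is documentation of intent as much as hardening, and it protects against a future module or profile flipping them.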
@@ -1,39 +1,17 @@
 let
- catcolab = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyxORhhfO+9F2hQZ3I/EiSpfg+caWpG6c8AuG5u1XtK root@ip-172-31-14-38.us-east-2.compute.internal";
- catcolab-next = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEyUzs+ymd6YFKnPTi6cfoWuNI/fhBGgcx0YELTzWJI root@ip-172-31-9-115.us-east-2.compute.internal";
- owen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
- epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
- jmoggr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiaHaeJ5PQL0mka/lY1yGXIs/bDK85uY1O3mLySnwHd j@jmoggr.com";
- kasbah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1K/FB6dCjo1/xfddi9VoHEGchFo/bcz6v7SC7wAuFQ kaspar@topos";
- catcolab-next-deployuser = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7AYg1fZM0zMxb/BuZTSwK4O3ycUIHruApr1tKoO8nJ deployuser@next.catcolab.org";
+ keys = import ../ssh-keys.nix;
 in
-builtins.mapAttrs (_: publicKeys: { inherit publicKeys; }) ({
- "env.next.age" = [
- catcolab-next
- owen
- epatters
- jmoggr
- catcolab-next-deployuser
- kasbah
- ];
- "env.prod.age" = [
- catcolab
- epatters
- jmoggr
- kasbah
- ];
- "rclone.conf.next.age" = [
- catcolab-next
- owen
- epatters
- jmoggr
- catcolab-next-deployuser
- kasbah
- ];
- "rclone.conf.prod.age" = [
- catcolab
- epatters
- jmoggr
- kasbah
- ];
-})
+{
+ "env.next.age" = {
+ publicKeys = keys.hosts.catcolab-next.allKeys;
+ };
+ "rclone.conf.next.age" = {
+ publicKeys = keys.hosts.catcolab-next.allKeys;
+ };
+ "env.prod.age" = {
+ publicKeys = keys.hosts.catcolab.allKeys;
+ };
+ "rclone.conf.prod.age" = {
+ publicKeys = keys.hosts.catcolab.allKeys;
+ };
+}
diff --git a/infrastructure/ssh-keys.nix b/infrastructure/ssh-keys.nix
new file mode 100644
index 000000000..3696a78ee
--- /dev/null
+++ b/infrastructure/ssh-keys.nix
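Review bot: Tying each secret's recipients to `keys.hosts.<host>.allKeys` means that adding a key to a host's `userKeys` in ssh-keys.nix also grants decryption of that host's secrets once the files are re-keyed, a coupling that is useful but easy to miss when someone only intends to grant SSH access. A comment at the top of the file would make it explicit: `# Recipients follow ssh-keys.nix: the host key plus that host's userKeys. Re-key with agenix -r after editing keys.` As far as these lines show, the new recipient sets equal the removed lists (only the order differs), so this commit itself does not change who can decrypt.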
@@ -0,0 +1,38 @@
+let
+ allUserKeys = {
+ owen = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF2sBTuqGoEXRWpBRqTBwZZPDdLGGJ0GQcuX5dfIZKb4 o@red-special";
+ epatters = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAKXx6wMJSeYKCHNmbyR803RQ72uto9uYsHhAPPWNl2D evan@epatters.org";
+ jmoggr = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMiaHaeJ5PQL0mka/lY1yGXIs/bDK85uY1O3mLySnwHd j@jmoggr.com";
+ kasbah = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM1K/FB6dCjo1/xfddi9VoHEGchFo/bcz6v7SC7wAuFQ kaspar@topos";
+ catcolab-next-deployuser = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM7AYg1fZM0zMxb/BuZTSwK4O3ycUIHruApr1tKoO8nJ deployuser@next.catcolab.org";
+ };
+
+ # hostKey comes frome the /etc/ssh/ssh_host_ed25519_key.pub file on each host after the host is first
+ # provisioned
+ hosts = {
+ catcolab = rec {
+ hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyxORhhfO+9F2hQZ3I/EiSpfg+caWpG6c8AuG5u1XtK root@ip-172-31-14-38.us-east-2.compute.internal";
+ userKeys = with allUserKeys; [
+ epatters
+ jmoggr
+ kasbah
+ ];
+ allKeys = [ hostKey ] ++ userKeys;
+ };
+ catcolab-next = rec {
+ hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEyUzs+ymd6YFKnPTi6cfoWuNI/fhBGgcx0YELTzWJI root@ip-172-31-9-115.us-east-2.compute.internal";
+ userKeys = with allUserKeys; [
+ owen
+ epatters
+ jmoggr
+ kasbah
+ catcolab-next-deployuser
+ ];
+ allKeys = [ hostKey ] ++ userKeys;
+ };
+ };
+in
+{
+ inherit hosts;
+ allUserKeys = builtins.attrValues allUserKeys;
+}
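Review bot: `allUserKeys` is bound twice with different types — the `let` binding is an attrset keyed by person, while the exported attribute is the list produced by `builtins.attrValues` — so a caller reading `keys.allUserKeys` cannot tell from the name which one they get; renaming the inner binding to something like `userKeysByName` would remove the ambiguity. The exported list also includes `catcolab-next-deployuser`, which is an automation key rather than a person, so any host that consumes `allUserKeys` grants that key login; a comment on its line stating that it is a deploy key, and that `hosts.<name>.userKeys` is the place to scope it, would help the next editor. Minor: `frome` → `from` in the hostKey comment.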