diff --git a/infra/common/users.nix b/infra/common/users.nix
index 456ba11..adb6d7c 100644
--- a/infra/common/users.nix
+++ b/infra/common/users.nix
@@ -30,11 +30,4 @@
 security.sudo.wheelNeedsPassword = false;
 nix.settings.trusted-users = [ "@wheel" ];
-
- ## FIXME: Remove direct root authentication once NixOps4 supports users with
- ## password-less sudo.
- users.users.root.openssh.authorizedKeys.keys = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEElREJN0AC7lbp+5X204pQ5r030IbgCllsIxyU3iiKY"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJg5TlS1NGCRZwMjDgBkXeFUXqooqRlM8fJdBAQ4buPg"
- ];
 }
diff --git a/infra/flake-part.nix b/infra/flake-part.nix
index a0e223d..bbf3f33 100644
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@@ -6,7 +6,7 @@
 }:
 let
- inherit (builtins) mapAttrs;
+ inherit (lib) attrValues mapAttrs;
 inherit (lib.attrsets) genAttrs;
 makeResource =
@@ -32,7 +32,13 @@ let
 vmmodule
 ./common
 self.nixosModules.ageSecrets
- { fediversity.hostPublicKey = self.keys.systems.${vmid}; }
+ {
+ fediversity.hostPublicKey = self.keys.systems.${vmid};
+
+ ## FIXME: Remove direct root authentication once the NixOps4 NixOS
+ ## provider supports users with password-less sudo.
+ users.users.root.openssh.authorizedKeys.keys = attrValues self.keys.contributors;
+ }
 ];
 };
 };
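Review bot: In the `@@ -32,7 +32,13 @@` hunk of infra/flake-part.nix, `attrValues self.keys.contributors` makes every key in the contributors set a root SSH key on each VM built from this module list, whereas the block removed from infra/common/users.nix pinned two explicit keys. If that same set is also the recipient list for the age secrets (not visible here), adding a contributor for any other reason now grants root login as a side effect. I would either draw these keys from a dedicated, narrower attribute set or state the coupling next to the FIXME, e.g. `## NOTE: every key in self.keys.contributors becomes a root login key on this VM; review additions to that set as root access grants.` The enclosing module list and `let` binding start and end outside the hunk.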