diff --git a/infra/machines/fedi201/fedipanel.nix b/infra/machines/fedi201/fedipanel.nix
index 3559eb91..b49471bb 100644
--- a/infra/machines/fedi201/fedipanel.nix
+++ b/infra/machines/fedi201/fedipanel.nix
@@ -55,9 +55,6 @@ in
 COMPRESS_OFFLINE = true;
 LIBSASS_OUTPUT_STYLE = "compressed";
 };
- environment = {
- SSH_PRIVATE_KEY_FILE = config.age.secrets.panel-ssh-key.path;
- };
 secrets = {
 SECRET_KEY = config.age.secrets.panel-secret-key.path;
 };
diff --git a/launch/README.md b/launch/README.md
index 4c24dae6..af8ed851 100644
--- a/launch/README.md
+++ b/launch/README.md
@@ -18,7 +18,6 @@ $ nix-shell
 $ eval "$(ssh-agent -s)"
 # set your ssh key, e.g.:
 $ ssh_key="$(readlink -f ~/.ssh/id_ed25519)"
-$ echo "{\"ssh_private_key_file\": \"${ssh_key}\", \"deploy_environment\": {\"SSH_AUTH_SOCK\": \"${SSH_AUTH_SOCK}\"}}" > .auto.tfvars.json
 $ rm -rf .terraform/
 $ tofu init
 ```
diff --git a/launch/main.tf b/launch/main.tf
index ecc64951..5095a430 100644
--- a/launch/main.tf
+++ b/launch/main.tf
@@ -47,18 +47,6 @@ variable "initialUser" {
 }
 }
 
-variable "ssh_private_key_file" {
- type = string
- description = "Path to private key used to connect to the target_host"
- default = ""
-}
-
-variable "deploy_environment" {
- type = map(string)
- description = "Extra environment variables to be set during deployment."
- default = {}
-}
-
 locals {
 system = "x86_64-linux"
 pins = jsondecode(file("${path.module}/.npins.json"))
@@ -107,7 +95,6 @@ resource "terraform_data" "nixos" {
 triggers_replace = [
 data.external.hash.result,
- var.deploy_environment,
 var.domain,
 var.initialUser,
 local.system,
@@ -117,9 +104,9 @@ resource "terraform_data" "nixos" {
 provisioner "local-exec" {
 working_dir = path.root
- environment = merge(var.deploy_environment, {
+ environment = {
 NIX_PATH = join(":", [for name, path in local.pins : "${name}=${path}"]),
- })
+ }
 # TODO: refactor back to command="ignoreme" interpreter=concat([]) to protect sensitive data from error logs?
 # TODO: build on target?
 command = <<-EOF
@@ -169,7 +156,6 @@ resource "terraform_data" "nixos" {
 sshOpts=(
 -o StrictHostKeyChecking=no
 -o BatchMode=yes
- -o "IdentityFile='${var.ssh_private_key_file}'"
 )
 outPath=$(nix-store --realize "$drv_path" "$${buildArgs[@]}")
 NIX_SSHOPTS="$${sshOpts[*]}" nix-copy-closure --to "$host" "$outPath" --gzip --use-substitutes
diff --git a/panel/env.nix b/panel/env.nix
index 90d15d7a..b4ecffc5 100644
--- a/panel/env.nix
+++ b/panel/env.nix
@@ -13,5 +13,4 @@ pkgs.jaq
 # tf
 (import ../launch/tf.nix { inherit lib pkgs; })
 ];
- SSH_PRIVATE_KEY_FILE = "";
 }
diff --git a/panel/nix/configuration.nix b/panel/nix/configuration.nix
index 726446ed..24426a96 100644
--- a/panel/nix/configuration.nix
+++ b/panel/nix/configuration.nix
@@ -130,10 +130,6 @@ in
 Contents will be appended to the definitions in `settings`.
 '';
 };
- environment = mkOption {
- type = types.attrs;
- default = {};
- };
 secrets = mkOption {
 type = types.attrsOf types.path;
 default = { };
@@ -212,7 +208,7 @@ in
 # - manipulation should be straightforward in both places; e.g. dumping secrets to a directory that is not git-tracked and adding values to an attrset otherwise
 # - error detection and correction; it should be clear where and why one messed up so it can be fixed immediately
 # We may also want to test the development environment in CI in order to make sure that we don't break it inadvertently, because misconfiguration due to multiplpe sources of truth wastes a lot of time.
- environment = environment // cfg.environment;
+ inherit environment;
 };
 
 networking.firewall.allowedTCPPorts = [
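Review bot: With `deploy_environment` gone, nothing in this provisioner says how `nix-copy-closure` (inside the `command` heredoc, which continues past the hunk) now authenticates to `$host`; `local-exec` inherits the terraform process's environment, so the deploy now silently depends on whatever `SSH_AUTH_SOCK` or default `~/.ssh` identity the invoking process — presumably the panel's subprocess in views.py, or an operator's shell — happens to carry, and with `BatchMode=yes` a missing identity only surfaces as a failed apply. I'd make that contract explicit next to the new `environment` block: `# ssh auth for nix-copy-closure is inherited from the caller's environment (SSH_AUTH_SOCK / default ~/.ssh identity); nothing is passed explicitly here`. Since the `sshOpts` in the same heredoc still set `StrictHostKeyChecking=no`, the key is now the only thing identifying the peer; consider adding `-o UserKnownHostsFile=<pinned known_hosts>` so the closure is not copied to an impersonated host.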
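Review bot: `inherit environment;` now takes its value from a binding defined outside this hunk (presumably the module's enclosing `let`), and nothing on the new line records that the per-host `environment` override was removed deliberately, so the next secret path is likely to be re-added as an environment variable the way `SSH_PRIVATE_KEY_FILE` was. A one-line comment would close that off: `# fixed by this module, not host-extensible: secret file paths belong in `secrets`, not in env vars`. The comment block just above still spells `multiplpe`; worth fixing while touching this spot.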
diff --git a/panel/src/panel/settings.py b/panel/src/panel/settings.py
index 91aa5824..acbbc1b8 100644
--- a/panel/src/panel/settings.py
+++ b/panel/src/panel/settings.py
@@ -12,7 +12,6 @@ https://docs.djangoproject.com/en/4.2/ref/settings/
 import re
 import sys
-import subprocess
 import os
 import json
 import importlib.util
@@ -249,12 +248,3 @@ bin_path=env['BIN_PATH']
 # path of the root flake to trigger nixops from, see #94.
 # to deploy this should be specified, for dev just use a relative path.
 repo_dir = env["REPO_DIR"]
-
-output = subprocess.run(["ssh-agent"], capture_output=True, text=True, env={"PATH": bin_path}).stdout
-ssh_auth_sock = re.search("(?<==)([^;]*)", output)[1]
-ENV_VARS = {
- "ssh_private_key_file": env["SSH_PRIVATE_KEY_FILE"],
- "deploy_environment": {
- "SSH_AUTH_SOCK": ssh_auth_sock,
- },
-}
diff --git a/panel/src/panel/views.py b/panel/src/panel/views.py
index e39d0f70..1e40ae60 100644
--- a/panel/src/panel/views.py
+++ b/panel/src/panel/views.py
@@ -145,7 +145,7 @@ class DeploymentStatus(ConfigurationForm):
 } | {
 # pass in form info to our deployment
 # FIXME: ensure sensitive info is protected
- f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in (settings.ENV_VARS | deployment_params).items()
+ f"TF_VAR_{k}": v if isinstance(v, str) else json.dumps(v) for k, v in deployment_params.items()
 }
 logger.info("env: %s", env)
 cwd = f"{settings.repo_dir}/launch"
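Review bot: `logger.info("env: %s", env)` two lines below the changed line still writes every `TF_VAR_*` value built from `deployment_params` to the log in plain text, which is exactly what the `# FIXME: ensure sensitive info is protected` comment above it warns about; dropping `settings.ENV_VARS` removes the key path and agent socket from that line, but whatever the form submits (`initialUser` is passed through as a TF variable per main.tf in this same diff) still lands there. Until the FIXME is resolved, log only the variable names: `logger.info("env keys: %s", sorted(env))`. The `DeploymentStatus` class and the method that builds this dict both start outside the hunk.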