diff --git a/modules/hosts/john-pc-ubuntu.nix b/modules/hosts/john-pc-ubuntu.nix
index 92247dd..3ee55d6 100644
--- a/modules/hosts/john-pc-ubuntu.nix
+++ b/modules/hosts/john-pc-ubuntu.nix
@@ -1,81 +1,89 @@ { inputs, ... }: let - username = "john"; - hostname = "john-pc-ubuntu"; - testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; + username = "john"; + hostname = "john-pc-ubuntu"; + testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; in { - flake.modules.homeManager."${hostname}" = { pkgs, config, ... }: - let - flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic"; - in - { - imports = with inputs.self.modules.homeManager; [ - rebuild - john - resticprofile - sops - docker - desktop - ]; - targets.genericLinux.enable = true; + flake.modules.homeManager."${hostname}" = { pkgs, config, ... }: + let + flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic"; + in + { + imports = with inputs.self.modules.homeManager; [ + rebuild + john + resticprofile + sops + docker + desktop + step-ssh-user + ]; + targets.genericLinux.enable = true; - shell.program = "zsh"; + shell.program = "zsh"; - home.username = "${username}"; - home.homeDirectory = "/home/${username}"; + home.username = "${username}"; + home.homeDirectory = "/home/${username}"; - home.packages = with pkgs; [ - nixos-rebuild - (writeShellScriptBin "test-push" '' - nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget} - '') - ]; - # TODO: Add host-specific settings here: - # - sops secret for `restic_password/john_ubuntu` - # - resticprofile profile definition - # - zsh RESTIC* session variables + home.packages = with pkgs; [ + nixos-rebuild + (writeShellScriptBin "test-push" '' + nixos-rebuild switch --flake ${flakeDir}#janus --target-host root@${testTarget} + '') + ]; + # TODO: Add host-specific settings here: + # - sops secret for `restic_password/john_ubuntu` + # - resticprofile profile definition + # - zsh RESTIC* session variables - # TODO: make this more restrictive, rather than allowing all unfree packages - nixpkgs.config.allowUnfree = true; - nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; + # TODO: make this more 
restrictive, rather than allowing all unfree packages + nixpkgs.config.allowUnfree = true; + nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; - homeManagerFlakeDir = flakeDir; - docker.enable = true; - ssh.certificates.enable = true; - ssh.matchSets = { - certs = true; - appdaemon = true; - homelab = true; - dev = true; - }; - sops.secrets."restic_password/john_ubuntu" = { - path = "${config.xdg.configHome}/resticprofile/password.txt"; - }; - programs.resticprofile = { - enable= true; - profiles = { - default = { - "inherit" = "base"; - repository = "rest:https://soteria.john-stream.com/john-ubuntu"; - # cacert = "${config.home.homeDirectory}/.step/certs/root_ca.crt"; - # tls-client-cert = "${config.home.homeDirectory}/.step/certs/mtls.pem"; - backup = { - source = [ - "${config.xdg.userDirs.documents}" - "/conf" - ]; - schedule = "*-*-* *:15,30,45:00"; - }; - }; - }; - }; - }; + homeManagerFlakeDir = flakeDir; + docker.enable = true; - flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration { - pkgs = import inputs.nixpkgs { system = "x86_64-linux"; }; - modules = with inputs.self.modules; [ - homeManager."${hostname}" - ]; - }; + step-ssh-user = { + enable = true; + principals = ["root" "${username}" "appdaemon"]; + }; + ssh = { + certificates.enable = true; + matchSets = { + certs = true; + appdaemon = true; + homelab = true; + dev = true; + }; + }; + sops.secrets."restic_password/john_ubuntu" = { + path = "${config.xdg.configHome}/resticprofile/password.txt"; + }; + programs.resticprofile = { + enable= true; + profiles = { + default = { + "inherit" = "base"; + repository = "rest:https://soteria.john-stream.com/john-ubuntu"; + # cacert = "${config.home.homeDirectory}/.step/certs/root_ca.crt"; + # tls-client-cert = "${config.home.homeDirectory}/.step/certs/mtls.pem"; + backup = { + source = [ + "${config.xdg.userDirs.documents}" + "/conf" + ]; + schedule = "*-*-* *:15,30,45:00"; + }; + }; + }; + }; + }; + + 
flake.homeConfigurations."${hostname}" = inputs.home-manager.lib.homeManagerConfiguration { + pkgs = import inputs.nixpkgs { system = "x86_64-linux"; }; + modules = with inputs.self.modules; [ + homeManager."${hostname}" + ]; + }; }
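Review bot: The new `step-ssh-user` block requests `principals = ["root" "${username}" "appdaemon"];`, so the certificate issued to this user is presumably accepted for root login on every host that trusts the step SSH CA, not only the `${testTarget}` machine that the `test-push` script reaches as `root@`; the scope and lifetime of that grant are decided by the `step-ssh-user` module, which is outside this hunk, so that should be confirmed there. If the `root` principal exists only to serve `test-push`, say so next to it, e.g. `# "root" principal is needed by test-push (nixos-rebuild --target-host root@${testTarget}); remove it if that workflow goes away`, and consider whether `appdaemon` needs to be on the same certificate. Separately, the carried-over `# TODO: Add host-specific settings here:` block is now stale: the `sops.secrets."restic_password/john_ubuntu"` entry and the `programs.resticprofile` profile it lists are both defined further down in this same module, so the TODO should be trimmed to the items that are still open (the zsh `RESTIC*` session variables). The TLS pins for the restic repository (`cacert`, `tls-client-cert`) remain commented out, so the `rest:https://…` repository is relying on whatever trust store restic finds at runtime; a one-line comment stating where that trust comes from would help the next reader.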