From da6bb1aaabd88dc7643de9d5edfe72e2f4edee44 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Sun, 5 Apr 2026 10:06:55 -0300
Subject: [PATCH] metis: source peer access keys from env-backed secrets

---
 inventory.titan-rpi4.yaml | 8 ++++----
 pkg/inventory/types.go | 11 +++++++++--
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/inventory.titan-rpi4.yaml b/inventory.titan-rpi4.yaml
index 0ecd15c..83614bf 100644
--- a/inventory.titan-rpi4.yaml
+++ b/inventory.titan-rpi4.yaml
@@ -283,7 +283,7 @@ nodes:
 ssh_user: atlas
 ssh_authorized_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOb8oMX6u0z3sH/p/WBGlvPXXdbGETCKzWYwR/dd6fZb titan-bastion
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlmAXoeYVcX3zE+MSsvjB7gpAHRX0djiWYxoAuAFEQx brad.stein@bstein.dev
+ - ${METIS_SSH_KEY_BRAD}
 - name: titan-db
 class: rpi5-ubuntu-host
 hostname: titan-db
@@ -294,8 +294,8 @@ nodes:
 ssh_user: atlas
 ssh_authorized_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOb8oMX6u0z3sH/p/WBGlvPXXdbGETCKzWYwR/dd6fZb titan-bastion
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlmAXoeYVcX3zE+MSsvjB7gpAHRX0djiWYxoAuAFEQx brad.stein@bstein.dev
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA48uzhL71cXeFDb+LGla1z0kFUYfWPWIgby7uaaGAaY hecate-tethys-forward
+ - ${METIS_SSH_KEY_BRAD}
+ - ${METIS_SSH_KEY_HECATE_TETHYS}
 - name: titan-24
 class: amd64-debian-worker
 hostname: titan-24
@@ -306,7 +306,7 @@ nodes:
 ssh_user: atlas
 ssh_authorized_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOb8oMX6u0z3sH/p/WBGlvPXXdbGETCKzWYwR/dd6fZb titan-bastion
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlmAXoeYVcX3zE+MSsvjB7gpAHRX0djiWYxoAuAFEQx brad.stein@bstein.dev
+ - ${METIS_SSH_KEY_BRAD}
 - name: titan-0a
 class: rpi5-ubuntu-control-plane
 hostname: titan-0a
diff --git a/pkg/inventory/types.go b/pkg/inventory/types.go
index a486bb6..b3ffae1 100644
--- a/pkg/inventory/types.go
+++ b/pkg/inventory/types.go
@@ -3,6 +3,7 @@ package inventory
 import (
 "fmt"
 "os"
+ "strings"
 
 "gopkg.in/yaml.v3"
 )
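Review bot: Nothing in this file records that `METIS_SSH_KEY_BRAD` and `METIS_SSH_KEY_HECATE_TETHYS` must be present in the environment when the inventory is loaded, and the expansion code in types.go drops an entry that resolves to empty, so an operator loading the file without those variables gets nodes that silently lack the intended keys. Add a comment above the first `ssh_authorized_keys:` list in the -283 hunk such as `# ${METIS_SSH_KEY_*} entries are resolved from the environment at load time; an unset variable drops the entry.` The same applies to the -294 and -306 hunks of this file. The titan-bastion key stays literal while the other keys move to the environment — presumably intentional, but worth stating in the commit message so the next reader does not "fix" it.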
@@ -106,9 +107,15 @@ func expandInventory(inv *Inventory) {
 for taintIdx, value := range inv.Nodes[idx].Taints {
 inv.Nodes[idx].Taints[taintIdx] = os.ExpandEnv(value)
 }
- for keyIdx, value := range inv.Nodes[idx].SSHAuthorized {
- inv.Nodes[idx].SSHAuthorized[keyIdx] = os.ExpandEnv(value)
+ expandedKeys := make([]string, 0, len(inv.Nodes[idx].SSHAuthorized))
+ for _, value := range inv.Nodes[idx].SSHAuthorized {
+ expanded := strings.TrimSpace(os.ExpandEnv(value))
+ if expanded == "" {
+ continue
+ }
+ expandedKeys = append(expandedKeys, expanded)
 }
+ inv.Nodes[idx].SSHAuthorized = expandedKeys
 for diskIdx := range inv.Nodes[idx].LonghornDisks {
 inv.Nodes[idx].LonghornDisks[diskIdx].Mountpoint = os.ExpandEnv(inv.Nodes[idx].LonghornDisks[diskIdx].Mountpoint)
 inv.Nodes[idx].LonghornDisks[diskIdx].UUID = os.ExpandEnv(inv.Nodes[idx].LonghornDisks[diskIdx].UUID)
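Review bot: The `if expanded == "" { continue }` branch cannot distinguish a deliberately blank entry from a `${...}` placeholder whose variable is unset — `os.ExpandEnv` renders an unset name as "" — so a missing `METIS_SSH_KEY_BRAD` silently shrinks the node's `ssh_authorized_keys` instead of failing the load. `expandInventory` has no error return and its signature and remaining body lie outside the hunk, so at minimum report the condition before skipping, e.g. `if expanded == "" { if strings.Contains(value, "$") { fmt.Fprintf(os.Stderr, "inventory: ssh_authorized_keys entry %q expanded to empty\n", value) }; continue }`, or better, run the entries through `os.Expand` with a mapping func that records unresolved names so the caller can reject the inventory. The new loop also accepts any non-empty string as a key: a secret carrying an interior newline would pass `TrimSpace` and be written out as several authorized_keys lines, so rejecting values where `strings.ContainsAny(expanded, "\r\n")` holds is worth adding in the same branch.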