diff --git a/hosts/known-hosts.toml b/hosts/known-hosts.toml
index 98ad87d..20436a0 100644
--- a/hosts/known-hosts.toml
+++ b/hosts/known-hosts.toml
@@ -11,11 +11,11 @@
 # buildMachine.protocol
 # ssh.listenUser
 # ssh.listenPort
-# ssh.listenPublicKey # cat /etc/ssh/ssh_host_ed25519_key.pub || ssh-keyscan {{fqdn}}
-# ssh.userPublicKey # sudo ssh-keygen -t ed25519 && sudo cat /root/.ssh/id_ed25519.pub
-# ssh.proxyJump # optional hostname
-# ssh.userPrivateKey # optional IdentityFile to use
+# ssh.listenPublicKey # cat /etc/ssh/ssh_host_ed25519_key.pub || ssh-keyscan {{fqdn}}
+# ssh.proxyJump # optional hostname
 # ssh.connectTimeout
+# ssh.userPrivateKey # optional IdentityFile to use
+# ssh.userPublicKey # sudo ssh-keygen -t ed25519 && sudo cat /root/.ssh/id_ed25519.pub
 # buildMachine.supportedFeatures:
diff --git a/profiles/known-hosts.nix b/profiles/known-hosts.nix
index 9550aec..db65661 100644
--- a/profiles/known-hosts.nix
+++ b/profiles/known-hosts.nix
@@ -4,8 +4,15 @@
 # TODO: https://exozy.me/about
 let
- inherit (builtins) map fromTOML readFile elem attrNames attrValues;
- inherit (lib) mkIf;
+ inherit (builtins)
+ map
+ fromTOML
+ toString
+ readFile
+ elem
+ attrNames
+ attrValues
+ ;
 known-hosts = let
 known-hosts' = lib.importTOML ../hosts/known-hosts.toml; # TODO: eww
@@ -13,14 +20,13 @@ let
 lib.pipe known-hosts' [
 (lib.flip lib.removeAttrs ["__default__"])
 (lib.mapAttrs (fqdn: host:
- lib.recursiveUpdate (
- (known-hosts'."__default__" or {})
- // { isAlias = false; }
- ) host
+ lib.recursiveUpdate (known-hosts'."__default__" or {}) host
 ))
- (lib.mapAttrsToList (fqdn: host: let
+ (lib.mapAttrsToList (fqdn: host:
+ let
 allHostnames = [ fqdn ] ++ host.aliases;
- in lib.forEach allHostnames (alias:
+ in
+ lib.forEach allHostnames (alias:
 lib.nameValuePair alias (host // {
@@ -35,8 +41,8 @@ let
 hostNames = attrNames known-hosts;
 thisHost = known-hosts.${config.networking.fqdn};
 thisHostIsBuilder = thisHost.buildMachine.maxJobs > 0;
- thisHostIsHopHost = builtins.elem config.networking.fqdn (lib.forEach (attrValues known-hosts) (host: host.ssh.proxyJump or null));
- thisHostIsConsumer = thisHost.ssh ? userPublicKey;
+ thisHostIsBuildee = thisHost.ssh ? userPublicKey;
+ thisHostIsHopHost = elem config.networking.fqdn (lib.forEach (attrValues known-hosts) (host: host.ssh.proxyJump or null));
 mkRemoteConfig = fqdn: let
 thatHost = known-hosts.${fqdn};
@@ -46,11 +52,11 @@ let
 sshUser = thatHost.ssh.listenUser;
 };
 thatHostIsBuilder = thatHost.buildMachine.maxJobs > 0;
- thatHostIsConsumer = thatHost.ssh ? userPublicKey && thisHostIsBuilder;
- thatHostIsThis = builtins.elem config.networking.fqdn ([ fqdn ] ++ thatHost.aliases);
- in mkIf (!thatHostIsThis) ( lib.mkMerge [
+ thatHostIsBuildee = thatHost.ssh ? userPublicKey && thisHostIsBuilder;
+ thatHostIsThis = elem config.networking.fqdn ([ fqdn ] ++ thatHost.aliases);
+ in lib.mkIf (!thatHostIsThis) ( lib.mkMerge [
 # out
- (lib.mkIf (thisHostIsConsumer && thatHostIsBuilder) {
+ (lib.mkIf (thisHostIsBuildee && thatHostIsBuilder) {
 # TODO: Allow setting speedFactor for local builds, as local is currently fixed to 0
 # https://github.com/NixOS/nix/issues/2457
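Review bot: `thisHostIsHopHost` on the added line only recognises this host as a jump host when a remote's `ssh.proxyJump` is spelled exactly as `config.networking.fqdn`, whereas `thatHostIsThis` in the following hunk also accepts `thatHost.aliases`; a `proxyJump` written as an alias (the TOML header documents it only as "optional hostname") would silently evaluate to false here. Since each known-hosts entry carries its `aliases` list, the check can be made consistent with `thatHostIsThis`: `thisHostIsHopHost = lib.any (host: elem (host.ssh.proxyJump or null) ([ config.networking.fqdn ] ++ thisHost.aliases)) (attrValues known-hosts);`. This assumes `thisHost.aliases` is always present after the `__default__` merge, which the earlier hunk suggests but does not show for this attribute.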
@@ -62,17 +68,17 @@ let
 })
 # out or jump
- (lib.mkIf (thisHostIsConsumer && thatHost.ssh ? listenPublicKey) {
+ (lib.mkIf (thisHostIsBuildee && thatHost.ssh ? listenPublicKey) {
 programs.ssh.knownHosts.${fqdn}.publicKey = thatHost.ssh.listenPublicKey; # TODO: use nix.buildMachines.*.publicHostKey ?
 # timeouts are great when remote is unresponsive. nix doesn't care, lix is way and tests each remote only once
 programs.ssh.extraConfig = ''
 Host ${fqdn}
- ConnectTimeout ${builtins.toString thatHost.ssh.connectTimeout}
- Port ${builtins.toString thatHost.ssh.listenPort}
+ ConnectTimeout ${toString thatHost.ssh.connectTimeout}
+ Port ${toString thatHost.ssh.listenPort}
 ${lib.optionalString (thatHost.ssh ? proxyJump) ''
- ProxyJump ${thatJump.ssh.listenUser}@${thatHost.ssh.proxyJump}:${builtins.toString thatJump.ssh.listenPort}
+ ProxyJump ${thatJump.ssh.listenUser}@${thatHost.ssh.proxyJump}:${toString thatJump.ssh.listenPort}
 ''}
 ${lib.optionalString (thatHost.ssh ? userPrivateKey) ''
 IdentityFile ${thatHost.ssh.userPrivateKey}
@@ -85,14 +91,14 @@ let
 })
 # in
- (mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsConsumer) {
+ (lib.mkIf ((thisHostIsBuilder || thisHostIsHopHost) && thatHostIsBuildee) {
 users.users.${thisHost.ssh.listenUser} = {
 isSystemUser = lib.mkDefault (!config.users.users.${thisHost.ssh.listenUser}.isNormalUser);
 openssh.authorizedKeys.keys = [ thatHost.ssh.userPublicKey ];
 group = lib.mkOptionDefault "nogroup";
 };
 })
- (mkIf (thisHostIsBuilder && thatHostIsConsumer) {
+ (lib.mkIf (thisHostIsBuilder && thatHostIsBuildee) {
 nix.settings.allowed-users = [ thisHost.ssh.listenUser ];
 nix.settings.trusted-users = [ thisHost.ssh.listenUser ];
 })
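Review bot: The changed ProxyJump line relies on the jump host's key being pinned elsewhere: the `programs.ssh.knownHosts.${fqdn}` entry in this block covers only the final target, so the jump leg is verified only if the host named by `thatHost.ssh.proxyJump` is itself iterated by mkRemoteConfig with a `listenPublicKey` and under the same name, and `thatJump` is defined outside this hunk. If `proxyJump` holds an alias rather than the fqdn, the generated `Host ${fqdn}` stanza and known-hosts entry for the jump would presumably not match and the jump leg would fall back to the default host-key handling. A comment above the `${lib.optionalString (thatHost.ssh ? proxyJump) ''` line such as `# the jump host's key and ConnectTimeout come from its own Host stanza; proxyJump must be its known-hosts name and it needs listenPublicKey` would make that assumption explicit.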
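Review bot: The `thisHostIsHopHost` term in the first changed line of the `# in` hunk is dead: `thatHostIsBuildee` is defined in the `@@ -46,11 +52,11 @@` hunk as `thatHost.ssh ? userPublicKey && thisHostIsBuilder`, so the condition reduces to `thisHostIsBuilder && thatHost.ssh ? userPublicKey` and a hop host that is not also a builder never receives the buildee's key in `openssh.authorizedKeys.keys`, which would presumably make the ProxyJump leg through it fail. If hop-only hosts are intended, the definition should become `thatHostIsBuildee = thatHost.ssh ? userPublicKey;`; the second changed line here already conjoins `thisHostIsBuilder` itself, and the `# out` branch does not use `thatHostIsBuildee`, so nothing else changes. On a hop-only host that key would then grant an ordinary login to `listenUser` unless sshd restricts it elsewhere, so prefixing the entry there with authorized_keys options such as `restrict,port-forwarding` keeps the TCP forwarding ProxyJump needs while disabling shell, pty and agent/X11 forwarding.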