diff --git a/home/ssh/default.nix b/home/ssh/default.nix
index e9fd834..1665c18 100644
--- a/home/ssh/default.nix
+++ b/home/ssh/default.nix
@@ -1,69 +1,35 @@ { config, pkgs, ... }: -{ +let + defaultBlock = { + identitiesOnly = true; + identityFile = "~/.ssh/id_rsa_yubikey.pub"; + certificateFile = "~/.ssh/id_rsa_yubikey-cert.pub"; + forwardAgent = true; + port = 22; + }; +in { home.file.".ssh/id_rsa_yubikey.pub".source = ./id_rsa_yubikey.pub; home.file.".ssh/id_rsa_yubikey-cert.pub".source = ./id_rsa_yubikey-cert.pub; programs.ssh = { enable = true; matchBlocks = { - "github.com" = { - identitiesOnly = true; - identityFile = "~/.ssh/id_rsa_yubikey.pub"; - }; + "github.com" = defaultBlock; - "openwrt" = { - identitiesOnly = true; - identityFile = "~/.ssh/id_rsa_yubikey.pub"; - forwardAgent = true; - user = "root"; - }; + "openwrt" = defaultBlock // { user = "root"; }; - "narwhal" = { - identitiesOnly = true; - identityFile = "~/.ssh/id_rsa_yubikey.pub"; - certificateFile = "~/.ssh/id_rsa_yubikey-cert.pub"; - forwardAgent = true; - port = 22; - }; + "suricata" = defaultBlock; + "pikvm" = defaultBlock; + "narwhal" = defaultBlock; + "trantor" = defaultBlock; + "axolotl" = defaultBlock; + "caladan" = defaultBlock; + "fugu" = defaultBlock; - "trantor" = { - identitiesOnly = true; - identityFile = "~/.ssh/id_rsa_yubikey.pub"; - certificateFile = "~/.ssh/id_rsa_yubikey-cert.pub"; - forwardAgent = true; - port = 22; - }; - - "axolotl" = { - identitiesOnly = true; - identityFile = "~/.ssh/id_rsa_yubikey.pub"; - certificateFile = "~/.ssh/id_rsa_yubikey-cert.pub"; - forwardAgent = true; - port = 22; - }; - - "caladan" = { - identitiesOnly = true; - identityFile = "~/.ssh/id_rsa_yubikey.pub"; - certificateFile = "~/.ssh/id_rsa_yubikey-cert.pub"; - forwardAgent = true; - port = 22; - }; - - "fugu" = { - identitiesOnly = true; - identityFile = "~/.ssh/id_rsa_yubikey.pub"; - certificateFile = "~/.ssh/id_rsa_yubikey-cert.pub"; - forwardAgent = true; - port = 22; - }; - - "bitbucket.org" = { + "bitbucket.org" = defaultBlock // { user = "git"; - identitiesOnly = true; identityFile = "~/.ssh/bitbucket_rsa"; - port = 22; 
}; };
diff --git a/nixos/common.nix b/nixos/common.nix
index 851b919..f3bf42b 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -221,7 +221,7 @@ }]; knownHosts = {
- "*.monotremata.xyz,10.*,narwhal,suricata,caladan,fugu,snitch,trantor,capibara,axolotl,echidna" =
+ "*.monotremata.xyz,10.*,narwhal,suricata,pikvm,caladan,fugu,snitch,trantor,capibara,axolotl,echidna" =
{ certAuthority = true; publicKey =
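Review bot: In home/ssh/default.nix, folding `forwardAgent = true` into `defaultBlock` turns agent forwarding on for `github.com` and `bitbucket.org`, which the removed blocks for those two hosts did not enable. While a forwarded session is open, the remote end can ask the local agent for signatures, so forwarding is best limited to hosts you administer yourself. I would override it on the third-party entries, e.g. `"github.com" = defaultBlock // { forwardAgent = false; };` plus `forwardAgent = false;` inside the `bitbucket.org` override, or drop it from `defaultBlock` and set it per host. The same merge also gives both entries `certificateFile`, so the YubiKey certificate is probably offered to those services as well; worth confirming that is intended.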