From c4ab768f4b79bca562e311745c40e3c8e30c9de3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20Kr=C3=BCger?= Date: Tue, 13 Dec 2022 22:40:23 +0100 Subject: [PATCH 1/2] gluon-authorized-keys: add unauthorized_keys to remove access --- package/gluon-authorized-keys/check_site.lua | 1 + .../luasrc/lib/gluon/upgrade/100-authorized-keys | 12 +++++++++++- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/package/gluon-authorized-keys/check_site.lua b/package/gluon-authorized-keys/check_site.lua index 7daf2115..c92fc3e9 100644 --- a/package/gluon-authorized-keys/check_site.lua +++ b/package/gluon-authorized-keys/check_site.lua @@ -1 +1,2 @@ need_string_array(in_site({'authorized_keys'})) +need_string_array(in_site({'unauthorized_keys'}), false) diff --git a/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys b/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys index 9eb00dec..90e38614 100755 --- a/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys +++ b/package/gluon-authorized-keys/luasrc/lib/gluon/upgrade/100-authorized-keys @@ -4,6 +4,7 @@ local site = require 'gluon.site' local file = '/etc/dropbear/authorized_keys' local keys = {} +local rm_keys = {} local function load_keys() for line in io.lines(file) do @@ -11,12 +12,21 @@ local function load_keys() end end +for _, key in ipairs(site.unauthorized_keys({})) do + rm_keys[key] = true +end + pcall(load_keys) -local f = io.open(file, 'a') +local f = io.open(file, 'w') for _, key in ipairs(site.authorized_keys()) do if not keys[key] then f:write(key .. '\n') end end +for key, _ in pairs(keys) do + if not rm_keys[key] then + f:write(key .. '\n') + end +end f:close() From f9b0b6266fe589f9eb3080dd8766b768dc087b80 Mon Sep 17 00:00:00 2001 
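Review bot: In the last hunk of `100-authorized-keys`, `io.open(file, 'w')` truncates `/etc/dropbear/authorized_keys` before anything is rewritten, so an interruption or write failure before `f:close()` (power loss, full flash) leaves the node with an empty or partial key file, and if `pcall(load_keys)` swallowed a load failure the existing keys are dropped rather than kept as they were with `'a'`. Writing to a temporary file and renaming it closes that window: `local f = assert(io.open(file .. '.tmp', 'w'))` and, after `f:close()`, `assert(os.rename(file .. '.tmp', file))`, taking care that the new file ends up with the owner and mode dropbear expects. Separately, removal compares whole lines (`rm_keys[key]`), so a key stored on the node with a different comment or an options prefix is presumably not removed, and a key listed in both `authorized_keys` and `unauthorized_keys` is added when absent but removed when present. Comparing on key type and blob, and letting the removal list win in the first loop (`if not keys[key] and not rm_keys[key] then`), would make revocation dependable. The body of `load_keys` lies partly outside the hunk, so the exact-line keying is inferred from how `keys[key]` is used here.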
From: =?UTF-8?q?Maciej=20Kr=C3=BCger?= Date: Sun, 5 Feb 2023 22:23:43 +0100 Subject: [PATCH 2/2] gluon-authorized-keys: document unauthorized-keys --- docs/features/authorized-keys.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/features/authorized-keys.rst b/docs/features/authorized-keys.rst index 2f23ded5..7cee7943 100644 --- a/docs/features/authorized-keys.rst +++ b/docs/features/authorized-keys.rst @@ -13,3 +13,13 @@ If you select this package, add a list of authorized keys to ``site.conf`` like ... Existing keys in ``/etc/dropbear/authorized_keys`` will be preserved. + +If you want to remove specific keys in the future, specify them like this::: + + { + unauthorized_keys = { 'ssh-rsa AAA.... user1@host', + 'ssh-rsa AAA.... user2@host' }, + authorized_keys = { 'ssh-rsa AAA.... user3@host', + 'ssh-rsa AAA.... user4@host' }, + hostname_prefix = ... + ...