I’ve been playing with the idea of writing a small function to fetch public SSH keys from places like GitHub and GitLab.
I’ve currently got a simple derivation that does the fetch, and it has a bit of awk in the build to split the keys if a user has multiple keys. Maybe Nix can split the keys out without resorting to awk!? It uses a fixed-output derivation; are there any other ways?
My idea is to create a fetcher for keys, like you would fetch anything else in Nix, and have that available to derivations, basically almost packaging myself. So basically you can fetchsshpubkey.
I think that evaluating build outputs is disallowed in some contexts (e.g. Hydra), but your derivation sounds like a very cool thing to have for some servers I maintain with NixOps.
I’ve made the following issue, that if solved would simplify the goal of this post significantly. Users you want the keys for could just be Flake inputs, and updating them could just be part of nix flake update.
Nice idea, I wonder what other things could be done if flakes could fetch files as flake inputs.
You lose a bit of future reproducibility, because it’s not in a file revision blockchain (git), but it may be something that can be used (and hopefully not abused).
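A sketch of the fetcher discussed in this thread, added here as an example and not code from any of the posters: it splits the keys in Nix instead of awk and pins the fetched key set by hash. The name `fetchSshPubKeys`, the user name and the `https://<host>/<user>.keys` URL layout are assumptions, and the hash is a placeholder to be replaced with the real one.

```nix
# Added example (not from the thread). fetchSshPubKeys is a hypothetical name.
{ pkgs ? import <nixpkgs> { } }:

let
  inherit (pkgs) lib;

  # Accept only lines shaped like "<key type> <base64 blob> [comment]".
  # This rejects an error page or other junk that was pinned by mistake.
  isKeyLine = line:
    builtins.match
      "(ssh-(ed25519|rsa)|ecdsa-sha2-nistp[0-9]+|sk-[^ ]+) [A-Za-z0-9+/=]+( .*)?"
      line != null;

  fetchSshPubKeys = { user, hash, host ? "github.com" }:
    let
      # Fixed-output derivation: the key set is pinned by `hash`, so a key
      # that was added or rotated upstream fails the hash check when fetched
      # instead of being trusted silently.
      keysFile = pkgs.fetchurl {
        name = "${user}-ssh-keys";
        url = "https://${host}/${user}.keys"; # assumed URL layout
        inherit hash;
      };

      # Reading a build output during evaluation is import-from-derivation,
      # which is the restriction mentioned for Hydra in the reply above.
      lines = builtins.filter (l: l != "")
        (lib.splitString "\n" (builtins.readFile keysFile));
    in
      assert lib.assertMsg (builtins.all isKeyLine lines)
        "fetchSshPubKeys: ${user}@${host} returned a line that is not an SSH public key";
      lines;
in
{
  inherit fetchSshPubKeys;

  # The result is a list of strings, the shape expected by
  # users.users.<name>.openssh.authorizedKeys.keys in NixOS.
  exampleKeys = fetchSshPubKeys {
    user = "example-user"; # placeholder account name
    hash = lib.fakeHash;   # placeholder; replace with the hash of the key file
  };
}
```

Because the key file is fixed-output, updating a user's keys means updating the hash by hand, which doubles as a review step for every change to who can log in.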