Fetching ssh public keys

I’ve been playing with the of writing a small function to fetch public ssh keys from places like github and gitlab.

I’ve currently got a simple derivation that does fetch, and it has a bit of awk in the build to spilt they keys if a user has multiple keys. maybe nix can split the keys out without resorting to awk !? It uses a fix output derivation, are they any other ways?

my idea is to create a fetcher for keys, like you would fetch anything else in nix and have that available to derivations, basically almost packaging myself :slight_smile: So basically you can fetchsshpubkey

is this even possible? how would i approach this?

{ pkgs, ... }:


  sshkeys  = pkgs.fetchurl {
    url = "https://github.com/nixinator.keys";
    sha256 = "1yryp8d1jdn34zsl8bgnfjxkn702m5h618j57q87zxvvrm1pasxi";


  mykeys = builtins.readFile sshkeys;

expanding on this.

{ stdenv, fetchurl, lib }:


    keys = fetchurl {
    url = "https://github.com/nixinator.keys";
    sha256 = "1yryp8d1jdn34zsl8bgnfjxkn702m5h618j57q87zxvvrm1pasxi";

stdenv.mkDerivation {
  pname = "fetchkeys";
  version = "0.1.0";

  src = keys;

  builder = builtins.toFile "builder.sh" ''
    source $stdenv/setup
    mkdir -p $out
    cd $out
    awk '{f = "key." NR; print $0 > f; close(f)}' $src
    echo "WHATS IN $out"
    ls -la $out

1 Like

Check out builtins.split in the Nix Manual :slight_smile:

I think that evaluating build outputs is disallowed in some contexts (e.g. Hydra), but your derivation sounds like a very cool thing to have for some servers I maintain with Nixops.

1 Like

Check out builtins.split in the Nix Manual

I have this little snippet in my user configuration:

    openssh.authorizedKeys.keys = let
      authorizedKeys = pkgs.fetchurl {
        url = "<url to public keys>";
        sha256 = "1kril7clfay225xdfhpp770gk60g5rp66nr6hzd5gpxvkynyxlrf";
    in pkgs.lib.splitString "\n" (builtins.readFile

and it works great, I imagine this could be packaged as a cool

1 Like

@afontaine @generic-specialty Thanks for you replies! pkgs.lib.splitString looks just what i’m looking for!.

I’ve made the following issue, that if solved would simplify the goal of this post significantly. Users you want the keys for could just be Flake inputs, and updating them could just be part of nix flake update.


1 Like

Nice idea, i wonder what other things could be done if flakes could fetch files as flake inputs.

You loose a bit of future reproducibility, because it’s not in a file revision blockchain (git), but it may be something that can be used (and hopefully not abused).

I had the same issue, and solved it by adding an inputs link to my GitHub public keys:

And referencing the path of the file here:

1 Like