Generate accepted public key files through sops.

services/openssh.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, fn, ... }:
 
 # For reference:
 # https://infosec.mozilla.org/guidelines/openssh.html
@@ -25,4 +25,11 @@ mkIf (elem "openssh" config.machine.services) {
         LogLevel VERBOSE
     '';
   };
+  # Add public keys to /etc/ssh/authorized_keys.d
+  # This replaces users.users.*.openssh.authorizedKeys.*
+  sops.secrets = (fn.sopsHelper
+    (user: "users/${user.name}/publicKey")
+    config.machine.administrators
+    (user: { path = "/etc/ssh/authorized_keys.d/${user.name}"; mode = "444"; })
+  );
 }