diff --git a/modules/config/users-groups.nix b/modules/config/users-groups.nix
index 19ec065..bcf521a 100644
--- a/modules/config/users-groups.nix
+++ b/modules/config/users-groups.nix
@@ -37,8 +37,10 @@ let
         , useDefaultShell ? false
         , password ? null
         , isSystemUser ? true
+        , authorizedKeys ? []
+        , authorizedKeyFiles ? []
         }:
-        { inherit name description uid group extraGroups home shell createHome password isSystemUser; };
+        { inherit name description uid group extraGroups home shell createHome password isSystemUser authorizedKeys authorizedKeyFiles; };
 
     in map addAttrs (defaultUsers ++ config.users.extraUsers);
 
@@ -106,7 +108,7 @@ let
 
   # Note: the 'X' in front of the password is to distinguish between
   # having an empty password, and not having a password.
-  serializedUser = u: "${u.name}\n${u.description}\n${toString u.uid}\n${u.group}\n${toString (concatStringsSep "," u.extraGroups)}\n${u.home}\n${u.shell}\n${toString u.createHome}\n${if u.password != null then "X" + u.password else ""}\n${toString u.isSystemUser}\n";
+  serializedUser = u: "${u.name}\n${u.description}\n${toString u.uid}\n${u.group}\n${toString (concatStringsSep "," u.extraGroups)}\n${u.home}\n${u.shell}\n${toString u.createHome}\n${if u.password != null then "X" + u.password else ""}\n${toString u.isSystemUser}\n${toString (concatStringsSep "," u.authorizedKeys)}\n${toString (concatStringsSep "," u.authorizedKeyFiles)}\n";
   serializedGroup = g: "${g.name}\n${toString g.gid}";
 
   # keep this extra file so that cat can be used to pass special chars such as "`" which is used in the avahi daemon
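Review bot: Joining `u.authorizedKeys` with `,` in `serializedUser` is ambiguous, because an authorized_keys entry may carry a comma-separated option list in front of the key (for example `from="…",no-pty ssh-ed25519 …`). The consumer in the last hunk splits on `IFS=","`, so such an entry is cut into fragments and the key can end up installed without some of its restrictions. A key or file name containing a newline would also shift every later field of this line-based record. Consider rejecting newlines at evaluation time and emitting one key per line after a count line, e.g. `${toString (length u.authorizedKeys)}\n` followed by the keys. The matching `read authorizedKeys` in the third hunk should then become `read -r`, since plain `read` consumes backslashes in options or comments.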
@@ -189,6 +191,8 @@ in
             read createHome
             read password
             read isSystemUser
+            read authorizedKeys
+            read authorizedKeyFiles
 
             if ! curEnt=$(getent passwd "$name"); then
                 useradd ''${isSystemUser:+--system} \
@@ -224,6 +228,35 @@ in
                     "$name"
             fi
 
+            # authorizedKeys and authorizedKeyFiles are comma-separated
+            IFS=","
+
+            if [ -n "$authorizedKeyFiles" ]; then
+                for f in $authorizedKeyFiles; do
+                    echo "$f"
+                    if [ -f "$f" ]; then
+                        authorizedKeys="$(${pkgs.coreutils}/bin/cat $f),$authorizedKeys"
+                    fi
+                done
+            fi
+
+            if [ -n "$authorizedKeys" ]; then
+                echo "$authorizedKeys"
+                authfile=~$name/.ssh/authorized_keys
+                eval authfile=$authfile
+                echo "$authfile"
+                mkdir -p "$(dirname $authfile)"
+                touch "$authfile"
+                for k in $authorizedKeys; do
+                    if ! ${pkgs.gnugrep}/bin/grep -q "$k" "$authfile"; then
+                        echo "$k" >> "$authfile"
+                    fi
+                done
+            fi
+
+            # reset IFS
+            unset IFS
+
         done
       '';
 
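Review bot: `eval authfile=$authfile` re-parses the user name as shell code in a script that, judging by the `useradd` call, runs as root. The `mkdir -p`/`touch`/`>>` that follow write into a directory the account owner may control, so a symlink at `.ssh` or `authorized_keys` would redirect a root append to another file. The sketch below resolves the home through `getent passwd`, refuses symlinks, sets explicit modes and compares keys with `grep -qxF --`, so a key is matched as a literal whole line rather than a regex substring. The symlink test narrows the race but does not close it; a root-owned key file outside the home, referenced through sshd's `AuthorizedKeysFile`, would avoid it. Keys are also only ever appended, so removing one from the configuration does not revoke it, and the `echo` debug lines should be dropped; the loop body starts outside this hunk.

```nix
            # … unchanged: IFS="," and the authorizedKeyFiles loop …

            if [ -n "$authorizedKeys" ]; then
                # Resolve the home directory from the passwd database; no eval of ~$name.
                userHome=$(getent passwd "$name" | ${pkgs.coreutils}/bin/cut -d: -f6)
                authfile="$userHome/.ssh/authorized_keys"
                # Do not write through a symlink planted in a user-writable home.
                if [ -n "$userHome" ] && [ ! -L "$userHome/.ssh" ] && [ ! -L "$authfile" ]; then
                    mkdir -p -m 0700 "$userHome/.ssh"
                    touch "$authfile"
                    chmod 0600 "$authfile"
                    for k in $authorizedKeys; do
                        # -x -F: literal whole-line comparison, "--" guards keys starting with "-".
                        if ! ${pkgs.gnugrep}/bin/grep -qxF -- "$k" "$authfile"; then
                            printf '%s\n' "$k" >> "$authfile"
                        fi
                    done
                fi
            fi

            # … unchanged: unset IFS …
```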
