diff --git a/infra/libkookie/configuration/users/spacekookie/default.nix b/infra/libkookie/configuration/users/spacekookie/default.nix
index 5db2e19a7e8..01eea96fa4b 100644
--- a/infra/libkookie/configuration/users/spacekookie/default.nix
+++ b/infra/libkookie/configuration/users/spacekookie/default.nix
@@ -10,4 +10,10 @@
     extraGroups = [ "wheel" "dialout" ];
     shell = lib.mkDefault pkgs.fish;
   };
+
+  pubkeys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdIsXiaE3YLuqekTg8Xq65n1GUX5IQc8/FKMrbCsCWY" # tempest
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBALMtai+K3wBvpSf9ntuBH1GNte7quhIA4/ZWKlvF0A" # uwu
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ7alBckvMjRL/Tp38dSkZDTR/cLHRcJPwhP5+/fdM" # qq
+  ];
 }
diff --git a/infra/libkookie/modules/harness/users.nix b/infra/libkookie/modules/harness/users.nix
index 525c7d6ead2..6586e7b0dea 100644
--- a/infra/libkookie/modules/harness/users.nix
+++ b/infra/libkookie/modules/harness/users.nix
@@ -7,7 +7,7 @@ let
     options = {
       name = mkOption { type = str; description = "The name of the user"; };
       cfg = mkOption { description = "The user configuration"; };
-      pubkeys = mkOption { type = listOf path;
+      pubkeys = mkOption { type = listOf str;
                            default = [];
                            description = "Set of ssh public keys to include"; };
     };
@@ -28,9 +28,9 @@ in
 
   config = {
     users.mutableUsers = false;
-    users.users = builtins.listToAttrs (map ({ name, cfg, ... }:
+    users.users = builtins.listToAttrs (map ({ name, cfg, pubkeys }:
       nameValuePair "${name}"
-        (cfg // { group = "${name}"; })) config.libkookie.activeUsers);
+        (cfg // { group = "${name}"; openssh.authorizedKeys.keys = pubkeys; })) config.libkookie.activeUsers);
 
     users.groups = builtins.listToAttrs (map ({ name, ... }:
       nameValuePair "${name}" {}) config.libkookie.activeUsers);