

ssh: auto-load keys into agent on login (macOS + Linux desktop)

UseKeychain yes was removed in macOS Tahoe, so replace it with a
LaunchAgent running `ssh-add --apple-load-keychain` at login.

On Linux, add an ssh-agent service and a systemd user service that
loads keys via ksshaskpass/KWallet. Both are gated on isDesktop —
the server only accepts inbound SSH so needs neither.

+42 -5
+1 -1
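--- a/home/home.nix
+++ b/home/home.nix
@@ -25,7 +25,7 @@
     ./programs/git.nix
     ./programs/yarn.nix
     (import ./programs/zsh.nix { inherit hostName isDarwin; })
-    (import ./programs/ssh.nix { inherit isDarwin; })
+    (import ./programs/ssh.nix { inherit isDarwin isDesktop; })
     ./programs/starship.nix
     ./programs/fastfetch.nix
     ./programs/vscode.nix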
+41 -4
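--- a/home/programs/ssh.nix
+++ b/home/programs/ssh.nix
@@ -1,4 +1,4 @@
-{ isDarwin }:
+{ isDarwin, isDesktop ? true }:
 { config, pkgs, lib, cfgLib, ... }:
 
 let
@@ -56,10 +56,47 @@
     };
   };
 
-  # Linux: Enable SSH agent service via systemd user service
-  # On macOS, the system handles this automatically
-  services.ssh-agent = lib.mkIf (!isDarwin) {
+  # Linux desktop: enable SSH agent and load keys into it at login.
+  # On macOS the system keychain handles this automatically.
+  # The server doesn't need this — we SSH into it, not out from it.
+  services.ssh-agent = lib.mkIf (!isDarwin && isDesktop) {
+    enable = true;
+  };
+
+  # ksshaskpass pops a KWallet GUI prompt on first login after a reboot;
+  # subsequent logins retrieve the passphrase from KWallet silently.
+  # SSH_AUTH_SOCK must be set explicitly — systemd user services don't
+  # inherit the shell environment, so reference the socket path directly.
+  systemd.user.services.ssh-load-keys = lib.mkIf (!isDarwin && isDesktop) {
+    Unit = {
+      Description = "Load SSH keys into agent via KWallet";
+      After = [ "ssh-agent.service" "graphical-session.target" ];
+      PartOf = [ "graphical-session.target" ];
+    };
+    Service = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.openssh}/bin/ssh-add";
+      Environment = [
+        "SSH_AUTH_SOCK=%t/ssh-agent"
+        "SSH_ASKPASS=${pkgs.kdePackages.ksshaskpass}/bin/ksshaskpass"
+        "SSH_ASKPASS_REQUIRE=prefer"
+      ];
+      RemainAfterExit = true;
+    };
+    Install.WantedBy = [ "graphical-session.target" ];
+  };
+
+  # macOS: Load SSH keys from Keychain into the agent at login.
+  # Replaces the old `UseKeychain yes` ssh_config option (removed in Tahoe).
+  # Equivalent to running `ssh-add --apple-load-keychain` manually after each reboot.
+  launchd.agents.ssh-load-keychain = lib.mkIf isDarwin {
     enable = true;
+    config = {
+      ProgramArguments = [ "/usr/bin/ssh-add" "--apple-load-keychain" ];
+      RunAtLoad = true;
+      StandardOutPath = "/tmp/ssh-add-keychain.log";
+      StandardErrorPath = "/tmp/ssh-add-keychain.log";
+    };
   };
 
   # Ensure the socket directory exists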
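Review bot: The launchd agent's `StandardOutPath`/`StandardErrorPath` point at a fixed, predictable file in the shared `/tmp`, so on a multi-user machine another local account can pre-create or replace that path before the agent first runs, and the agent then appends its output (loaded key comments and any error text) to a file it does not own. A per-user location avoids the shared directory entirely: `StandardOutPath = "${config.home.homeDirectory}/Library/Logs/ssh-add-keychain.log";` and the same for `StandardErrorPath`; launchd does not expand `$HOME` in plists, which is why the absolute path from `config` is needed. In the first hunk, `isDesktop ? true` makes the agent/loader opt-out rather than opt-in, which is the opposite of the commit message's "the server needs neither"; a caller that forgets to pass `isDesktop` (home.nix does pass it) silently gets the desktop behavior, so `isDesktop ? false` or a required argument would be safer. A brief comment above the default stating that intent would help either way.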