Commit 0066f5b1198e

Vincent Demeester <vincent@sbr.pm>
2026-02-23 12:01:19
fix(flake-updater): pin SSH identity key
GIT_SSH_COMMAND only disabled ControlMaster but didn't restrict identity files. The Host * SSH config adds the YubiKey SK key to all connections, which hangs and fails in headless systemd context. Pinned to id_ed25519 with IdentitiesOnly to bypass FIDO2 keys entirely.
1 parent 41b8a3b
Changed files (1)
modules/nix-flake-updater/default.nix
@@ -158,7 +158,7 @@ let
         Type = "oneshot";
         User = instanceCfg.user;
         ExecStart = "${mkUpdateScript name instanceCfg}";
-        Environment = ''"GIT_SSH_COMMAND=ssh -o ControlMaster=no"'';
+        Environment = ''"GIT_SSH_COMMAND=ssh -o ControlMaster=no -o IdentitiesOnly=yes -i /home/${instanceCfg.user}/.ssh/id_ed25519"'';
 
         # Don't fail if update fails (e.g., no changes, build failures)
         SuccessExitStatus = "0 1";
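Review bot: The new Environment line hard-codes the home directory as `/home/${instanceCfg.user}`, so the service silently points at a non-existent key (and falls back to the same hanging SK probe the commit is trying to avoid) for any user whose home lives elsewhere; if `config` is in scope in this module, `-i ${config.users.users.${instanceCfg.user}.home}/.ssh/id_ed25519` derives the path from the declared account instead. Note also that `IdentitiesOnly=yes` only excludes identities offered by the agent or a security-key/PKCS11 provider — if the `Host *` stanza supplies the YubiKey key via `IdentityFile`, ssh will still try it after `id_ed25519` is rejected, so `-F /dev/null` (or a dedicated minimal config) is the option that actually bypasses the user's ssh_config. A short comment above the line, e.g. `# headless unit: explicit ed25519 key, no agent/FIDO2 identities`, would make the intent survive the next edit. The enclosing serviceConfig attribute set starts before and ends after this hunk.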