Commit 23a0916b8620

Vincent Demeester <vincent@sbr.pm>
2025-07-28 14:26:37
home/systems: fix yubikey-key and ssh agent
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 08e10c2
Changed files (3)
home/common/shell/openssh.nix
@@ -8,7 +8,7 @@
   home.packages = with pkgs; [
     sshfs
   ];
-  services.ssh-agent.enable = true;
+  # services.ssh-agent.enable = true;
   programs.ssh = {
     enable = true;
     serverAliveInterval = 60;
@@ -55,22 +55,21 @@
           StrictHostKeyChecking = "no";
           UserKnownHostsFile = "/dev/null";
           identityFile = "~/.ssh/kyushu";
-          identityAgent = "\$SSH_AUTH_SOCK";
+          # identityAgent = "empty";
         };
       };
       "10.100.0.*" = {
         forwardAgent = true;
         identityFile = "~/.ssh/kyushu";
-        identityAgent = "\$SSH_AUTH_SOCK";
+        # identityAgent = "empty";
       };
-    } // globals.fn.sshConfigs globals.machines;
+    }
+    // globals.fn.sshConfigs globals.machines;
     extraConfig = ''
-      IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock
+      # IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock
       GlobalKnownHostsFile ~/.ssh/ssh_known_hosts ~/.ssh/ssh_known_hosts.redhat ~/.ssh/ssh_known_hosts.mutable
       StrictHostKeyChecking yes
-      PreferredAuthentications gssapi-with-mic,publickey,password
-      GSSAPIAuthentication yes
-      GSSAPIDelegateCredentials yes
+      PreferredAuthentications publickey,password
       StreamLocalBindUnlink yes
       IdentityFile ~/.ssh/keys/%h
       IdentityFile ~/.ssh/id_ed25519
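Review bot: The new `PreferredAuthentications publickey,password` still lets ssh fall back to a password, and the host block at the top of this hunk (its `Host` line is outside the hunk) disables host-key verification with `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null`, so a spoofed host on that path can collect the password with no warning; if those hosts do not need password login, keep `PreferredAuthentications publickey` globally and set `PasswordAuthentication no` in the blocks that skip host-key checking. The commented-out `# identityAgent = "empty";` lines are dead config and `empty` is not a documented IdentityAgent value (ssh disables the agent with `none` and otherwise treats the string as a socket path), so either delete them or spell out `none`; note that globals.nix in this same commit leaves `identityAgent = "empty"` live, which would presumably make ssh look for a socket literally named `empty`. Dropping `GSSAPIDelegateCredentials yes` is a good change; a short comment on the `PreferredAuthentications` line such as `# GSSAPI removed on purpose: no credential delegation to remote hosts` would keep it from being re-added.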
systems/common/hardware/yubikey.nix
@@ -1,6 +1,7 @@
 {
   lib,
   pkgs,
+  config,
   desktop,
   ...
 }:
@@ -48,41 +49,15 @@
   };
 
   programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
-  # services.yubikey-agent.enable = true;
-  systemd.packages = [ pkgs.yubikey-agent ];
+  services.yubikey-agent.enable = true;
+  # systemd.packages = [ pkgs.yubikey-agent ];
 
-  # systemd.user.services.yubikey-agent = {
-  #   Unit = {
-  #     Description = "Seamless ssh-agent for YubiKeys";
-  #     Documentation = "https://github.com/FiloSottile/yubikey-agent";
-  #     Requires = "yubikey-agent.socket";
-  #     After = "yubikey-agent.socket";
-  #     RefuseManualStart = true;
-  #   };
-  #
-  #   Service = {
-  #     ExecStart = "${pkgs.yubikey-agent}/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock";
-  #     Type = "simple";
-  #     # /run/user/$UID for the socket
-  #     ReadWritePaths = [ "%t" ];
-  #   };
-  # };
-  #
-  # systemd.user.sockets.yubikey-agent = {
-  #   Unit = {
-  #     Description = "Unix domain socket for Yubikey SSH agent";
-  #     Documentation = "https://github.com/FiloSottile/yubikey-agent";
-  #   };
-  #
-  #   Socket = {
-  #     ListenStream = "%t/yubikey-agent/yubikey-agent.sock";
-  #     RuntimeDirectory = "yubikey-agent";
-  #     SocketMode = "0600";
-  #     DirectoryMode = "0700";
-  #   };
-  #
-  #   Install = {
-  #     WantedBy = [ "sockets.target" ];
-  #   };
-  # };
+  # This overrides the systemd user unit shipped with the
+  # yubikey-agent package
+  # systemd.user.services.yubikey-agent =
+  #   lib.mkIf (config.programs.gnupg.agent.pinentryPackage != null)
+  #     {t
+  #       path = [ config.programs.gnupg.agent.pinentryPackage ];
+  #       wantedBy = [ "default.target" ];
+  #     };
 }
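Review bot: The block at the end is commented-out code that would not parse if re-enabled (`{t` on its opening brace), and `config` was added to the module arguments only to serve it, so the new side carries a dead parameter and a broken snippet. The comment above it says this override is what the shipped unit already does; if `services.yubikey-agent.enable = true` sets up the user unit, the pinentry path and `SSH_AUTH_SOCK` as it appears to, the snippet, the `# systemd.packages = [ pkgs.yubikey-agent ];` line and the `config` argument can be removed outright rather than kept as comments. If the override is being kept for a later change, replace it with a one-line comment such as `# unit/socket and pinentry path come from services.yubikey-agent; see nixos module` so the intent survives. Since the same commit disables home-manager's `services.ssh-agent`, this agent is presumably the one now behind `SSH_AUTH_SOCK` and forwarded by the `forwardAgent = true` host blocks in openssh.nix, which is worth stating in a comment next to the `enable` line.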
globals.nix
@@ -81,7 +81,7 @@ let
                 x;
             forwardAgent = true;
             identityFile = "~/.ssh/kyushu";
-            identityAgent = "\$SSH_AUTH_SOCK";
+            identityAgent = "empty";
           };
         })
         (