Commit 5f5bbb9b5687

Vincent Demeester <vincent@sbr.pm>
2026-02-26 12:49:53
fix(flake-updater): resolve signing and SSH failures
Used private key path for commit signing to avoid SSH agent dependency in systemd service. Bypassed SSH config entirely with -F /dev/null to prevent FIDO2 key from being tried and hanging on YubiKey touch.
1 parent 6e08219
modules/nix-flake-updater/default.nix
@@ -158,7 +158,7 @@ let
         Type = "oneshot";
         User = instanceCfg.user;
         ExecStart = "${mkUpdateScript name instanceCfg}";
-        Environment = ''"GIT_SSH_COMMAND=ssh -o ControlPath=none -o ControlMaster=no -o IdentitiesOnly=yes -i /home/${instanceCfg.user}/.ssh/id_ed25519"'';
+        Environment = ''"GIT_SSH_COMMAND=ssh -F /dev/null -o IdentitiesOnly=yes -i /home/${instanceCfg.user}/.ssh/id_ed25519 -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/home/${instanceCfg.user}/.ssh/known_hosts"'';
 
         # Don't fail if update fails (e.g., no changes, build failures)
         SuccessExitStatus = "0 1";
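Review bot: The new GIT_SSH_COMMAND on the `Environment` line still lacks `-o BatchMode=yes`, so if the key at `/home/${instanceCfg.user}/.ssh/id_ed25519` is passphrase-protected or a host key is missing from the listed known_hosts, ssh will try to prompt and the oneshot unit hangs instead of failing; add it next to `IdentitiesOnly=yes`. The key and known_hosts paths are built from a literal `/home/` prefix plus `${instanceCfg.user}`, which breaks for any user whose home directory lives elsewhere — presumably the user's home can be read from the NixOS user config instead, worth confirming. Since `-F /dev/null` discards every `Host` alias and `ProxyJump` from the user's SSH config, a comment above the line such as `# -F /dev/null: SSH config is ignored, remote URLs must use real hostnames (no aliases)` would save the next reader a debugging session.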
tools/nix-flake-update/nix-flake-update.sh
@@ -210,7 +210,7 @@ $(nix flake metadata . --json 2>/dev/null | \
 Built systems: $BUILD_SYSTEMS
 "
 
-    git commit -m "$COMMIT_MSG"
+    git -c user.signingkey=/home/vincent/.ssh/id_ed25519 commit -m "$COMMIT_MSG"
 
     if [ "$DRY_RUN" != "false" ] && [ "$DRY_RUN" != "" ] && [ "$DRY_RUN" != "0" ]; then
       log "DRY RUN: Would push to $GIT_REMOTE/$BRANCH_NAME"
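Review bot: The signing key path on the new `git -c user.signingkey=...` line is hard-coded to `/home/vincent`, while the service module derives the same key path from `instanceCfg.user`; an instance running as any other user will fail to sign. Derive it from the running user instead, e.g. `git -c user.signingkey="${SIGNING_KEY:-$HOME/.ssh/id_ed25519}" commit -m "$COMMIT_MSG"`, so the module can export SIGNING_KEY alongside GIT_SSH_COMMAND. A file path in `user.signingkey` is only honoured when `gpg.format=ssh` and `commit.gpgsign` are set in the effective git config, which is not visible in this hunk — a short comment stating that dependency would help. The enclosing function body starts and continues outside the hunk.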