Commit 82b929b41d7c

Vincent Demeester <vincent@sbr.pm>
2025-07-23 11:29:50
systems: trying to use yubikey-agent and ssh-agent at the same time
Start both agents, but export the environment variable (SSH_AUTH_SOCK) only for ssh-agent. Then use the ssh configuration to enforce the yubikey-agent for most hosts, but not all. Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 1ebacf2
Changed files (3)
home/common/shell/openssh.nix
@@ -8,6 +8,7 @@
   home.packages = with pkgs; [
     sshfs
   ];
+  services.ssh-agent.enable = true;
   programs.ssh = {
     enable = true;
     serverAliveInterval = 60;
@@ -53,13 +54,18 @@
         extraOptions = {
           StrictHostKeyChecking = "no";
           UserKnownHostsFile = "/dev/null";
+          identityFile = "~/.ssh/kyushu";
+          identityAgent = "\$SSH_AUTH_SOCK";
         };
       };
       "10.100.0.*" = {
         forwardAgent = true;
+        identityFile = "~/.ssh/kyushu";
+        identityAgent = "\$SSH_AUTH_SOCK";
       };
     } // globals.fn.sshConfigs globals.machines;
     extraConfig = ''
+      IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock
       GlobalKnownHostsFile ~/.ssh/ssh_known_hosts ~/.ssh/ssh_known_hosts.redhat ~/.ssh/ssh_known_hosts.mutable
       StrictHostKeyChecking yes
       PreferredAuthentications gssapi-with-mic,publickey,password
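Review bot: The fallback `IdentityAgent /run/user/1000/yubikey-agent/yubikey-agent.sock` added to `extraConfig` hard-codes UID 1000, so for any other user of this home configuration it silently points at a socket that does not exist; ssh_config expands `%i` to the local UID, so `IdentityAgent /run/user/%i/yubikey-agent/yubikey-agent.sock` keeps the same path without the constant. The per-host `identityAgent = "\$SSH_AUTH_SOCK"` overrides appear to rely on home-manager emitting `matchBlocks` before `extraConfig` and on ssh keeping the first value it sees per option, which deserves a one-line comment next to the fallback, e.g. `# Default agent is yubikey-agent; the host blocks above opt into $SSH_AUTH_SOCK (plain ssh-agent)`. The `10.100.0.*` block combines `forwardAgent = true` with that software-key agent; as I read ssh_config(5), `ForwardAgent yes` forwards the socket selected by IdentityAgent, so those hosts now get the agent holding the on-disk `kyushu` key rather than the YubiKey-backed one, and if that is intended, `identitiesOnly = true;` there at least limits which identities are offered.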
systems/common/hardware/yubikey.nix
@@ -12,6 +12,7 @@
       yubico-piv-tool
       yubikey-personalization
       yubikey-manager
+      yubikey-agent
     ]
     ++ lib.optionals (builtins.isString desktop) [
       yubioath-flutter # Maybe not necessary
@@ -47,5 +48,41 @@
   };
 
   programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gnome3;
-  services.yubikey-agent.enable = true;
+  # services.yubikey-agent.enable = true;
+  systemd.packages = [ pkgs.yubikey-agent ];
+
+  # systemd.user.services.yubikey-agent = {
+  #   Unit = {
+  #     Description = "Seamless ssh-agent for YubiKeys";
+  #     Documentation = "https://github.com/FiloSottile/yubikey-agent";
+  #     Requires = "yubikey-agent.socket";
+  #     After = "yubikey-agent.socket";
+  #     RefuseManualStart = true;
+  #   };
+  #
+  #   Service = {
+  #     ExecStart = "${pkgs.yubikey-agent}/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock";
+  #     Type = "simple";
+  #     # /run/user/$UID for the socket
+  #     ReadWritePaths = [ "%t" ];
+  #   };
+  # };
+  #
+  # systemd.user.sockets.yubikey-agent = {
+  #   Unit = {
+  #     Description = "Unix domain socket for Yubikey SSH agent";
+  #     Documentation = "https://github.com/FiloSottile/yubikey-agent";
+  #   };
+  #
+  #   Socket = {
+  #     ListenStream = "%t/yubikey-agent/yubikey-agent.sock";
+  #     RuntimeDirectory = "yubikey-agent";
+  #     SocketMode = "0600";
+  #     DirectoryMode = "0700";
+  #   };
+  #
+  #   Install = {
+  #     WantedBy = [ "sockets.target" ];
+  #   };
+  # };
 }
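Review bot: Replacing `services.yubikey-agent.enable = true` with only `systemd.packages = [ pkgs.yubikey-agent ]` installs the package's unit files, but as far as this hunk shows nothing enables the socket or starts pcscd, both of which the NixOS module used to take care of; unless they are set elsewhere, add `systemd.user.sockets.yubikey-agent.wantedBy = [ "sockets.target" ];` and `services.pcscd.enable = true;` next to the new line. Roughly thirty lines of commented-out `systemd.user.services`/`systemd.user.sockets` definitions are left behind with no explanation; either delete them or replace them with a short comment such as `# Units come from the yubikey-agent package; the NixOS module is disabled so it does not export SSH_AUTH_SOCK`. The commented draft also appears to use home-manager style attribute names (`Unit`, `Service`, `Socket`) under `systemd.user.*`, which would not evaluate as-is in this NixOS module, so it is misleading as a template to resurrect later.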
globals.nix
@@ -80,7 +80,8 @@ let
               else
                 x;
             forwardAgent = true;
-            identityFile = [ "~/.ssh/kyushu" ];
+            identityFile = "~/.ssh/kyushu";
+            identityAgent = "\$SSH_AUTH_SOCK";
           };
         })
         (
@@ -199,7 +200,7 @@ in
       };
       ssh = {
         hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/4KRP1rzOwyA2zP1Nf1WlLRHqAGutLtOHYWfH732xh";
-        # root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQVlSrUKU0xlM9E+sJ8qgdgqCW6ePctEBD2Yf+OnyME root@aomi";
+        # root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFQVlSrUKU0xlM9E+sJ8qgdgqCW6ePctEBD2Yf+OnyME root@aomiy";
         # vincent = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3 vincent@aomi";
       };
       syncthing = {
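Review bot: Every host generated from `globals.machines` now pairs the unchanged `forwardAgent = true` with `identityAgent = "\$SSH_AUTH_SOCK"`, i.e. the agent that holds the on-disk `~/.ssh/kyushu` key; as I read ssh_config(5), `ForwardAgent yes` forwards the socket chosen by IdentityAgent, so the whole fleet now receives that agent instead of the YubiKey-backed one, which is a broader exposure than the "most things but not all" described in the commit message. If that is intended, consider adding `identitiesOnly = true;` beside the new lines so only the `kyushu` identity is offered, plus a comment stating that these hosts deliberately bypass the YubiKey agent. The `let` binding that builds these attribute sets starts outside the hunk, so I could not check whether an outer block already narrows this.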