Commit 98ee29ad041e

Vincent Demeester <vincent@sbr.pm>
2026-03-27 10:04:03
fix(passage): use non-SK key for automated sync
Added dedicated id_passage keys for kyushu and okinawa to avoid Yubikey touch prompts during nightly passage-update timer runs. The service now uses GIT_SSH_COMMAND with IdentityAgent=none to bypass the SSH agent entirely.
1 parent 5801587
Changed files (2)
home/common/desktop/passage.nix
@@ -19,6 +19,8 @@
       Type = "oneshot";
       ExecStart = "${pkgs.passage}/bin/passage git pull --rebase";
       WorkingDirectory = config.home.sessionVariables.PASSAGE_DIR;
+      # Use dedicated non-SK key to avoid Yubikey touch prompts during automated sync
+      Environment = "GIT_SSH_COMMAND=ssh -i ${config.home.homeDirectory}/.ssh/id_passage -o IdentitiesOnly=yes -o IdentityAgent=none";
     };
   };
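Review bot: The `Environment` value on the added line contains spaces but is not quoted as one assignment, so when it reaches the unit file as `Environment=GIT_SSH_COMMAND=ssh -i … -o …` systemd splits it at whitespace and keeps only `GIT_SSH_COMMAND=ssh`, discarding `-i`, the key path and both `-o` options (logged as invalid assignments) — unless home-manager quotes the string for you, which I cannot confirm from this hunk. The result would be a plain `ssh` that still consults the agent, i.e. the touch prompt the change is meant to avoid. Wrapping the assignment in quotes fixes it: `Environment = "\"GIT_SSH_COMMAND=ssh -i ${config.home.homeDirectory}/.ssh/id_passage -o IdentitiesOnly=yes -o IdentityAgent=none\"";`. It is worth a one-line comment that the unit is expected to fail rather than fall back when id_passage is absent, since `IdentitiesOnly=yes` with an explicit `-i` gives exactly that fail-closed behaviour. The service definition begins above the hunk.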
 
globals.nix
@@ -10,8 +10,10 @@ _: {
       "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAGh5p44LvQrWjAMyC/5LjUnViqFl3ddVfiFnoiLgJb7AAAAEnNzaDpjcml0aWNhbC1pbmZyYQ== infra-touch-required"
       # FIDO2 resident keys (okinawa)
       "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEefW7gStvkrO98v6UUawwa3yOu896Ei8USE/Sh2DjaUAAAABHNzaDo= vincent@okinawa"
+      # Passage sync keys (non-SK, for automated git pull)
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBqhe3iS2058Ro8jN0b5Sr1tb+fEyqwgEmEC7vCM0za4 vincent@kyushu-passage"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/CgISZ5XVyg8eYH7b56EWo4UGplOzzZKdtMKtkZqxc vincent@okinawa-passage"
       # Host keys (trusted machines)
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILfT4qPT4nH+K6wfhnM4JCtflrUEIXPAYpqdN7W7TOBo vincent@okinawa-passage"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJmTdMKYdgqpbQWBif58VBuwX+GqMGsMfB1ey1TKrM3 vincent@aomi"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGThdcaPfIaB7d+K5uODqEusLKGI5ZCye0aNOCaMoInO Kyushu's ssh key"
     ];
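Review bot: The two added passage keys are, by the commit's own description, non-SK keys used without an agent, so they are presumably passphrase-less private keys on disk, yet they sit in the same list as the touch-required and host keys with no indication that their authorization should be narrower. If this list is expanded into authorized_keys anywhere, consider noting (or enforcing, via the `restrict` and `command=` authorized_keys options at the point of consumption) that these keys only need read/pull access to the passage remote; at minimum the comment could say so: `# Passage sync keys (non-SK, unencrypted on disk; only needs pull access to the passage remote)`. The removed `vincent@okinawa-passage` line was a different public key under the same comment, so the old key should also be revoked wherever it was previously deployed (the git remote in particular), as this file does not show that. Which consumers read this list is outside the hunk, so this is inferred from the naming.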