sshAuthSock: set in systemd

`SSH_AUTH_SOCK` is exported in shells only, which systemd does not inherit from. With this commit, it is also set in systemd such that systemd-managed applications can access the SSH agent by declaring dependencies onto 'sshAuthSock.systemd.socketProviderUnit'. Closes #7971.
2026-06-05 21:02:51 +00:00 · 2026-06-02 14:43:55 +02:00
parent f4534a4f3c
commit f1d5aa6f69
8 changed files with 54 additions and 1 deletions
--- a/modules/misc/ssh-auth-sock.nix
+++ b/modules/misc/ssh-auth-sock.nix
@@ -1,4 +1,9 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:

 let
  cfg = config.sshAuthSock;
@@ -44,6 +49,18 @@ in
        };
      };

+    systemd.socketProviderUnit = lib.mkOption {
+      description = ''
+        The name of the systemd unit responsible for providing the {env}`SSH_AUTH_SOCK`.
+
+        Services that rely on an active SSH authentication agent can reference
+        this option to declare a dependency onto this unit, ensuring that the
+        socket is available and being served before they start.
+      '';
+      example = "ssh-agent.service";
+      type = lib.types.str;
+    };
+
  };

  config =
@@ -78,5 +95,26 @@ in
      programs.fish.shellInit = lib.mkOrder 900 fishIntegration;
      programs.nushell.extraConfig = lib.mkOrder 900 nushellIntegration;
      programs.zsh.envExtra = lib.mkOrder 900 zshIntegration;
+
+      # Replace this service by an environment generator as soon as they are
+      # available per-user. See https://github.com/systemd/systemd/issues/32423
+      # for more information.
+      systemd.user.services.set-SSH_AUTH_SOCK = {
+        Unit = {
+          Description = "Sets SSH_AUTH_SOCK in the D-BUS daemon and systemd";
+          Before = [ cfg.systemd.socketProviderUnit ];
+        };
+        Service = {
+          Type = "oneshot";
+          ExecStart = pkgs.writeShellScript "set-SSH_AUTH_SOCK" ''
+            ${bashIntegration}
+            ${pkgs.dbus}/bin/dbus-update-activation-environment --systemd SSH_AUTH_SOCK
+          '';
+        };
+        Install.WantedBy = [
+          "default.target"
+          cfg.systemd.socketProviderUnit
+        ];
+      };
    };
 }
--- a/modules/services/gpg-agent.nix
+++ b/modules/services/gpg-agent.nix
@@ -393,6 +393,7 @@ in
          $env.SSH_AUTH_SOCK = $"(${gpgPkg}/bin/gpgconf --list-dirs agent-ssh-socket)"
        '';
      };
+      systemd.socketProviderUnit = "gpg-agent-ssh.socket";
    };

    programs = {
--- a/modules/services/proton-pass-agent.nix
+++ b/modules/services/proton-pass-agent.nix
@@ -86,6 +86,7 @@ in
              ''$"($env.XDG_RUNTIME_DIR)/${cfg.socket}"''
          }";
        };
+        systemd.socketProviderUnit = "proton-pass-agent.service";
      };

      systemd.user.services.proton-pass-agent = {
--- a/modules/services/ssh-agent.nix
+++ b/modules/services/ssh-agent.nix
@@ -80,6 +80,7 @@ in
              ''$"($env.XDG_RUNTIME_DIR)/${cfg.socket}"''
          }";
        };
+      systemd.socketProviderUnit = "ssh-agent.service";
    };

    systemd.user.services.ssh-agent = {
--- a/modules/services/ssh-tpm-agent.nix
+++ b/modules/services/ssh-tpm-agent.nix
@@ -80,6 +80,7 @@ in
        fish = ''set -x SSH_AUTH_SOCK "$XDG_RUNTIME_DIR/ssh-tpm-agent.sock"'';
        nushell = ''$env.SSH_AUTH_SOCK = $"($env.XDG_RUNTIME_DIR)/ssh-tpm-agent.sock"'';
      };
+      systemd.socketProviderUnit = lib.mkOverride 90 "ssh-tpm-agent.socket";
    };

    systemd.user = {
--- a/modules/services/yubikey-agent.nix
+++ b/modules/services/yubikey-agent.nix
@@ -42,6 +42,7 @@ in
              ''$"($env.XDG_RUNTIME_DIR | default $"/run/user/(id -u)")/yubikey-agent/yubikey-agent.sock"''
          }";
        };
+      systemd.socketProviderUnit = "yubikey-agent.socket";
    };

    systemd.user.services.yubikey-agent = {
--- a/tests/modules/misc/ssh-auth-sock/disabled.nix
+++ b/tests/modules/misc/ssh-auth-sock/disabled.nix
@@ -19,5 +19,7 @@
    assertFileNotRegex \
      home-files/.zshenv \
      'SSH_AUTH_SOCK'
+
+    assertPathNotExists home-files/.config/systemd/user/set-SSH_AUTH_SOCK.service
  '';
 }
--- a/tests/modules/misc/ssh-auth-sock/enabled.nix
+++ b/tests/modules/misc/ssh-auth-sock/enabled.nix
@@ -1,3 +1,5 @@
+{ config, lib, ... }:
+
 {
  programs.bash.enable = true;
  programs.fish.enable = true;
@@ -11,6 +13,7 @@
      fish = "echo fish";
      nushell = "echo nushell";
    };
+    systemd.socketProviderUnit = "foo.socket";
  };

  nmt.script = ''
@@ -26,5 +29,10 @@
    assertFileContains \
      home-files/.zshenv \
      'if [ -z "$SSH_AUTH_SOCK" -o -z "$SSH_CONNECTION" ]; then'
+  ''
+  + lib.optionalString config.systemd.user.enable ''
+    assertFileExists home-files/.config/systemd/user/set-SSH_AUTH_SOCK.service
+    assertFileContains home-files/.config/systemd/user/set-SSH_AUTH_SOCK.service 'Before=foo.socket'
+    assertFileContains home-files/.config/systemd/user/set-SSH_AUTH_SOCK.service 'WantedBy=foo.socket'
  '';
 }