nathan/home-manager
1
0
Fork 0
mirror of https://github.com/nix-community/home-manager.git synced 2026-06-05 21:02:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
f1d5aa6f690b46440ce3b36b0d50ae984e82c82e
home-manager/modules/services/ssh-agent.nix
Benedikt Rips f1d5aa6f69 sshAuthSock: set in systemd 
`SSH_AUTH_SOCK` is exported in shells only, which systemd does not
inherit from. With this commit, it is also set in systemd such that
systemd-managed applications can access the SSH agent by declaring
dependencies onto 'sshAuthSock.systemd.socketProviderUnit'.

Closes #7971.
2026-06-04 12:20:50 -05:00

132 lines
3.8 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
...
}:
let
cfg = config.services.ssh-agent;
in
{
meta.maintainers = [
lib.maintainers.bmrips
lib.hm.maintainers.lheckemann
];
imports =
map (shell: lib.mkRemovedOptionModule [ "services" "ssh-agent" "enable${shell}Integration" ] "")
[
"Bash"
"Zsh"
"Fish"
"Nushell"
];
options.services.ssh-agent = {
enable = lib.mkEnableOption "OpenSSH private key agent";
package = lib.mkPackageOption pkgs "openssh" { };
socket = lib.mkOption {
type = lib.types.str;
default = "ssh-agent";
example = "ssh-agent/socket";
description = ''
The agent's socket; interpreted as a suffix to {env}`$XDG_RUNTIME_DIR`
on Linux and `$(getconf DARWIN_USER_TEMP_DIR)` on macOS.
'';
};
defaultMaximumIdentityLifetime = lib.mkOption {
type = lib.types.nullOr lib.types.ints.positive;
default = null;
example = 3600;
description = ''
Set a default value for the maximum lifetime in seconds of identities added to the agent.
'';
};
pkcs11Whitelist = lib.mkOption {
type = lib.types.listOf lib.types.str;
default = [ ];
example = lib.literalExpression ''[ "''${pkgs.tpm2-pkcs11}/lib/*" ]'';
description = ''
Specify a list of approved path patterns for PKCS#11 and FIDO authenticator middleware libraries. When using the -s or -S options with {manpage}`ssh-add(1)`, only libraries matching these patterns will be accepted.
See {manpage}`ssh-agent(1)`.
'';
};
};
config = lib.mkIf cfg.enable {
sshAuthSock = {
enable = true;
initialization =
let
socketPath =
if pkgs.stdenv.isDarwin then
"$(${lib.getExe pkgs.getconf} DARWIN_USER_TEMP_DIR)/${cfg.socket}"
else
"$XDG_RUNTIME_DIR/${cfg.socket}";
in
{
bash = ''export SSH_AUTH_SOCK="${socketPath}"'';
fish = ''set -x SSH_AUTH_SOCK "${socketPath}"'';
nushell = "$env.SSH_AUTH_SOCK = ${
if pkgs.stdenv.isDarwin then
''$"(${lib.getExe pkgs.getconf} DARWIN_USER_TEMP_DIR)/${cfg.socket}"''
else
''$"($env.XDG_RUNTIME_DIR)/${cfg.socket}"''
}";
};
systemd.socketProviderUnit = "ssh-agent.service";
};
systemd.user.services.ssh-agent = {
Install.WantedBy = [ "default.target" ];
Unit = {
Description = "SSH authentication agent";
Documentation = "man:ssh-agent(1)";
};
Service = {
ExecStart = "${lib.getExe' cfg.package "ssh-agent"} -D -a %t/${cfg.socket}${
lib.optionalString (
cfg.defaultMaximumIdentityLifetime != null
) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
}${
lib.optionalString (
cfg.pkcs11Whitelist != [ ]
) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
}";
SuccessExitStatus = 2;
};
};
launchd.agents.ssh-agent = {
enable = true;
config = {
ProgramArguments = [
(lib.getExe pkgs.bash)
"-c"
''${lib.getExe' cfg.package "ssh-agent"} -D -a "$(${lib.getExe pkgs.getconf} DARWIN_USER_TEMP_DIR)/${cfg.socket}"${
lib.optionalString (
cfg.defaultMaximumIdentityLifetime != null
) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
}${
lib.optionalString (
cfg.pkcs11Whitelist != [ ]
) " -P '${lib.concatStringsSep "," cfg.pkcs11Whitelist}'"
}''
];
KeepAlive = {
Crashed = true;
SuccessfulExit = false;
};
ProcessType = "Background";
RunAtLoad = true;
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink