From b185a6159f807801256dede8734b5f0c8469a6eb Mon Sep 17 00:00:00 2001 From: Harald Hoyer Date: Mon, 18 May 2026 12:18:22 +0200 Subject: [PATCH] feat(darwin): enable launchd ssh-agent with FIDO/SK support Apple's built-in ssh-agent has no sk-api/libfido2 support and refuses signing operations for ed25519-sk / ecdsa-sk hardware keys. Enable the existing metacfg.security.ssh module (which runs pkgs.openssh's ssh-agent under launchd) via the common darwin suite, and export SSH_AUTH_SOCK from environment.shellInit so bash, zsh, and fish (via /etc/fish/foreign-env/shellInit) all point at the nix-managed socket. --- modules/darwin/security/ssh/default.nix | 6 +++--- modules/darwin/suites/common/default.nix | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/modules/darwin/security/ssh/default.nix b/modules/darwin/security/ssh/default.nix index 88dbba9..e494ef5 100644 --- a/modules/darwin/security/ssh/default.nix +++ b/modules/darwin/security/ssh/default.nix @@ -20,9 +20,9 @@ in config = mkIf cfg.enable { environment.systemPackages = with pkgs; [ openssh ]; - #environment.shellInit = '' - # export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock" - #''; + environment.shellInit = '' + export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock" + ''; launchd.user.agents.ssh-agent.serviceConfig = { Label = "ssh-agent"; diff --git a/modules/darwin/suites/common/default.nix b/modules/darwin/suites/common/default.nix index bdbf638..099acf1 100644 --- a/modules/darwin/suites/common/default.nix +++ b/modules/darwin/suites/common/default.nix @@ -32,7 +32,7 @@ in security = { gpg = enabled; - #ssh = enabled; + ssh = enabled; }; }; };
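Review bot: The `export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"` now enabled in `environment.shellInit` is unconditional, so every shell replaces whatever socket was already set. That includes the forwarded-agent socket sshd provides when someone logs in to this Mac over SSH. It also includes any socket from the `gpg = enabled` module in the common suite, if that module enables gpg-agent's SSH support (not visible here). Consider guarding the export, for example `if [ -z "$SSH_CONNECTION" ] || [ -z "$SSH_AUTH_SOCK" ]; then export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"; fi`, and adding a comment above it such as `# Point shells at the nix-managed agent (FIDO/SK capable); keep a forwarded agent in SSH sessions`. The `launchd.user.agents.ssh-agent.serviceConfig` block continues outside the hunk, so it is worth confirming that the agent binds this exact path and that the socket's directory is only accessible to the user.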