feat(darwin): enable launchd ssh-agent with FIDO/SK support

Apple's built-in ssh-agent has no sk-api/libfido2 support and refuses signing operations for ed25519-sk / ecdsa-sk hardware keys. Enable the existing metacfg.security.ssh module (which runs pkgs.openssh's ssh-agent under launchd) via the common darwin suite, and export SSH_AUTH_SOCK from environment.shellInit so bash, zsh, and fish (via /etc/fish/foreign-env/shellInit) all point at the nix-managed socket.
2026-05-18 12:18:22 +02:00 · 2026-05-18 12:18:22 +02:00 · b185a6159f
commit b185a6159f
parent 0990389464
2 changed files with 4 additions and 4 deletions
--- a/modules/darwin/security/ssh/default.nix
+++ b/modules/darwin/security/ssh/default.nix
@ -20,9 +20,9 @@ in
  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs; [ openssh ];

-    #environment.shellInit = ''
-    #  export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
-    #'';
+    environment.shellInit = ''
+      export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
+    '';

    launchd.user.agents.ssh-agent.serviceConfig = {
      Label = "ssh-agent";