feat(darwin): enable launchd ssh-agent with FIDO/SK support

Apple's built-in ssh-agent has no sk-api/libfido2 support and refuses signing operations for ed25519-sk / ecdsa-sk hardware keys. Enable the existing metacfg.security.ssh module (which runs pkgs.openssh's ssh-agent under launchd) via the common darwin suite, and export SSH_AUTH_SOCK from environment.shellInit so bash, zsh, and fish (via /etc/fish/foreign-env/shellInit) all point at the nix-managed socket.
2026-05-18 12:18:22 +02:00 · 2026-05-18 12:18:22 +02:00 · b185a6159f
commit b185a6159f
parent 0990389464
2 changed files with 4 additions and 4 deletions
--- a/modules/darwin/security/ssh/default.nix
+++ b/modules/darwin/security/ssh/default.nix
@ -20,9 +20,9 @@ in
  config = mkIf cfg.enable {
    environment.systemPackages = with pkgs; [ openssh ];
-    #environment.shellInit = ''
+    environment.shellInit = ''
-    #  export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
+      export SSH_AUTH_SOCK="$HOME/.ssh/ssh-agent.sock"
-    #'';
+    '';
    launchd.user.agents.ssh-agent.serviceConfig = {
      Label = "ssh-agent";
--- a/modules/darwin/suites/common/default.nix
+++ b/modules/darwin/suites/common/default.nix
@ -32,7 +32,7 @@ in
      security = {
        gpg = enabled;
-        #ssh = enabled;
+        ssh = enabled;
      };
    };
  };