
preserve host ssh agent

Open austinrivas opened this issue 3 weeks ago • 0 comments

there are some pretty significant differences between the ssh agent shipped with nix-darwin and the default macOS / Darwin ssh agent.

is there any way to prevent nix-darwin from overriding the default host ssh agent in favor of relying on macOS's ssh agent?

an example of one of the issues I have encountered is enabling keychain usage on macOS.

the nix-darwin ssh options appear to be rather limited: https://mynixos.com/nix-darwin/options/programs.ssh

here is an example configuration using home-manager that does not seem to correctly enable ssh macOS keychain integration.

ssh = {
  enable = true;
  extraOptionOverrides = {
    ForwardAgent = "no";
    # macOS Keychain Support
    # https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent#adding-your-ssh-key-to-the-ssh-agent
    # Run /usr/bin/ssh-add --apple-use-keychain ~/.ssh/id_github_<id>
    AddKeysToAgent = "yes";
    UseKeychain = "yes";
    IgnoreUnknown = "UseKeychain";
  };
  # How to use multiple SSH configs with GH
  # https://medium.com/the-andela-way/a-practical-guide-to-managing-multiple-github-accounts-8e7970c8fd46
  # generate an ssh key and add it below
  # create a workspace .gitconfig and add it to the global .gitconfig as an includeIf directive
  # confirm it is working via $ ssh -T github.com-personal
  # https://dev.to/chakrit/multiple-identity-gitconfig-with-gpg-signing-8c0
  matchBlocks = {
    "github.com-austinrivas" = {
      hostname = "github.com";
      user = "git";
      identityFile = [
        (lib.mkIf pkgs.stdenv.hostPlatform.isLinux
          "/home/${user}/.ssh/id_github_austinrivas"
        )
        (lib.mkIf pkgs.stdenv.hostPlatform.isDarwin
          "/Users/${user}/.ssh/id_github_austinrivas"
        )
      ];
    };
    "github.com-some-other-gh-user" = {
      hostname = "github.com";
      user = "git";
      identityFile = [
        (lib.mkIf pkgs.stdenv.hostPlatform.isLinux
          "/home/${user}/.ssh/id_github_some-other-gh-user"
        )
        (lib.mkIf pkgs.stdenv.hostPlatform.isDarwin
          "/Users/${user}/.ssh/id_github_some-other-gh-user"
        )
      ];
    };
    "github.com-a-third-gh-user" = {
      hostname = "github.com";
      user = "git";
      identityFile = [
        (lib.mkIf pkgs.stdenv.hostPlatform.isLinux
          "/home/${user}/.ssh/id_github_a-third-gh-user"
        )
        (lib.mkIf pkgs.stdenv.hostPlatform.isDarwin
          "/Users/${user}/.ssh/id_github_a-third-gh-user"
        )
      ];
    };
  };
};

this results in the following ssh config

AddKeysToAgent yes
ForwardAgent no
IgnoreUnknown UseKeychain
UseKeychain yes
Host github.com-austinrivas
User git
HostName github.com
IdentityFile /Users/minion/.ssh/id_github_austinrivas
Host github.com-some-other-gh-user
User git
HostName github.com
IdentityFile /Users/minion/.ssh/id_github_some-other-gh-user
Host github.com-a-third-gh-user
User git
HostName github.com
IdentityFile /Users/minion/.ssh/id_github_a-third-gh-user

Host *
ForwardAgent no
AddKeysToAgent no
Compression no
ServerAliveInterval 0
ServerAliveCountMax 3
HashKnownHosts no
UserKnownHostsFile ~/.ssh/known_hosts
ControlMaster no
ControlPath ~/.ssh/master-%r@%n:%p
ControlPersist no

austinrivas avatar Jun 19 '24 12:06 austinrivas
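The generated config above ends with a home-manager `Host *` block that repeats keywords (`AddKeysToAgent no`) already set at the top of the file. ssh takes the first value it obtains for each keyword, so those trailing lines never take effect. The following resolver is an added example, not code from the issue or from nix-darwin/home-manager; it parses an ssh_config text with that first-match rule, reports the effective options for a host and lists the lines that are silently shadowed. The embedded config is a constructed, trimmed copy of the one quoted in the issue.

```python
import fnmatch
import re
# Constructed sample, trimmed from the generated config quoted in the issue.
SAMPLE_CONFIG = """\
AddKeysToAgent yes
IgnoreUnknown UseKeychain
UseKeychain yes
Host github.com-austinrivas
User git
HostName github.com
IdentityFile /Users/minion/.ssh/id_github_austinrivas

Host *
ForwardAgent no
AddKeysToAgent no
"""
LINE_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*?)\s*$")

def parse_ssh_config(text):
    # (host_patterns, [(keyword, value)]) blocks; keywords are case-insensitive,
    # and options before the first Host line behave like a 'Host *' block.
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((keyword, value))
    return blocks

def host_matches(patterns, host):
    # ssh Host semantics: any listed pattern may match, '!pattern' excludes.
    negated = [p[1:] for p in patterns if p.startswith("!")]
    if any(fnmatch.fnmatchcase(host, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(host, p) for p in patterns if p[0] != "!")

def effective_options(text, host):
    # ssh keeps the first value obtained per keyword, so the trailing 'Host *'
    # defaults cannot override earlier lines; shadowed pairs are returned.
    effective, shadowed = {}, []
    for patterns, opts in parse_ssh_config(text):
        if host_matches(patterns, host):
            for keyword, value in opts:
                if keyword in effective:
                    shadowed.append((keyword, value))
                effective.setdefault(keyword, value)
    return effective, shadowed
```

Run it against `~/.ssh/config` to see which keyword a given host really gets; the same rule is why `ssh -G <host>` is the authoritative check on a real machine.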