ssh-agent: Allow other systemd units access to $SSH_AUTH_SOCK

Quincunx271 · Quincunx271 · commit 0467d026cec1 · 2025-11-02T10:20:04.000-08:00
If another systemd unit wants to talk to the ssh-agent service, they
need to know the SSH_AUTH_SOCK variable to do so.
diff --git a/modules/services/ssh-agent.nix b/modules/services/ssh-agent.nix
@@ -86,11 +86,18 @@ in
         Description = "SSH authentication agent";
         Documentation = "man:ssh-agent(1)";
       };
-      Service.ExecStart = "${lib.getExe' cfg.package "ssh-agent"} -D -a %t/${cfg.socket}${
-        lib.optionalString (
-          cfg.defaultMaximumIdentityLifetime != null
-        ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
-      }";
+      Service = {
+        ExecStart = "${lib.getExe' cfg.package "ssh-agent"} -D -a %t/${cfg.socket}${
+          lib.optionalString (
+            cfg.defaultMaximumIdentityLifetime != null
+          ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
+        }";
+        ExecStartPost = "${pkgs.writeShellScript "update-ssh-agent-env" ''
+          if [ -z "$SSH_AUTH_SOCK" ]; then
+            ${pkgs.dbus}/bin/dbus-update-activation-environment --systemd "$@"
+          fi
+        ''} SSH_AUTH_SOCK=%t/${cfg.socket}";
+      };
     };
   };
 }
diff --git a/tests/modules/services/ssh-agent/basic-service-expected.service b/tests/modules/services/ssh-agent/basic-service-expected.service
@@ -3,6 +3,7 @@ WantedBy=default.target
 
 [Service]
 ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent/socket
+ExecStartPost=/nix/store/00000000000000000000000000000000-update-ssh-agent-env SSH_AUTH_SOCK=%t/ssh-agent/socket
 
 [Unit]
 Description=SSH authentication agent
diff --git a/tests/modules/services/ssh-agent/basic-service.nix b/tests/modules/services/ssh-agent/basic-service.nix
@@ -6,7 +6,7 @@
 
   nmt.script = ''
     assertFileContent \
-      home-files/.config/systemd/user/ssh-agent.service \
+      $(normalizeStorePaths home-files/.config/systemd/user/ssh-agent.service) \
       ${./basic-service-expected.service}
   '';
 }
diff --git a/tests/modules/services/ssh-agent/timeout-service-expected.service b/tests/modules/services/ssh-agent/timeout-service-expected.service
@@ -3,6 +3,7 @@ WantedBy=default.target
 
 [Service]
 ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent -t 1337
+ExecStartPost=/nix/store/00000000000000000000000000000000-update-ssh-agent-env SSH_AUTH_SOCK=%t/ssh-agent
 
 [Unit]
 Description=SSH authentication agent
diff --git a/tests/modules/services/ssh-agent/timeout-service.nix b/tests/modules/services/ssh-agent/timeout-service.nix
@@ -6,7 +6,7 @@
 
   nmt.script = ''
     assertFileContent \
-      home-files/.config/systemd/user/ssh-agent.service \
+      $(normalizeStorePaths home-files/.config/systemd/user/ssh-agent.service) \
       ${./timeout-service-expected.service}
   '';
 }

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`
`7`	`7`	`nmt.script = ''`
`8`	`8`	`assertFileContent \`
`9`		`- home-files/.config/systemd/user/ssh-agent.service \`
	`9`	`+ $(normalizeStorePaths home-files/.config/systemd/user/ssh-agent.service) \`
`10`	`10`	`${./basic-service-expected.service}`
`11`	`11`	`'';`
`12`	`12`	`}`