nixos/gnome-keyring: add SSH support by exporting SSH_AUTH_SOCK

[no-mood]

Description of changes

Added SSH support inside the gnome-keyring module, similar to ssh.nix and gnupg.nix by exporting SSH_AUTH_SOCK.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[pluiedev]

Hmm. Is there no easy way to express this with environment.sessionVariables or environment.variables?

[no-mood]

At first I was trying to use something like this:

environment.sessionVariables = {
  SSH_AUTH_SOCK = "${builtins.getEnv "XDG_RUNTIME_DIR"}/keyring/ssh";
};

Then I relied on what is done with SSH and GnuPG, I thought it was a better practice.

[Aleksanaa]

This ${builtins.getEnv "XDG_RUNTIME_DIR"} is $XDG_RUNTIME_DIR in eval, not in activation.

The current way is not that bad though:

nixpkgs/nixos/modules/services/security/yubikey-agent.nix

Lines 48 to 52 in 8535fb9

	environment.extraInit = ''
	if [ -z "$SSH_AUTH_SOCK" -a -n "$XDG_RUNTIME_DIR" ]; then
	export SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/yubikey-agent/yubikey-agent.sock"
	fi
	'';

[pluiedev]

Also, please make sure the title of both the PR and the commit fit existing conventions. They should look something more like nixos/gnome-keyring: add SSH support by exporting SSH_AUTH_SOCK

[no-mood]

I hadn't realized that in my configuration, the gnome-keyring-daemon is manually launched by my window manager (Hyprland):

exec-once = [ "${gnome.gnome-keyring}/bin/gnome-keyring-daemon --start --components=secrets,ssh" ];

This means that exporting the SSH_AUTH_SOCK variable alone isn't sufficient to handle ssh keys inside gnome-keyring. Unless specified with --components, only the secrets component is run.
Optionals components should be then passed to the wrapper?

There's a home-manager gnome-keyring module that does this in a similar way, but we're still missing a nixos module

Update: These issues may be related; unfortunately, I just discovered them:
#284173
#166887

[maanu1234]

👍

[addy419]

The gnome keyring component for setting ssh is moved to gcr https://wiki.archlinux.org/title/GNOME/Keyring#Setup_gcr

Seems like the systemd component is added to gcr

nixpkgs/pkgs/development/libraries/gcr/default.nix

Line 85 in 4a6b83b

PKG_CONFIG_SYSTEMD_SYSTEMDUSERUNITDIR = "${placeholder "out"}/lib/systemd/user";

So starting the service and setting SSH_AUTH_SOCK should do the trick? In theory

[Aleksanaa]

There is another problem. SSH_AUTH_SOCK should be mutually exclusive in various modules to avoid undefined behavior. In the current implementation, they will not conflict with each other during eval.

[no-mood]

There is another problem. SSH_AUTH_SOCK should be mutually exclusive in various modules to avoid undefined behavior. In the current implementation, they will not conflict with each other during eval.

Something like this was added here:

nixpkgs/nixos/modules/programs/gnupg.nix

Lines 238 to 242 in 71bae31

	assertions = [
	{ assertion = cfg.agent.enableSSHSupport -> !config.programs.ssh.startAgent;
	message = "You can't use ssh-agent and GnuPG agent with SSH support enabled at the same time!";
	}
	];

I feel like we could use add another layer and make an option. Something like services.keyring = gnome-keyring

[pluiedev]

I feel like we could use add another layer and make an option. Something like services.keyring = gnome-keyring

An option for setting SSH_AUTH_SOCK would definitely be nice — I use 1Password as my SSH signer at the moment and that also requires setting SSH_AUTH_SOCK. Having a dedicated option for that would allow both GNOME Keyring and 1Pass to use the same mechanism which should make things much simpler

[no-mood]

An option for setting SSH_AUTH_SOCK would definitely be nice — I use 1Password as my SSH signer at the moment and that also requires setting SSH_AUTH_SOCK. Having a dedicated option for that would allow both GNOME Keyring and 1Pass to use the same mechanism which should make things much simpler

I agree. Is this the right place for this or should I open a new issue?
Could I propose a solution with a commit?

[pluiedev]

An option for setting SSH_AUTH_SOCK would definitely be nice — I use 1Password as my SSH signer at the moment and that also requires setting SSH_AUTH_SOCK. Having a dedicated option for that would allow both GNOME Keyring and 1Pass to use the same mechanism which should make things much simpler

I agree. Is this the right place for this or should I open a new issue? Could I propose a solution with a commit?

I think it's reasonable to add it in this PR and then change the title (therefore repurpose) the PR to reflect the change

[no-mood]

Before making a commit, the idea would be to add a level of abstraction and create an additional option that sets $SSH_AUTH_SOCK. Each module will then offer an option to be set as SSH Agent using that option.

Example: The new option will be users.users.<name>.SSHAgent. Each module, like Gnome-Keyring, instead of setting SSH_AUTH_SOCK directly, will access the SSHAgent parameter like this:
users.users.<name>.SSHAgent ="$XDG_RUNTIME_DIR/ssh-agent".

By creating this option, checking for other active SSH agents won't be needed.

[gabyx]

any progress on this?