me like nix
make codeberg ssh try yubikey before 1password

author
Sean Aye
date (Jun 15, 2026, 9:53 PM -0400) commit 65635aa7 parent 1520f0cb change-id mpvvwkkv
+25 -5
+25 -5
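--- a/modules/sean.nix
+++ b/modules/sean.nix
@@ -40,7 +40,12 @@
 };
 
 flake.modules.homeManager.sean =
-{ pkgs, config, ... }:
+{
+pkgs,
+config,
+lib,
+...
+}:
 {
 home.username = "sean";
 home.homeDirectory = "/home/sean";
@@ -62,11 +67,20 @@
 enableDefaultConfig = false;
 matchBlocks = {
 # For git/jj over SSH, try the local YubiKey-backed security key
-# first. If the key is not plugged in, OpenSSH will continue on to
-# whatever agent SSH_AUTH_SOCK points at (1Password locally, or a
-# forwarded agent inside `ssh -A` sessions).
+# first. For Codeberg, restrict agent identities so 1Password is
+# only used as a fallback after the YubiKey identity.
+"codeberg.org" = lib.hm.dag.entryBefore [ "git-forges" ] {
+identityFile = [
+"${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk"
+"${config.home.homeDirectory}/.ssh/1password-codeberg.pub"
+];
+identityAgent = [
+"${config.home.homeDirectory}/.1password/agent.sock"
+];
+identitiesOnly = true;
+};
 "git-forges" = {
-host = "github.com gist.github.com codeberg.org gitlab.com";
+host = "github.com gist.github.com gitlab.com";
 identityFile = [
 "${config.home.homeDirectory}/.ssh/id_ed25519_sk_rk"
 ];
@@ -118,6 +132,12 @@
 home.file.".ssh/allowed_signers".text = ''
 hello@seanaye.ca ssh-rsa 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
 hello@seanaye.ca sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAILdilHXHdAP/V8Zq28EzHKtLAMMaFPu4+1det2N50QfhAAAABHNzaDo= sean@framework16
+'';
+
+# Public half of the 1Password Codeberg key, used to make OpenSSH try
+# this agent identity only after the YubiKey security key.
+home.file.".ssh/1password-codeberg.pub".text = ''
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHfOR2xQ1b+oZytOmbNvThIRym0R1zKtCd0dbwjPcxd1 SSH Key Codeberg
 '';
 
 # Yubikey identity for agenix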
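Review bot: The ordering promised by the new comment on the `"codeberg.org"` block may not hold. As far as I know, OpenSSH offers agent-held keys that match an `IdentityFile` before keys that exist only as files, so with `identityAgent` pointing at the 1Password socket the software key could be offered ahead of `id_ed25519_sk_rk` despite the list order. It is worth checking the "Will attempt key" order in `ssh -v` output against Codeberg and recording the result in the comment, e.g. `# order checked with ssh -v: sk key is offered first`. Hard-coding `identityAgent` also overrides `SSH_AUTH_SOCK` for this host, so the forwarded-agent fallback described in the removed comment no longer applies to Codeberg. If that is intended, the comment should say so.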