| author | 2026-05-14 13:06:20 +0100 | |
|---|---|---|
| committer | 2026-05-14 13:06:20 +0100 | |
| commit | 7c50aea6d6991ff085dcfd11e4b42a49d2a63d00 (patch) | |
| tree | 64804d1ea79e72b776af9725180c89755c4731fd /remote-dev | |
| parent | 26616fced56d7d4b18ec4f3157a65366be35f90f (diff) | |
fix(remote-dev): materialize ~/.ssh/config with 0600 perms

mkOutOfStoreSymlink exposes the working-tree file's perms. Under
Ubuntu's default umask 002, git checks out private_dot_ssh/config
as 0664; OpenSSH refuses any group-writable ssh_config.

Replace the home.file symlink with a home-manager activation step
that copies the file to a real ~/.ssh/config with 0600.
Diffstat (limited to 'remote-dev')
| -rw-r--r-- | remote-dev/home.nix | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/remote-dev/home.nix b/remote-dev/home.nix index cdb5890..a85c8f3 100644 --- a/remote-dev/home.nix +++ b/remote-dev/home.nix @@ -140,8 +140,14 @@ in }; # ~/.ssh/config from the dotfiles tree (read-only); keys + known_hosts - # stay machine-local on the VM. - home.file.".ssh/config".source = link "private_dot_ssh/config"; + # stay machine-local on the VM. We can't symlink via home.file because + # mkOutOfStoreSymlink exposes the working-tree perms (0664 under Ubuntu's + # default umask 002) and OpenSSH refuses any group-writable ssh_config. + # Materialize a real 0600 file via activation instead. + home.activation.sshConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] '' + run install -D -m 600 \ + "${dotfiles}/private_dot_ssh/config" "$HOME/.ssh/config" + ''; # ZDOTDIR redirect so login shells find ~/.config/zsh/.zprofile etc. home.file.".zshenv".text = '' |
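Review bot: `install -D -m 600` in the new `home.activation.sshConfig` step applies mode 600 only to the copied file; if `$HOME/.ssh` does not exist yet, `-D` creates it with install's default directory mode rather than 0700. Create the directory explicitly before the copy, for example `run install -d -m 700 "$HOME/.ssh"`. The leading comment also still says "(read-only)", but the target is now a regular owner-writable copy that is overwritten on every activation, so local edits to `~/.ssh/config` are lost and changes to `private_dot_ssh/config` only take effect after re-activation; the comment should say so.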
