From 7c50aea6d6991ff085dcfd11e4b42a49d2a63d00 Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Thu, 14 May 2026 13:06:20 +0100
Subject: fix(remote-dev): materialize ~/.ssh/config with 0600 perms

mkOutOfStoreSymlink exposes the working-tree file's perms. Under Ubuntu's default umask 002, git checks out private_dot_ssh/config as 0664; OpenSSH refuses any group-writable ssh_config. Replace the home.file symlink with a home-manager activation step that copies the file to a real ~/.ssh/config with 0600.
---
 remote-dev/home.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/remote-dev/home.nix b/remote-dev/home.nix
index cdb5890..a85c8f3 100644
--- a/remote-dev/home.nix
+++ b/remote-dev/home.nix
@@ -140,8 +140,14 @@ in
 };
 # ~/.ssh/config from the dotfiles tree (read-only); keys + known_hosts
- # stay machine-local on the VM.
- home.file.".ssh/config".source = link "private_dot_ssh/config";
+ # stay machine-local on the VM. We can't symlink via home.file because
+ # mkOutOfStoreSymlink exposes the working-tree perms (0664 under Ubuntu's
+ # default umask 002) and OpenSSH refuses any group-writable ssh_config.
+ # Materialize a real 0600 file via activation instead.
+ home.activation.sshConfig = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+ run install -D -m 600 \
+ "${dotfiles}/private_dot_ssh/config" "$HOME/.ssh/config"
+ '';
 # ZDOTDIR redirect so login shells find ~/.config/zsh/.zprofile etc.
 home.file.".zshenv".text = ''
-- 
cgit v1.3.1
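Review bot: `install -D -m 600` applies the mode only to the copied file; if `~/.ssh` does not exist yet on a fresh VM, `-D` creates it with install's default directory mode rather than 0700, and the comment above says keys and known_hosts live in that directory. Creating the directory explicitly first would pin it: `run install -d -m 700 "$HOME/.ssh"` ahead of the existing `run install -D -m 600 …` line. The comment could also state that `~/.ssh/config` is now a copy refreshed on each activation, so edits made directly to it are overwritten and working-tree edits only take effect after the next switch. `dotfiles` is defined outside this hunk, so whether it is a string path or a Nix path (which would be copied into the store when interpolated) cannot be checked from here.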