ssh-agent: add defaultMaximumIdentityLifetime setting (#7876)

Add option to ssh-agent to add a default value for the maximum lifetime of identities added to the agent.
2026-01-11 17:39:37 +08:00 · 2025-09-25 16:26:39 +02:00
parent 2324540520
commit 39d26c1686
4 changed files with 41 additions and 5 deletions
--- a/modules/services/ssh-agent.nix
+++ b/modules/services/ssh-agent.nix
@@ -4,10 +4,8 @@
  pkgs,
  ...
 }:
-
 let
  cfg = config.services.ssh-agent;
-
 in
 {
  meta.maintainers = [
@@ -28,6 +26,15 @@ in
        The agent's socket; interpreted as a suffix to {env}`$XDG_RUNTIME_DIR`.
      '';
    };
+
+    defaultMaximumIdentityLifetime = lib.mkOption {
+      type = lib.types.nullOr lib.types.ints.positive;
+      default = null;
+      example = 3600;
+      description = ''
+        Set a default value for the maximum lifetime in seconds of identities added to the agent.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable {
@@ -47,7 +54,11 @@ in
        Description = "SSH authentication agent";
        Documentation = "man:ssh-agent(1)";
      };
-      Service.ExecStart = "${lib.getExe' cfg.package "ssh-agent"} -D -a %t/${cfg.socket}";
+      Service.ExecStart = "${lib.getExe' cfg.package "ssh-agent"} -D -a %t/${cfg.socket}${
+        lib.optionalString (
+          cfg.defaultMaximumIdentityLifetime != null
+        ) " -t ${toString cfg.defaultMaximumIdentityLifetime}"
+      }";
    };
  };
 }
--- a/tests/modules/services/ssh-agent/default.nix
+++ b/tests/modules/services/ssh-agent/default.nix
@@ -1,5 +1,9 @@
-{ lib, pkgs, ... }:
-
+{
+  lib,
+  pkgs,
+  ...
+}:
 lib.optionalAttrs pkgs.stdenv.hostPlatform.isLinux {
  ssh-agent-basic-service = ./basic-service.nix;
+  ssh-agent-timeout-service = ./timeout-service.nix;
 }
--- a/tests/modules/services/ssh-agent/timeout-service-expected.service
+++ b/tests/modules/services/ssh-agent/timeout-service-expected.service
@@ -0,0 +1,9 @@
+[Install]
+WantedBy=default.target
+
+[Service]
+ExecStart=@openssh@/bin/ssh-agent -D -a %t/ssh-agent -t 1337
+
+[Unit]
+Description=SSH authentication agent
+Documentation=man:ssh-agent(1)
--- a/tests/modules/services/ssh-agent/timeout-service.nix
+++ b/tests/modules/services/ssh-agent/timeout-service.nix
@@ -0,0 +1,12 @@
+{
+  services.ssh-agent = {
+    enable = true;
+    defaultMaximumIdentityLifetime = 1337;
+  };
+
+  nmt.script = ''
+    assertFileContent \
+      home-files/.config/systemd/user/ssh-agent.service \
+      ${./timeout-service-expected.service}
+  '';
+}