From 89c9508bbe9b40d36b3dc206c2483ef176f15173 Mon Sep 17 00:00:00 2001
From: Benedikt Rips <benedikt.rips@gmail.com>
Date: Wed, 19 Nov 2025 23:31:39 +0100
Subject: [PATCH] ssh-agent: set $SSH_AUTH_SOCK in non-interactive shells

Since PR #8099, the module sets `$SSH_AUTH_SOCK` through shells' options
for interactive shell initialization instead of
`home.sessionVariablesExtra`. The replacement was not faithful, however,
since `home.sessionVariablesExtra` is sourced also in non-interactive
shells. With this commit, the shells' profile options (where
`home.sessionVariablesExtra` is sourced) are used to set
`$SSH_AUTH_SOCK`.

Fixes #8129.
---
 modules/services/ssh-agent.nix                       | 12 +++++-------
 .../services/ssh-agent/darwin/bash-integration.nix   |  2 +-
 2 files changed, 6 insertions(+), 8 deletions(-)

diff --git a/modules/services/ssh-agent.nix b/modules/services/ssh-agent.nix
index 35714e2b9..8bb68a40a 100644
--- a/modules/services/ssh-agent.nix
+++ b/modules/services/ssh-agent.nix
@@ -84,13 +84,11 @@ in
                 '';
           in
           {
-            bash.initExtra = lib.mkIf cfg.enableBashIntegration bashIntegration;
-
-            zsh.initContent = lib.mkIf cfg.enableZshIntegration bashIntegration;
-
-            fish.interactiveShellInit = lib.mkIf cfg.enableFishIntegration fishIntegration;
-
-            nushell.extraConfig = lib.mkIf cfg.enableNushellIntegration nushellIntegration;
+            # $SSH_AUTH_SOCK has to be set early since other tools rely on it
+            bash.profileExtra = lib.mkIf cfg.enableBashIntegration (lib.mkOrder 900 bashIntegration);
+            fish.shellInit = lib.mkIf cfg.enableFishIntegration (lib.mkOrder 900 fishIntegration);
+            nushell.extraConfig = lib.mkIf cfg.enableNushellIntegration (lib.mkOrder 900 nushellIntegration);
+            zsh.envExtra = lib.mkIf cfg.enableZshIntegration (lib.mkOrder 900 bashIntegration);
           };
       }
 
diff --git a/tests/modules/services/ssh-agent/darwin/bash-integration.nix b/tests/modules/services/ssh-agent/darwin/bash-integration.nix
index b4fb91096..2341462ac 100644
--- a/tests/modules/services/ssh-agent/darwin/bash-integration.nix
+++ b/tests/modules/services/ssh-agent/darwin/bash-integration.nix
@@ -8,7 +8,7 @@
 
   nmt.script = ''
     assertFileContains \
-      home-files/.bashrc \
+      home-files/.profile \
       'export SSH_AUTH_SOCK=$(@getconf-system_cmds@/bin/getconf DARWIN_USER_TEMP_DIR)/ssh-agent'
   '';
 }