From 14ec441479ed20238ae5d63d8452d3aedc1feacf Mon Sep 17 00:00:00 2001 From: Emma Thorpe Date: Wed, 10 Jun 2026 11:36:14 +0100 Subject: [PATCH] feat(ssh): pin the Gitea remote in the managed ssh config The flake's origin (ssh://git@code.emmathe.dev) must resolve on every host. Add a matchBlock for code.emmathe.dev: user git, Port 30009 (Gitea's non-default SSH port -- the critical bit), the dedicated ~/.ssh/code.emmathe.dev key, and identitiesOnly. The work box keeps its own ssh config (programs.ssh forced off there) which already has the entry. Co-Authored-By: Claude Opus 4.8 (1M context)
---
lyrathorpe/home/shell.nix | 9 +++++++++ 1 file changed, 9 insertions(+)
diff --git a/lyrathorpe/home/shell.nix b/lyrathorpe/home/shell.nix
index 385ede8..9236917 100644
--- a/lyrathorpe/home/shell.nix
+++ b/lyrathorpe/home/shell.nix
@@ -224,6 +224,15 @@ extraConfig = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin '' UseKeychain yes '';
+ # Gitea remote (the flake's origin) -- required on every host. Pins the
+ # dedicated key so the right identity is offered. identitiesOnly avoids
+ # "too many authentication failures" when the agent holds several keys.
+ matchBlocks."code.emmathe.dev" = {
+ user = "git";
+ port = 30009; # Gitea listens on a non-default SSH port
+ identityFile = "~/.ssh/code.emmathe.dev";
+ identitiesOnly = true;
+ };
 }; # Run a user ssh-agent on Linux (macOS provides one via launchd). EDaaS also
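Review bot: The new `matchBlocks."code.emmathe.dev"` entry pins the client side (user, port, key, `identitiesOnly`) but says nothing about the server's identity, so a freshly provisioned host will presumably accept whatever host key `[code.emmathe.dev]:30009` presents on first contact. Because this remote is the flake origin that every host builds its configuration from, I would make that first connection fail closed by adding `extraOptions.StrictHostKeyChecking = "yes";` to the block. The Gitea host key would then ship in a managed known_hosts file, written as `[code.emmathe.dev]:30009 ssh-ed25519 <GITEA_HOST_PUBLIC_KEY>` (placeholder, the real key is not on this page). The enclosing `programs.ssh` set starts outside the hunk, so this may already be handled there (for example through `userKnownHostsFile`); if it is, extend the added comment to say where the host key is pinned.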