From 761d02dddaea8241633b09cc4e0c4b2307aa9ed4 Mon Sep 17 00:00:00 2001
From: Emma Thorpe
Date: Wed, 10 Jun 2026 14:20:58 +0100
Subject: [PATCH] fix(ssh): guard macOS UseKeychain with IgnoreUnknown
nixpkgs' openssh lacks Apple's keychain patch, so `UseKeychain yes` is rejected as "Bad configuration option" when that ssh is on PATH. Prefix it with `IgnoreUnknown UseKeychain` (the module emits IgnoreUnknown first) so a non-Apple ssh skips it while Apple's ssh still honours it. Still Darwin-only.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 lyrathorpe/home/shell.nix | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/lyrathorpe/home/shell.nix b/lyrathorpe/home/shell.nix
index 8d4bd9f..eae0552 100644
--- a/lyrathorpe/home/shell.nix
+++ b/lyrathorpe/home/shell.nix
@@ -245,9 +245,13 @@
 ControlPath = "~/.ssh/master-%r@%n:%p";
 ControlPersist = "no";
 }
- # macOS: also cache the passphrase in the login keychain. UseKeychain is
- # unknown to non-Apple openssh, so only emit it on Darwin.
+ # macOS: also cache the passphrase in the login keychain. UseKeychain
+ # exists only in Apple's ssh; nixpkgs' openssh (which may be the `ssh` on
+ # PATH) rejects it as "Bad configuration option". IgnoreUnknown (emitted
+ # first by the module) makes any non-Apple ssh skip it instead of erroring,
+ # while Apple's ssh still honours it. Darwin-only.
 // lib.optionalAttrs pkgs.stdenv.hostPlatform.isDarwin {
+ IgnoreUnknown = "UseKeychain";
 UseKeychain = "yes";
 };
 # Gitea remote (the flake's origin) -- required on every host. HostName
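Review bot: The new `IgnoreUnknown = "UseKeychain";` only helps if it is rendered above `UseKeychain` in the generated ssh_config, and nothing in this hunk enforces that order; ssh_config(5) does not apply IgnoreUnknown to unknown options that appear before it. The comment credits the module for the ordering, so I would record what that relies on and how to check it, for example `# Relies on the module rendering IgnoreUnknown before UseKeychain; confirm with "ssh -G HOST" using nixpkgs' ssh.` (HOST is a placeholder). Separately, `//` is a right-biased shallow merge, so if the left-hand attrset ever gains its own `IgnoreUnknown`, the Darwin value would replace that pattern list instead of extending it, which deserves a one-line caveat in the same comment. The enclosing attrset begins outside the hunk, so whether it sets that key today cannot be seen from here.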