diff --git a/lyrathorpe/home/shell.nix b/lyrathorpe/home/shell.nix
index 9236917..a1ede63 100644
--- a/lyrathorpe/home/shell.nix
+++ b/lyrathorpe/home/shell.nix
@@ -218,24 +218,51 @@
 # manages ~/.ssh/config on the personal hosts.
 programs.ssh = {
 enable = true;
- addKeysToAgent = "yes";
- # macOS: also cache in the login keychain (no prompt after first unlock).
- # UseKeychain is unknown to non-Apple openssh, so only emit it on Darwin.
- extraConfig = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
- UseKeychain yes
- '';
- # Gitea remote (the flake's origin) -- required on every host. Pins the
- # dedicated key so the right identity is offered. identitiesOnly avoids
- # "too many authentication failures" when the agent holds several keys.
- matchBlocks."code.emmathe.dev" = {
- user = "git";
- port = 30009; # Gitea listens on a non-default SSH port
- identityFile = "~/.ssh/code.emmathe.dev";
- identitiesOnly = true;
+ # The module's built-in default "*" block is being deprecated; opt out and
+ # carry the defaults we want ourselves under settings."*".
+ enableDefaultConfig = false;
+ settings = {
+ # Global defaults (rendered last, as ssh_config wants). AddKeysToAgent
+ # adds the key on first use so the passphrase is typed once per session.
+ "*" = {
+ AddKeysToAgent = "yes";
+ ForwardAgent = false;
+ Compression = false;
+ ServerAliveInterval = 0;
+ ServerAliveCountMax = 3;
+ HashKnownHosts = false;
+ UserKnownHostsFile = "~/.ssh/known_hosts";
+ ControlMaster = "no";
+ ControlPath = "~/.ssh/master-%r@%n:%p";
+ ControlPersist = "no";
+ }
+ # macOS: also cache the passphrase in the login keychain. UseKeychain is
+ # unknown to non-Apple openssh, so only emit it on Darwin.
+ // lib.optionalAttrs pkgs.stdenv.hostPlatform.isDarwin {
+ UseKeychain = "yes";
+ };
+ # Gitea remote (the flake's origin) -- required on every host. Port 30009
+ # is non-default; pin the dedicated key (identitiesOnly avoids "too many
+ # authentication failures" when the agent holds several keys).
+ "code.emmathe.dev" = {
+ User = "git";
+ Port = 30009;
+ IdentityFile = "~/.ssh/code.emmathe.dev";
+ IdentitiesOnly = true;
+ };
 };
 };

 # Run a user ssh-agent on Linux (macOS provides one via launchd). EDaaS also
 # enables this in the work module; both being true merges cleanly.
 services.ssh-agent.enable = lib.mkIf pkgs.stdenv.hostPlatform.isLinux true;
+
+ # Drop the zsh completion dump on every activation. A stale ~/.zcompdump
+ # caches /nix/store paths to completion functions; once a rebuild or GC (the
+ # weekly nh clean) removes them, compinit fails with "_git: function
+ # definition file not found" for every completion. Deleting it forces a fresh
+ # rebuild from the current fpath on the next shell.
+ home.activation.resetZcompdump = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+ $DRY_RUN_CMD rm -f "$HOME"/.zcompdump* "''${XDG_CACHE_HOME:-$HOME/.cache}"/zsh/.zcompdump* 2>/dev/null || true
+ '';
 }
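Review bot: `HashKnownHosts = false` in the `"*"` block is now an explicit choice rather than an inherited module default, and because ssh_config keeps the first value it obtains, this line also overrides a system-wide `HashKnownHosts yes` on hosts whose distribution ships one. With hashing off, `~/.ssh/known_hosts` lists every host this account connects to in clear text, so I would either set `HashKnownHosts = true;` (existing entries can be converted with `ssh-keygen -H`) or add a comment saying why clear text is wanted here. Separately, in `resetZcompdump` the `2>/dev/null || true` hides a failed `rm`, so the stale-dump symptom could return with nothing in the activation log; dropping the redirect keeps the message visible, and recent Home Manager releases prefer the `run` helper over `$DRY_RUN_CMD`. The enclosing module attrset starts outside this hunk.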