feat(ssh): pin the Gitea host to its IP, overriding DNS

Set HostName 10.187.1.76 on the code.emmathe.dev block so the Gitea remote resolves to the fixed IP without relying on DNS (same user, port 30009 and key). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fix(shell): migrate ssh to the settings API; reset stale zcompdump
2026-06-10 13:23:04 +01:00 · 2026-06-10 11:55:46 +01:00
1 changed files with 43 additions and 14 deletions
@@ -218,24 +218,53 @@
  # manages ~/.ssh/config on the personal hosts.
  programs.ssh = {
    enable = true;
-    addKeysToAgent = "yes";
-    # macOS: also cache in the login keychain (no prompt after first unlock).
-    # UseKeychain is unknown to non-Apple openssh, so only emit it on Darwin.
-    extraConfig = lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
-      UseKeychain yes
-    '';
-    # Gitea remote (the flake's origin) -- required on every host. Pins the
-    # dedicated key so the right identity is offered. identitiesOnly avoids
-    # "too many authentication failures" when the agent holds several keys.
-    matchBlocks."code.emmathe.dev" = {
-      user = "git";
-      port = 30009; # Gitea listens on a non-default SSH port
-      identityFile = "~/.ssh/code.emmathe.dev";
-      identitiesOnly = true;
+    # The module's built-in default "*" block is being deprecated; opt out and
+    # carry the defaults we want ourselves under settings."*".
+    enableDefaultConfig = false;
+    settings = {
+      # Global defaults (rendered last, as ssh_config wants). AddKeysToAgent
+      # adds the key on first use so the passphrase is typed once per session.
+      "*" = {
+        AddKeysToAgent = "yes";
+        ForwardAgent = false;
+        Compression = false;
+        ServerAliveInterval = 0;
+        ServerAliveCountMax = 3;
+        HashKnownHosts = false;
+        UserKnownHostsFile = "~/.ssh/known_hosts";
+        ControlMaster = "no";
+        ControlPath = "~/.ssh/master-%r@%n:%p";
+        ControlPersist = "no";
+      }
+      # macOS: also cache the passphrase in the login keychain. UseKeychain is
+      # unknown to non-Apple openssh, so only emit it on Darwin.
+      // lib.optionalAttrs pkgs.stdenv.hostPlatform.isDarwin {
+        UseKeychain = "yes";
+      };
+      # Gitea remote (the flake's origin) -- required on every host. HostName
+      # pins the IP so it resolves without DNS. Port 30009 is non-default; pin
+      # the dedicated key (identitiesOnly avoids "too many authentication
+      # failures" when the agent holds several keys).
+      "code.emmathe.dev" = {
+        HostName = "10.187.1.76";
+        User = "git";
+        Port = 30009;
+        IdentityFile = "~/.ssh/code.emmathe.dev";
+        IdentitiesOnly = true;
+      };
    };
  };

  # Run a user ssh-agent on Linux (macOS provides one via launchd). EDaaS also
  # enables this in the work module; both being true merges cleanly.
  services.ssh-agent.enable = lib.mkIf pkgs.stdenv.hostPlatform.isLinux true;
+
+  # Drop the zsh completion dump on every activation. A stale ~/.zcompdump
+  # caches /nix/store paths to completion functions; once a rebuild or GC (the
+  # weekly nh clean) removes them, compinit fails with "_git: function
+  # definition file not found" for every completion. Deleting it forces a fresh
+  # rebuild from the current fpath on the next shell.
+  home.activation.resetZcompdump = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+    $DRY_RUN_CMD rm -f "$HOME"/.zcompdump* "''${XDG_CACHE_HOME:-$HOME/.cache}"/zsh/.zcompdump* 2>/dev/null || true
+  '';
 }